DVDFile.com  

Old 05-03-2008, 09:36 PM   #1 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
XBox live hacked and my friend's credit card # swiped?

My best friend just told me his kid's Live account was hacked. It got his password and the credit card info he used to sign up. They are still fighting to get the stolen charges erased. WTF?
__________________
Get outside and have fun!
Nacho Website Focus
Old 05-04-2008, 04:08 PM   #2 (permalink)
Nuked for Morbid
 
umainebearman's Avatar
 
Join Date: Aug 2004
Location: Savannah,GA
They know for a fact that it was hacked from XBL and not, say, a purchase from Amazon or some subscription to a porn site? Maybe some part-time kid at the local movie rental place decided he needed some extra money, so when your friend rented a movie and all his info came up the kid just wrote it down and went to town with it.

I'm just sayin'....
__________________
"We better win the F**king emmy for this this year or I swear to god..." Ronald D. Moore

My DVD Collection
Old 05-04-2008, 05:02 PM   #3 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
Yeah...is that really even possible?


More likely, if it was from the xbox itself, that it was done locally, at the machine, by, like, a friend.
__________________
The Order of the Zombie. The world's greatest zombie culture website.
"Ph'nglui mglw'nafh Cthulhu R'lyeh wagn'nagl dominos"
In his house in R'lyeh, dead Cthulhu waits for the pizza delivery guy.
Old 05-04-2008, 07:10 PM   #4 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
Guys, come on, I ain't making this up. I'll ask for more details though.
Old 05-04-2008, 07:31 PM   #5 (permalink)
It's Good to Play Together
 
Ruined's Avatar
 
Join Date: Oct 2001
Location: NJ, USA
Quote:
Originally Posted by Iguana Man View Post
Guys, come on, I ain't making this up. I'll ask for more details though.
I don't think people are trying to say you are making it up, it's just that the idea of "hacking" a Live account is a bit far-fetched.

More likely the user voluntarily gave up their Live account info (i.e. phishing email), assuming the console was not stolen.
__________________
For every shadow, no matter how deep, is threatened by morning light.
Old 05-04-2008, 09:14 PM   #6 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
This doesn't look good for the boy then. Hmmm. Tempest may not like the answers thus far.
Old 05-04-2008, 09:52 PM   #7 (permalink)
Actor
 
Derb's Avatar
 
Join Date: Aug 2003
Location: canada
I know some users have the resources to hack the console to enable game cheats in XBL, but that's all I've seen out of the ordinary.

I hope your friend is able to sue MS for millions!
__________________
DVD, HD DVD & BD Collection

Finished supporting High-Def. Time for Blu to go mainstream.
Old 05-05-2008, 03:34 AM   #8 (permalink)
Nuked for Morbid
 
umainebearman's Avatar
 
Join Date: Aug 2004
Location: Savannah,GA
Quote:
Originally Posted by Iguana Man View Post
This doesn't look good for the boy then. Hmmm. Tempest may not like the answers thus far.
I know one thing that your friend might want to look into. If their kid ever goes to a friend's house and recovers their gamertag on that friend's 360, they have to go through a process that requires them to put in the email address associated with the account and a password. Now after the password is typed in it asks if you want to save the password. If they put in YES then that would let whoever's 360 that is recover that gamertag whenever they wanted and would also give them access to all of the account info. Given that that gamertag is Xbox Live enabled and it has a credit card number associated with it, of course.
Old 05-05-2008, 09:28 AM   #9 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
Quote:
Dude I checked all the computers in the house, no viruses or Trojans. Albert didn't give out his password. I changed it and 24 hours later someone else changed it, I could not get in. I have spent 6 hours on line with Microsoft and the account is still being hacked into and charges are still being made against my card. Thank god I reported my credit card stolen because microshaft will not refund money spent on points, you're just fucked. It is so bad someone used the gamertag to open a ZUNE account and buy ZUNE points. Support said stolen tags are a problem and it was good that I did not supply a fake email to open the account or else by the time I did Albert's account would have been unrecoverable. If I don't get this cleared up soon, Albert will get a new account without a credit card attached.
That was a reply to me asking what happened.
Old 05-05-2008, 02:24 PM   #10 (permalink)
Actor
 
ganthc's Avatar
 
Join Date: Jun 2002
Location: "Vyenna", VA
That sucks for your friend Iggy. I would suggest that they dispute the charges with the credit card company for the amount given to MS. Even if MS doesn't want to credit it back, your friend should not have to pay it. You can tell them to call their credit card company and say they tried to reason with MS and were unsuccessful. I have found the credit card companies are a lot more effective at getting the money taken back than retailers are sometimes.
__________________
HOOK'EM!!!
UT LONGHORNS - National Champs 2005-2006!!!
http://ganthc.youaremighty.com
Old 05-05-2008, 04:30 PM   #11 (permalink)
It's Good to Play Together
 
Ruined's Avatar
 
Join Date: Oct 2001
Location: NJ, USA
It does suck but there are a couple of things to keep in mind:

1. There is no realistic way to hack or steal an XBOX Live account password without the user somehow compromising it. Some examples of this might be:

* User voluntarily enters their XBOX Live username/password in a phishing/scam email that appears to be coming from XBOX.COM but if looked at closely is actually from a rogue website. This is also usually how identity theft happens, as well as stolen Steam accounts.

* User enters their XBOX Live username/password in friend's console, and saves the information there. Their friend may then compromise the password in any of these ways also.

* User's password sucks. An example of this is a person with gamertag "Freddy" and password "freddy". Might be convenient to remember, but it is also easily guessed. It is always good to use numbers in your password as well as words that will not be easily guessed, with a length of ~8 characters minimum to be immune to brute force attacks.

2. The person who hijacked the account essentially has permanent free copies of the XBOX Live Arcade games and DLC he bought on his XBOX 360 hard drive, wherever that XBOX 360 is located. However, these games and DLC are also permanently stored in the original user's XBOX Live account. So this person's son's account now has access to all of these games bought. If the charge is disputed, Microsoft is going to have to go through the person's account and remove the DRM license for all games claimed to not be downloaded by the original user otherwise the son will have free access to all of the games bought by the other person. Note that Microsoft keeps track of the IP address of all download purchases, so they will likely not refund the money if the content was in actuality bought by the son in his own house and he is using the theft as an excuse -which is of course a possibility Microsoft must investigate.

3. The whole Zune points thing baffles me. As far as I know any Zune points bought with the account are deposited directly into the account. While that person could then buy Zune songs, Zune DRM is set up so that it requires online re-authorization of songs at certain points (unlike 360 DRM) I believe. So while those downloaded songs might temporarily work, once the account is recovered I believe they will cease working so buying them would be pointless in the first place.

4. Every time Microsoft points are purchased, Microsoft immediately notifies the person via the gamertag-associated email how many points were purchased and on what date/time they were purchased. Therefore this person should have been receiving emails every time the thief bought points, as he claims his email address remained intact for the account. This should have immediately prompted him that his account was hijacked and if he was more cogent he probably could have prevented the said damage earlier.

Just some points to keep in mind. There is no real reliable way to "intercept" or "hack" a 360 or Steam password through the internet. Some sort of user error is generally involved whether it is falling for a scam email or using a weak password, where the user voluntarily gives up their password to the thief unknowingly or simply does not use a good password to protect their account in the first place.

Last edited by Ruined : 05-05-2008 at 04:38 PM.
Old 05-05-2008, 09:25 PM   #12 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
From my friend:

Quote:
1st, Albert doesn't go anywhere, but even if he did that would not explain how it would get changed after I changed it. The safest way is to not have a credit card hooked to the account, you can buy a card from "shaft" to renew your membership and you can buy point cards, that way the worst hit you can take is for the points you haven't spent. That is my solution. By the way, think about this: MS has to update Windows constantly because of security flaws, the xbox is just another OS they have made and it is not protected by your router because you have to let everybody in to play, do you actually think they made a perfectly secure system? They can't do it with your computer. Once someone hacks into your xbox they sign on with their machine, your gamertag and they are you, they have all your security info. I think I have finally stopped the charges, had all my security questions changed, but that does not solve the original problem that someone got in. One of three things happened: Albert gave out his password, I doubt it; two, they hacked one of my computers and found his password there from logging into Bungie and shaft billing, my computers all check clean, I have a firewall on everything but the xbox; three, someone hacked the xbox itself or xbox live. Just be careful dude.
I'm not trying to stir things up here, just looking for some answers.
Old 05-06-2008, 02:39 AM   #13 (permalink)
Actor
 
Astrakan's Avatar
 
Join Date: May 2001
Location: Toronto, ON Canada
How old is Albert?

Unless he's a pre-teen, my money's on him not telling his dad the full story. Granted, I don't know this kid or his family, but I have a hell of an easier time believing that some teenage kid was irresponsible with his account than that someone hacked his Xbox.

KM
__________________
Blog, blog, bo blog. Banana, fana, fo flog. Me, my, mo mlog. Blog!
DVD Profiler - The most features. The largest database. User-created plugins. Simply the best.
Old 05-06-2008, 07:05 AM   #14 (permalink)
Nuked for Morbid
 
umainebearman's Avatar
 
Join Date: Aug 2004
Location: Savannah,GA
Yeah, from that last response from your friend, Iggy, it sounds like he's trying to blame someone else for a mistake that took place with either him or his son. Don't know why he's including the Bungie site in the response. Did they buy something from them too??

It's too bad something like this has to happen but I'm betting that Astrakan is pretty close to the bullseye. When kids know they have screwed the pooch they are more willing to keep their mouths shut and rather than tell the truth let the adults start drawing conclusions and hope those conclusions go in a direction that they aren't standing.
Old 05-06-2008, 04:35 PM   #15 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
Something is fishy in this story Iggy. I doubt it is actually possible to hack into a 360 remotely and steal that information.
Old 05-06-2008, 04:59 PM   #16 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
My friend is pretty pissed about all this so I'm going to drop it for now. However it happened, happened. I kinda feel bad for bringing it up on this forum too so if you fellas don't mind, I'm going to bail on posting any more replies.
Old 05-06-2008, 05:09 PM   #17 (permalink)
It's Good to Play Together
 
Ruined's Avatar
 
Join Date: Oct 2001
Location: NJ, USA
Quote:
Originally Posted by Wirehed View Post
Something is fishy in this story Iggy. I doubt it is actually possible to hack into a 360 remotely and steal that information.
There are much, much, much easier and more plausible ways to get accounts if they want the info (i.e. phishing). There is no listening server on an XBOX 360 nor is there a way to run unsigned code so there is no plausible way to "hack in."

99% chance it was one of the things in my above post.
Old 05-06-2008, 06:13 PM   #18 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
And so the guy gets pissed and doesn't want to talk about it anymore? Heh, he won't listen to reason and he doesn't want to think about any other possibilities beyond mysterious hackers.


Sounds like denial to me. I bet there's some other problem underneath all this. Likely it's none of our business, but that doesn't mean people should think their 360s are in danger of this sort of thing happening.
Old 05-06-2008, 08:47 PM   #19 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
Quote:
Originally Posted by Wirehed View Post
And so the guy gets pissed and doesn't want to talk about it anymore? Heh, he won't listen to reason and he doesn't want to think about any other possibilities beyond mysterious hackers.


Sounds like denial to me. I bet there's some other problem underneath all this. Likely it's none of our business, but that doesn't mean people should think their 360s are in danger of this sort of thing happening.
It's not he, it's me. I don't want to talk about it anymore since it will only lead to me asking him more questions. That will result in potential, make that definite ARGUMENTS. Why should I pursue that Wire? He's a friend for 25 years and frankly I don't, nor he, needs to escalate a very personal and touchy situation (try and read between the lines here). It is what it is and I'm deciding to let it go.

Hey, I was worried I may have been told of a 'problem' with Xbox Live and wanted to report it to you folks. That's all. If it's completely false in your and everyone else's eyes...cool. I apologize and shouldn't have posted it to begin with.

Seriously, sorry I brought the whole thing up.

Feel free to delete the thread too as it may cause unnecessary concerns for those that frequent these boards. I don't want to be responsible for that as well as pushing a sensitive subject onto one of the few real-life friends I have.

Old 05-06-2008, 08:58 PM   #20 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
Ok, that's fine.


Don't get upset with us though, YOU brought it up, we're just responding to your inquiry --that MS isn't handling the situation well in refunding charges; we're pointing out that MS probably isn't responsible for this in the first place.
Old 05-06-2008, 09:12 PM   #21 (permalink)
Ex-BadHumor Man
 
Iguana Man's Avatar
 
Join Date: May 2002
Location: New Jersey, USA
Quote:
Originally Posted by Wirehed View Post
Don't get upset with us though,
I'm not. Am I coming off that way? If anything I am upset at the fact I posted this to begin with and that is all.

Spoiler (Highlight or Triple Click to Read):
It's cool.
Old 05-06-2008, 09:13 PM   #22 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
Diggity
Old 05-07-2008, 03:13 AM   #23 (permalink)
Actor
 
Join Date: Jun 2005
There was an article on ZDNet dated March 20, 2007 that outlined something pretty similar to this happening. A follow up article states that Microsoft denied the hack and said it was some "social engineering attack." Posts following both articles from people who say that they were hacked, and others saying it's not possible. Doing a Google search will get you the articles, but I'm not going to link to them because one of them outlines how to supposedly hack an XBox Live account.
Jason is offline   Reply With Quote
Old 05-07-2008, 02:15 PM   #24 (permalink)
Actor
 
ganthc's Avatar
 
Join Date: Jun 2002
Location: "Vyenna", VA
Quote:
Originally Posted by Jason View Post
There was an article on ZDNet dated March 20, 2007 that outlined something pretty similar to this happening. A follow up article states that Microsoft denied the hack and said it was some "social engineering attack." Posts following both articles from people who say that they were hacked, and others saying it's not possible. Doing a Google search will get you the articles, but I'm not going to link to them because one of them outlines how to supposedly hack an XBox Live account.
Interesting. I was curious when Iggy's friend said that MS had acknowledged that there have been issues with what his friend was experiencing. I think it's funny that people think the Live accounts are somehow hack proof. Considering how hackers have thwarted other types of supposedly hack proof things, I am not too surprised if they have found a way to do so. Considering that credit card numbers are attached to many of these accounts, it certainly makes for a strong target.
Old 05-07-2008, 02:38 PM   #25 (permalink)
It's Good to Play Together
 
Ruined's Avatar
 
Join Date: Oct 2001
Location: NJ, USA
Quote:
Originally Posted by ganthc View Post
Interesting. I was curious when Iggy's friend said that MS had acknowledged that there have been issues with what his friend was experiencing. I think it's funny that people think the Live accounts are somehow hack proof. Considering how hackers have thwarted other types of supposedly hack proof things, I am not too surprised if they have found a way to do so. Considering that credit card numbers are attached to many of these accounts, it certainly makes for a strong target.
Again, phishing or "social engineering," whatever you want to call it, is how 99% of today's attacks are done. The reason why is because it's 1000x easier to fool someone into giving you their information than it is to actually hack an account - which would be near impossible with a decent password.

I think most have the false idea of scary hackers busting open their accounts from watching movies like "Hackers" where the main characters just pull up a terminal and start breaking into people's accounts through secret methods - that is pure fiction and is a fruitless endeavor. Real hacking of a single account could take weeks or months, and by the time you got the password not only would you have gotten caught by your millions of failed attempts, but you probably could have easily captured 100 accounts in the same time by phishing/social engineering techniques - bulk send emails with fake websites that look like the real deal. To have someone actually hack these days without essentially having the user voluntarily give up their information is very, very rare.

Last edited by Ruined : 05-07-2008 at 02:44 PM.
Old 05-07-2008, 04:25 PM   #26 (permalink)
Producer/Admin
NSFW
Off 'the list'
 
Wirehed's Avatar
 
Join Date: Jul 2001
Location: Sacto, Ca --Near Galt, home of LeVar Burton
You would have to be a massive target, that's for sure.

And even yet, I doubt a "hacker" could get access to the credit card information remotely.
Old 05-07-2008, 06