
Microsoft Begins War On Fraud

Microsoft is, perhaps more than most, aware of Xbox Live's growing security concerns. In a blog post on MajorNelson.com today, Xbox Live General Manager Alex Garden explored the troubling present and hopeful future of Xbox 360 safety. While he maintains there's not yet been a breach in Xbox Live's security, he confesses that the rampancy of account hijacking is discomforting for his company's customers, many of whom have indeed been victimized with compromised accounts.

xboxlive.ign.com
Brosy 2084d ago

I just wonder how much they can actually do since this problem is mainly caused by the consumer. I mean sure you can investigate, freeze the account, and return losses to customers. But the customer is one thing at fault in the first place. Real hackers are also to blame for stealing the information to begin with. I hope they stay vigilant and stamp out these problems. It must be a pain in the ass to have your account stolen.

Thielkesp18 2084d ago

Yep, I had my account stolen. They took my account, purchased $20 of Microsoft Points, and then used it for in-game content for FIFA 12. Microsoft told me that this happens a lot with Xbox Live accounts. They do a small amount because it could be missed unless you look at your accounts often.

darthv72 2084d ago

If someone uses your account to get points and buys content, wouldn't that content be yours to download as well? I mean they had to use your account in the first place so there would be some trace of the purchase in your account history.

You may not have wanted the FIFA content but if you had the game yourself then you would have the ability to use it as well.

On topic: What I am wondering is if there are so many of these stolen accounts with such small things then how does MS know who is real or not? Anyone could call them up and say their account has been hacked and try and get some kind of credit back if they bought something they didn't want.

MS does not offer refunds so this could be a new way of getting refunds for purchases people make but then have 2nd thoughts about. Some accounts that have been hacked are legit but how many are people just trying to get in on the action?

Where does personal responsibility fall into things?

dragonelite 2084d ago

And all the database hack results being out there and people having the same password on multiple services also doesn't help.

LiL T 2084d ago

I was under the impression, due to N4G Xbox users, that this kinda stuff never happens and if it does it's the user's fault. So why are they concerned if the N4G users say there's nothing wrong?

SaffronCurse 2084d ago (Edited 2084d ago)

Yeah, because apparently Xbox Live is unhackable, impenetrable to any sort of attack.

dragonelite 2084d ago

Nothing is unhackable; the only thing you can do is make it too hard to hack so it's financially or not worth the effort to hack.

ZippyZapper 2084d ago

Xbox Live hasn't been hacked "there's not yet been a breach in Xbox Live's security" <-- reading helps fellas.

Hurry! Go write your 320th blog campaign trying to convince people that Phishing Live accounts = the same thing as PSN hack. N4G Sony kids need it after the past few months they had.

SaffronCurse 2083d ago

OK, I did not mean the service itself, but for some reason I feel that there is more theft, phishing going on in XBL than PSN... A bit strange.

Christopher 2084d ago

***While he maintains there's not yet been a breach in Xbox Live's security***

It's my contention that brute force attacks being successful are signs of a breach in security.

Anyway, glad to see Microsoft actually doing something, but hell if I don't believe they need to greatly improve their Live security. Personal sites have better preventive methods for such attacks than Live.

gamingdroid 2084d ago (Edited 2084d ago)

***It's my contention that brute force attacks being successful are signs of a breach in security.***

That is the first time I have ever heard anyone claim a brute force attack is a breach of security.

I suppose extending that, one could also claim any system with a password that has had even just one unauthorized access has had a breach regardless of how that "breach" occurred....

Neither says much though.

That said, there is an opposition between usability and high security. MS just chose the former.

Christopher 2084d ago (Edited 2084d ago)

***That is a first time I have ever heard anyone claim brute force attack is a breach of security.***

You're kidding me, right? Letting brute force attacks continue in this manner is a sign of weak security protocols, i.e. a breach of said weak security protocols.

Here are the standard and widely used methods in which brute force attempts can be prevented.

- Intrusion Detection/Prevention Systems: installed at various firewall levels. Detects and handles unusual activity from various sources and over a specific amount of time.

- Account login disabled upon multiple failures to log into the system with an e-mail sent to the account holder on this action and a link to unlock the account.

- CAPTCHA enabled after a single, unsuccessful login that is tied to the username/e-mail address on file to require it for all logins until a successful one is made.

Honestly, not having protocols and a system to handle such simple attacks isn't a sign of a weak security system that can be breached? This isn't the 90s.

And none of this is 'high security'.

gamingdroid 2084d ago

It's a weakness of the password system in general.

MS used a CAPTCHA after 8 attempts, which pretty much falls under the category of:

***- CAPTCHA enabled after a single, unsuccessful login that is tied to the username/e-mail address on file to require it for all logins until a successful one is made.***

You must have a very weak password if brute forcing with 8 attempts was a success.

Also, displaying a CAPTCHA after ONE failed attempt is plain disgustingly user UNfriendly.

***Honestly, not having protocols and a system to handle such simple attacks isn't a sign of a weak security system that can be breached? This isn't the 90s.***

In fact, MS's captcha is pretty strong strongest as illustrated by PWNtcha's inability to "guess" the answer unlike many other "weak" captchas:

http://caca.zoy.org/wiki/PW...

Hint: scroll down to the bottom titled "Other captchas and hard captchas"

Christopher 2084d ago (Edited 2084d ago)

***MS used a CAPTCHA after 8 attempts, which pretty much falls under the category of:***

Actually, they failed because what they didn't do is tie the need for CAPTCHA to the username/e-mail. The problem is that the CAPTCHA could be easily avoided by going back to the initial login page and trying 8 more times.

You see, the brute force wasn't just 8 times in a row, it was thousands of 8 times in a row on the same account.

gamingdroid 2084d ago

@cgoodno

You are right!

I didn't realize MS screwed up on the captcha reset. That is an implementation weakness, and I expect more from large corporations like MS.
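
The CAPTCHA reset weakness discussed in the comments above, modelled as an added example that is not part of the original thread and is not Microsoft's code: a failure counter keyed to the login session beside one keyed to the account. The class names, the `unchallenged_failures` helper and the replayed failures are constructed for illustration; the threshold of 8 is the figure quoted in the thread.

```python
from collections import defaultdict

CAPTCHA_THRESHOLD = 8  # failures before a CAPTCHA is demanded (figure quoted in the thread)


class SessionKeyedThrottle:
    """Weak form: the failure count lives with the login-page session,
    so loading the login page again (a new session id) starts at zero."""

    def __init__(self):
        self.failures = defaultdict(int)

    def captcha_required(self, session_id, username):
        return self.failures[session_id] >= CAPTCHA_THRESHOLD

    def record(self, session_id, username, success):
        if success:
            self.failures.pop(session_id, None)
        else:
            self.failures[session_id] += 1


class AccountKeyedThrottle:
    """Hardened form: the count is stored server-side against the normalised
    username, survives new sessions, and clears only on a successful login."""

    def __init__(self):
        self.failures = defaultdict(int)

    def captcha_required(self, session_id, username):
        return self.failures[username.strip().lower()] >= CAPTCHA_THRESHOLD

    def record(self, session_id, username, success):
        key = username.strip().lower()
        if success:
            self.failures.pop(key, None)
        else:
            self.failures[key] += 1


def unchallenged_failures(throttle, username, sessions, tries_per_session):
    """Replay constructed failed logins spread over several sessions and count
    how many were processed without a CAPTCHA being demanded first."""
    unchallenged = 0
    for s in range(sessions):
        for _ in range(tries_per_session):
            if not throttle.captcha_required(f"sess-{s}", username):
                unchallenged += 1
            throttle.record(f"sess-{s}", username, success=False)
    return unchallenged
```

With 1,000 sessions of 8 failures each against one account, the session-keyed counter never demands a CAPTCHA, while the account-keyed counter demands one from the ninth failure onward.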
