Cathode Tan - Games, Media and Geek Stuff

Thursday, March 22, 2007

Xbox Live "Pretexted" - Not Hacked

Microsoft's Major Nelson says the company has looked into the recent reports and found no evidence of a successful attack on the Xbox Live service itself:

Despite some recent reports and speculation, I want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of the Xbox Live Network or Bungie.net.  There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account.  This is a good time to remind our members that they should never give out any of their personal information.
-- Xbox Live's Major Nelson : Xbox Live Security

As he puts it, it doesn't get much clearer than that. So what are these "isolated incidents"? Social engineering, apparently:

Among a tirade of name-calling, one player threatened to steal his account, the security researcher told SecurityFocus.

Finisterre did not put much store in the threat until the next day, when he found his girlfriend's account--which he had been using the day before--kicked off the system with a message that someone else was using her gamer tag on Microsoft's service, Xbox Live. Finisterre confirmed that he could no longer log onto the service, and a message on the Account Management page indicated that the account had been suspended.

After more than a half dozen calls to the support staff of Xbox Live, which Halo 2 uses to authenticate players, the status of the account is still in limbo.
-- Account pretexters plague Xbox Live

While Nelson warns players against giving out personal information, the problem SecurityFocus describes lies with Microsoft's own support channel, not with the players. Clan Infamous claims to document how to call support, pose as the player who owns the account, and get that player's account information out of the support staff (pretexting, in other words). Telling users to keep their details private does nothing against that: the attacker never needs to talk to the victim at all. Once they have the account, they can essentially go joy-riding online under someone else's gamer tag.

This isn't the worst security problem to have, even if it's a little embarrassing. It doesn't require a firmware update or any change to the service. The fix is procedural: better training for support staff, and far stricter verification of who is actually on the line before any account information is offered up.
