trjp

This user has not updated recently.

7 0 24 1
Forum Posts Wiki Points Following Followers

trjp's forum posts

Avatar image for trjp
trjp

7

Forum Posts

0

Wiki Points

1

Followers

Reviews: 0

User Lists: 0

#1  Edited By trjp

@insanejedi said:

So if idiots are driving Toyotas and blaming Toyota for something like failed brakes it's somehow magically Toyota's fault when the facts and studies just show that these people are idiots? The social engineers would have only gotten your secret question if it was true and if you let it out somewhere to someone. If you had a Facebook page where you advertised that your dog name was "bill" or your mom connected you via Facebook and also had other relatives that don't have their last name changed so you got her maiden's name.

Stop being entitled asshats and blaming that it's everyone's problem but your own. The suggestions you give could be some of the most sophisticated encryption and security entry ever, and it won't give two shits if the man behind the computer is a dumbass and gives out his personal information that links to the secret question or just blatantly gives out the password. Worst yet are people who don't even know that they're doing this. Like I said if you have a Facebook page with your mom on it, and your mom links to relatives on her side, you could find out what her maiden's name is as just one example. It's impossible to make anything foolproof because you'll just make better fools.

You realize that they can't simply remotely delete the download from your account. Even if they could would you really want Sony, Nintendo, Steam, MS to have that ability to kill whatever you have from your 360, PS3, or even PC hard drive remotely? A: The money has changed hands from MS to whoever other company which is EA at the moment. B: The download has been made and if there was a policy like that, no one would pay for content ever because they would simply download it, report to MS that they didn't actually buy it, and then keep the DLC on their hard drive.

At the end of the day, so long as the database has not been compromised which I have yet to see evidence of, YOU picked the password, YOU picked the answers to the questions.

You really are a prize idiot - I'm not even sure why I reply to fanbois like you, utterly convinced of something which you know NOTHING about whatsoever.

I know for a 101% solid fact that no-one got my password or secret question from me - that means whoever broke into my account either

a - did so using a brute-force attack (something only Microsoft can prevent)

b - did so via a means which has nothing to do with my password or secret question whatsoever

Even if I'm unique and everyone else is handing out their login details willy-nilly - that means you need to tighten up security MORE - not less.

MS can do MUCH MUCH more to reduce these issues. Requiring additional authorisation before moving accounts between devices (ala Steam's system) - requiring backup authorisation before allowing purchases (just asking for a card's CVC code before authorising a purchase would totally cripple the FIFA Points scam overnight).

They could upgrade login security to use an Authenticator-like code (see Blizzard, Google and most Banks for such systems) which would render phishing completely and totally obsolete (and costs next to nothing as you just release free Apps/desktop tools to do the Authentication)

Why don't MS do these things? My guess is that they think putting any other 'hurdles' in the path of people buying stuff will reduce their income - kids will have to bug parents for the code, adults will have to go find their card and might lose interest and not login - but it would increase security IMMEASURABLY from where it is now.

Given that MS make having a card on your account pretty-much mandatory for most Gold Subscribers (and I'm pretty sure XBLIG developers need to keep payment details up-to-date also) - it's not like most people have a choice about risking their account being hacked and money charged to their account.

The FIFA scam gives hackers a way of making money - so it's not just amusement and vandalism, they're doing this because it's FREE MONEY and thus it will continue until MS do something (or law enforcement gets sick of them doing nothing and starts kicking-in doors)


#2  Edited By trjp

@insanejedi said:

@mythrol said:

You realize you just proved my point right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption, though I wish it was 256, 128 bit is adequate for most security concerns. Chances are, that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

You can keep trolling us with your blind faith - but the fact you keep talking about passwords when most accounts are being compromised via their 'secret question' suggests you've not even bothered finding out about the problem you're blindly defending...

MS even got those 2 floppy-haired-fuckwits to do an in-dash video on how your 'secret question' should have a nonsense answer 'like another password' - I think it's clear they know this is the way into people's accounts (and resetting your password via your secret question does NOT generate an email so you don't know you've been hacked until the money is spent and you get the receipt by email).

End of the day MS are evidently besieged with people having problems and it doesn't matter whose "fault" it is, MS are the only people who can solve it and if they don't they should consider themselves likely for prosecution for aiding and abetting fraud.

Locking XBL accounts to specific devices would be a start (ala Steam's system) - as would putting a proper block on repeated attempts to guess secret questions (at this time it appears there's no limit on that - at least I lost patience trying it) - as would blocking repeated purchases of things like FIFA Gold Packs (better someone loses a few hundred points than thousands). New games should also have a system to verify that an account has a copy of a game they're trying to get DLC for - that will render the whole FIFA scam impossible.

Finally tho - if a customer calls and says they didn't buy some 'actually worthless online currency or digital download' then simply accept this with good grace, delete it from their account and don't fuck them around for months, lying to them and treating them like thieves eh??
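As an added illustration of two controls the post above asks for (a cap on repeated secret-question guesses, and a notification whenever a reset succeeds), here is a Python example that is not code from the post or from Microsoft. The class name, the thresholds and the `notify` callback are assumptions made for the example.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 5            # assumed threshold
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


class RecoveryGuard:
    """Secret-question reset with a guess limit and owner notification."""

    def __init__(self, notify, clock=time.time):
        self._notify = notify    # callback(account, event), e.g. sends an email
        self._clock = clock
        self._answers = {}       # account -> (salt, digest of normalised answer)
        self._failures = {}      # account -> (failed count, locked-until time)

    @staticmethod
    def _digest(salt, answer):
        # Normalise case and whitespace, then store only a slow salted hash.
        norm = " ".join(answer.lower().split()).encode()
        return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

    def enroll(self, account, answer, salt):
        self._answers[account] = (salt, self._digest(salt, answer))

    def attempt_reset(self, account, answer):
        now = self._clock()
        count, locked_until = self._failures.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"      # refuse even a correct answer while locked
        if account not in self._answers:
            return "denied"
        salt, stored = self._answers[account]
        if hmac.compare_digest(stored, self._digest(salt, answer)):
            self._failures.pop(account, None)
            self._notify(account, "password_reset")   # owner always hears of it
            return "reset"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[account] = (0, now + LOCKOUT_SECONDS)
            self._notify(account, "recovery_locked")
            return "locked"
        self._failures[account] = (count, 0.0)
        return "denied"
```

The lockout here is keyed on the account only, so a deployment would also throttle by source to stop someone locking the owner out on purpose.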


#3  Edited By trjp

@Stahlbrand said:

Also, LOL at the guy who said he was 101% sure he'd never been phished. That is the same as saying you're sure you've never been conned.

I can honestly say I've never, ever, ever been caught by any sort of phishing scam for the following reasons

1 - I've worked with networks since before most people knew they existed - I've worked with network security, email and the web for decades - I even wrote anti-phishing browser plugins back when such things were popular - I know how stuff gets done, I know how scams work and phishing is really, really, really obvious to me - I just don't fall for it - ever.

2 - I cannot ever remember receiving an email asking me to login to XBOX Live for any reason anyway - I've had them for PayPal and every Bank/Finance site you can think of but I cannot ever remember seeing one for XBL (and as I said earlier, I don't click on anything in emails - ever - anyway)

3 - I know I've not been phished in this case because they accessed my account using my secret question and I DON'T KNOW WHAT THAT IS - I just hammered the keyboard to make it up - so I cannot possibly have surrendered it to anyone! :)

You (and MS) can keep kidding yourself that this is entirely a "user problem" but I strongly suspect there's more to it and that, sooner or later, you may well find yourself on the wrong end of it.

Meanwhile it must be costing MS a fortune to deal with all the cases - but then they'll be making a fortune from people who don't check their accounts carefully and get scammed and never notice (which, if it transpires this is MS's problem and not just a 'user problem' - makes them a party in fraud surely?)


#4  Edited By trjp

The worrying thing here isn't just that there's clearly a security problem they're ignoring (and have been for at least a year as Googling shows cases going back to at least late 2010) - it's the sheer scale of the problem.

If it's taking MS over a month to deal with each case - how many cases do they have?? I mean I cannot imagine it takes more than a few minutes for someone to look into an account and see what happened, so even if only 1 person were doing it, that's several hundred cases a day (and in reality it's probably 100 times that!?)

If that doesn't tell them they need to tighten-up security - I've no idea what will.

To back this up - just mention XBL accounts being hacked on any gaming forum and you'll find people instantly who've been through this - I don't know all that many people with 360s (hence my disinterest in Gold) but of the dozen-or-so I know, 2 were hacked before me and 3 have been hacked since - that's a fairly high percentage!!

You have to be an idiot to assume this is all down to phishing or social engineering - it's just too widespread. I'm 101% convinced that MS are just fronting - thinking if they say "XBL is a closed and secure system" that it will be believed - but it's clearly far, FAR from that.


#5  Edited By trjp

One thing I should add - when you report that you've been hacked, one of the things they ask for is your console serial number.

In my case, they came back after about 35 days and said I'd given them "the wrong console serial number". Now I only have 1 console - I've only EVER had one - I've never logged-in to another console and when I confirmed the serial number, the guy on the phone said it was "the same as they already had and he couldn't understand what the problem was".

Later, when they concluded that "no fraud had taken place" they said that the transaction had "taken place on my console". If that's the case - why did they initially conclude that I'd given them "the wrong console serial number"?! There's almost no way someone could know my console serial number (nor could I know the hacker's serial number and if I were trying to defraud them - I'd have made one up!?)

I'm pretty convinced that there's a security hole somewhere - one of the things hackers do is buy Zune Points (not MS Points) and I'm wondering why that is?? It suggests that they're not operating the hack from a console directly - or even that the hack exploits a specific security hole which only permits Zune and not normal MS points to be bought!?

I'm 101% sure I've not been phished (I can't even remember receiving an XBL-related scam email) - MS confirmed I've never called to access my account (so no social engineering) and my account has only ever been Silver (so I've never played online). They said that "it appeared my account was reset using my secret question" and I know that wasn't me because I made that some random shit and even I couldn't remember what it was (which means I cannot possibly have told anyone it!!)


#6  Edited By trjp

Microsoft's attitude to the whole issue of XBL security is wrong-headed - they are absolutely convinced the system is 'secure' but all the evidence suggests otherwise. They claim it's only the behaviour of users which is causing a problem but the sheer scale of the problem suggests otherwise (and even if it was, it's up to them to make it more secure anyway surely?)

My account was hacked and I can categorically say that I wasn't phished, I have never shared my password and my 'secret question' was neither a dictionary word nor a logical answer to the question. I know people who've had dormant accounts hacked - that absolutely rules-out password sharing or phishing and points right back to a glaring security hole in the system somewhere.

Worse still, hackers have found a way to make money from breaching people's accounts - by using saved payment details (mandatory for Gold/Developer accounts) to buy FIFA cards which they then transfer to other accounts/turn into coins/points and ultimately sell via eBay (check it or other sites - there's always plenty of stuff for sale).

This has been going on for at least a year - my account was hacked in September and they came back after just under 60 days to say "there was no evidence of fraud" (yeah, I gave away £54's worth of DLC for a game I don't even own!!) My bank had already refunded the money by this time - something MS actually suggested I do anyway "if I wasn't happy with their findings" (does that scream "we know we're wrong but fuck you buddy" or what?)

I have zero desire to be their customer any longer and so the XBOX is boxed and ready for sale (it's that or hack it - I'm not giving them a brass cent any other way) - and I'd STRONGLY remind people that keeping payment details up-to-date on XBL is a bad idea (pay with PayPal and then scrap the account!!) :)