Xbox Live security foiled by smooth talkers, not hackers
Do not be alarmed, maniacally typing hackers have not invaded, penetrated or otherwise violated the Bungie.net or Xbox Live networks. This was the message delivered by Microsoft's Major Nelson earlier this week after reports indicated that Xbox Live user information had fallen into the wrong and noticeably greasy hands. However, it seems the firewalls and encryption routines provided by computers are doing a much better job than those organic meatbags that operate the Xbox support call center.
Major Nelson writes in his latest post that some Xbox Live accounts may have already been compromised thanks to phonies phoning in and extracting sensitive information via the use of pretexting -- the invention of a scenario that fools the operator into divulging your precious data. "There's no other way to say it; this situation shouldn't have happened. Our customers deserve better." The Major promises that support staff will be better trained and be made aware of such "social engineering" attempts.
While the transparency is appreciated, it's alarming to think that Xbox Live security is succumbing to one of the oldest tricks in what's, by now, a rather pig-eared book.
Reader Comments (Page 1 of 1)
Scott @ Mar 23rd 2007 10:31PM
The person on the end of 18004MYXBOX is not her.
Lewis @ Mar 23rd 2007 10:45PM
WEAK.
LaughingTarget @ Mar 23rd 2007 10:50PM
Not surprising. The #1 method "hackers" use to get into secure systems is to call as an IT person and ask. You'd be amazed how many people just up and give away user names and passwords when you say "Code Red Computer Emergency".
BloodyDuck @ Mar 24th 2007 10:58AM
I wonder whether they were as unsuccessful at this as Microsoft says. I got a Citigroup call earlier today indicating that someone stole my credit card information and used it to make purchases in England yesterday... the information is no doubt in other places besides my Live account, but the timing makes me wonder...
-Geoff
http://www.alinktothefuture.com
Brandon @ Mar 23rd 2007 11:14PM
Actually, laughingtarget, they would call the end users first to extract data from them... People who know nothing about it are more likely to believe that you are telling the truth. Most IT people know something about social engineering.
m ike @ Mar 23rd 2007 11:20PM
It's quite simple. They call, give them their gamertag and say they forgot what their .net email address is. The untrained service center operators would give them that info.
The policy should be "too bad you forgot your e-mail," and that's how it will be. Basically this was a loophole in security. With any other service you call and say you forgot private info, they usually have a security question or just refuse you the info.
With that said, I had all the info for my wife and the cable company would not help me because my name was not on the account. Why, I dunno, but she set it up when we moved. I had to have her call them from work and put me on the account. I then stated to the lady that I could have had anyone call and say they were my wife, and she got quiet.
So there are loopholes everywhere, especially if you know some of the info already. But that's just life. This case should not have happened because MS should not be giving out any info. If you forgot your .net email and password, you're out 50 bucks, too bad.
Acceptable Risk @ Mar 23rd 2007 11:35PM
Social engineering is hacking. It's the most effective and reliable method for gaining access to restricted systems. That's what hacking is all about.
Matt B @ Mar 23rd 2007 11:44PM
Actually, the CSR that you talk to really has no respect for you, because you are bitching that your video games don't work to a person who is trying to make a living listening to your complaints.
Face it, you are pissed off even before your call and you want heads to roll (cause you think you are the center of the universe).
So they will buy any excuse to get your piece of crap attitude off the phone.
Sounds pretty easy to me to impersonate a 15 year old.
dark @ Mar 24th 2007 12:17AM
That's why.......I say..........@#$% it!
LaughingTarget @ Mar 24th 2007 12:23AM
That is why I said call *AS* one, not call an IT person. Being IT and using those words are magic.
Matt @ Mar 24th 2007 2:38AM
Goldang, she's a hottie!
ssuk @ Mar 24th 2007 8:06AM
10: She's a model, so yeah... Illustrating a 'glamorous' side of this industry. Unfortunately, call centres have ME to deal with, lord help them.
Ben @ Mar 24th 2007 5:13PM
Or of course, it wasn't your bank phoning but someone pretending to be them to extract personal information from you ;)
Social Engineering is commonplace and it's the biggest organisations that are the most vulnerable. To be honest it's good to see Microsoft (or at least parts of it) be open and honest about this, it shows they're likely to actually do something about it.
http://gamenian.blogspot.com/