Windows Live login suggested as Xbox Live security flaw

by Alexander Sliwinski on Jan 13th 2012 11:50AM

Since reporting on the "FIFA hack" and related security concerns with Xbox Live and the Windows Live ID system, we've received stories, documentation and theories on how this is happening from dozens of victims. As we continue to follow up on several leads, Analoghype posits an interesting theory on how some of these breaches may be occurring.

AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. Going to Xbox.com, the hacker can now test if the email is a valid ID by attempting to sign in. An error message of "account is invalid" has them moving on to another email; "password is incorrect" means they've got a real account, but a bad password.

Now, according to the theory, the hackers start batch running potential passwords: "Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for "try with another Live ID." Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker."

Of course, once they are in, the hacker has access to all your account details and associated credit cards, PayPal and Microsoft Points.

Mircrosoft told us recently that the Windows Live ID has not been compromised and the FIFA hack, along with other similar incidents, are cases of social engineering or phishing. We continue to recommend changing -- and not publicly posting -- account details.

Source: AnalogHype

Tags: fifa-hack, hack, microsoft, security, windows-live-id, xbox, xbox-live

Reader Comments (96)

I been trying to find out how to remove my credit card since on my xbox as i dont use it as much anymore but microsoft really wants to keep it

@Kibbles XIII

Some people in comments in other articles have said you can just change it by adding a fake CC number.

@Kibbles XIII

You have to do it through the website iirc. It's a real pain in the ass to remove it.

@Kibbles XIII

There is no way to remove it if it's your only pay type.

Conversely, the Wii Shop has no way of storing your credit card information and you must enter it every single time for every single purchase. Coincidentally, Nintendo is not currently being hacked and dealing with the issues Microsoft and Sony has and have been dealing with recently.

@Kibbles XIII I've successfully removed my credit card by calling Xbox Live tech support and asking them to do it.

@Co
That's weird, because I just removed my only VISA card information from the Xbox Home dashboard's account settings. Granted, I had auto-renewal of XBOX LIVE turned off prior to the recent update; but I thought that was enough to remove it. I guess I'll check Xbox.com and their Customer Service phone line to ensure it's completely removed.

As commented before, it's Microsoft/Sony/Nintendo points & subscription cards for me from now on; rather than my personal VISA card usage.

@Kibbles XIII

Have you tried performing a hard reset?

@Co

Coincidentally, you're a dumbass.

Anyways, if you do have credit card info on your XBL account, just change your expiration and security code to something else. Or, to delete your CC info, change your expiration to the following month, wait until it shows expired, then delete. Kind of a pain, but it works.

@foxhound

its because they give you that "this credit card is currently in use by this account" and you cant turn auto renewall of with out calling them and jumping through their hoops but since you already had it off it let you remove it.

@Kibbles XIII
So I see. Mind you, I was wondering why so many people claimed they had difficulty removing their credit/debit card from X360/PS3, and yet I deleted any and all cards listed from my Xbox360 in less than 5 minutes.
As a side note-- the only reason why I didn't bother with auto-renewal, is because I may have that money planned for other, more important expenses at the time.

@Co

Umm the reason Wii Shop accounts aren't being targeted is because there is barely anything worth buying. Even if it stored cc info it still wouldn't be targeted because there aren't thousands of people willing to pay actual money for someones Wii account access.

@Co
lololol what an awesome Nintentroll. This gaming platform is archeic and doesn't offer all the benefits of social gaming ease as the other two. It doesn't have all the problems you mentioned, it also doesn't have any games unless you want to play 2 really good Kirby games and 1.5 good mario games but those don't go online anyway. Here, have a Wii Fit board.

@Kibbles XIII

I had to call customer service and ask them to remove my CC from my Xbox Live account. It took but a few minutes and was pretty easy. That would probably be your best choice.

@Zoot Suit Jedi Grammar Hammer En Say hello to Meme of the year 2012

@Kibbles XIII
You have to call Microsoft support in order to remove the credit card info.

@Kibbles XIII
Just call Microsoft, they will do it for you and reimburse you for any gold attached to the card.

@Kibbles XIII - You cannot remove it if it was under an active subscription, but you can edit the card expiration date and security code so that charges shouldn't go through.

@foxhound Exactly what I did without issue. Good point on following up with support to make sure CC was fully removed. I've never turned on auto-renew and I guess for that I'm lucky now.

Points cards and Xbox Live Gold cards are the way to go for game and subscription renewals.

Since a WP7 and Zune also use Live ID, and need real $$, best thing is to buy a $25 or $50 VISA gift card to use that for music or phone game purchases too.

@foxhound
Removing your credit card info from the PS3 is really easy.

Alternatively, you can also remove your CC info from the Sony Entertainment Network website.

Turning off the PS+ auto-renew thing is also pretty easy on the PS3:
PS Network ==> Account Management ==> Transaction Management ==> Services ==> PS+

The nice thing about PS+ is that turning off the auto-renew basically means that I the PS+ subscription continues until its expiration date. Also, it only asks you ONCE to confirm your decision to turn off auto-renew.

@Co:
Nintendo had their website hacked by LulzSec. Given enough motivation, they could easily trash the site and its whole account and CC processing system.

@Kibbles XIII

I had auto-renewal off and also was unable to remove my only CC number on my account.

I called Xbox Live Support to remove my credit card and tech guy said he can, but he'll have to cancel my xbox live gold subscription first to do it. After it's canceled, he said I can enter the codes he emailed me for xbox live gold to add back up to the number of months I had left on my subscription (19 1/2 months).

He emailed 5 codes, one for 12 months, 2 for 3 months, and 2 for 1 month of XBL gold. Entered them on xbox.com without a problem, and it actually added 2 weeks extra since I was in the middle of a month's subscription.

No problems, very easy, but ridiculous you can't do it online to start with.

@Kibbles XIII
Get yourself a new credit card. Tell the bank you lost it and want a new number. Then just use paypal for all transactions on xbox live. That's the way I do it. I have never had problems with pay pal. They always got me back my money when some one scammed me on Ebay.

@Kibbles XIII

I removed my credit card info by going to the website and selecting "My Account" in the upper right corner, turning off automatic renewal, then going to "Manage Payment Options" and removing my credit card. It was easy... Took like, 10 seconds. I don't know why people are still having trouble.

@MrClickerson

I just tried that then and i was able to turn off automatic renewall but not remove the credit card (i think i can only do that when im back to silver) but i think the problem that i and other people had was that awhile ago they changed it so credit card infomation could only be changed through calling them.

@Kibbles XIII

I did this... The day before yesterday, I believe, maybe 3 days ago... I don't believe I've actually purchased XBL Gold membership with it, but it did have automatic renewal on, and I removed it through the steps I mentioned. If that doesn't work for you, then that's pretty weird.

Interesting. There seems to be two serious problems with that system. Simply making the error for an invalid ID "password is incorrect" seems like it could stop a lot of this. After that the captcha code thing is nonsense. Captcha after 3 failed attempts. Locked and need to call support (or locked for 24 hours) after 10. Problem solved.

@Tonezorz
First off: You're right, there IS something wrong with that.

Then again I don't know if it would be as simple as changing the error message. Even if the message on your screen is the same the server might still reply differently. Although why exactly they differentiate between the two in the first place is beyond me.

Also if you had to call support or were locked for that long for typing in the wrong password too often, everybody who knows your email could lock you out of your account whenever they feel like it.

@Tonezorz
I think they should just lock you out completely after a few attempts and at that point need security questions, call a number, alternate email, something.

It's gonna get harder for them to deny being compromised when it'll happen a few dozen more times.

@ColorblindMonk xbox live is as compromised as any other place where they know your login credentials.

The most they can do is always say the login is invalid unless you have a correct e-mail and password combo.

Other than that nothing's going to save you if someone knows your e-mail and your password unless microsoft implements an extra layer of security like an authenticator like the one google and blizzard have.

Gah, this seems like a common sense security thing. Most login screens / pages will not specify whether you got the ID wrong or the password wrong. They just present a generic "login failed"-type message.

If this really is what's going on, though, people need to start using better passwords.

@moro

oh, this goes way beyond a common sense thing, trust me. it is an industry standard and practice to not specify which field is wrong simply for this reason. shame on you MicroSoft. for someone who tries to create those standards, you sure don't follow them very well.

@moro

Common sense thing.....so you mean my password of password is not a good idea?

@Mal F4cti0n

If I'm reading the post correctly, even the best "strong" password isn't going to work here. So long as they have 2 live accounts they know are real, they can keep switching between them every 8th failure and Live Login won't care or remember that, hey, this IP has been trying to log in and failed 100+ times in the past 2 min. With no time period for lock out, and the ability to reset the counter without human intervention, scripts could brute force there way past any password.

It's not a question of IF they can, its WHEN they will.

makes you wonder how bad the passwords are of the people who got their account information stolen. Brute force on a case sensitive password containing symbols is going to take forever. Sure they could be using a password dictionary and can probably get into some accounts that way but surely there is some sort of monitoring/logging in place for failed logins. I'm thinking there might be some other underlying security flaw that we haven't been told about.

Hacker groups will have a list of emails and passwords they got from phishing facebook or keylogging, it is very unlikely that they are doing "brute force" to crack the passwords and are instead just seeing who has a gamertag from the lists of emails they have passwords to.

@C1 Also, because it can reset the amount before the CAPTCHA, the entire process could be very easily automated. Running through a massive list of common passwords or just running through all combinations for so many digits of a password (6-10). The biggest thing Microsoft needs to fix is the ability to turn off the CAPTCHA with that little trick. Which would be a very easy verification of input loop and making sure the variable for the number of tries is shared between pages. Hopefully stored for 24 hours (linked to the log-in ID) somewhere Microsoft side of things.

@(Unverified)

There still should be some process that locks an account out after X tries

@C1

May I direct you to this: http://www.xkcd.com/936/

Having a strong password isn't anything like what everyone seems to think it is. Capital letters and symbols may have been good password theft deterrents for over-the-shoulder password stealing, but sheer length is the only thing that stands a chance against brute-forcing.

i actually just got off the phone with ms like an hour ago. i noticed that someone played fifa on my live id on 12/27 and spent 800 or so ms points buying DLC. apparently, they need to suspend my live account for 15 days to resolve this? lol

@(Unverified) 15 days if you're lucky. I had to wait three months for them to get me my account and points back.

@(Unverified) Is/was you xbox live password the same as either of the following; facebook, ea, sony, myspace?

Basically did you use the same password as another site?

Such a good security system...

Yeah, I quite upset when they kept asking me if I'd given my password to a friend or put it up on a website. I asked if they were serious?! I was hacked, and I hadn't even played a multiplayer game in about a month; I was playing Dragon Age at the time. I'm also not an idiot, and I don't click links, or answer phishing questions. There's a security flaw somewhere that they were able to get my info, and this looks like a good culprit.

@Divo366

Were you using the same password for your EA account as you Win Live account? That could have been an "in" there.

@baby sea tuna as an xbox live user of EA games you HAVE to have the same info for palying EA games its what makes playing EA games on xbox live seamless....so that you dont have two different gamertags one for xbox and one for EA like on PSN

@Protege420

You dont have to have the same password though. My EA password is different from my Live password.

@R Planteer

As is mine. I was just trying to deduce possible causes.

@Divo366 Your password being brute forced isn't a flaw.

What a surprise So once again, it's user error. I can't tell if it's a good thing that people are so trusting onlne, or if it's a bad thing cuz they're so naive.

@FlashJS How is that a user error?

| 1 | 2 | Most Recent | Next 50 Comments

Sorry, you must be logged in to leave a comment.

Breaking News

The most popular posts
in the last 7 days

Rumor: Japanese Vita devs jumping ship, Sony responds 124 comments
Buy 2 get 1 free on select Vita games at GameStop starting today 114 comments
Sony's Rohde: proprietary Vita cards 'completely necessary' to combat piracy 112 comments
Sony: Call of Duty blasting onto Vita this fall 89 comments
Asura's Wrath review: Wrecking the curve 84 comments

Windows Live login suggested as Xbox Live security flaw

Reader Comments (96)

Posted: Jan 13th 2012 11:57AM Kibbles XIII said

Posted: Jan 13th 2012 12:02PM Styli said

Posted: Jan 13th 2012 12:06PM Faceless Troll said

Posted: Jan 13th 2012 12:11PM Co said

Posted: Jan 13th 2012 12:18PM tabicat said

Posted: Jan 13th 2012 12:39PM foxhound said

Posted: Jan 13th 2012 12:42PM Zoot Suit Jedi Grammar Hammer En said

Posted: Jan 13th 2012 12:50PM Captain Planet Planeteer Power said

Posted: Jan 13th 2012 12:50PM Kibbles XIII said

Posted: Jan 13th 2012 1:04PM foxhound said

Posted: Jan 13th 2012 1:12PM Johnnynumber5 is powered by cell said

Posted: Jan 13th 2012 1:29PM MuneBeam said

Posted: Jan 13th 2012 2:16PM Stevetrop Man of Mystery said

Posted: Jan 13th 2012 2:19PM Deathmore said

Posted: Jan 13th 2012 2:48PM huffhuffhuff said

Posted: Jan 13th 2012 3:44PM iceytoa1 said

Posted: Jan 13th 2012 4:58PM Fearmonkey said

Posted: Jan 13th 2012 4:35PM pyr0 said

Posted: Jan 13th 2012 8:08PM mahouneko said

Posted: Jan 13th 2012 8:37PM ravissimo said

Posted: Jan 14th 2012 1:48AM IQ Review said

Posted: Jan 14th 2012 5:39AM MrClickerson said

Posted: Jan 14th 2012 6:47AM Kibbles XIII said

Posted: Jan 14th 2012 8:24AM MrClickerson said

Posted: Jan 13th 2012 11:59AM Tonezorz said

Posted: Jan 13th 2012 2:50PM sparkster said

Posted: Jan 13th 2012 6:24PM DarkNightRJ said

Posted: Jan 13th 2012 12:00PM ColorblindMonk said

Posted: Jan 13th 2012 12:22PM paperless said

Posted: Jan 13th 2012 12:02PM moro said

Posted: Jan 13th 2012 12:38PM LexStewther said

Posted: Jan 13th 2012 2:08PM Mal F4cti0n said

Posted: Jan 14th 2012 4:37AM GCountach said

Posted: Jan 13th 2012 12:03PM C1 said

Posted: Jan 13th 2012 12:36PM singleandlovinit said

Posted: Jan 13th 2012 2:42PM (Unverified) said

Posted: Jan 13th 2012 4:12PM C1 said

Posted: Jan 13th 2012 4:36PM Gendreavus said

Posted: Jan 13th 2012 12:03PM (Unverified) said

Posted: Jan 13th 2012 1:10PM ATimson said

Posted: Jan 13th 2012 7:30PM pensuhl said

Posted: Jan 13th 2012 12:05PM Ospov said

Posted: Jan 13th 2012 12:05PM Divo366 said

Posted: Jan 13th 2012 12:37PM baby sea tuna said

Posted: Jan 13th 2012 12:45PM Protege420 said

Posted: Jan 13th 2012 1:10PM R Planteer said

Posted: Jan 13th 2012 1:23PM baby sea tuna said

Posted: Jan 13th 2012 3:03PM TheTorch said

Posted: Jan 13th 2012 12:08PM FlashJS said

Posted: Jan 13th 2012 6:33PM (Unverified) said

Info

Description

MSRP

Release Date

Genre

Developer

Publisher

Rating

Breaking News

Amnesia: A Machine for Pigs is the next title from Frictional Games and Dear Esther dev

Featured Stories

Building A Machine for Pigs and expanding the universe of Amnesia

Persona 3, Tactics Ogre, and other PSP RPGs that will live on my Vita

Tekken 3D Prime Edition review: Far from prime edition

The most popular postsin the last 7 days

Engadget

TUAW

Massively

WoW

The most popular posts
in the last 7 days