If you’ve been floating around news outlets recently, then you may have heard of Susan Taylor, a woman who became famous when she blogged about her story of being hacked on XBox Live. It’s a wonderful and grim tale of hacking, bad customer service, and poor security. Her story has already ended, but you can read about what she had to go through at the link I provided above.
However, she has now changed her website to display the stories of other hack victims on XBox Live, even providing an e-mail address for people to send their stories to. Intriguing. It seems that Taylor has found the best way to raise Microsoft’s awareness: get the attention of their consumers. Apparently all you have to do to get your account back is blog about it. I don’t remember reading that part in the Terms of Service.
Since Taylor started writing about her story, many outlets have been reporting – from sources – information that might explain how hackers exploit Microsoft’s security to steal your account(s).
Believe it or not, this doesn’t actually deal with XBox Live being hacked, per se. The issue stems from XBox.com’s security. All hackers need are two things: the ability to brute-force passwords, and your Windows Live ID. This is the e-mail address that you registered to your XBox Live account. Jason Coutee – another victim of XBox Live hacking – found the exploit, which I’ll explain in a minute. Hackers can locate your e-mail address with a little Googling, so next time you share your Gamertag and e-mail address in the same place, make a point of removing that information. Don’t assume that posting something like your real name or even your Gamertag is harmless and that nobody will ever exploit it. You’d be surprised how resourceful hackers can be.
Now that hackers have your e-mail address, what’s next? Go to XBox.com and start putting in fake passwords. First, they need to find out whether your e-mail address is valid, and XBox.com has that covered: it literally tells you when the ID is invalid. Once they hit a registered address, the message changes to “The e-mail address or password is incorrect. Please try again.” By that point, you can be fairly sure the e-mail address is perfectly valid…
I mentioned brute forcing earlier, and that’s exactly what these hackers do. A script kiddie could pull this off. All the script needs is a list of candidate passwords, and this is easy to fetch thanks to Google – or no thanks to the victim. The website allows up to eight attempts before slapping you with a CAPTCHA (only eight? Gee Microsoft, nobody is hacking your multiplayer). Hell, Microsoft is more than happy to give you a way around that, too! When the CAPTCHA shows up, the hacker clicks a link saying “Try with another Live ID.” Obviously they don’t actually use another ID; they re-enter the same one and the eight-attempt count starts over. This process is so open to abuse that any skilled hacker or resourceful script kiddie (someone who doesn’t write their own hacking programs) can simply automate it: eight attempts, click the link, re-enter the e-mail address, repeat. You don’t even need to be at the computer to pull it off.
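The two server-side mistakes described above (a login page that answers differently for unknown and known addresses, and an attempt counter that lives in the web form instead of with the account) are easiest to see next to their fix. The simulation below is an added example written for this post; it is not Microsoft’s code, and the user store, e-mail address, and class names are constructed for illustration. `LeakyLogin` reproduces the behaviour the post describes; `HardenedLogin` returns one uniform error, keeps the failure count keyed by the target account so that “Try with another Live ID” has nothing to reset, and stops answering after 20 failures.

```python
import hmac

# Constructed user store for the example. A real system stores a password
# hash, never the password itself; plain strings keep the demo short.
USERS = {"alice@example.com": "correct horse battery staple"}
DUMMY_SECRET = "x" * 32  # compared against when the address is unknown

GENERIC_ERROR = "The e-mail address or password is incorrect. Please try again."


class LeakyLogin:
    """The behaviour described in the post: distinct messages for unknown
    and known addresses, and a counter that the 'Try with another Live ID'
    link throws away."""
    CAPTCHA_AFTER = 8

    def __init__(self):
        self.form_failures = 0  # lives with the form, not with the account

    def try_another_id(self):
        self.form_failures = 0  # a fresh form means a fresh eight attempts

    def login(self, email, password):
        if self.form_failures >= self.CAPTCHA_AFTER:
            return "CAPTCHA_REQUIRED"
        if email not in USERS:
            self.form_failures += 1
            return "INVALID_ID"  # confirms the address is not registered
        if USERS[email] != password:
            self.form_failures += 1
            return GENERIC_ERROR  # confirms the address *is* registered
        self.form_failures = 0
        return "OK"


class HardenedLogin:
    """Failure state is stored server-side, keyed by the account being
    targeted, so re-submitting the form cannot reset it. Unknown and known
    addresses get the same answer on every path."""
    CAPTCHA_AFTER = 8    # CAPTCHA kicks in here ...
    LOCK_AFTER = 20      # ... and the account stops answering here
    LOCK_SECONDS = 900

    def __init__(self, clock):
        self.clock = clock        # injected so the test can control time
        self.failures = {}        # email -> consecutive failures
        self.locked_until = {}    # email -> monotonic timestamp

    def try_another_id(self):
        pass  # nothing to reset: state belongs to the account, not the form

    def login(self, email, password, captcha_ok=False):
        now = self.clock()
        if self.locked_until.get(email, 0) > now:
            return "LOCKED"
        n = self.failures.get(email, 0)
        if n >= self.CAPTCHA_AFTER and not captcha_ok:
            return "CAPTCHA_REQUIRED"
        stored = USERS.get(email)
        # Always perform a comparison so an unknown address costs the same
        # time as a wrong password; only the uniform message goes back.
        matched = hmac.compare_digest(stored or DUMMY_SECRET, password)
        if stored is None or not matched:
            n += 1
            self.failures[email] = n
            if n >= self.LOCK_AFTER:
                self.locked_until[email] = now + self.LOCK_SECONDS
            return GENERIC_ERROR
        self.failures.pop(email, None)
        return "OK"


def demo():
    """Shows the leaky counter resetting and the hardened one refusing to."""
    leaky = LeakyLogin()
    for _ in range(8):
        leaky.login("alice@example.com", "wrong")
    before = leaky.login("alice@example.com", "wrong")
    leaky.try_another_id()
    after = leaky.login("alice@example.com", "wrong")

    hardened = HardenedLogin(clock=lambda: 1000.0)
    for _ in range(8):
        hardened.login("alice@example.com", "wrong")
    hardened.try_another_id()
    still_blocked = hardened.login("alice@example.com", "wrong")
    return {"leaky_before": before, "leaky_after_reset": after,
            "hardened_after_reset": still_blocked}


if __name__ == "__main__":
    print(demo())
```

The account-keyed lock is deliberately simple; in production it is paired with a per-source-address limit and a progressive delay, because a lock keyed only by account lets anyone who knows your address lock you out, which is its own kind of attack.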
Now that your account has been compromised, hackers will use it to buy Microsoft Points, grab your Netflix and Hulu Plus information, or even change your Gamertag and the e-mail address linked to it and sell it. Then, as if that wasn’t bad enough, hackers have the option of purchasing an XBox Live Gold Family Pack. In other words, they can add another three Gamertags to this bundle and transfer Microsoft Points or 12-month Gold subscriptions to them. Hackers exploit this to sell accounts that already have Microsoft Points on them, all at your expense. This is what happened to Susan Taylor, and it may happen to you.
This issue has been rather lazily solved by Microsoft, however: they’ve adjusted the server so that it stops responding to log-in attempts after about 20 failures. While this will slow down brute forcers, it reads more as a begrudging attempt by Microsoft to make Jason Coutee and the other “victims” of brute forcing look wrong. They didn’t even issue a press release or mention their mistake.
Having shed light on this issue, I sincerely hope that Microsoft will stop making its customers suffer because they’re too lazy to build a security measure sturdier than a pillow fort. Quietly adding a deniable change to your website’s security is a step in the right direction, but it still isn’t good enough for me. However, if you’re up to it, you can do what Microsoft should be doing and make your account more secure yourself.
First of all, do not link your XBox Live account to your bank or PayPal. If you like purchasing Microsoft Points or content from the XBox Live Marketplace, the convenience is tempting. However, it goes without saying that buying prepaid cards is much more secure. Depending on the state you live in, this may come with sales tax, but if you have to pay a few cents on the dollar to stay safe, I think that’s more than a fair trade-off. Microsoft offers some services that can only be purchased by surrendering credit or debit card information, like the aforementioned Family Pack. I would recommend buying a prepaid gift card from Visa or MasterCard and using that instead. Use PayPal only as a last resort, and never link your bank account to it. Keep in mind that Microsoft keeps this old payment information on file.
Second, beware of how much information you share on the internet. Old information you left on little-visited websites may be buried deep in Google’s results, but that won’t stop a determined hacker; they are as dangerous as they are motivated. Facebook, MySpace, and Twitter are popular places to grab information from. Even something like your full name can be exploited. Certain information is obviously more sensitive than other information, but before you post your full name and Gamertag in the same place, think about what would happen if a hacker called tech support and used your name. If Microsoft’s lazy security protocols haven’t already ticked you off, then you should probably hang onto your info tightly.
Finally, passwords are an important step. Many people use the same password for several accounts, and some people use multiple passwords for various accounts and write them down. Be careful about using one password in multiple places: it does make it easier to remember, but hackers won’t always attack you at the same place. For example, if your uPlay (more like uPay) account shares a password with your XBox Live account, that’s two fronts hackers can attack you from. It should go without saying that the more you expose yourself, the more likely you are to catch a hacker’s eye. Using multiple passwords is a good plan, but you may have difficulty remembering them. Something you should do regardless of whether or not your accounts share a password (sometimes they can’t, because certain websites don’t allow extended characters or symbols) is change your password every few months. Many people have learned that mixing symbols, numbers, and upper- and lower-case letters makes a password more secure. But this is only true to an extent. What really makes a password secure is its length, because every extra character multiplies the number of guesses a brute-force process has to make.
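The claim that length beats character mix is worth putting numbers on. The script below is an added example, not part of the original post; it estimates a password’s guessing space the way a dumb brute-force process would see it (every character drawn from the classes the password actually uses) and converts that into time at a constructed, illustrative guess rate. The sample passwords are made up for the comparison.

```python
import math
import string

# Character classes a naive brute forcer has to cover, and their sizes.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32
}


def charset_size(password):
    """Alphabet size the attacker must assume, given the classes present."""
    size = 0
    for members, n in CLASSES.values():
        if any(ch in members for ch in password):
            size += n
    # Anything outside the four classes (spaces, non-ASCII) widens the set.
    if any(all(ch not in m for m, _ in CLASSES.values()) for ch in password):
        size += 1
    return size


def bits_for(length, alphabet):
    """log2 of the number of strings of this length over this alphabet."""
    return length * math.log2(alphabet)


def search_space_bits(password):
    return bits_for(len(password), charset_size(password))


def expected_seconds(bits, guesses_per_second):
    """On average the right guess turns up halfway through the space."""
    return (2 ** bits / 2) / guesses_per_second


def compare(short_mixed, long_simple, guesses_per_second=1e9):
    """Return which password a brute-force process takes longer to find."""
    a = search_space_bits(short_mixed)
    b = search_space_bits(long_simple)
    return {
        short_mixed: (round(a, 1), expected_seconds(a, guesses_per_second)),
        long_simple: (round(b, 1), expected_seconds(b, guesses_per_second)),
        "stronger": short_mixed if a > b else long_simple,
    }


if __name__ == "__main__":
    # Constructed examples: 11 characters from all four classes versus
    # 25 lowercase letters. The 1e9 guesses/second rate is illustrative.
    for k, v in compare("Tr0ub4d0r&3", "correcthorsebatterystaple").items():
        print(k, v)
```

The arithmetic is the whole point: eleven characters from a 94-symbol alphabet give roughly 72 bits, while twenty-five lowercase letters give about 117 bits, so the plain-but-long password costs a guesser around 2^45 times more work even though it uses no symbols at all. An online attack like the one in this post is far slower than the offline rate assumed here, which is exactly why the server-side lockout matters as much as the password.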
The best thing you can do is never share too much information for too long, and always keep secure information secure. For example, if you have a security question and the answer is already somewhere on the internet, you can almost guarantee that a hacker who comes after you will find it. On the other hand, you might want to keep this security question and answer in case you need to reset your password. So if you can easily remember your password, then it’s up to you whether you want to fill in the answer with a bunch of gibberish.