Is Xbox support staff helping hackers hijack accounts?
- March 23, 2007 00:00 AM PST
Although the caller wasn't able to collect enough information to hijack the gamertag, the recording demonstrated the tactic that one Xbox Live hacking group uses. The Web site of the "Infamous" clan -- a group of Halo players who have crowed about hijacking accounts of other players -- boasts how easy it is to dupe the service's support staff.
"How do we get your information? It's easy... you call [and] pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah. You might get one little piece of information per call, but then you keep calling and keep calling, every time getting a little more information. Once you have enough information you can get the password on the Windows Live ID reset. They may tell you they can't, but it's bull s***. People at Bungie CAN and WILL reset your password."
The site, which was online as recently as Wednesday, was offline Thursday.
The technique laid out by the Infamous team is similar to the process used by pretexters, who came to national attention last year during the Hewlett-Packard Co. boardroom scandal. Then, HP had hired investigators to track down a media leak; the private investigators, in turn, contracted pretexters to obtain phone records of board members and journalists.
When the Xbox Live user stories were related to him, Kevin Finisterre's reaction was swift: "It's not us that has the problem giving up info, it is their employees," he wrote in an e-mail. "Clan Infamous clearly said that on their Web page."
The ease with which fraudsters can worm information out of Xbox Live support has implications beyond gamers, especially if the service draws even more users in May, when it launches Games for Windows -- Live. That service, which will combine Windows PC gamers with those running Xbox, will debut with the Vista version of Halo 2.
"Think of it this way," said Finisterre in a follow-up e-mail. "Single sign on, single point of compromise. With access to people's services, leveraging that into system access can be trivial. Maybe I break into your girlfriend's e-mail account and send you a Trojan horse from her claiming to be a funny picture or something.
"Some folks are creative."