Xbox Live fraud: Xbox.com security secretly tightened - report

Brute-force entry no longer as easy.

Microsoft may have already tightened security on Xbox.com - the website blamed for allowing brute-force entry to Xbox Live accounts.

Jason Coutee, the IT consultant who revealed the weak underbelly of Xbox.com, informed Eurogamer yesterday that something had changed.

"Shortly after IGN posted the Microsoft response (on Friday), the server over at Xbox.com started handling the brute force script differently," Coutee told us.

"Good news is that at least they lengthened the time it would take to brute-force Live IDs."

Jason Coutee, IT consultant that uncovered Xbox.com weakness

"Before, it would just let you try over and over. But now it seems that, even though I'm still able to use the link to get past the CAPTCHA, they handle the sign-in request on the server in a way that it will stop replying after about 20 attempts.

"To me, this seems like they tightened security but didn't make any noticeable changes on the front-end so they could discredit me.

"Good news," he added, "is that at least they lengthened the time it would take to brute-force Live IDs."

Microsoft shared the statement - issued at the weekend - with Eurogamer this morning.

"The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," the company declared.

"Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it.

"We continue to evolve our security features and processes to ensure Xbox Live customers' information is secure.

"Online fraud and identity theft are industry-wide problems and, as such, people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable."

"This is not a loophole in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."

Microsoft

Microsoft pointed to the "Xbox Live Account Security" article as a helpful resource.

Microsoft also reiterated its position that the break-ins are not the result of a loophole specific to Xbox.com.

"This is not a loophole in Xbox.com," the company said. "The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."

Last week, Eurogamer helped expose the brute-force method being used to access - and subsequently fraudulently use - Xbox Live accounts. It boiled down to being able to try Windows Live ID passwords on Xbox.com an unlimited number of times, with a link that let the script skip the CAPTCHA meant to stop exactly that. A script to automate this procedure is apparently simple to produce and readily available online.

The issue of Xbox Live accounts being fraudulently used stretches back to last autumn and to FIFA 12 - the game fraudsters were buying and reselling FIFA Ultimate Team content for.

How widespread the issue is remains hard to gauge; each time we publish a story, another half-a-dozen victims get in touch and share their story (please keep doing so, incidentally).
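The weakness the article describes, as an added simulation in Python. This is illustrative code, not Xbox.com's or Microsoft's; the thresholds, the account name and the wordlist are assumptions constructed for the demo. It places a sign-in whose CAPTCHA gate exists only on the front-end path and can be skipped through a second entry point (the way Coutee's "link" skips it) next to a sign-in that applies sliding-window limits on the server for every path, answers a wrong password and an unknown account identically, and lets the cooldown expire instead of locking the account for good.

```python
"""Simulation of the weakness described above: a sign-in whose CAPTCHA gate can be
skipped via a second entry point, beside one that throttles server-side on every
path. Illustrative code, not Xbox.com's; every threshold is an assumption."""
import hashlib, hmac, os
from collections import defaultdict, deque

CAPTCHA_AFTER = 8      # assumed: failures before the front end demands a CAPTCHA
MAX_FAILURES = 20      # assumed: failures per account per window before throttling
SOURCE_BUDGET = 60     # assumed: attempts per source address per window
WINDOW = 600           # seconds

def hash_pw(password, salt):
    # PBKDF2 with a low iteration count so the demo runs quickly; use far more in production
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Accounts:
    """Salted password store; verify() does the same work whether or not the name exists."""
    def __init__(self, users):
        self.db = {n: (s, hash_pw(p, s)) for n, p in users.items() for s in [os.urandom(16)]}

    def verify(self, name, pw):
        salt, digest = self.db.get(name, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(digest, hash_pw(pw, salt))
        return ok and name in self.db

class WeakLogin:
    """CAPTCHA enforced only on the front-end path; the counter is ignored elsewhere."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = defaultdict(int)

    def login(self, user, pw, captcha_solved=False):
        if self.failures[user] >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        return self._check(user, pw)

    def login_via_link(self, user, pw):
        return self._check(user, pw)   # second entry point ("the link") with no CAPTCHA gate

    def _check(self, user, pw):
        if user not in self.accounts.db:
            return "no_such_account"   # distinct answer lets an attacker confirm valid names
        if self.accounts.verify(user, pw):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "bad_password"

def prune(window, now):
    while window and now - window[0] > WINDOW:
        window.popleft()

class ThrottledLogin:
    """Sliding-window limits checked before the password, on every path."""
    def __init__(self, accounts, clock):
        self.accounts, self.clock = accounts, clock   # clock is injectable for testing
        self.account_failures = defaultdict(deque)
        self.source_attempts = defaultdict(deque)

    def login(self, user, pw, source):
        now = self.clock()
        src, fails = self.source_attempts[source], self.account_failures[user]
        prune(src, now)
        prune(fails, now)
        if len(src) >= SOURCE_BUDGET or len(fails) >= MAX_FAILURES:
            return "throttled"   # cooldown ends with the window: no permanent lock to abuse
        src.append(now)
        if self.accounts.verify(user, pw):
            fails.clear()
            return "ok"
        fails.append(now)
        return "invalid"         # same answer for a wrong password and an unknown account

def brute_force(attempt, user, wordlist):
    """Attacker loop: returns (password found or None, attempts made)."""
    for n, guess in enumerate(wordlist, 1):
        result = attempt(user, guess)
        if result == "ok":
            return guess, n
        if result == "throttled":
            return None, n
    return None, len(wordlist)

# constructed wordlist; the demo account's password sits at position 25
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein", "monkey", "dragon",
            "baseball", "iloveyou", "trustno1", "sunshine", "master", "welcome", "shadow", "ashley",
            "football", "jesus", "michael", "ninja", "mustang", "password1", "superman", "monkey123"]
ACCOUNTS = Accounts({"gamer": "monkey123"})

def demo():
    front = brute_force(WeakLogin(ACCOUNTS).login, "gamer", WORDLIST)          # stalls at the CAPTCHA
    side = brute_force(WeakLogin(ACCOUNTS).login_via_link, "gamer", WORDLIST)  # cracks it
    clock = [0.0]
    hard = ThrottledLogin(ACCOUNTS, lambda: clock[0])
    throttled = brute_force(lambda u, p: hard.login(u, p, "203.0.113.7"), "gamer", WORDLIST)
    clock[0] += WINDOW + 1                        # the owner signs in once the cooldown has passed
    owner = hard.login("gamer", "monkey123", "198.51.100.9")
    return front, side, throttled, owner          # (None, 25), ('monkey123', 25), (None, 21), 'ok'
```

Calling demo() shows the front door stalling at the CAPTCHA after eight failures, the side door giving up the password on the 25th guess, and the throttled service going quiet on the 21st attempt while still admitting the owner once the window has passed, which matches Coutee's description of a server that "will stop replying after about 20 attempts". A cooldown that expires bounds the harm of a lockout attack to one window instead of a support call, but an attacker can still keep a chosen account unreachable for that window; the throttle slows guessing, it does not replace a second factor.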

Comments (61)

  • Lexx87 #1 4 months ago

    The thing is, if people used any half-decent password, brute force wouldn't be an issue.

    Don't use a dictionary word, add a couple numbers and a special character in there and it would have no hope.

    In this day and age you need a better password than "monkey123".
    Edited by Lexx87 at 16/01/12 @ 11:38
  • wizlon #2 4 months ago

    Way to sweep that under the rug MS, an official statement or admission to some culpability might have been nice.
  • Shadders #3 4 months ago

    But I thought there was no problem with their security?

    Don't let this drop EG - I think they owe people an apology.
  • Ranger101 #4 4 months ago

    @Lexx87 Fuck! How did you know my password????
  • Bertie Verified Senior Staff Writer, Eurogamer.net #5 4 months ago

    Maybe Xbox Live could issue one of those annoying calculator-like devices HSBC customers carry around with them so they can use online banking.

    That'd be great. I could add it to my already bulky keyring.
  • FogHeart #6 4 months ago

    While there's a means of circumventing the captcha and trying the same ID without it, the problem isn't fixed.

    I think eight attempts before slapping the user with a captcha is too many in any case.
  • Lexx87 #7 4 months ago

    Also people are being a little harsh on MS about this.

    A problem was reported, and they took action to deal with the issue. Okay maybe it would be 'nice' to give props to the guy who made it public, but surely it would be worse if they didn't take any action at all.
  • lennon #8 4 months ago

    Or maybe they could give people the opportunity to use an app like WoW or SWTOR which they could have on their phone or iPad which they almost always have with them anyway.
  • gandhimaster #9 4 months ago

    @Shadders if, IF this is the way all these accounts have been compromised, no apologies are necessary. Weak passwords are to blame. Even allowing for the previous CAPTCHA issue which still would not be a problem if passwords were not shit. I'm still not too sure this is entirely all the story, purely as most if not all problems involve EA games.
  • agparrot #10 4 months ago

    Tee Hee, @Bertie.

    The thing is, it doesn't need anything so drastic to prevent the theft of money, just a way of confirming CVV or Paypal details when points are purchased. This still wouldn't help if people had gained control of accounts that already have points available, though. I'm not sure how you'd prevent people spending those, unless MS added a new feature where you have to answer security questions to spend your own points. Perhaps this should be achievable by some reworking of the Parental Controls system.

    I agree with MS about brute force attacks not being something specific to xbox.com, but just because it exists everywhere doesn't mean they can't do a little bit more to protect their users against it, beyond asking them to have complicated passwords, surely?
  • gremly #11 4 months ago

    :3

    President Skroob: Did it work? Where's the king?
    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from Planet
    Druidia. What's the combination?
    Colonel Sandurz: 1-2-3-4-5
    President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.
    Dark Helmet, Colonel Sandurz: [looks at each other]
  • DDevil #12 4 months ago

    I'll say this again, I was a victim of this, yet my password was unique and not a word.
  • Shadders #13 4 months ago

    @gandhimaster
    What? A company like MS allowing any potential hacker to write a simple brute force script that could gain access to an account is not worthy of an apology?

    At any rate, with the system as it was until the other day a brute force script would have had an infinite number of guesses at a password, given enough time any account could be hacked regardless of password complexity.

    I don't know of any other online service that allows such a simple brute force work around? Even Microsoft's other sites don't allow you to do this so it is a security oversight on their part no matter how you look at it.
  • Spekingur #14 4 months ago

    @Bertie @lennon Are you guys talking about an authenticator?

    This isn't technically a breach although it is a problem with the login method that MS employs. Many companies have this problem though.
    The best security would be fewer tries before captcha, making captcha remain after these tries, disable login possibility for 24 hours after too many wrong tries (with or without captcha).

    How does EG handle its own login methods?
  • Eraser #15 4 months ago

    I don't really think MS is to blame here.
    If these passwords were brute-forced (and I still doubt it) then that's more likely caused by people choosing insecure passwords than MS' security not being tight. Sure, MS could have done some more things to prevent brute force attacks, but a brute force attack in itself is already unfeasible.

    I think a more likely explanation is some other website being hacked where usernames/emails and passwords were stolen and the hackers trying these email/password combinations on Xbox Live. People often share the same password across many services, so it's not unlikely something like this happened.
  • FogHeart #16 4 months ago

    Sure, MS can argue that you can brute force in lots of secure websites, but in this case MS had put in a means to prevent brute force - the captcha - but not checked thoroughly enough to ensure it can't be circumvented. Somewhere at MS there are web devs and security testers that have egg on their faces right now.
  • dancingrob #17 4 months ago

    I'm assuming that MS have checked to see how many failed logins the compromised accounts have received?

    Given they'd be able to see the hundreds of failed attempts (if they exist), you'd have thought there would have been an immediately obvious tightening of security (notably the removal of the 'email does not exist' message) if brute forcing is all there is to this problem.

    I'm thinking there is definitely something else happening that has not yet been worked out, perhaps relating back to this much suggested link with the EA systems
  • gandhimaster #18 4 months ago

    @Shadders no access via this method will work with a password that is not a dictionary word. But I agree if it's a method other sites are able to block, this is a mistake by MS for sure. Doesn't warrant an apology, for me, as following standard password procedures would protect you. But, as I say, that's why I don't believe this is the method used. People on here are pretty smart and if they say their password was random, then I believe them and brute forcing would not work.
  • Shadders #19 4 months ago

    @Eurocensor
    *tries*

    Oh my god..

    Sony.
  • bradgrenz #20 4 months ago

    @Lexx87 Your idea of what constitutes a secure password is antiquated. Nine characters, alphanumeric is not secure. The password on my hacked account was 8 characters long, no words, letters and numbers. It was considered secure when I originally created it over a decade ago, but computational power, fiber connections, GPU acceleration and distributed attacks have made an 8- or 9-character password, no matter its composition, pretty insecure. I have since moved on to unique 16+ character passwords for most applications, and a 20+ character password for my primary email account.
  • FireMonkey #21 4 months ago

    @Shadders - Have you seen Facebook? How many users does that have? Their log-in actively helps you to hack into the site.

    You have as many attempts as you like.
    If you get an e-mail (user) wrong, it specifically tells you that that e-mail address is incorrect.
    Once you get a correct e-mail address it tells you the password is incorrect so you just hammer that.

    I hardly ever use Facebook and always forget what e-mail account I linked with it and what my password is so this is usually how I get in.
  • miiiguel #22 4 months ago

    As a Live user myself, I feel more comfortable that MS doesn't share security measures and changes/upgrades to its system publicly.

    Security is meant to be as low profile as possible, no teasing, no bragging, no details.
  • agparrot #23 4 months ago

    I have to agree with @Eraser about details from other hacks also possibly contributing to the compromising of xbox.com ones. This is separate from the issue of how MS can help to stop people's money being spent with one-click payments.

    Without wishing to invoke any preposterous fanboy response, there is a possibility that some people use the same login and password on their xbox accounts as on their PSN accounts, and we all know that those *might* be in the public domain. Similarly, the Bethesda forums were hacked last year, giving hackers visibility of lots of gamers email addresses and other possibly helpful information. I'm not saying this *is* how the penetrations are taking place, but they must be considered.

    What must also be considered is the oft-quoted link to EA accounts. EG'er Cozeny had his Live account hacked over the weekend, and when he called xbox support, the person on the phone actually cast aspersions on EA as a possible hole in the security loop. This might also mean nothing, and be the opinion of one employee, but it might also reflect a feeling amongst xbox support staff, or perhaps MS themselves, about where the problem lies.
  • FanBoysSuck #24 4 months ago

    @Lexx87 A brute force attack goes through every possible combination of possible characters. What you're describing is a dictionary attack.

    As a few people have said, they've used non word alpha numeric passwords and still been hacked. The strength of the password is irrelevant in this case.
  • kestral #25 4 months ago

    @Lexx87 "The thing is if people used any half decent password bruteforce wouldn't be an issue."

    No, the problem is that you have to enter the password on your Xbox. Now when you use a stronger password than monkey123 like 0W@#LCEzBDTt@wLP then you will spend the next 10 minutes repeatedly trying to enter it correctly with a controller.

    Maybe this could be solved through a verification process so that you can link your xbox on xbox.com and then enter a 4 digit verification code to enable accounts.
  • GamesConnoisseur #26 4 months ago

    Correct that MS must be properly held to account but man, I've seen too much of 'XBL HACKED and MS just lying when Sony fessed up!'

    All over the Internet, brute forcing into individual logins is widespread and even on PSN you could try that, but the term hacking is too loosely applied to all kinds and scales of breaches.

    I had Facebook PS3 mates lolling this and that, tried to clarify then why bother? People will believe what they want, any attempts to lessen the 'crimes' are just fanboyism according to them.

    My wife had her Facebook account hacked a few months ago, lots of trouble to get it back. All kind of hackings everywhere and on different scales, all need to be actioned on, and so need to keep at MS but the brute forcing can also be done on PSN and so question is what the right steps to safeguard our accounts?

    Change passwords every so often, and keep separate pool for banking, shopping and so on, numbers and mixture of capital or small cases. Too much trouble I know and that's the burden of 21st century living.
  • FireMonkey #27 4 months ago

    @FanBoysSuck - But length is relevant.
    Size DOES matter.
  • chrisjm #28 4 months ago

    CAPTCHA can be read easier by scripts than real people.
  • cyacomini #29 4 months ago

    I think the easiest way to deal with such tactics would be to enforce an account lockout period - much the same way that Active Directory works.

    3 incorrect login attempts locks your account - either for a set period of time or until you contact MS to verify your identity.
  • AbracadaverAK #30 4 months ago

    XKCD summed up passwords quite nicely here: http://xkcd.com/936/
  • Psychotext #32 4 months ago

    Will say it once again... and every time MS roll out that "industry problem" bullshit. Why aren't we seeing this "FIFA hacking" on the PS3? I've seen hundreds of user reports on having their 360 account stolen to purchase FIFA tokens with... and a grand total of one PS3 user (who also had their 360 account hacked).

    Anyone? Is Sony's password security so much better, can you get away with weak passwords on the 360 but not on the PS3? I don't think so.
  • FogHeart #33 4 months ago

    @chrisjm Yeah, I read that in New Scientist - a system called DeCaptcha. Apparently distorted characters, lines through characters etc can be corrected by software, but when characters overlap they just can't be decoded. Captcha in its present form is crackable (albeit with far more processing power per attempt than usual) but with some modification the Captcha system can be made sound again.
  • PixelPirate #34 4 months ago

    If MS had one of those MIB brain wipe things they would totally use it on you.

    EVIL
  • YenRug #35 4 months ago

    @Psychotext I think the main reason for the 360 being targeted is their "Family Pack" which allows the transfer of MSP to other accounts; as far as I am aware, PSN does not even allow gifting of games, let alone currency transfer.
  • memeroot #36 4 months ago

    Offer to link it to an ip address list
  • dagas #37 4 months ago

    I'm surprised that any site still allows a brute force attack. It's so easy to stop with captcha or a maximum number of attempts or something. It's good that they have stopped that, but it should have been done a decade ago.
  • dirtysteve #38 4 months ago

    @wizlon - I doubt any corporation would be quick to admit any kind of culpability unless they absolutely had to.
    @DDevil, me too.
    There seems to have been a 'blame the user' attitude from MS.
    People who use sensible passwords are being made to look like idiots.
  • patch #39 4 months ago

    For me, as big an issue is that you get re-directed to a different page if you enter a valid account name with the wrong password than you do if you enter a non-valid account name. Once you have a valid account name, you start the brute force. I don't know of many other sites that tell you if you've entered a correct account name, specifically to stop things like this.
  • twll #40 4 months ago

    I got screwed by this nonsense back in September and I've yet to have any joy from approaching Xbox UK or Xbox US support about the problem. No-one seems to know how to help, how to get my account back or how to even transfer my purchases to another account. I am trapped in limbo with a dead profile that I can't use. The only form of compensation for this has been two months of free Xbox Live Gold.

    The Live ID associated with my gamertag had a unique password (as anything that uses an email address as a login should do). I'd only used it on xbox.com and bungie.net (I don't use any other Microsoft services with it). But I found out that my account had been given another email address, some MS points were bought with it (now refunded) and the gamer profile migrated to a Russian console.

    My account has been suspended pending a never-ending investigation, but every time I call to get a status update, the support representatives fob me off with a different excuse, can't put me through to another department or allow me to talk to anyone higher up the management chain than a supervisor.

    I am stuck with a useless profile and the inability to use the console as intended, all because of Microsoft. I am not entirely convinced that my account will ever be returned to me.
  • VibratingDonkey #41 4 months ago

    @Bertie Or you know, do the same thing without the thingie, sending the verification code to your email or phone instead.

    Two-step verification, it's a thing, Microsoft. It's a thing that has existed for some time which protects against this prevalent industry-wide problem you keep mentioning that has existed for even longer. Some companies are even using it to protect the accounts of their customers against these ever-changing threats of phishing scams and brute force attacks. And they haven't even declared over and over again how committed they are to online safety. They just do it. Imagine that.
    Edited by VibratingDonkey at 16/01/12 @ 15:23
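The two-step verification the comment above asks for, as an added Python example: a short one-time code delivered out of band (by SMS or e-mail), valid briefly, usable once, and with a hard cap on wrong guesses. This is not Microsoft's implementation; the code length, lifetime, guess limit, account name and the delivery callback are assumptions. The guess cap is the part worth noticing: a six-digit code has only a million values, so a second step that allowed unlimited tries would simply move the brute-force problem from the password to the code.

```python
"""One-time code as a second sign-in step, delivered out of band. Added example,
not Microsoft's code; CODE_DIGITS, CODE_TTL and MAX_GUESSES are assumptions."""
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL = 300         # seconds a code stays valid (assumption)
MAX_GUESSES = 5        # wrong guesses before the code is discarded (assumption)

class SecondFactor:
    def __init__(self, clock, deliver):
        self.clock = clock          # injectable for testing expiry
        self.deliver = deliver      # transport callback deliver(user, code); SMS/e-mail is outside this example
        self.pending = {}           # user -> [code, issued_at, guesses_left]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = [code, self.clock(), MAX_GUESSES]   # replaces any earlier code
        self.deliver(user, code)

    def verify(self, user, submitted):
        rec = self.pending.get(user)
        if rec is None:
            return "no_pending_code"
        code, issued, _ = rec
        if self.clock() - issued > CODE_TTL:
            del self.pending[user]
            return "expired"
        rec[2] -= 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[user]     # single use: a captured code cannot be replayed
            return "ok"
        if rec[2] == 0:
            del self.pending[user]     # 10**6 possible codes; unlimited guesses would be a brute force
            return "too_many_guesses"
        return "wrong_code"

def guess_codes(factor, user, guesses):
    """Attacker who has the password but not the code: returns (result, guesses submitted)."""
    for n, g in enumerate(guesses, 1):
        result = factor.verify(user, g)
        if result != "wrong_code":
            return result, n
    return "wrong_code", len(guesses)

def demo():
    outbox, clock = {}, [0.0]                                   # constructed stand-ins for SMS/e-mail and time
    sf = SecondFactor(lambda: clock[0], lambda user, code: outbox.__setitem__(user, code))
    sf.issue("gamer")
    real = int(outbox["gamer"])
    wrong = [f"{(real + k) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}" for k in range(1, 8)]
    attack = guess_codes(sf, "gamer", wrong)                    # ("too_many_guesses", 5)
    sf.issue("gamer")                                           # owner requests a fresh code
    owner = sf.verify("gamer", outbox["gamer"])                 # "ok"
    replay = sf.verify("gamer", outbox["gamer"])                # "no_pending_code"
    sf.issue("gamer")
    clock[0] += CODE_TTL + 1
    stale = sf.verify("gamer", outbox["gamer"])                 # "expired"
    return attack, owner, replay, stale
```

The attacker in demo() is given seven guesses that are deliberately all wrong, so the run is deterministic: the code is withdrawn on the fifth wrong guess, the owner's correct code works exactly once, and a code older than CODE_TTL is refused. Pair this with the password check rather than replacing it; the code only proves possession of the phone or mailbox, which is why a compromised e-mail account still needs the confirmation-link protection another commenter suggests for changes to the account's address.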
  • Dizzy #42 4 months ago

    @bradgrenz brute forcing a secure 8 or 9 character password over the Internet is virtually impossible TBH. Time to crack... 229 years at 100K password tries per second (yes simple math).
  • DwarfyP #43 4 months ago

    @wizlon Microsoft should admit that their customers use passwords that are too easy to crack through a method that any website is vulnerable to in some way?
  • Razorus #45 4 months ago

    I've recently been made a victim of fraud. Someone somehow used 2400 of my Microsoft Points to download COD4. Called up customer support and they said they'd have to lock my account while they investigate. Could take up to 30 days. This was a few days ago. Every time I switch on my 360, I still seem to be logged in to Live, which leads me to believe their super sleuths are not doing anything.
  • FanBoysSuck #46 4 months ago

    @FireMonkey Fair point dude, what I was getting at was 6 random characters and a 6 letter word are just as easy to get past if you're talking about a brute force attack. Having a 20 character password would of course make it more secure ;)
  • RexRunti #47 4 months ago

    The problem with automatic lock outs is it creates an even easier way to screw with a service.

    Step 1) Get gamertag very easily
    Step 2) try to log in several times
    Step 3) Account is locked out
    Step 4) Repeat with new gamertag

    And before you know it no one can access Xbox Live.
  • Feanor #48 4 months ago

    @twll Get the Better Business Bureau involved in the US, or its UK equivalent.
  • kangarootoo #49 4 months ago

    @Lexx87

    "Don't use a dictionary word, add a couple numbers and a special character in there and it would have no hope"

    Yeah, 'cos that fools computers no end.

    Using numbers instead of vowels is the oldest trick in the book, and it is beyond trivial for someone to include that and all the other usual special character tricks in their script.

    Edit: ahh, sorry. You seem to have been repeatedly jumped on already :)
    Edited by kangarootoo at 16/01/12 @ 15:33
  • kangarootoo #50 4 months ago

    @Eurocensor

    Just seen some about that floating round Facebook. Plain text passwords ffs, I mean SERIOUSLY!

    When Sony had probs a while back, the difference between storing passwords and storing hashes of passwords became a frequent topic of explanation on here and other pages. That distinction really does mean everything if your security is compromised (especially if your customers use the same password for other places). If it turns out to be true, a company of that size, well... words fail.
  • wattsn26 #51 4 months ago

    Remember when Sony issued that statement about someone trying to phish passwords and it was news EVERYWHERE...why is this not mentioned in major news outlets?
  • wattsn26 #52 4 months ago

    @miiiguel Is that why people got angry with Sony cause they DIDN'T disclose every little detail with them?...you're not making sense. If someone was hacking into XBL and potentially had access to your credit card you'd want to know about
  • wattsn26 #53 4 months ago

    @Psychotext Sony can disable your account if you try to login on PSN via a different console and use someone else's credit card information, on XBL you can use someone else's password and still buy Microsoft Points with that person's credit card
  • kangarootoo #54 4 months ago

    @miiiguel

    I think perhaps more than anything, security is supposed to be secure.

    Whether something is discussed publicly or not should be decided on a case by case basis, with maintaining or security driving that decision. Remaining quiet at all times is no better for security than talking about it at all times.


    And sometimes, to pick on a particular point you made, sometimes security should absolutely be public to act as a deterrent. To say "you're wasting your time here - try someone else's front door" can be part of increasing your security. Of course some people will see that as a challenge, but most thieves pick the easiest target and letting them know you aren't it is a factor.
  • TheChieftian #57 4 months ago

    The hacked accounts can't be from brute force attacks.

    For a password made of just lowercase letters and numbers, there are 26 + 10 = 36 possibilities per character. Truely random 8 character password = 36 ^ 8 = 2821109907456 possibilities. Assume you guess right after trying half of them. That's 1410554953728 tries. If one login attempt takes 1 kilobyte of bandwith (and that's very optimistic) then just to hack ONE account would require over 1.3 PETAbytes of traffic, let alone how long it would take. Brute force attacks like this are only really possible as offline attacks.

    A dictionary attack is at least possible, but that doesn't explain how the people who have strong passwords had their accounts hacked.

    However they get in though, one thing MS could do to help is block adding an email address on a live account without sending a confirmation link to the original email (assuming that email account isn't also compromised).
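The arithmetic in comments #57 and #42, carried through as an added Python example that is not from either commenter: keyspace and entropy for a given character set and length, the expected number of guesses, and what that costs in years and traffic at several guess rates, with a dictionary attack alongside for contrast. The 100K/s rate is the one comment #42 uses; the throttle (20 failures per 10 minutes), the 10 G/s offline rate and the 10,000-word list are assumptions.

```python
"""Keyspace, expected guesses and online brute-force cost at several guess rates.
Added worked example; rates other than the commenter's 100K/s are assumptions."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
CHARSETS = {"digits": 10, "lowercase": 26, "lowercase+digits": 36,
            "mixed case+digits": 62, "printable ASCII": 95}

def keyspace(charset_size, length):
    return charset_size ** length

def entropy_bits(charset_size, length):
    return length * math.log2(charset_size)

def expected_guesses(charset_size, length):
    # a uniformly random password is found, on average, halfway through the space
    return keyspace(charset_size, length) // 2

def throttled_rate(max_failures, window_seconds):
    """Guesses per second an attacker gets against one account under a failure throttle."""
    return max_failures / window_seconds

def cost_of_guesses(guesses, guesses_per_second, bytes_per_guess=1024):
    # 1 KB per attempt is comment #57's (optimistic) figure for one sign-in request
    seconds = guesses / guesses_per_second
    return {"guesses": guesses, "seconds": seconds,
            "years": seconds / SECONDS_PER_YEAR, "bytes": guesses * bytes_per_guess}

def attack_cost(charset_size, length, guesses_per_second, bytes_per_guess=1024):
    return cost_of_guesses(expected_guesses(charset_size, length), guesses_per_second, bytes_per_guess)

def dictionary_cost(wordlist_size, guesses_per_second):
    # a dictionary attack only walks the list, half of it on average
    return cost_of_guesses(wordlist_size // 2, guesses_per_second)

RATES = {"unthrottled online, 100K/s": 1e5,                          # figure used in comment #42
         "throttled online, 20 per 10 min": throttled_rate(20, 600),  # assumed server-side limit
         "offline against leaked hashes, 10 G/s": 1e10}               # assumed GPU rate

def report(length=8, wordlist_size=10_000):
    """Rows of (password kind, rate, entropy bits, years, petabytes of traffic)."""
    rows = []
    for cname, size in CHARSETS.items():
        for rname, rate in RATES.items():
            c = attack_cost(size, length, rate)
            rows.append((cname, rname, round(entropy_bits(size, length), 1), c["years"], c["bytes"] / 1e15))
    for rname, rate in RATES.items():
        c = dictionary_cost(wordlist_size, rate)
        rows.append((f"{wordlist_size}-word list", rname, round(math.log2(wordlist_size), 1),
                     c["years"], c["bytes"] / 1e15))
    return rows

if __name__ == "__main__":
    for cname, rname, bits, years, pb in report():
        print(f"{cname:16} {rname:40} {bits:5.1f} bits {years:12.3g} years {pb:10.3g} PB")
```

Two things the table makes concrete. Comment #57's 36^8 case does need about 1.4 PB of requests, but at an unthrottled 100K/s it takes under half a year, not forever, and the same space falls in seconds once hashes leak and the attack goes offline; with a 20-per-10-minute throttle it becomes over a million years. A 10,000-word dictionary, by contrast, is exhausted in well under a second unthrottled and in under two days even throttled, which is why the rate limit alone does not rescue a password that is on a list.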
  • spitfire1945 #58 4 months ago

    @FanBoysSuck Almost irrelevant, I would say. There is always the possibility that some passwords are so strong that it would take ages to guess it, if ever. http://en.wikipedia.org/wiki/Password_strength
  • FanBoysSuck #60 4 months ago

    @spitfire1945 : I take your point, but in that example it assumes the algorithm counts up. If it goes the other way the opposite is true, except for the mixed characters. If they're the same length, contain the same amount of alphanumeric characters and are using pure brute force eg starts at 1, a, 9 whatever, it will come down to length. The xkcd comic sums it up well.
  • jabberwocky #61 4 months ago

    Mine was hacked this morning and 4400 MS points used for "Premium Gold Content" which I'm assuming is FIFA 12 packs as FIFA had been loaded up on my profile when I know that the last game I played was Dead Space 2. My account has now been frozen.