Microsoft has blamed Xbox Live network account hacks on users' gullibility, but evidence shows that in some cases the gaming service's own support staff could be unwittingly helping hackers snare players' identities.
Responding to reports of account theft on Xbox Live that surfaced this week after security researcher Kevin Finisterre - of 'Month of Apple Bugs' fame - went public with how his account was pinched, Microsoft US said it had wrapped up its investigation.
"Despite some recent reports and speculation, I want to reassure all of our six million Xbox Live members that we have looked into the situation and found no evidence of any compromise of the security of Bungie.net or our Live network," Larry Hryb, the Xbox Live director of programming, said on his Major Nelson blog. "There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their Live account.
"Hope that clears things up," he added.
Both Hryb and the Microsoft spokesman also reminded users not to "give out information that personally identifies you, such as your real name, address, phone number, credit card number, etc."
But its Xbox Live support staff may not have got that message.
Xbox Live users have offered accounts to PC Advisor’s sister title Computerworld US of instances where the service's support representatives have given out personal information about an account without verifying the caller's identity. Computerworld also obtained an audio recording of one such call.
"We learned of [a hack into my son's account] in December, when Live charges were showing up on my credit card," said Lori Dobson. "When I contacted Microsoft, the rep I dealt with actually gave me the name and city, state that was using the account, other than my son!"
In the audio recording, an Xbox Live support rep ends up giving out another user's gamertag (the service's term for a player's username) as well as that user's street address and city. The caller, who was attempting to hijack a friend's account with that friend's permission (the friend was listening in on the line), started with a legitimate gamertag. When the rep said she could not pull up the file based on the bogus phone number he supplied, he shifted to phoney information, eventually making up a last name and claiming he didn't know which credit card was associated with the account.
"Okay, I got it," the rep said after the caller had given out a fake surname for the account. She then read out another player's gamertag as well as a street address and city associated with that account.
Although the caller wasn't able to collect enough information to hijack the gamertag, the recording demonstrated the tactic that one Xbox Live hacking group uses. The website of the 'Infamous' clan, a group of Halo players who have crowed about hijacking other players' accounts, boasts about how easy it is to dupe the service's support staff.
"How do we get your information? It's easy...you call [and] pretend to be that person, make up a story about how your little brother put in the information on the account and it was all fake, blah blah blah you might get one little piece of information per call but then you keep calling and keep calling, every time getting a little more information. Once you have enough information you can get the password on the windows live ID Reset. They may tell you they can't but it's bull s***. People at Bungie CAN and WILL reset your password."
As previously reported, the site is now offline.
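The pattern on the recording is a support tool that searches on whatever identifier the caller happens to offer and reads back the first record that matches, so each call leaks "one little piece" and a bogus phone number plus a guessed surname returns somebody else's account. The following is an added example, not code from the article, from Microsoft or from the clan: it models that weak lookup beside a hardened verification routine in which the caller names the account, every identifier must match, nothing is echoed back, and repeated failures lock the account. The account records, field names and the lockout threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    gamertag: str
    last_name: str
    phone: str
    card_last4: str
    street: str
    city: str
    failed_verifications: int = 0


def sample_accounts() -> List[Account]:
    """Constructed sample records (not real accounts); a fresh copy each call
    so lockout state does not leak between runs."""
    return [
        Account("ShadowFox", "Nguyen", "555-0101", "4412", "12 Elm St", "Austin"),
        Account("Halo_Ace", "Nguyen", "555-0199", "9921", "7 Pine Rd", "Denver"),
        Account("Cortana_17", "Reyes", "555-0142", "0077", "3 Oak Ave", "Tacoma"),
    ]


def _norm(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def weak_lookup(accounts: List[Account], phone: Optional[str] = None,
                last_name: Optional[str] = None) -> Optional[Dict[str, str]]:
    """Models the call on the recording: search on whatever the caller offers
    (phone first, then surname) and read back the first hit. A bogus phone plus
    a common surname discloses another player's gamertag and address."""
    for field_name, value in (("phone", phone), ("last_name", last_name)):
        if not value:
            continue
        hits = [a for a in accounts if _norm(getattr(a, field_name)) == _norm(value)]
        if hits:
            a = hits[0]
            return {"gamertag": a.gamertag, "street": a.street, "city": a.city}
    return None


MAX_FAILED = 3  # assumed lockout threshold for the example


def verified_lookup(accounts: List[Account], claimed_gamertag: str,
                    phone: Optional[str], last_name: Optional[str],
                    card_last4: Optional[str]) -> Dict[str, object]:
    """Hardened version: the caller names the account and asserts every
    identifier; the system answers only yes/no, echoes no field, does not say
    which identifier was wrong, and counts failures per account so that
    'keep calling, every time getting a little more' runs into a lockout."""
    account = next((a for a in accounts
                    if _norm(a.gamertag) == _norm(claimed_gamertag)), None)
    # Unknown gamertag and mismatched identifiers get the same answer.
    if account is None:
        return {"verified": False, "reason": "verification failed"}
    if account.failed_verifications >= MAX_FAILED:
        return {"verified": False, "reason": "account locked; escalate"}
    supplied = {"phone": phone, "last_name": last_name, "card_last4": card_last4}
    # A blank answer ("I don't know which card") is a mismatch, not a pass.
    all_match = all(v and _norm(getattr(account, k)) == _norm(v)
                    for k, v in supplied.items())
    if not all_match:
        account.failed_verifications += 1
        return {"verified": False, "reason": "verification failed"}
    account.failed_verifications = 0
    # Only the verification result comes back; the rep still sees no address.
    return {"verified": True, "gamertag": account.gamertag}


if __name__ == "__main__":
    accounts = sample_accounts()
    # Caller knows only the target's gamertag, gives a bogus phone, guesses a surname.
    print("weak:", weak_lookup(accounts, phone="555-0000", last_name="Nguyen"))
    guesses = [("555-0000", "Nguyen", None),      # made-up phone, no card
               ("555-0001", "Nguyen", "1234"),    # another guess
               ("555-0002", "Nguyen", "5678"),    # third guess -> lockout
               ("555-0199", "Nguyen", "9921")]    # correct, but now locked
    for guess in guesses:
        print("hardened:", verified_lookup(accounts, "Halo_Ace", *guess))
```

The difference is not the data the rep can see but the direction of the exchange: in the weak version the system volunteers a record and the caller learns from it, in the hardened version the caller supplies every identifier and the system only confirms or denies. Returning the same generic failure for an unknown gamertag, a wrong field and a blank answer denies the caller the per-call feedback the clan's advice depends on, and the per-account counter turns the "keep calling" strategy into an escalation to a human with a different verification path.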
The technique laid out by the Infamous team is similar to the process used by pretexters, who came to national attention last year during the HP boardroom scandal. Then, HP had hired investigators to track down a media leak; the private investigators, in turn, contracted pretexters to obtain phone records of board members and journalists.
When the Xbox Live user stories were related to him, Kevin Finisterre's reaction was swift: "It's not us that has the problem giving up info, it is their employees," he wrote in an email. "Clan Infamous clearly said that on their Web page."
The ease with which fraudsters can worm information out of Xbox Live support has implications beyond gamers, especially if the service draws even more users in May, when it launches Games for Windows Live. That service, which will bring Windows PC gamers together with Xbox players, will debut with the Vista version of Halo 2.
"Think of it this way," said Finisterre. "Single sign on, single point of compromise. With access to people's services, leveraging that into system access can be trivial. Maybe I break into your girlfriend's email account and send you a Trojan horse from her claiming to be a funny picture or something.
"Some folks are creative."