Sunday, January 11, 2009

Hi, can I have your password please?

I got a Live message from one of my friends last night asking me to visit http://xbox-profile.com/CyberKnight so I can claim my social networking account that they had supposedly set up for me. It encouraged me to do this "quickly", before someone else claimed my name.

I decided to check it out. As a quick trip to Google will show, my gamertag isn't the most unique word on the net, so there was some incentive to check it out before someone tried claiming my name. When I visited the site, it redirected me to a page on Playfire.com that asked me to confirm my ownership of the gamertag by entering my Live ID and password in a simple web form.

Erm, no.

The only form that gets that information is one that submits to Live.com.

Tonight, I noticed that I got four more messages from other friends that all say exactly the same thing. It sounds like this phishing scam is getting a few bites.

I hope for the sake of my friends that this site is doing exactly what it's claiming — verifying ownership of the gamertag — and nothing more. But I've sent my friends a message (and am posting this on my blog as a "public service") encouraging them to change their Live account password as soon as possible, just in case. This can be done by logging on to http://login.live.com.

If Playfire.com stores that information, they could use it to take control of the gamertag, plus any and all associated Hotmail, Messenger, or other Live service accounts. And of course if there are any credit cards associated with that ID (such as would happen if you buy Points or renew a Live or Zune Pass subscription online), then the new owner could use that information to make more purchases.

It's already apparent that they use your login information to access your friends list and send out messages on your behalf to your friends to come and sign up. And if the apology messages from my friends are any indication, this happens without the explicit knowledge or authorization of the account holder.

I tried connecting to Playfire.com today to get more details for this blog post, but the entire site appears to be down. That only makes it look more suspicious.

13 comments:

Benji said...

Hi CyberKnight, I'm Benji from Playfire. Just to clarify a couple of things and hopefully set your mind at ease about why we ask for your login and password and what we do with it.

We're not phishing. We don't store the login and password at all - they are used to verify you own your gamertag and to send a PM to your friends list inviting them to Playfire. This is made clear on the page after you have submitted your login; we state that we will send a friend request to your Xbox friends.

We're planning to build some nice Xbox features in the near future and to prevent people cheating and claiming gamertags that aren't theirs we are verifying them in this way.

Playfire was down last night, bad timing :) We're migrating to new hosters this week so there will be a small amount of downtime but this was unscheduled so sorry about that.

Just to reiterate, there is nothing untoward about what we are doing, we're not harvesting passwords and in fact don't store them at all during the process.

Feel free to contact me directly or here if you have any more questions.

Cheers,
Benji.
ben at playfire dot com

Yakko Warner said...

Hi Benji. I appreciate you taking the time to post a response.

"This is made clear on the page after you have submitted your login; we state that we will send a friend request to your Xbox friends."
That may be. I haven't seen the page, so I can't judge how clear it is or not. I do know, however, that I was a programmer on a certain web app where we once put a warning message that users claimed never to see. This was an internal application on a corporate intranet, where we trained the users to look for this message. After we put it in 16-point font, in red text on a yellow background in a box with a nice thick border, there were still users who said they never saw it.

So when you say you are clear that you will send PMs and I hear someone say they didn't know you would send PMs, I can believe it. ;)

I can understand what you're doing. How do you verify that someone actually owns the gamertag they claim they own? A certain way to prove that would be to provide the login credentials for that gamertag. Makes sense. What causes me to balk is thinking about everything else that's tied to those credentials — Hotmail, Messenger, Points, Live Space, Mesh, Sky Drive… I don't give up those credentials lightly.

Benji said...

I understand what you mean about people not seeing the text. We've had a bit of feedback about this since we trialled this at the end of last week and have since made it clearer as well as adding more information on what we do with this data.

We verify it simply by logging in as that user automatically and checking that the gamertag on the resultant Xbox LIVE page matches the gamertag they claimed.

And yes, I understand your concern. Unfortunately there's no easier way for us to do this. We can only give our word that we don't store passwords in any way.

Alternatively, you can manually message your friends; Playfire works a lot better when your friends are on board ;)

JediChric said...

Benji, I signed up for your service and have to say the site looks good. But I too have a reservation about the site.

For one, why does a spam message direct us from www.xboxprofile.com to www.playfire.com? That is a huge warning sign that I missed.

Also, why does it force you to spam your entire Friends List instead of letting us pick and choose who we want to contact?

If this is legit, as you say, the way you communicate with your potential users needs tweaking. As well as other things.

Benji said...

We had that URL as we thought it would make it clear what the site was about (as Playfire could mean anything!), but we've had feedback that it's weird so we changed it to just using Playfire.com. We'll also look into adding features like picking and choosing.

Yakko Warner said...

To quote Topper Harley, "I'm not saying I don't trust you, and I'm not saying that I do… but I don't." It's nothing personal; it's just best practice that you don't give out your password for one site to another.

I did say I understand what you're trying to do, but it's still not right. Just because it's the easiest doesn't mean it's the most appropriate. Arguably, it would be a whole lot easier to get rich by robbing a bank than by working my butt off day in and day out, but I still wouldn't recommend it as the most appropriate course of action.

Here are a couple other ideas, free of charge.

I think it was the site 360Voice.com that had me verify my gamertag ownership by changing my gamerpic. It picked one of the standard ones off the Xbox.com site and had me change it to that. They could verify the change very easily, and once that was confirmed, I could change it back of course.

Granted, this might not work so well today, since gamerpics include "Xii" portraits that can take some time to set up, and a user might be hesitant to throw away their perfect portrait just to join your website — but the same idea could be used. You could generate a random word or pair of words, and request that the user add the words to their bio. (The user might have to make their bio "public", if it was set to "private", at least temporarily.) When your system verifies that they made this change to a publicly-viewable piece of information on their profile — that only they would have access to change — you would have verified that they own that gamertag (and then the user can remove the verification phrase from their bio).

Another idea is to send a message to that gamertag containing a verification word or phrase. You would then say something to the effect of, "Your gamertag has received a message from the account Playfire01. Please log in to your gamertag, check the message, and input the verification word contained in that message." The only trick here is that the user's account must be set to accept messages from random gamertags (i.e. not just friends).

And there may be other ways. Perhaps there's a way to use an actual Passport authentication form to verify access to a gamertag. You'd have to contact Microsoft for details.

True, without snagging the username and password, you lose the ability to send messages as that user. However, this is the biggest issue. (Not for me; for me, the biggest issue is password sharing. But on a very large gaming community site I participate in, the conversation is all about the messages being sent. Truth be told, for most people, this probably would've gone completely unnoticed if not for those messages.) That message needs to go away, anyway.

Let's be blunt: it lies. Here's the message I received:

"Hi CyberKnight, I just joined this social network for gamers, it's really cool! I started your profile! Go here to have a look: http://xbox-profile.com/CyberKnight - Friend's gamertag PS. Claim your profile before someone else gets it!"

First off, the friend didn't start any profile for me. Second, if account verification is required, there's no reason to rush to claim my profile before someone else gets it. No one else can get it. The only reason I can think of to imply a sense of urgency is to make me favor speed over caution in signing over my login credentials.

And actually, the URL thing didn't bother me too much. I do pay attention to it, but even Microsoft registers new URLs for promotional deals and contests and such. Perhaps because "xbox-profile" was so generic, it implied a closer tie to an actual Xbox site than it turned out to be?
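The bio-phrase verification sketched in the comment above, written out as an added example; this is not code from the original post or from Playfire. The token format, the 15-minute expiry, the in-memory stores and the stand-in profile fetcher are all assumptions made for the example.

```python
import hmac
import secrets
import time

# Challenge-response ownership check: the site issues a random phrase, the user
# puts it in a publicly viewable profile field (the bio), and the site looks
# for it there. No credentials ever leave the user's hands.
CHALLENGE_TTL_SECONDS = 15 * 60  # assumed expiry window

# gamertag (lowercased) -> (token, expiry timestamp). A real service would persist this.
_pending = {}

# Constructed stand-in for the public profile page; real code would fetch it.
_fake_profiles = {}


def set_fake_bio(gamertag, bio):
    """Test helper: pretend the user edited their public bio to this text."""
    _fake_profiles[gamertag.lower()] = bio


def fake_fetch_public_bio(gamertag):
    return _fake_profiles.get(gamertag.lower())


def issue_challenge(gamertag, now=None):
    """Create a fresh unguessable token the user must place in their bio."""
    now = time.time() if now is None else now
    token = "playfire-verify-" + secrets.token_hex(8)  # 64 bits of entropy
    _pending[gamertag.lower()] = (token, now + CHALLENGE_TTL_SECONDS)
    return token


def verify_challenge(gamertag, fetch_public_bio, now=None):
    """True only if the bio contains the unexpired token issued for this
    gamertag. The challenge is single-use: it is consumed on success."""
    now = time.time() if now is None else now
    key = gamertag.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    token, expires_at = entry
    if now > expires_at:
        del _pending[key]  # stale challenge; the user must request a new one
        return False
    bio = fetch_public_bio(gamertag) or ""
    # Compare each whitespace-separated word (punctuation stripped) in constant time.
    found = any(
        hmac.compare_digest(word.strip(".,;:!?()[]").encode(), token.encode())
        for word in bio.split()
    )
    if found:
        del _pending[key]
    return found
```

The same flow works for the "message containing a verification word" variant: issue a token, deliver it over the channel only the real owner can read, and accept it back once within the expiry window.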

Missus Boot said...

I've noticed that if there is a negative post about Playfire on blogs or forums they're remarkably quick to send out the 'reassuring' task force who tell us to trust them, and not to worry because they'll never store or abuse our credentials.

Last week a few of us sent Playfire emails asking very similar questions about safer forms of verification as you did in the post above. To date, none of us has been given an answer; have you had any answer from them about this? It appears that they run in, post how they are trustworthy, then run away and evade any other questions. This doesn't paint them in a positive light at all and certainly isn't the actions of a company that has its users' security as any sort of priority.

@Benji, some chap knocked on my door earlier and he said he was you. I'm not convinced that he was you, so if you could send me your credit card details for verification purposes, that would be golden. I won't use or store your credit card details, you have my word on that. I'm very trustworthy.

Yakko Warner said...

Nope, no further answers. What you see is what I got, which is pretty much as you described — swoop in, reassure, and disappear. So far, anyway. I haven't been inclined to visit their site further.

Hope someone doesn't claim my profile first…

Benji said...

Apologies for the delay in replying, to be honest I missed your comments after my post.

C J, I'll get on the case with your contact emails, you should have had a reply by now. I'll try and answer some questions here though.

The reason we use the email/password method of verification is that we already have the code for doing this in our email friend finder. This is the same code used by MySpace, Friendster etc. and is the same thing used by other social networks such as Facebook to log into your email accounts and get your contacts list. This saved us a lot of time and we also assumed that users would be comfortable with it (as the email friend finder is common all over the web and has been used for a long time). We are, however, exploring other ways of doing this; thanks for your suggestions.

Cyberknight, after the feedback we've received (and I'll add yours to that as well) we changed the message sent out immediately. The URL is now playfire.com and the message loses some of the hyperbole :) The reason for the initial message is that with an email invite the user can click and immediately be on the site. With the Xbox PM there's a disconnect between the console and their computer so we wanted it to be more memorable. This was a guess on our part; you were one of the first recipients of the PM. Turns out it doesn't matter so much so we've toned down the message considerably.

Again, I repeat, we're not phishing and at no time do we do anything that isn't made clear on the page and we do not store your password at any time. It's a trust issue and I understand if you choose not to do this - Playfire works without you verifying your gamertag or inviting your friends (although it's better with your friends there). We're adding some more Xbox features in the near future and want to prevent people from adding someone else's gamertag as well as providing an easy method for you to invite your Xbox friends.

Yakko Warner said...

I don't know what MySpace or Friendster or Facebook do, since I have not used those services. However, I have used LinkedIn (a networking site that focuses on professional careers rather than social acquaintances), and I know it provides the option to import contacts from other webmail clients, so I just checked that feature to see how they did it.

For both Hotmail (a Microsoft Live service) and Yahoo, it redirects you to a login form on that provider (live.com and yahoo.com, respectively). Both Microsoft and Yahoo have set up these login pages that let you log in to your account and then explicitly grant read access to your contact list to linkedin.com for a limited time. Yahoo grants access to the whole list for two weeks, and provides instructions for revoking this access via a link. Microsoft allows you to select the duration of access (from as short as 1 day) and even select which contacts. Once accepted, you're redirected back to LinkedIn's site, which now has access to your contact list (but nothing else).

LinkedIn also lets you import from Google GMail, AOL, and a host of other services; however, these require you to enter your username and password on LinkedIn's page, presumably because those services have not provided an API to LinkedIn for getting access to a contact list otherwise (or if they have, LinkedIn doesn't know about/hasn't implemented it yet).

I imported my contacts from Hotmail and Yahoo, and I didn't feel too nervous about doing either, because I sent my username and password to the host sites only. I did not, however, import my GMail contacts, because that would've required me giving my password to LinkedIn. I don't know if others would be comfortable giving that information out or not; I am not. (LinkedIn also has an assurance on that form that they will not store that username or password; but my same policy applies.)

Also worthy to note is what LinkedIn did with those contacts. It showed me a list of contacts, with checkboxes, asking me to invite my contacts to join my network. Ok, all the checkboxes were pre-checked, but I could still un-check any or all of them (there was even the "Select All" checkbox that cleared all checkboxes with one click). It also had a button on that very page to delete that list of contacts off of LinkedIn's servers.

PSORaine said...

Benji,

The thing about myspace and facebook and importing contacts is... IT'S OPTIONAL. To join your site, and claim my gamertag, apparently I have to spam my friends with invites before I even know if the site is good or not? Not cool. Also, I have a 360v account... an a360p account, an xba account... pretty much an account with every xbox related site, and my gamertag is linked to my user name. I have NEVER given my live ID or pw to any other site besides xbox.com. It's an email I ONLY use for my gamertag, and it's a password I don't use for any other account. Why is your site so incredible that you feel people will be lying about gamertags to get in, anyway?

Also... to sign in here and post this comment, I had to give my gmail info. THAT'S FINE! My credit card info isn't linked to my Gmail!!!!

Benji said...

@Yakko Warner

Yup, if there was some kind of API to invite friends then we would definitely use it. We're planning to change our email friend finder to use the same authentication APIs that LinkedIn use as well.

We've also added the ability to select which friends you can PM (with a select/deselect all option :) and you can also add an optional note to the PM before you send it.

@Melissa

Good points. We've made it optional now so you can skip the invite friends step and you don't have to verify your gamertag anymore. If and when we reintroduce this in the future it will definitely be optional.

Thanks for the feedback.

Coco from Stoke said...

Your site is terrible. After the error of entering my password I changed it, then went to delete my account. Surprise, I can't. Why?
Your site is unclear on what it does on your behalf. The only reason I signed up was because of a trusted friend. Within a week of hearing about you, there is so much bad stuff on the net about you guys. Use a brain cell, let people delete their account, tell them you're gonna spam their friends with bullshit mail saying I have created an account for them, where in truth I haven't, and finally let me delete my account.