Sunday, April 5, 2009

I'll give you Recon if you give me your password

In a certain online forum, I caught wind of someone who was very upset that her son's Xbox Live account had been hacked. He no longer had access to his Live account on the Xbox or on the PC, or his Yahoo email account.

I offered to spread the word. Hopefully, it'll help prevent others from getting scammed, and just maybe it'll help catch the guy who did this.

Well, here's what happened. The boy, who we'll call by his gamertag Vaeb41, created his account using his Yahoo email address and a prepaid card purchased in a store. At some point in his Halo game playing, he was approached by another player, who we'll call "Rhepysp iz pr0" (which at this point does not appear to be a valid Xbox Live gamertag), who offered him the coveted Recon armor. "pr0" was able to "prove" that he was a Bungie employee by the fact that he had all Halo 3 achievements (including those for maps that have not even been released yet) and video showing himself wearing the flaming employee armor. Convinced, Vaeb41 gave pr0 his Xbox Live login email and password.

Of course, Vaeb41 never got Recon armor. He found that his password had been changed, the password reset "secret question" had been changed, his Yahoo email account password had been changed, and his account was basically no longer his.

They are going through Microsoft support. Since the account was not created by a credit card, it seems the key to getting it back lies in the prepaid card that was used to create the account, which they may not have anymore. (Who keeps those cards once you've used the "one-time use" 5x5 codes anyway?) Even if they do get the Live account back, getting the Yahoo account back will be another issue altogether, as that information is in the hands of another system.

It's a good time to reiterate what should be the first rule of security: you never, ever give out your password to anybody, no matter how legitimate they claim to be. As an addendum to that, anyone who claims to be an employee will never need to know your password, because a real employee already has whatever tools are needed to grant the access or privileges they claim to offer. Ever see the warning message on MSN or AOL that cautions "An employee will never ask you for your login details or password"? It's true. The most they might need is your account name, and if they're talking to you on Xbox Live or MSN or AOL or whatever else, they already have that.

I wonder about the use of prepaid cards in this case. On one hand, it seems like a good thing, in that the stolen account has no credit card information attached to it. On the other hand, without a credit card account to prove ownership, it seems more difficult to reclaim the account now that it has been stolen, and reclaiming it might have been easier if a credit card had been on file.