As the investigation into suspicious activity on the accounts of Xbox Live users continues, some gamers are taking matters into their own hands. Jason Coutee, a network infrastructure manager who had his Xbox Live account hacked, decided to look into the issue himself after Xbox Live customer service failed to be of much help.
After Coutee realized that his credit card had been charged for a purchase of 8000 Microsoft Points, he called the Xbox Live support desk, only to find out that another transaction, for an Xbox Live Family Pack, was in the middle of being processed. Coutee canceled the purchase, and customer service offered him the standard 30-day account freeze in order to investigate.
Coutee researched potential account vulnerabilities and came away with a possible link to Microsoft’s Windows Live ID system. Hackers can feasibly gather a list of gamertags from any Xbox Live multiplayer game and search for each one on Google. Certain social networking sites may turn up in the search with a valid e-mail address attached to that gamertag. The hackers would then check that e-mail on the Windows Live login page. If the hacker gets the error message “account is invalid”, the user may have updated their information. However, if the error message “password is wrong” comes up, the hacker has found a valid ID and simply needs to figure out the password.
The article at Analog Hype describes how these hackers would then go about getting into the account: by running a script that works through a set of candidate passwords and tries logging in with each of them.
“Now with a simple script, hackers can brute force their way into your Xbox Live account. The script would batch run a list of potential passwords, which anybody can find online with a simple Google search. The script will attempt to enter these potential passwords until it gets in. Xbox allows you to enter your password incorrectly 8 times on the website, then it asks for a CAPTCHA code. When hackers get to that CAPTCHA code, there is a link for “try with another Live ID”. Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again. This process can easily be automated by a skilled hacker.”
Once they’re in the account, they have access to all of your account details and any credit cards that may be associated with it. The article makes a valid point about how Microsoft could prevent this, or at the very least help Xbox Live users keep their accounts safe: contacting the owner of the account via e-mail after there have been more than “X” failed login attempts.
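The following is an added example, not code from the Analog Hype article or from Microsoft. It shows the suggested mitigation on the server side: failures are counted per target account rather than per session, so the “try with another Live ID” link cannot reset them. The error text is the same for an unknown address and for a wrong password, and the owner is e-mailed at the threshold. `LoginGuard`, `hash_pw`, the one-hour window, the value chosen for “X” and the sample account are assumptions.

```python
import hashlib, hmac, time
from collections import defaultdict

CAPTCHA_AFTER = 8      # the article's figure: 8 wrong passwords, then a CAPTCHA
NOTIFY_AFTER = 8       # the article's "X"; this value is an assumption
WINDOW = 3600          # seconds a failure stays counted (assumption)
GENERIC_ERROR = "The e-mail address or password is incorrect."
SALT = b"constructed-demo-salt"   # constructed; use a random salt per user

def hash_pw(password):
    # Low iteration count keeps the demo fast; production needs far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

DUMMY = hash_pw("no-such-account")   # compared against for unknown addresses

class LoginGuard:
    def __init__(self, accounts, notify, clock=time.time):
        self.accounts = accounts              # {email: password hash}
        self.notify = notify                  # callable(email, failure_count)
        self.clock = clock
        self.failures = defaultdict(list)     # email -> failure timestamps

    def recent_failures(self, email):
        cutoff = self.clock() - WINDOW
        kept = [t for t in self.failures[email] if t > cutoff]
        self.failures[email] = kept
        return len(kept)

    def login(self, email, password, captcha_solved=False):
        email = email.strip().lower()
        # The counter lives on the server, keyed on the target account, so a
        # fresh session or a "try with another Live ID" click cannot clear it.
        if self.recent_failures(email) >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        stored = self.accounts.get(email, DUMMY)
        match = hmac.compare_digest(stored, hash_pw(password))
        if match and email in self.accounts:
            self.failures.pop(email, None)
            return "ok"
        self.failures[email].append(self.clock())
        count = len(self.failures[email])
        if email in self.accounts and count == NOTIFY_AFTER:
            self.notify(email, count)         # e-mail the owner at the threshold
        # Same text for unknown address and wrong password: no enumeration.
        return GENERIC_ERROR
```

Because unknown addresses are counted and answered the same way as real ones, the login page no longer reveals which e-mail addresses belong to valid accounts.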
It’s become an all-too cliché piece of advice, but it is worth reiterating over and over: do not keep your login information consistent across all of your various internet accounts. It’s definitely a pain in the ass, yet taking that extra step may ensure that you do not have to go through an ordeal like Coutee’s and countless others who have had similar experiences.