Microsoft owns up to Xbox Live pretexting
'This situation shouldn't have happened,' says an Xbox exec
Computerworld - Months after Xbox Live users began complaining of hacked accounts, Microsoft Corp. yesterday acknowledged that the service's support staff is at fault, victims of "pretexting" calls by identity thieves.
Reports of account theft on Xbox Live have been making the rounds of its member forums since at least December. But Microsoft responded only after noted security researcher -- Kevin Finisterre of "Month of Apple Bugs" fame -- last week went public about how his account was hijacked.
As recently as Friday, the company was saying only that it had "found no evidence" of a data breach and that any thefts had occurred could be blamed on users giving out personal information.
That assertion changed yesterday. "A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering,' also known as 'pretexting,' through our support center," said Larry Hryb, director of programming at Xbox Live, in a blog entry. "Once I realized what he was talking about -- he sent me some painful-to-listen-to audio files -- I confirmed that the team is fully aware of this issue. They are examining the policies and have already begun retraining the support staff and partners to help make sure we reduce this type of social engineering attack.
"There's no other way to say it; this situation shouldn't have happened. Our customers deserve better," Hryb added.
The audio file Hryb referred to was provided to Computerworld by Finisterre last Wednesday, and was one of two user accounts described in an earlier story about Xbox Live support representatives and pretexting.
Although most users who posted comments to Hryb's blog entry were appreciative of the mea culpa, some were pessimistic about the chances that support would actually improve. "No surprise here. We've been telling you from Day One that Xbox/Xbox Live support is a joke," wrote someone identified as TH3Hammer. "You're right ... we DO deserve better, but I guarantee that it won't get better."
"I have ZERO faith in ms xbox support. No one I know does either," wrote jmel, another user. "Retrained? Thanks major, but its [sic] gonna take MUCH more, and it shouldn't take this kinda crap to wake up the decision makers at ms."
Many more users, worried about not only account theft but also the ease with which fraudsters were able to get support representatives to spill personal information, urged Microsoft to untangle credit card accounts from Xbox Live. "It would help if we could remove our credit card information after we've used it instead of it being stored on the system (or even the console) forever just waiting to be pretexted," wrote Joergen8.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts