Reports on the Xbox Box forums this week indicated that Xbox Live users were being targeted in a security scam by phishers, criminals who attempt to fraudulently acquire sensitive information such as usernames, passwords and credit card details from individuals.
Microsoft has confirmed the validity of these reports, telling Next-Gen that it has "taken action to help protect our subscribers' accounts".
A number of Xbox Live users have been receiving emails, supposedly from Xbox Support, informing them that Microsoft has made changes to all Xbox Live accounts. The emails direct users to a copy of Microsoft's Passport login page, where they are asked to enter sensitive information that the phishers then capture.
According to Microsoft, it is on top of this security threat. It says it is retraining staff on the ins and outs of phishing, will reimburse any users whose accounts have been tampered with, and has offered some advice to Xbox Live users.
In an email to Next-Gen the platform holder said:
"Microsoft has confirmed reports of certain individuals taking over subscribers' Xbox LIVE accounts through fraudulent behavior.
We've taken action to help protect our subscribers' accounts and are working with our call center staff to help reduce the likelihood of future incidents. This includes:
Retraining all customer support representatives.
Examining the policies and processes for account recovery.
Continuing to monitor the situation closely to take appropriate action as necessary.
In addition to these steps, we continue to recommend that our customers always be careful with whom they share information while connected to Xbox LIVE.
We will reimburse any customer whose account has been compromised in this fashion. If they have lost content such as Xbox Live Arcade games, we will provide the customer with replacement content at no charge.
This was not a failure of software technology. We want to reassure our customers that there has been no security breach of the Xbox LIVE network or of Bungie.net.
Customers who have any concerns about their account should visit www.xbox.com/support, click on the link titled "Troubleshooting Access to your Xbox Live Account," and perform the steps outlined there."
I can't believe that after all these years people are still falling for phishing scams.
And to anyone in any doubt (although I doubt anyone like that reads net articles very often), here's the point: Why would any company need you to send your password to them? They must already have it on their database to check it against when you log in.
It doesn't work like that. Passwords are stored on the server in a very highly encrypted and secure form, and so the company has no way of finding out what it is. That is why if you forget your password, they often have to just reset it with a new one rather than retrieve the old...
That is true. We hash our passwords before they are stored in the database so there is no way anyone could ever know what that password is.
But that said people should still be very suspicious if a company contacts you for this information as most would never send out an email or telephone you for it.
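The point made in the comments above, that a server checks a password without ever being able to read it back, is shown here as an added example (not code from the article, the commenters or Microsoft). The PBKDF2 parameters and the `AccountStore` class are assumptions for the illustration.

```python
# Added example: salted password hashing with a reset-only recovery path.
# Nothing stored is the password itself, so staff cannot look it up, and a
# legitimate login never needs the user to send the password to a person.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt=None):
    """Return a record of the form pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the hash from the candidate password and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class AccountStore:
    """Hypothetical account database holding only hashed records."""

    def __init__(self):
        self._records = {}

    def register(self, user, password):
        self._records[user] = hash_password(password)

    def login(self, user, password):
        stored = self._records.get(user)
        return stored is not None and verify_password(password, stored)

    def reset_password(self, user):
        # The only recovery path: issue a fresh secret. The old one is gone.
        new_password = secrets.token_urlsafe(12)
        self._records[user] = hash_password(new_password)
        return new_password

    def stored_record(self, user):
        return self._records[user]
```

Note there is deliberately no `retrieve_password` method: the record holds a salt and a derived hash, so a forgotten password can only be replaced, as the commenter describes.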
If these phishing people are caught they should be put in stocks so that we can go and kick them in their annoying little faces. They can be put next to the spammers (who we can all go and stick pins in the eyes of).
I'm kind of impressed how MS has handled this. To reimburse people who got screwed over by a scam like this is damn impressive. Also to do all those extra things listed in the article, like retrain staff etc., is pretty good.
I never meant that people necessarily had access to them, but presumably if they needed it for any reason it could be applied directly from encrypted storage to whatever other new function they need it for without a single person seeing it.
The bank doesn't contact you when they use 'your' money to pay other things, they just do it.
But yes, I guess MS feels they have some ass kissing to do with the overheating issues now a stated fact. Maybe now is the time to ask Bill for a loan
Nobody would be able to work out what the password is and I mean nobody at all.
Also, phishers use copies of the login pages so that you put your username and password in to log in and bingo, they have it.
It's not as hard to fall for phishing as people seem to think. I've recently been getting bank phishing emails. The e-mail appears as any you might expect from any bank; they ask you to follow a link to update some details because of a software update. The page that you're taken to looks almost exactly the same as the actual bank one, except that it asks for your whole PIN and password rather than just certain characters. The only obvious indication that it is a fake login page is the address, but how many people would pay attention to that?
Anyone who isn't absolutely paranoid of everything on the internet (i.e. the most net-savvy people out there) will be caught out by it.
Actually, most savvy people on the net out there know that banks or other companies that you may have an account with, which is accessed by passwords and/or stores credit card details etc., never ask for any sensitive info of that nature, so it is hard to catch people out; like, only idiots get caught out. This kind of thing which redirects you to fake logins happens on websites like eBay or Myspace etc. all the time, but most people have the common sense to ignore it.
I guess you were referring to the PIN. The PIN I was pointing out was the PIN to access your online account, not your card PIN (though I'm sure they can be the same). I've seen this login page, and if I didn't know that Natwest only ever asked you for certain characters of your (account) PIN and password, then I could have been fooled (and if I didn't look at the address bar). I wouldn't be surprised if the odd common-sense-wielding person occasionally got suckered by it.
Copyright 2006 - 2009 Future Publishing Limited, Beauford Court, 30 Monmouth Street, Bath, UK BA1 2BW England and Wales company registration number 2008885