Earlier this month, a hacker bragged that he’d gained access to the Xbox Live identity — or gamertag, as it’s known — of “Halo 3” multiplayer producer Joe Tung. This allowed him access to Tung’s account and personal information. Tung isn’t alone.
For almost three years now, dozens of gamers who believed their Xbox 360 online identities were safe and secure have taken to message boards and Web sites to report gamertags stolen by zealous hackers. The practice has become prevalent enough that tutorials on how to do it have popped up across the Internet, and it intensified after the release of Bungie Studios’ sci-fi online shooter “Halo 3.”
“People don’t hack accounts by using programs and any other bullsh– that you hear around [Xbox Live],” the hacker claimed. “It’s as simple as picking up the phone.”
There is precedent for such claims. Since “Halo 3” was released, and especially after the debut of the elusive Recon Armor, several Bungie employee accounts have been compromised along with dozens of users’ accounts, MTV News has learned.
You don’t have to look far on the Bungie.net message boards for proof of paranoia. One user posted a list of concerns after being threatened with hacking following the conclusion of a heated “Halo 3” match. Another user had a quick suggestion: “I would suggest kissing up to the hackers and hope they are merciful. But if they aren’t merciful, trash-talk till you start to feel like an ass.”
The hacks are typically accomplished through a popularized technique called social engineering, in which someone is manipulated into revealing confidential information without realizing it. This isn’t the first time it’s come up with “Halo 3.” It was widely documented by technology sites in March 2007, then again last December and, based on the evidence surrounding Tung’s account and others, remains a prominent form of abuse.
Bungie would only tell MTV News that an outside party accessed Tung’s account. “We can confirm that Joe’s account was compromised,” Bungie Studios writer Luke Smith said. “Representatives from Microsoft aided Joe in swiftly resolving the issue.”
As for the implications of the compromise: “No comment,” Smith said.
In 2007, Microsoft said it was working to retrain its customer-support staff to prevent it from happening again. MTV News contacted Microsoft Wednesday morning (August 27) about the most recent developments. “We have been made aware of this issue and are actively investigating it,” a company representative said.
We also, however, talked to an active Bungie.net poster well-versed in the nuances of social engineering who told MTV News he started helping fellow “Halo” fans regain access to their accounts last summer — using the same social-engineering tactics that allowed unsolicited access in the first place.
Our expert declined to explicitly tell us how he recovered the accounts but explained that most social-engineering hackers use Microsoft customer service and attempt to gain the sympathy of a customer-service representative to “prove” they’re the account holder.
The danger stems from the apparent failure of Microsoft customer service to keep track of repeated account-access requests, our expert said. A hacker who is turned down by one representative can simply call the support line again and try another, without anyone noticing the pattern. Once a representative accepts the story, the hacker has access to the user’s Xbox Live gamertag, which typically has a credit card attached.
Access to a gamertag can also mean access to a Windows Live account. Windows Live is Microsoft’s proprietary log-in service. You use it when accessing account information on Xbox.com, but users who strictly use their Xbox 360 might not even know what Windows Live is. With Windows Live access, a hacker can change which gamertag and e-mail address are associated with that Windows Live account, preventing the user from recovering the gamertag and creating a mess of confusion for customer service when it investigates.
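The gap our expert describes is a tracking problem: nobody on the support side can see that the same gamertag has already been the subject of two denied recovery calls this week from two different phone numbers. The script below is an added example written for this article, not code from Microsoft or Bungie. It assumes a hypothetical support-call log (one line per call: timestamp, gamertag, caller number, outcome) and a hypothetical escalation policy, and replays the log to show what a representative would have seen had that history been in front of them. The log lines are constructed for the example.

```python
"""Track repeated account-recovery calls so a support rep can see them.

Added example for this article, not code from Microsoft or Bungie. The log
format, the field names and the escalation thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real support record).
SAMPLE_LOG = """\
2008-08-20T10:02:00 gamertag=JoeT caller=+15550001 result=denied
2008-08-20T11:45:00 gamertag=JoeT caller=+15550002 result=denied
2008-08-21T09:10:00 gamertag=JoeT caller=+15550003 result=reset
2008-08-21T13:00:00 gamertag=OtherGuy caller=+15550004 result=reset
2008-08-22T15:30:00 gamertag=JoeT caller=+15550001 result=reset
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<when>\S+) gamertag=(?P<gamertag>\S+) caller=(?P<caller>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical log into dicts sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole review
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    return sorted(records, key=lambda r: r["when"])


def escalation_reasons(history, now, caller, window=timedelta(days=7), max_prior_attempts=2):
    """Reasons a rep should escalate instead of resetting, given the gamertag's
    earlier recovery calls (history) at decision time `now` from `caller`.
    A social engineer who is denied once simply calls back and tries another
    rep; these checks make that pattern visible at the moment it matters."""
    recent = [h for h in history if timedelta(0) <= now - h["when"] <= window]
    reasons = []
    if len(recent) >= max_prior_attempts:
        reasons.append(f"{len(recent)} prior recovery attempts within {window.days} days")
    if any(h["result"] == "denied" for h in recent):
        reasons.append("identity already rejected by another rep in this window")
    callers = {h["caller"] for h in recent} | {caller}
    if len(callers) > 1:
        reasons.append(f"{len(callers)} different caller numbers in this window")
    return reasons


def audit_log(records, **policy):
    """Replay the log and, for every reset that was granted, report what the
    rep would have seen with tracking in place.
    Returns {gamertag: {iso_timestamp: [reasons]}}; clean resets are omitted."""
    history = defaultdict(list)
    findings = defaultdict(dict)
    for r in records:  # already sorted by time
        if r["result"] == "reset":
            reasons = escalation_reasons(history[r["gamertag"]], r["when"], r["caller"], **policy)
            if reasons:
                findings[r["gamertag"]][r["when"].isoformat()] = reasons
        history[r["gamertag"]].append(r)
    return dict(findings)


if __name__ == "__main__":
    for tag, resets in audit_log(parse_log(SAMPLE_LOG)).items():
        for when, reasons in resets.items():
            print(f"{tag}: reset at {when} should have been escalated")
            for reason in reasons:
                print(f"  - {reason}")
```

On the constructed log, the single clean reset for OtherGuy passes silently, while both resets granted for JoeT are flagged: two earlier denials, three different phone numbers within a week. The point of the design is that the check runs at decision time with the account’s recent history, so the third representative is told what the first two decided instead of judging the caller’s story in isolation.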
There are some steps you can take to protect yourself, however. Our expert outlined some of the common mistakes that lead to users being targeted and some steps to follow:
#1 Mistake: You give away your account password to a Web site advertising free Microsoft Points.
Tip: “It’s extremely difficult to recover an account in this situation. If you use that password for anything else, there’s a good chance the same hackers are now busy using that password combination on Amazon, eBay, CraigsList, bank accounts, etc.”
#2 Mistake: You routinely trade your gamertag around with friends.
Tip: “Passing gamertags makes it easy for people to trade Achievements together or play parts of a game they have not unlocked yet. If you are trading with multiple people and one of them ever gets compromised, a hacker has your gamertag and others’ as well.”
#3 Mistake: Someone guesses or otherwise obtains your details (such as the answer to your secret question) and resets your password.
Tip: “It’s important to remember not to give out personal information. One good thing you can do is change the answer to your secret question. If you make the answer completely unrelated to the question (e.g. Question: What is your favorite TV show? Answer: Avril Lavigne), you’re essentially creating a second password.”
Because social engineering exploits people rather than software, it’s a difficult and expensive problem to solve. Coming up with proper defenses rests in the hands of Microsoft.
In the meantime, maybe it’s time to change your password.