Xbox Live Security Breach Identified as Pretexting
March 26, 2007
//
//
// 
//
// 
Xbox Live spokesman Major Nelson (real name Larry Hryb) has clarified reports last week of a security breach on Xbox Live after previously stating that there was no evidence of any compromise of security.
“As originally posted, Xbox Live has not been hacked. That is still true. A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of ’social engineering’, also known as ‘pre-texting’, through our support center,” he explained.
Pre-texting is an increasingly common technique for obtaining secure personal details using publicly available details, such as a member of the public’s date of birth or social security number. It can also involve impersonating authority figures like the police or bank staff. The tactic of pre-texting occurs predominately over the telephone, and the Major indicates that Xbox Live call staff are being re-trained in order to avoid similar problems in the future. “There’s no other way to say it; this situation shouldn’t have happened. Our customers deserve better,” Nelson said.
Initial reports had suggested that Xbox Liveand another web site had been hacked, but the pre-texting explanation implies that the security breach was not of a technical nature, and that Microsoft has simply been the victim of a form of fraud common to many other businesses.
Nonetheless, Nelson seems confident that Microsoft will learn from this: “I confirmed that the team is fully aware of this issue. They are examining the policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack.”
