There has been a lot of buzz recently about the possibility of Xbox Live being hacked. People are taking over accounts, locking out the original owners, and racking up charges. Message boards were in a panic, speculating about what the gaping security hole was and how it was exploited. As it turns out, the whole thing boils down to a social engineering attack (or pretexting, for those who like to invent new words). The attackers simply call up Xbox Live support and convince the customer service rep to reset the account. Not particularly exciting but, as usual, very effective -- after all, social engineering is the oldest trick in the book.

Xbox Live is undoubtedly a complicated system that, hopefully, has layered security designed in from the ground up. It may or may not be resilient to application-level attacks. In the eyes of the public, however, that is irrelevant. No matter how secure Xbox Live is from a purely technical perspective, it has now been "hacked". Players don't care whether their accounts are stolen through an application-level hack or a social engineering attack -- the end result is the same to them.

Now Microsoft has to figure out how to solve this problem without making it impossible for the people who need their accounts reset for legitimate reasons. Solving a process issue is a lot harder than patching a SQL Injection vulnerability, that is for sure.

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
