Xbox Live phished/hacked/somethinged


    Originally posted by Dogg Thang View Post
    Should have made him a tin foil hat.
    I'm actually quite looking forward to a prominent long term forum member here posting they've been phacked.

    How many dodgy phisting links have you clicked on hoyteamx?

    Comment


      Should've asked him for his password and got on the case.

      Comment


        Eurogamer are saying they were contacted by someone who had been hacked and investigated it himself, he found out the following.
        Last week we asked if Xbox Live had been hacked. We used the detailed account of Xbox Live fraud victim Susan Taylor to…

        Comment


          Hopefully someone at MS will take notice & fix this ASAP

          Comment


            So I read this:
            Originally posted by Family Fry View Post
            Eurogamer are saying they were contacted by someone who had been hacked and investigated it himself, he found out the following.
            http://www.eurogamer.net/articles/20...-live-accounts
            And then I remember these. Seems like their systems ARE compromised!

            Originally posted by fuse View Post
            Until proven otherwise, Microsoft have NOT had a breach on their systems,
            Originally posted by fuse View Post
            Trust me, if it turns out the source of these recent attacks is a breach of data security at MS then I will be absolutely up in arms. There is absolutely no evidence of this being the case right now though.
            Originally posted by toythatkills View Post
            Xbox LIVE is not insecure. The service has not been hacked
            Originally posted by toythatkills View Post
            The servers are secure
            Originally posted by toythatkills View Post
            I know Live hasn't been hacked

            There might be other quotes, but I'm bored of trawling this thread just for a nyer-nyer post.

            Comment


              Originally posted by Sketcz View Post
              There might be other quotes, but I'm bored of trawling this thread just for a nyer-nyer post.
              You know Xbox LIVE hasn't been hacked, right, even if that EG article is true? Brute-forcing passwords is not the same as hacking Xbox LIVE.

              Anyway, if MS are at fault then that's incredibly ****, but as I've said pretty much the whole time, until there's such a thing as hard evidence pointing to an actual cause, it's still useless pointing fingers. All we've got, and all we've ever had, is anecdotal. It could still be anything, and there's really no point trying to argue against that because it's indisputable fact.

              EDIT: And just to be clear, since there appears to be some confusion, I am not trying to defend Microsoft and nor am I in any way a Microsoft fanboy. I'm not pro-Microsoft, I'm anti-misinformation. The amount of ridiculous statements made about this whole thing based on no evidence at all is ridiculous, and that's all that's ever bothered me.
              Last edited by toythatkills; 13-01-2012, 14:36.

              Comment


                Being able to get around the CAPTCHA by refreshing, and it taking eight wrong passwords for CAPTCHA to appear are the fails here. The former shouldn't happen, and CAPTCHA should kick in after 2-3 fails. That would improve security a fair bit imo.
                Lie with passion and be forever damned...

                Comment


                  Well, if it is true (and I don't yet know if it is), a huge fail would be MS not finding it and fixing it before some random internet dude.

                  Comment


                    Originally posted by Mayhem View Post
                    Being able to get around the CAPTCHA by refreshing, and it taking eight wrong passwords for CAPTCHA to appear are the fails here. The former shouldn't happen, and CAPTCHA should kick in after 2-3 fails. That would improve security a fair bit imo.
                    The issue is that, although Captcha kicks in after 8 failed attempts, using a different username resets that and gives 8 more goes, but you have to put another address.

                    I just tried it on one of my Live accounts until Captcha appeared. Even after trying another account, going back to the previous one still gave the Captcha request.

                    What we'd need to find out is how long does it remember the failed attempts and give another 8 goes for the same account.

                    I'm not sure how brute-forcing works over the internet but I pinged Google and got a 19ms response. If that's 19ms there and back, that's 52 attempts per second. If it's 19ms each way, that's 26 attempts per second.

                    Now, Matt mentioned he didn't use a dopey password which could be found by a dictionary attack, in which case the time it would take to properly brute-force would be immense, surely?
                    Last edited by randombs; 13-01-2012, 14:57.

                    Comment


                      Depends on password length. You're actually much better off using a password like "Mary Basingstoke a go-er with get in bonus" than "hptns^156", much harder to brute force and far easier to remember.

                      Writing a script to brute force and sticking it up on Amazon's cloud service (or similar) and letting it rip might net you some weak password results.

                      I can't see this being effective for the number levels I've seen mind.

                      Comment
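A worked estimate for the two posts above (the guess rates and the two sample passwords), added here as an example and not written by anyone in the thread. It counts the worst-case keyspace for blind character-by-character guessing, so it overstates the strength of a phrase built from dictionary words against word-based guessing. The 15-minute lockout window is an assumption, since the thread does not establish how long failed attempts are remembered.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password):
    """Size of the alphabet a blind brute force would have to cover."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),   # 32 ASCII symbols plus space
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def keyspace(password):
    """Number of candidates of this length over that alphabet."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password, guesses_per_second):
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def throttled_rate(guesses_per_window, window_seconds):
    """Effective guess rate when the server allows N tries per window."""
    return guesses_per_window / window_seconds


def report():
    rates = {
        "26/s": 26,                                   # rate quoted in the thread
        "52/s": 52,                                   # rate quoted in the thread
        "8 per 15 min": throttled_rate(8, 15 * 60),   # window is assumed
    }
    rows = []
    for pw in ("hptns^156", "Mary Basingstoke a go-er with get in bonus"):
        for label, rate in rates.items():
            rows.append((len(pw), label, years_to_exhaust(pw, rate)))
    return rows


if __name__ == "__main__":
    for length, label, years in report():
        print(f"{length:2d} chars at {label}: {years:.2e} years")
```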


                        I think this could've been a much smaller issue if users were emailed after a number of failed attempts. I think every site or service that involves access to money or stored payment methods (PayPal, XBL, PSN, etc) should do that.

                        Ok, so a fair few might not check their emails every day but for those that do, it could be the difference between getting phisted and... not getting phisted.

                        Until they've got access to the account, they can't change the email address or fiddle with notifications.

                        Comment
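A sketch of the two controls proposed in the posts above: a CAPTCHA that kicks in after a few failures and cannot be cleared by refreshing or switching usernames, and an email to the owner after repeated failures. This is an added example, not Microsoft's implementation or code from the thread. The class name, thresholds, window length and `outbox` mail queue are all hypothetical.

```python
import time
from collections import deque

CAPTCHA_AFTER = 3          # failures before CAPTCHA ("2-3" as suggested above)
NOTIFY_AFTER = 5           # failures before the owner is emailed (assumed)
WINDOW_SECONDS = 15 * 60   # how long a failure is remembered (assumed)


class LoginThrottle:
    """Failure counts live server-side, keyed by the account being targeted."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}     # account -> deque of failure timestamps
        self._notified = set()
        self.outbox = []        # stand-in for a real mail queue

    def _recent(self, account):
        q = self._failures.get(account)
        if not q:
            return 0
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def captcha_required(self, account):
        # Recomputed from stored state on every request: a page refresh, a new
        # cookie jar or a guess at another username in between changes nothing.
        return self._recent(account) >= CAPTCHA_AFTER

    def attempt(self, account, password_ok, captcha_ok=False):
        """Return 'ok', 'denied' or 'captcha_required' for one sign-in try."""
        needs_captcha = self.captcha_required(account)
        if password_ok and (captcha_ok or not needs_captcha):
            self._failures.pop(account, None)
            self._notified.discard(account)
            return "ok"
        # Every rejected try counts, including ones stopped at the CAPTCHA.
        self._failures.setdefault(account, deque()).append(self._clock())
        if self._recent(account) >= NOTIFY_AFTER and account not in self._notified:
            self._notified.add(account)
            self.outbox.append((account, "repeated failed sign-ins"))
        return "captcha_required" if needs_captcha and not captcha_ok else "denied"
```

Because the notification is queued before any sign-in succeeds, it reaches the address on file, which an attacker cannot change until they already control the account.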


                          Originally posted by billy_dimashq View Post
                          Ok, so a fair few might not check their emails every day but for those that do, it could be the difference between getting phisted and... not getting phisted.
                          Awww, I have another "ph" word but I better not say it.

                          Just wondering, how many people on here have been affected by this issue?

                          Comment


                            Just Matt

                            Comment


                              Originally posted by EvilBoris View Post
                              If you go to


                              You can see which consoles don't require your password, if you click (require password) then next time you log in it will ask you for your new one, until you put auto log in back on.

                              You can also use this to see if the profile has visited any other machines lately.
                              Sorry if I'm being a bit thick, but what exactly would the advantage(s) of disabling auto log in be? Since I can't see it helping to prevent an account from being compromised in the first place, what would doing it accomplish beyond, after you had regained control of your account and changed the password, preventing the hacker from continuing to log in on his console using your account?

                              Comment


                                It won't help with being hacked in the first place.

                                If you don't do that after you've been hacked, though, then changing your password has no effect. The hacker would just be able to auto sign-in on their console on your account again, without needing the new password.

                                Comment
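The point made in the last post, as an added example that is not from the thread and not how Xbox LIVE is implemented: a saved auto sign-in token keeps working after a password change unless the change also revokes saved devices. The `Account` class, its method names and the generation-counter design are hypothetical.

```python
import hashlib, hmac, os, secrets


class Account:
    def __init__(self, password):
        self._set_password(password)
        self._generation = 0    # bumped whenever saved sign-ins are revoked
        self._devices = {}      # sha256(token) -> (device name, generation)

    def _set_password(self, password):
        self._salt = os.urandom(16)
        self._pw = self._hash(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def check_password(self, password):
        return hmac.compare_digest(self._pw, self._hash(password))

    def remember_device(self, device, password):
        """Full sign-in; returns the token a console stores for auto sign-in."""
        if not self.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._devices[key] = (device, self._generation)
        return token

    def auto_sign_in(self, token):
        entry = self._devices.get(hashlib.sha256(token.encode()).hexdigest())
        return entry is not None and entry[1] == self._generation

    def change_password(self, old, new, revoke_devices=True):
        if not self.check_password(old):
            return False
        self._set_password(new)
        if revoke_devices:
            self._generation += 1   # every saved console token is now stale
        return True

    def devices(self):
        """(device, still_trusted) pairs, e.g. for an account security page."""
        return [(d, g == self._generation) for d, g in self._devices.values()]
```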
