Halo 3 Forum
Subject: MJOLNIR for XBL: Protecting Your XBox Live Account Against Thieves

Destinypedia - The Wiki for Bungie's Destiny
Posted by: DEATHPIMP72
Anyone but Foman. He smells like cheese.

This thread is in response to a recent surge of XBox Live and Microsoft Hotmail accounts being stolen. It is not directly related to Halo 3, but it is certainly most pertinent to this forum and the concerns expressed here.

This initial post is only a quick guide to some simple steps you can take to protect your account. Others have also added tips, so please be sure to read the whole thread.

Please click the "Save Thread" button if you find the information useful -- that will help you return to it quickly if you need to refer to it later. Feel free to add your own tips and information!

Creation and Protection of a Secure Password

The password you create for your account is the first and most important step in protecting it.

Create a Unique, Complicated Password

Take advantage of the tools that Microsoft gives you -- you can use any character on the keyboard in your password, and every letter is "case-sensitive" (in other words, if you use a capital letter when you create your password, you must enter that letter as a capital letter every time). This gives you a wide array of options.

More good news is that even the hacking community is generally of the opinion that cracking a Microsoft Hotmail account through dictionary attacks or brute force attacks is impossible (Source 1; Source 2; Source 3). All the same, it is extremely easy to make your password exponentially more secure, and it is thus a good idea to do so.

First, a piece of advice that I will repeat throughout this post: Your Hotmail/Windows Live password should be different from any other password that you use on any other website AT ALL.

Next, here is a good guide to creating a strong password. In essence, passwords should be at least 8 characters long, and more if you can remember it. Passwords should contain a variety of upper-case letters, lower-case letters, numbers, and punctuation/symbols. The best passwords are random jumbles of these various types of characters (example: g9@R5\8w).

Make the password as many characters long as you can reasonably remember without having it written down. Which brings me to my next point.


Love Thy Neighbors -- But Don't Trust Them

Approximately 76% of identity thieves are people you know. (source). Create a password that you can memorize without writing it down, and do not tell it to anybody. Not your friend, not your girlfriend/boyfriend/husband/wife/significant other. Nobody. If your significant other starts whining that you don't trust her/him, tell them that you are working on matters of National Security and, by not telling her/him your password, you're protecting them from getting killed. Bottom line is, don't get pressured into giving up your information.

Secure Your Computer

Make sure that your computer is password-protected itself and that you never leave it alone without engaging the password protection. An unsecured computer can have a keylogging program downloaded from the Internet and installed in under 5 minutes, and you'll never know (unless you're so paranoid that you check for keyloggers every time you sit down at the computer). A keylogging program will track any passwords that you enter. So be sure to lock the computer whenever you step away!

Shared Computers

I know that some of you share computers with family members, roommates, or friends; you should be extra careful in these instances to never allow Hotmail to "Remember My Password," never write down your password, and frequently check to ensure that nobody has installed spyware onto the computer. Be sure to log out of your Windows Live account whenever you step away from the computer.

Remember that even if you trust the person you share a computer with, they might inadvertently pass on your information to someone else without even knowing it. In the end, you should regard your password as one of those secrets that you never tell anybody, ever.


Phishing

Most stolen XBox Live and Hotmail accounts are the result of phishing -- "phishing" uses various methods of fraud to get you to willingly tell a person your password so that they don't have to guess it on their own.

Changing your password more frequently won't necessarily help prevent phishing (although it should be changed periodically). Instead, you should be aware of the methods that phishers use and the ways you can avoid them.

Pretexting

"Pretexting" involves calling XBox Live Support and pretending to be the owner of a gamertag who forgot his password (source). Pretexting is illegal under a recently passed federal law (source). It used to be that the famously dimwitted staffers who manned the phones at XBox Live support would gladly give out a user's password to pretty much anybody who possessed minimal information about the gamertag's owner.

Xbox Live has tightened up its security (source), and the people who man the phones can no longer even see what your password is, much less hand it out over the phone. All the same, you should go to some minimal lengths to protect your account.

1) Do not place your real name, especially your full name, in your Gamertag or your profile.

2) Do not place your gamertag on any website containing your real name! Especially MySpace or Facebook.

3) Do not place your city of residence or your address in your profile (including on Bungie.net); instead, place a broad Metropolitan area or general region of whatever country you live in. I can tell you for a fact that doing this protected me when phishers attempted to steal my XBox Live and Bungie.net account.

4) Your Microsoft Hotmail "secret question" and answer should be impossible to guess. A good trick is to make the answer a random sentence that has nothing to do with the question, or a blatant lie. For example, your mother's actual birthplace might be Chicago, Illinois -- make the answer to your secret question "Smoking is bad for you" or "Chattanooga, Tennessee."

5) Never give out your credit card information to anybody!

These simple procedures can spell a dead end for social engineers who attempt to swindle your account information out of XBL support staff.

False Microsoft Websites

Since XBox Live tightened up its customer service procedures, this is the most popular method of stealing XBL accounts. People will post or email links to sites with descriptions like "Free Recon Armor through a Windows Live Promotion!" or "Free XBox Live points!" When you click the link, it takes you to a page that looks exactly like the Windows Live Login page. You enter your email and password, thinking that you're logging into Windows Live, but in actuality, you've just entered your XBL information into a phisher's database.

This can be easily prevented by checking the address bar before entering any information. People are far too quick to trust what they see in the browser window. If the first part of the URL of the site you are on does not say "login.live.com" or another bona fide Microsoft name like "microsoft.com," you are not on a genuine Microsoft site. Don't enter your information.

Users who post links to phishing sites here on Bungie.net are instantly permabanned (example), regardless of whether you created the website or just heard about it and passed on the link without checking it yourself.

Other Websites

Frequently, users who are too lazy to remember multiple passwords use the same email address and password for many different accounts, including the same password that they use for XBL. Phishers take advantage of this by creating Halo-related websites and then trying to access your XBL account using the username/password information that you use to log in on their website.

This is also easily avoided. Your Hotmail password should be different from any password that you ever use on any other website at all -- including sites like Halocrusades.com or Bungie.org. (Note -- these are not phishing sites, they are perfectly legitimate and being used only as examples)

Internet Detectives

"Internet Detectives" use search engines on your gamertag to try to find other sites where you reveal more information than you do on BNet or XBox Live. Run a Google search on your gamertag, BNet username, and your Windows Live ID/email address; see what pops up. Do you have a blog? A website? Another forum that you use? Your personal information could be on any one of these sites. Be especially careful about posting your gamertag on social networking sites such as MySpace, Facebook, or Twitter. Run a check to make sure that Google does not return other sites' information that could be used to gain access to your account.


Conclusion

Using these techniques, you can effectively eliminate the possibility of your XBox Live account being stolen.

If you have questions, or more tips to add, feel free to add them to this thread. Please click the "Save This Thread" button if you find the information helpful, so that you can refer to it later or check back for updates.

[Edited on 07.15.2009 10:55 AM PDT]

  • 06.23.2008 8:21 AM PDT
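The "Create a Unique, Complicated Password" section above says each extra character makes a password "exponentially more secure" and lists the four character classes to mix. The Python below is an added example written for this thread, not code from the original post or from Microsoft: it generates a password from the operating system's CSPRNG (the `secrets` module, never `random`), checks a password against the rules the post states (8+ characters, all four classes), and puts a number on the "exponentially" claim (each additional character drawn from the 94 printable US-keyboard characters adds about 6.55 bits). The 94-character alphabet and the policy rules are the post's; the function names are mine.

```python
import math
import secrets
import string

# Character classes the post recommends mixing. string.punctuation is the
# 32 printable symbols on a US keyboard; the full alphabet is 94 characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def policy_failures(pw: str) -> list:
    """Return the rules from the post that `pw` violates (empty list == passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER),
                      ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in pw):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 16) -> str:
    """Return a uniformly random password over ALPHABET that satisfies the policy.

    Uses rejection sampling: draw `length` characters from the OS CSPRNG and
    retry if a class is missing. Retrying (rather than forcing one character
    per class into fixed positions) keeps the result uniform over all
    compliant passwords, so an attacker gains nothing from knowing the rule.
    """
    if length < 8:
        raise ValueError("the post's minimum is 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    Only meaningful for generated passwords; a human-chosen string like
    "Password" has far less entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # "Password" (the worst password, per a reply below) and the post's own
    # example "g9@R5\8w" run through the policy check.
    print(policy_failures("Password"))      # ['no digit character', 'no symbol character']
    print(policy_failures("g9@R5\\8w"))     # []
    print(generate_password(16), round(entropy_bits(16), 1), "bits")
```

Doubling the length from 8 to 16 doubles the bits (about 52 to about 105), which is what "exponentially" means here: the number of guesses an attacker needs goes up by a factor of 94 for every character added.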
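The "False Microsoft Websites" section above tells you to check the address bar for "login.live.com" or "microsoft.com" before typing a password. The Python below is an added example for this thread, not code from the post or from Microsoft; it shows how to do that check on the URL's hostname rather than on the start of the URL string, because a lookalike link can put the genuine name at the front of the URL and still land on the phisher's server. The allowlist is exactly the two names the post gives, the `https` requirement is my addition, and every phishing URL under `.example` is constructed for the demonstration.

```python
from urllib.parse import urlsplit

# The two genuine names the post gives. Any label-boundary subdomain of these
# (e.g. "account.microsoft.com") is accepted; "notmicrosoft.com" is not.
TRUSTED_SUFFIXES = ("login.live.com", "microsoft.com")


def hostname_of(url: str) -> str:
    """Return the lowercase host part of `url`.

    urlsplit().hostname drops the scheme, path, port and any "user@" prefix,
    so "https://login.live.com@evil.example/" yields "evil.example".
    """
    return urlsplit(url).hostname or ""


def is_trusted_host(host: str) -> bool:
    """Exact match or a proper subdomain of a trusted suffix, never a substring test."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def naive_check(url: str) -> bool:
    """What "look at the first part of the URL" turns into if done literally.

    Kept here only to show the failure mode: the genuine name appearing at the
    start of the URL does not mean the browser is talking to that host.
    """
    return url.lower().startswith(("http://login.live.com", "https://login.live.com"))


def safe_to_enter_credentials(url: str) -> bool:
    """True only for an https URL whose hostname is a trusted Microsoft host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and is_trusted_host(hostname_of(url))


# Constructed sample links of the kind the post describes ("Free Recon Armor",
# "Free Xbox Live points"), alongside two genuine ones.
SAMPLE_LINKS = [
    "https://login.live.com/login.srf",
    "https://account.microsoft.com/",
    "http://login.live.com.free-recon-armor.example/login",   # trusted name as a subdomain of the phisher's domain
    "https://login.live.com@evil.example/",                    # trusted name in the userinfo part; real host is evil.example
    "https://notmicrosoft.com/free-xbl-points",                # substring lookalike
    "http://login.live.com/",                                  # right host, no TLS
]


def report(urls=SAMPLE_LINKS):
    """Return (url, naive_result, strict_result) for each link."""
    return [(u, naive_check(u), safe_to_enter_credentials(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in report():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The third and fourth sample links are the instructive ones: both pass the prefix check and both fail the hostname check. Read the hostname the browser actually shows, from the scheme up to the first `/`, and remember that anything before an `@` is not the host.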

First post. Suck it internet.

EDIT: Awesome post Foman! Very informative!

[Edited on 06.23.2008 8:25 AM PDT]

  • 06.23.2008 8:23 AM PDT

Second post, and I will save this thread as you said so.

  • 06.23.2008 8:25 AM PDT

Good advice, and a lot of it's relevant to any website. Take heed, ye with weak passwords...

  • 06.23.2008 8:26 AM PDT

I'm watching you!

Thanks. Wall 'O' text as well lol, but I still read it because it was made by a ninja.

EDIT: The worst password is "Password"

[Edited on 06.23.2008 8:27 AM PDT]

  • 06.23.2008 8:26 AM PDT

“Political Correctness is a doctrine, fostered by a delusional, illogical minority, and rabidly promoted by an unscrupulous mainstream media, which holds forth the proposition that it is entirely possible to pick up a turd by the clean end.”

Great info, thanks.

  • 06.23.2008 8:26 AM PDT

DMH | TMA | Blueprint

Can't be too careful with your company. I can feel the devil walking next to me.

I keep getting e-mails about doing something with PayPal even though I don't have it. Would this be one of those hackers?

  • 06.23.2008 8:26 AM PDT

Aight, thanks.

  • 06.23.2008 8:27 AM PDT

Posted by: HIGGINZ08
Thanks. Wall 'O' text as well lol, but I still read it because it was made by a ninja.

It's not actually a Wall 'O' Text. A Wall 'O' Text would be as long as this without paragraphs, indents, or spacing.

  • 06.23.2008 8:27 AM PDT

Extremely interesting, helpful. WILL DO. Good, Foman.


My password is more of a, er, um, messed up, so how do I change it?

[Edited on 06.23.2008 8:29 AM PDT]

  • 06.23.2008 8:28 AM PDT

A need for Xbox Live Gold...

I saved this thread the moment I touched it. And it should be stickied.

Whoops, not third post, my bad.

[Edited on 06.23.2008 8:30 AM PDT]

  • 06.23.2008 8:28 AM PDT

Posted by: Karl2177
I keep getting e-mails about doing something with PayPal even though I don't have it. Would this be one of those hackers?

Hackers=Mega Boffin
*Hacker is looking at me* ...err...I mean hackers rock! *Runs into corner*

  • 06.23.2008 8:29 AM PDT

Can't Stop, Won't Stop

This should be pinned?

  • 06.23.2008 8:29 AM PDT

Posted by: Karl2177
I keep getting e-mails about doing something with PayPal even though I don't have it. Would this be one of those hackers?
It depends on what the email is. What does it say?

  • 06.23.2008 8:30 AM PDT

Thank you for the advice. Much appreciated, and I'm sure it will help some of the higher-profile people a lot as well.

  • 06.23.2008 8:30 AM PDT

never give up

saved

  • 06.23.2008 8:31 AM PDT

Posted by: x Foman123 x
Posted by: Karl217
I keep getting e-mails about doing something with PayPal even though I don't have it. Would this be one of those hackers?
It depends on what the email is. What does it say?

"Do not pass go. Do not collect £200"

  • 06.23.2008 8:32 AM PDT

Thanks for the advice.

You said a lot about Hotmail accounts; can people hack other emails, or just Hotmail?

[Edited on 06.23.2008 8:34 AM PDT]

  • 06.23.2008 8:33 AM PDT

Good post, Foman. Should be made a sticky.

  • 06.23.2008 8:33 AM PDT

[Thread saved]

Cheers Fo'.

  • 06.23.2008 8:34 AM PDT

Good post, FoMan. You should sticky this.

  • 06.23.2008 8:35 AM PDT

I've used information similar to this before. Thanks Foman!

  • 06.23.2008 8:36 AM PDT

How exactly do I CHANGE MY PASSWORD?

I will explore to find out how until someone posts how.

  • 06.23.2008 8:37 AM PDT


Posted by: x Foman123 x

Posted by: Karl217
I keep getting e-mails about doing something with PayPal even though I don't have it. Would this be one of those hackers?

It depends on what the email is. What does it say?

This is the email. Where it says -name exempted- is an email address or someone's name.

Dear PayPal Member,


This email confirms that you have sent an eBay payment of $347.85 USD to
-name exempted-for an eBay item.



-----------------------------------
Payment Details
-----------------------------------

Amount: $347.85 USD

Transaction ID: 2LC956793J776333Y

Subject: Digimax 130


-----------------------------------
Item Information
-----------------------------------


eBay User ID: -name exempted-


----------------------------------------------------------------
-name exempted-UNCONFIRMED Address
----------------------------------------------------------------

-name exempted-
-address exempted-

Important Note: -name exempted- has provided an Unconfirmed Address. If
you are planning on shipping items to -name exempted-, please check the
Transaction Details page of this payment to find out whether you will
be covered by the PayPal Seller Protection Policy.



Note:

If you haven't authorized this charge ,click the link below to dispute transaction
and get full refund

Dispute transaction (Encrypted Link )

*SSL connection:
PayPal automatically encrypts your confidential information
in transit from your computer to ours using the Secure
Sockets Layer protocol (SSL) with an encryption key length
of 128-bits (the highest level commercially available)



----------------------------------------------------------------
This payment was sent using your bank account.

By using your bank account to send money, you just:

- Paid easily and securely

- Sent money faster than writing and mailing paper checks
- Paid instantly -- your purchase won't show up on bills at the end of
the month.

Thanks for using your bank account!


[Edited on 06.23.2008 8:42 AM PDT]

  • 06.23.2008 8:37 AM PDT

Anti-Virus
Make sure you use an up-to-date antivirus. Viruses and trojans are the first thing that a hacker needs to delete files on the computer. I use AVG and Avast but still recommend AVG Free.

Firewalls
Always use a different firewall than Windows Firewall. I recommend Comodo Firewall Free set to Training Level. This will stop all those hackers getting anywhere near. It also has a spyware scanner built in.

Windows Live ID
Never give your Windows Live ID or password to anyone, even if the website asks for it. Check at the top URL bar or the bottom to see if it's signed by Microsoft Corporation. This will guarantee the server that is asking for it is Microsoft or Windows Live.

Create a different email for your gamertag, so it's secure, and make sure it's never used for anything else: only for account billing and accessing Bungie and Xbox. Then use another email for... well, email. You can change the email on the console in Account Management.

I recommend doing this. If you use Messenger on your 360, I don't recommend doing those steps.

Fingerprint Reader
There are fingerprint readers built into keyboards and laptops. You can buy them as USB devices as well. These reveal your password through an option, but on Windows Live ID it's blurred with dots. This makes people around you clueless, and if you need to recover your gamertag it's as simple as going into the options, fingerprinting, and that's it.

Browsers
I recommend using a browser with a phishing filter ("fishing filter") built in, like IE7 or Mozilla Firefox 2 or Firefox 3. I recommend Firefox 3 as it's the most secure and fastest browser out there.

Hope this helps and Bookmarked.

  • 06.23.2008 8:39 AM PDT