This thread is in response to a recent surge of XBox Live and Microsoft Hotmail accounts being stolen. It is not directly related to Halo 3, but it is certainly most pertinent to this forum and the concerns expressed here.
This initial post is only a quick guide to some simple steps you can take to protect your account. Others have also added tips, so please be sure to read the whole thread.
Please click the "Save Thread" button if you find the information useful -- that will help you return to it quickly if you need to refer to it later. Feel free to add your own tips and information!
[b][u]Creation and Protection of a Secure Password[/b][/u]
The password you create for your account is the first and most important step in protecting it.
[b]Create a Unique, Complicated Password[/b]
Take advantage of the tools that Microsoft gives you -- you can use any character on the keyboard in your password, and every letter is "case-sensitive" (in other words, if you use a capital letter when you create your password, you must enter that letter as a capital letter every time). This gives you a wide array of options.
More good news is that even the hacking community is generally of the opinion that cracking a Microsoft Hotmail account through dictionary attacks or brute force attacks is impossible ([url=http://www.governmentsecurity.org/archive/t9331.html]Source 1[/url]; [url=http://www.pwcrack.com/howtohackaol.shtml]Source 2[/url]; [url=http://becomingparanoid.com/2006/03/07/how-to-get-a-hotmail-password-ix-bruteforce/]Source 3[/url]). All the same, it is extremely easy to make your password exponentially more secure, and it is thus a good idea to do so.
First, a piece of advice that I will repeat throughout this post: Your Hotmail/Windows Live password should be different from [i]any other password[/i] that you use on any other website AT ALL.
Next, [url=http://www.microsoft.com/protect/yourself/password/create.mspx]here is a good guide to creating a strong password[/url]. In essence, passwords should be at least 8 characters long, and more if you can remember it. Passwords should contain a variety of upper-case letters, lower-case letters, numbers, and punctuation/symbols. The best passwords are random jumbles of these various types of characters (example: g9@R5\8w).
Make the password as many characters long as you can reasonably remember without having it written down. Which brings me to my next point.
[b][u]Love Thy Neighbors -- But Don't Trust Them[/b][/u]
Approximately 76% of identity thieves are people you know. ([url=http://www.co.crow-wing.mn.us/sheriff/investigations/general_investigations/identity_theft.html]source[/url]). Create a password that you can memorize without writing it down, and do not tell it to [i]anybody[/i]. Not your friend, not your girlfriend/boyfriend/husband/wife/significant other. Nobody. If your significant other starts whining that you don't trust her/him, tell them that you are working on matters of National Security and, by not telling her/him your password, you're protecting them from getting killed. Bottom line is, don't get pressured into giving up your information.
[b]Secure Your Computer[/b]
Make sure that your computer is password-protected itself and that you never leave it alone without engaging the password protection. An unsecured computer can have a keylogging program downloaded from the Internet and installed in under 5 minutes, and you'll never know (unless you're so paranoid that you check for keyloggers every time you sit down at the computer). A keylogging program [i]will[/i] track any passwords that you enter. So be sure to lock the computer whenever you step away!
[b]Shared Computers[/b]
I know that some of you share computers with family members, roommates, or friends; you should be extra careful in these instances to never allow Hotmail to "Remember My Password," never write down your password, and frequently check to ensure that nobody has installed spyware onto the computer. Be sure to log out of your Windows Live account whenever you step away from the computer.
Remember that even if you trust the person you share a computer with, they might inadvertently pass on your information to someone else without even knowing it. In the end, you should regard your password as one of those secrets that you never tell [i]anybody[/i], [i]ever.[/i]
[b][u]Phishing[/b][/u]
Most stolen XBox Live and Hotmail accounts are the result of [url=http://en.wikipedia.org/wiki/Phishing]phishing[/url] -- "phishing" uses various methods of fraud to get you to willingly [i]tell[/i] a person your password so that they don't have to guess it on their own.
Changing your password more frequently won't necessarily help prevent phishing (although it should be changed periodically). Instead, you should be aware of the methods that phishers use and the ways you can avoid them.
[b]Pretexting[/b]
"Pretexting" involves calling XBox Live Support and pretending to be the owner of a gamertag who forgot his password ([url=http://techreport.com/discussions.x/12081]source[/url]). Pretexting is illegal under a recently passed federal law ([url=http://www.channelregister.co.uk/2007/11/21/id_theft_bill_passes_senate/]source[/url]). It used to be that the famously dimwitted staffers who manned the phones at XBox Live support would gladly give out a user's password to pretty much anybody who possessed minimal information about the gamertag's owner.
Xbox Live has tightened up its security ([url=http://www.newsfactor.com/news/Microsoft-Pins-Xbox-Hack-on-Pretexting/story.xhtml?story_id=12200DUGPKZE]source[/url]), and the people who man the phones can no longer even see what your password is, much less hand it out over the phone. All the same, you should go to some minimal lengths to protect your account.
1) Do not place your real name, especially your full name, in your Gamertag or your profile.
2) Do not place your gamertag on any website containing your real name! Especially MySpace or Facebook.
3) Do not place your city of residence or your address in your profile (including on Bungie.net); instead, place a broad Metropolitan area or general region of whatever country you live in. I can tell you for a fact that doing this protected me when phishers attempted to steal my XBox Live and Bungie.net account.
4) Your Microsoft Hotmail "secret question" and answer should be impossible to guess. A good trick is to choose make the answer a random sentence that has nothing to do with the question, or a blatant lie. For example, your mother's actual birthplace might be Chicago, Illinois -- make the answer to your secret question "Smoking is bad for you" or "Chatanooga, Tennessee."
5) [u]Never give out your credit card information to anybody[/u]!
These simple procedures can spell a dead end for social engineers who attempt to swindle your account information out of XBL support staff.
[b]False Microsoft Websites[/b]
Since XBox Live tightened up its customer service procedures, this is the most popular method of stealing XBL accounts. People will post or email links to sites with descriptions like "Free Recon Armor through a Windows Live Promotion!" or "Free XBox Live points!" When you click the link, it takes you to a page that looks [u]exactly[/u] like the Windows Live Login page. You enter your email and password, thinking that you're logging into Windows Live, but in actuality, you've just entered your XBL information into a phisher's database.
This can be easily prevented by checking the address bar before entering any information. People are far too quick to trust what they see in the browser window. If the first part of the URL of the site you are on does not say "login.live.com" or another bonafide Microsoft name like "microsoft.com," you are not on a genuine Microsoft site. [i]Don't enter your information.[/i]
[u]Users who post links to phishing sites here on Bungie.net are instantly permabanned[/u] ([url=http://www.bungie.net/Forums/posts.aspx?postID=18397538]example[/url]), regardless of whether you created the website or just heard about it and passed on the link without checking it yourself.
[b]Other Websites[/b]
Frequently, users who are too lazy to remember multiple passwords use the same email address and password for many different accounts, including the same password that they use for XBL. Phishers take advantage of this by creating Halo-related websites and then trying to access your XBL account using the username/password information that you use to log in on [i]their[/i] website.
This is also easily avoided. Your Hotmail password should be different from any password that you ever use on any other website at all -- including sites like Halocrusades.com or Bungie.org. (Note -- these are not phishing sites, they are perfectly legitimate and being used only as examples)
[b]Internet Detectives[/b]
"Internet Detectives" use search engines on your gamertag to try to find other sites where you reveal more information than you do on BNet or XBox Live. Run a Google search on your gamertag, BNet username, and your Windows Live ID/email address; see what pops up. Do you have a blog? A website? Another forum that you use? Your personal information could be on any one of these sites. Be [i]especially[/i] careful about posting your gamertag on social networking sites such as MySpace, Facebook, or Twitter. Run a check to make sure that Google does not return other sites' information that could be used to gain access to your account.
[b][u]Conclusion[/b][/u]
Using these techniques, you can effectively eliminate the possibility of your XBox Live account being stolen.
If you have questions, or more tips to add, feel free to add them to this thread. Please click the "Save This Thread" button if you find the information helpful, so that you can refer to it later or check back for updates.
[Edited on 07.15.2009 10:55 AM PDT]
-
Eat this hackers and phishers p.s. Hackers suck p.s.s. Phishers suck just as much
-
thanks,saved
-
good tips, now i have a ridiculously complex password
-
Anyone dumb enough to give their info out deserves what is coming to them.
-
Lol guys i google bungie.net and i see a lot of fake stuff put it front One says halo3.net lmao
-
' [Edited on 01.04.2010 6:43 PM PST]
-
Thank you.
-
lol, wrong forum?
-
[quote][b]Posted by:[/b] x Foman123 x 2) Do not place your gamertag on any website containing your real name! Especially MySpace or Facebook. [/quote] sadly we cannot do this any more. :(
-
get free Microsoft points before its patched. www.xboxmsp.tk
-
hey someone is posing as me on youtube ([url=http://www.youtube.com/watch?v=SL-pgWvtQaY]here[/url]) should i be worried about this? [url=http://www.youtube.com/user/hobowithcomputer77]here is my real account[/url]
-
Go to classifieds. Also great post Foman thanks for the info.
-
hey i got a qustion can you help me with recon?
-
thanks for the info i really apprecaiate it.
-
[quote][b]Posted by:[/b] Renegade01 Interesting. It seems that these phishing links have transformed from Xbox LIVE stealing sites to links leading to sites that contain many viruses lately. Such posts have been erupting on Bnet, especially here in the Halo 3 Forum. This is a definite cause for concern.[/quote] Always look to the bottom left corner of your browser before following a link. You browser will display the address to the link your curser is over on the bottom left. If the link looks odd or suspicious, don't click!
-
Interesting. It seems that these phishing links have transformed from Xbox LIVE stealing sites to links leading to sites that contain many viruses lately. Such posts have been erupting on Bnet, especially here in the Halo 3 Forum. This is a definite cause for concern.
-
[quote][b]Posted by:[/b] Nevermind I've been told that having a credit card linked to your account can be an extra bit of insurance as if your account is stolen and you can prove that you are the owner of the credit card attached to the account Microsoft will give you your account back, is this true?[/quote] Yup
-
If you get a message from a friend saying: "Hey dude I just got 10,000 free mircosft points on www.freemspoints.com" It's another scam website just delete that friend and or report him to Microft.
-
I've been told that having a credit card linked to your account can be an extra bit of insurance as if your account is stolen and you can prove that you are the owner of the credit card attached to the account Microsoft will give you your account back, is this true?
-
i dont trust no one on live
-
Just one question: how do we go about reporting people who are phishing on xbox live? is that an option? I have saved the phishing msg i recieved in case i am able to do that.
-
Bungie Please Read!!! My account was stolen by gamertag "MLG iZ SicK BrZ". He openly admiited it and said he does this as a hobby. My stolen account was whysosirius187, but was changed to "lacerable".He has other accounts aswell, which are "FreshBR iZ SicK", and " BR SPRAYZ". Please ban these accounts. He stole mine(now lacerable) because i had recon armor aswell as all the halo 3 achievemnets. I thought he was my friend since we helped each other get recon armor, but i was wrong. I beg you tp Plaese BANN these accounts especially "MLG iZ SicK BrZ" and "lacerable". I dont want this guy using my account after all the hard work i did for recon and all of the achievements. Again please HELP!!!!
-
im off to make a new email to link ot my x box. i dont feel safe now.
-
[quote][b]Posted by:[/b] zunduro um i don't know if i'm in the right forum but soemone tryed to scam me over bungie.net offering 1600 microsoft points, is there a way to avoid him? if you want his bungie.net name i can give it to you[/quote] block, avoid, file a complant for tampering 1000000 times
-
Awesome Post Thanks!
-
this one dude on my friends list would ask for ur account and says that he will give u 12 months of xbl and wont.while i was there i didnt work