

How easy it is to Socially Engineer Microsoft Skype Support - acqq
http://phrozenblog.com/?p=218

======
iam
EA's Origin has similar problems, it's pretty easy to social engineer
someone's account (tech support will reset your password and your secret
security question) and then they can buy a bunch of games before you notice.

Apparently the security hole was that you just needed to provide the email and
birthdate to the tech support, then they'd go ahead and reset your info.

At least there's no way to transfer the goods onto another account like there
is on Steam (yet).

The worst part about all this is when you ask the tech support how your
password got reset, they always say it's your fault (you got a virus,
keylogger, etc) and never that it's theirs (social engineering, database lost,
etc). Guess you gotta keep face.

------
mileswu
> In my case the hacker asked to all my contacts with an automatic message for
> some Liberty Reserve money. Most of them trust me and my account, so they
> were inclined to accept.

I'm not sure why anyone would give money to a friend via Liberty Reserve, just
because a friend requests some via an instant message. The average person has
probably never heard of Liberty Reserve either. Before sending any money of
any kind, wouldn't one ask the friend what's wrong whereupon it would become
obvious it's not them?

Maybe I'm just deeply skeptical and distrusting and the rest of the world is
more optimistic.

~~~
takluyver
I've been nearly taken in by a similar scam done by e-mail: a message from an
aunt, saying that her handbag had been stolen while she was in Spain, and she
urgently needed some money to sort things out and get home.

It needs a target who's close enough to care, but not so close that they know
the details are wrong (as far as I knew, my aunt could have been in Spain).
The apparent theft can stop a credulous target from trying to phone the
person.

Finally, it only needs to work occasionally to pay off, and the OP mentions
having over 1000 Skype contacts.

------
Swifty
I wouldn't say there was any social engineering here; they asked for some
details the hacker was able to give them.

This just highlights the problem of having accounts that rely on the same
email address that is used for identification.

Also, I'm not sure how the author expects someone to add 5 temp accounts to
bypass the Microsoft support, when you would need to have the password and
have logged in to add them. In which case they're already in the account and
wouldn't need to contact Microsoft. (Unless there is a way to add Skype
contacts without being logged in.)

~~~
Uchikoma
Not with a hack, but you could create 5 accounts and ask the target to connect
for some reason. By scripting this, I guess you get enough people where you
"know" 5 accounts.

~~~
acqq
Yes, if I understood the author has 1000 contacts in his Skype, FWIW.

------
hjay
This is similar to stealing Hotmail accounts. All you needed was information
like the name of the person, the IP, a few contacts on the contact list,
(maybe) type a convincing message about being hacked, and voila!

Somehow Microsoft assumes knowing a small number of contacts ensures you are
the owner. Close friends or even co-workers and classmates can easily get
their account compromised by someone they know. Knowing any mutual friends
pretty much convinces them it's your account.

~~~
jzelinskie
I was just about to post my experiences with this. I used to play an online
game where everyone used MSN/Hotmail. When things got competitive, everyone
just recovered each other's accounts and impersonated each other because it
was so easy. You barely had to know anything about each other to do it. I
wrote to the team a few times and was finally able to speak with the team
during a reddit AMA years later and they claim to have made changes, but the
comments from other redditors seemed to claim otherwise.

The end result is I just don't trust Microsoft to have secure accounts for
anything. I'll stick to my Google account with two-factor authorization.

