
Tell HN: Microsoft Skype Security Is Flawed - samnwa
I received an email today from Skype that someone had changed the email address on an old Skype account of mine. Presumably this means that they were able to gain access to a password. There was no mechanism in the email to block the action. Next, I received an email that said "Someone started a process to replace all of the security info for the Microsoft account." Again, there was no way to block this action.

Both emails encouraged me to contact customer support. I did so only to be met with a request to fill out an online form with an incredible amount of personal information to verify the account. Why would I provide 10X the personal info that might then be made accessible to a user whose email address was swapped into the account with no verification at all?

Does anyone have any advice on how to resolve or escalate to Microsoft? Ideally the original email address on the account would be restored and, more broadly, Live / Skype should update their security procedures to avoid this type of "easy to steal accounts" security policy, while making it hard to block the stealing of accounts.

Any help / suggestions appreciated.
======
superkuh
Skype security has been flawed ever since that series of odd buyout events
that led to the sudden removal of end-to-end encrypted peer to peer operation.

First eBay bought what they thought was Skype but instead was only the license
to the branding and users and not the p2p backend tech the Swiss guys still
owned. Then Microsoft stepped in out of nowhere to take the useless brand from
eBay and the actual backend, only to promptly throw away the entire backend and
move to a centralized unencrypted model.

~~~
dragonshed
They gradually removed[0] the peer to peer operation because it sucked -
quality was bad, calls dropped, outages, bad mobile support.

[0] [https://arstechnica.com/information-technology/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/](https://arstechnica.com/information-technology/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/)

~~~
fsflover
Or for another reason:

[https://news.ycombinator.com/item?id=18411779](https://news.ycombinator.com/item?id=18411779)

~~~
lern_too_spel
Snowden's leaks showed that Skype allowed governments to wiretap its video
calls since at least 2010, when those wiretaps were ingested into PRISM. That
is before the Microsoft acquisition.

It amazes me that people parrot this conspiracy theory without doing 5 minutes
of Google searching first before making themselves look silly.

------
rodolphoarruda
> Both emails encouraged me to contact customer support. I did so only to be
> met with a request to fill out an online form with an incredible amount of
> personal information to verify the account. Why would I provide 10X the
> personal info (...)?

This by itself looks like a phishing attack. Did you click a link to Skype
support in the second email message or find it by yourself going to the Skype
website and browsing around?

~~~
gmaster1440
Also very confident that this is a phishing attack, have received similar
emails for Office 365 as well. If you examine the email headers you'll notice
a suspicious "From:" address.
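
The header check gmaster1440 describes, as an added example that is not code from this thread or from Microsoft. Both messages below are constructed for illustration: the phishing sample's addresses, domains and link are invented, and the benign sample simply shows what a consistent message looks like. TRUSTED_DOMAINS is an assumed allowlist; a real check would fill it from the provider's published sender domains.

```python
"""Triage an "account security" e-mail from its raw headers and body.

Added example, not code from the thread or from Microsoft. Both messages
are constructed; the phishing sample's domains are invented. TRUSTED_DOMAINS
is an assumed allowlist, not a published list of Microsoft sender domains.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains a genuine notice is expected to come from.
TRUSTED_DOMAINS = {"microsoft.com", "skype.com"}

# Constructed phishing sample: the display name says Microsoft, but the
# mailbox domain, the bounce address and the link all point elsewhere,
# and the receiving MTA recorded an SPF failure and no DKIM signature.
PHISH_RAW = b"""\
Return-Path: <bounce@secure-mail-verify.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=secure-mail-verify.example; dkim=none
From: "Microsoft account team" <account-security@microsoft-login-verify.example>
To: victim@example.org
Subject: Someone started a process to replace all of the security info
Content-Type: text/plain; charset=utf-8

Verify your identity here: http://microsoft-login-verify.example/recover
"""

# Constructed benign sample: consistent domains and passing authentication.
GENUINE_RAW = b"""\
Return-Path: <bounce@accountprotection.microsoft.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass header.d=accountprotection.microsoft.com; dmarc=pass
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.org
Subject: Security info was changed
Content-Type: text/plain; charset=utf-8

Review recent activity: https://account.microsoft.com/security
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, mailbox = parseaddr(str(header_value or ""))
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else ""


def _under(domain, trusted):
    """True if domain equals, or is a subdomain of, any trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def triage(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    # 1. The mailbox domain behind the display name, not the display name itself.
    from_dom = _domain(msg.get("From"))
    if not _under(from_dom, trusted):
        flags.append(f"From: mailbox domain {from_dom!r} is not a trusted sender domain")

    # 2. The envelope sender (where bounces go) should line up with From:.
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom and not _under(rp_dom, trusted):
        flags.append(f"Return-Path domain {rp_dom!r} does not match From: domain {from_dom!r}")

    # 3. What the receiving server concluded about SPF, DKIM and DMARC.
    auth = str(msg.get("Authentication-Results") or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            flags.append(f"{mech} result is {result}")

    # 4. Every link in the body should point at a trusted host.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"""https?://[^\s<>"']+""", text):
        host = (urlparse(url).hostname or "").lower()
        if not _under(host, trusted):
            flags.append(f"link host {host!r} is outside the trusted domains")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("genuine", GENUINE_RAW)):
        print(name, triage(raw) or "no red flags")
```

Raw headers are what you get from "show original" in most webmail clients. The Authentication-Results header is only meaningful if it was written by your own receiving server; a sender can forge one further down the chain, so read the topmost copy.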

------
buboard
That's how I lost my last account. They were asking me details like the account
creation date, which was > 15 years old.

~~~
samnwa
Were you worried at all about the culprit using the access to figure out other
accounts? My account had a balance so I assume it had some old credit card
info in it or something similar.

~~~
buboard
I did manage to get them to block the account because it was obviously stolen.
But I was unable to reclaim it. I was more worried they'd spam my friends.

~~~
samnwa
In messaging with support, they advised that the system would 'automatically'
identify the account as compromised and eventually block it. This doesn't seem
that likely so I will ping them again in a few hours.

------
nip
Somewhat related, I ran (and am still running) into a very uncanny issue
related to another product of Microsoft: Live / Outlook.

When Live and Outlook got merged (IIRC a couple of years ago), my @msn.com
address got an @outlook.com alias.

Unfortunately, this "alias" shouldn't have been one and the email was actually
owned by someone else.

By some sort of failed merging, I hence ended up getting access to someone
else's emails: PayPal related emails, Dropbox access connected to this email
account, private email exchanges, etc.

I tried to reach out to Microsoft but hit (expectedly) a wall.

------
aksss
Anyone using [insert service here] should be using MFA of some sort. This
would solve so many of these problems. It does sound like OP is being hit by a
phishing attack, but assuming it's not that, this can only be a lesson for
everyone to turn on MFA now if you haven't already. Yes, MS' consumer platform
(live, hotmail, outlook, etc) supports it.

~~~
rlpb
Without widespread U2F support, the list of individual MFA secrets I would
have to maintain would be unmanageable. It's not yet reasonable to expect
users to have MFA on all of their accounts; only their most important ones.

~~~
stephenr
I have MFA set up for 29 things, and I don't really see how adding another 229
would make it any less usable.

It’s arguable that something like u2f is more secure but with a good TOTP app
_usability_ is not the problem.

------
z3t4
Try to contact all your contacts and tell them that your Skype account has
been hacked. Also don't give away any personal details unless you are 100%
sure you are dealing with the official support. Your account will likely be
used to scam your friends and family. If you have your voice online somewhere
they can fake it, or just use the chat to impersonate you. Your personal
details and chat history will make it very convincing.

Hi, this is Samnwa, your brother, we talked yesterday about xyz, how is that
going? Btw, could you help me log in to my bank, can't find my key card, can I
use yours? Cool, alright, just enter this number... Oops, I entered it wrong,
let's try this number...

------
kuzee
I experienced the same problem with a very old Skype account. There's no way
to reset my password because it says my Microsoft account doesn't exist. My
guess is they botched the account migrations from Skype to MSFT in a way that
means we can neither prevent account takeovers nor access the Skype account. I
received an email saying my account was being taken over and was given no way to
disavow or prevent it. I'm very frustrated with MSFT security. I'm not even
sure how one can report such a bug.

------
Iolaum
If the password to the account hasn't changed, log in, change back the email
and change the password.

~~~
samnwa
Unfortunately it appears that the password has changed.

------
2rsf
How old was the account? A few years ago they (tried to) move all the
accounts to be Microsoft accounts with better security and policies.

------
gruturo
That's a scary amount of information which is being asked of you. Are you sure
the site asking for it is a genuine Microsoft asset?

~~~
Svip
I lost my password to go through the same process a few years ago, so I can
confirm that yes, they do ask you for a lot of personal information. I did not
get an email asking for it, I went to Skype's website to find support.

Fortunately my account was not in the process of being hacked, so I was more
willing to provide information. Yet despite that, they would not provide me
access to my account, and thus I have not used Skype since.

------
confeit
Did you reuse the password at any other site? Check your haveibeenpawned.

~~~
dev_tty01
Typo. I think you meant haveibeenpwned.com.
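
The password-reuse check confeit suggests, done the way haveibeenpwned.com's Pwned Passwords service expects, as an added example that is not code from this thread or from the service. The real API contract is the public one: GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the password's SHA-1> returns lines of "<remaining 35 hex chars>:<count>", so the password and its full hash never leave your machine. RANGE_RESPONSE below is a constructed stand-in for such a reply so the logic runs offline; its counts and the suffixes other than the first are made up.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

Added example, not code from the thread or from haveibeenpwned.com.
RANGE_RESPONSE is a constructed reply (made-up counts) so the demo runs
offline; fetch_range_live performs the real request and is not called here.
"""
import hashlib
import urllib.request


def sha1_upper(password):
    """Pwned Passwords is keyed on upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """(prefix, suffix): only the 5-character prefix is ever sent to the API."""
    h = sha1_upper(password)
    return h[:5], h[5:]


def count_from_range(suffix, response_text):
    """Scan a range reply for our suffix; 0 means the password was not found."""
    for line in response_text.splitlines():
        got, sep, count = line.strip().partition(":")
        if sep and got.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Real lookup over the network. Add-Padding asks the API to pad the reply
    with dummy zero-count entries so response size does not leak the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed reply for prefix 5BAA6 (SHA-1("password") begins 5BAA61E4C9B9...).
# Only the first suffix is real; the other suffixes and all counts are made up.
# The zero-count line mimics what Add-Padding inserts.
RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
0B3F7E3C5A9C0B0F4D1B3C9E6A5F2D1C0B9:0
"""


def fetch_range_offline(prefix):
    """Stand-in for fetch_range_live that only knows the constructed range."""
    return RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return count_from_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xyz 9981"):
        print(repr(pw), "->", breach_count(pw))
```

To run it against the live service, pass `fetch_range=fetch_range_live`. Any non-zero count means the password should be retired everywhere it was reused, not just on the account that was taken over.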

------
rakibtg
This is most probably a phishing attack.

~~~
samnwa
You would think so but feel free to try a reset / recovery at live.com and you
will see that this is their standard form. That's what is so absurd -- change
an email with no verification, but require next-level verification for the
original owner to secure the account.

