
Skype account hijack technique may affect all users - dewey
http://community.skype.com/t5/Security-Privacy-Trust-and/URGENT-Skype-Support-Account-Security-Issue-CAN-AFFECT-ALL-USERS/td-p/1552372
======
david_shaw
It's interesting to see a social engineering proof of concept released in this
way.

When my company conducts social engineering assessments, whether physical or
remote, it always surprises the client to see how high their rates of failure
are. We rarely hit below 40% of users willing to change their passwords for us
on the phone, and usually more than half of the employees we email an
arbitrary URL will enter their password on a cloned webmail portal.

Most security advisories we see are for software vulnerabilities, but it's
interesting that "Ximer," the user who posted the linked forum advisory,
seemed to map out exactly the information needed to conduct this attack.

Hopefully Skype takes swift action to require more identity verification so
this attack doesn't become pervasive... but at the same time, it should be no
surprise that "social engineering works."

~~~
praptak
> it should be no surprise that "social engineering works."

Is it really social engineering if the employees followed the Microsoft
policy, however crappy it might be? I always thought social engineering is
making someone break the policy by psychological tricks.

~~~
david_shaw
_> Is it really social engineering if the employees followed the Microsoft
policy_

I'd say that the attack vector is still social engineering; the difference
here is that the result is not based in policy failure.

Normally we recommend that clients require their employees to attend security
awareness training, in order for them to understand social engineering risks
and remind them to follow the correct policies that are put in place.

In this instance, however, there is no policy being broken. My summation of
the issue would be that it is a policy failure being exploited by a social
engineering attack vector.

------
rlt
Am I reading this wrong, or does this guy run a DDoS service?

"Security Researcher, Hacker, Software Developer, <http://www.hfempire.net> -
Cheap DDoS Tool, up to 35+ GBPS Attacks, Bypass DDoS Protection!"

<https://twitter.com/TibitXimer>

~~~
mathgorges
He does, and his service does as it claims.

I manage a school network and despite our ISP-provided "DDOS Protected" IPs a
single student with a spare $12 was able to keep us down for a week using that
service.

Screw that guy.

~~~
venomsnake
Make him sysadmin. That was the only way me and my classmates were reined in
while in high school.

~~~
iSnow
>Make him sysadmin.

Thereby incentivizing this behavior? I think not. Next thing you know, he'll
imagegrab each and every mail account belonging to a female student.

------
youngtaff
Someone hacked my Skype account back last summer and took out a subscription to
Guatemala.

Skype picked it up and locked me out of my account but after that were quite
frankly F All use: wouldn't refund the money, wouldn't give me any details as
to where my account had been accessed from (citing privacy concerns!!!)

Furthermore they even left the fraudulent subscription in place until I
cancelled it.

Don't leave money in a Skype account or hook it up to a credit card

~~~
oakaz
Similar story: Last summer I realized that one guy from India was using my
Skype account with me at the same time. He was making a lot of phone calls to
his girlfriend, and Skype was charging my bank account all the time. I noticed
once when he forgot to remove the history before he logged out.

------
unreal37
Not sure I trust this. A thread on a forum, where the first 20 posts are just
two (sockpuppet?) users talking to each other in full support of each other.

And then he keeps saying "scammers have stolen hundreds of dollars from
friends of mine through Skype." And "I've lost the trust of my customers". And
the guy runs a DDOS service as his business.

If you hire someone to do DDOS for you, do you trust him?

------
aashaykumar92
If this is true, I'm glad it reached the front page of HN. Given all the
popular services out there which we use with just enough trust to put our
privacy in jeopardy, I'm glad a hole is being exposed in such a big service.
Hopefully Skype changes their verification practices.

~~~
bskap
Skype is switching to use Microsoft Accounts, which have security questions
and 2-factor auth. This vulnerability is only for people who haven't switched
yet.

~~~
meritt
Haven't switched? You say that like Skype is actually forcing or even
suggesting users switch. I just logged into my account. Aside from a
'Microsoft Accounts' button on the login screen, there isn't a single thing
about MS Accounts let alone "you need to change your account!"

So, I'm going to wager this vulnerability affects about 99.99% of the users.

~~~
corin_
I've no idea if it's more like 10% or 90%, but I'm sure a lot lower than
99.99%.

People who used both Skype and MSN (Live Messenger) were shifted from MSN to
Skype and now use their Microsoft account to connect to both lists of contacts
in Skype. So it's not just for the geeky few who have set this up.

Second thought: last I checked, I could log in to Skype with both my old
username and my Microsoft account, but my Skype username didn't allow me to
view MSN contacts. So if that's still the case, then I guess this would affect
100% of people, even those who have made the switch.

~~~
mcintyre1994
I thought it was just merging the accounts? I login with my skype name, and
can talk with all my MSN contacts there. All the 'switch' does is add your MSN
contacts, and give you a second way to log in. As far as I can tell, this
affects everybody.

------
ams6110
TL;DR: Social engineering attacks work. I was able to reset my Ameritrade
account password by giving the support person the name of one of the stocks in
my portfolio (along with some other basic identifying info).

~~~
darkarmani
> TL;DR: Social engineering attacks work.

They work against the service company you mean. This is not a normal vector.
The company is supposed to be smart enough to not divulge their customers'
accounts through social engineering.

~~~
lucb1e
> _supposed to be smart enough_

You should ask Kevin Mitnick about that :)

------
littletables
I wrote this article (same title as HN post above) 27 Apr 2013 02:40 PDT.

Here it is in its entirety with updates as of ten minutes ago:
[http://www.zdnet.com/alert-skype-account-hijack-technique-ma...](http://www.zdnet.com/alert-skype-account-hijack-technique-may-affect-all-users-7000014611/)

------
thebadplus
I think there's a conflict of interest. If you're telling the truth, and they
lock you out of your account, then they lose a customer. If an attacker is
trying to steal your identity, you suffer much more than Skype.

Thanks for bringing this to my attention.

~~~
dewiz
I can't see any conflict of interests. Skype would lose x>1 customers by
mistakenly locking out one user who blogs about it. When in doubt you can
tell the user the identity verification test didn't go well and ask for extra
information about the account, for example checking the IPs.

------
Morphling
I'm really curious in what legit situation this kind of "account recovery"
would be needed.

Like you forgot your email address and/or password so you can't recover your
Skype account that way?

~~~
plorkyeran
There are plenty of ways people can lose access to the attached email address:
signed up with a work email, then left the company; signed up with an ISP
email, then switched ISPs; email provider went out of business; Google banned
your account. It's useful to have a fallback for those cases.

~~~
adir1
With the little amount of information Skype requires when signing up, I think
a fallback option is just not feasible. If you left the company or the email
provider went out of business - and you forgot to switch your email AND THEN
you forgot your password??! Just sign up for a new Skype account...

------
uvdiv
Are there Skype alternatives which aren't so thoroughly dependent on a third
party?

~~~
Sprint
<https://jitsi.org> lets you do voice and video chat on top of XMPP. It's
free software and runs on Win/Linux/Mac.

------
hmottestad
Can anyone verify this story?

~~~
eksith
Something similar happened to a friend of mine 3 months ago, however I didn't
have this much detail.

What I did know was that the person who took over his (my friend's) account
didn't have his laptop or PC hacked but the hijacker used Skype support
instead and involved, what I'm assuming, the same information that the OP's
thread mentions.

Interestingly, there's no link to what the moderator was mentioning here:

"Dear All,

The post in question was deleted from this thread as the information was
duplicate-posted elsewhere. The post did not directly contribute to the topic.

This thread has been escalated to those to whom I report.

Regards,

Elaine

Community Moderator"

I'm curious to find where that "elsewhere" is. I've never seen a legitimate
case of posts being deleted because content was "duplicate-posted elsewhere."
At the most, the thread will get locked with a link to wherever "elsewhere"
resides.

~~~
hga
A commenter after that, posting "1 hour ago" like you at the moment, says the
information was on Skype alternatives.

I can just imagine the Skype forums having that as a high visibility pinned
topic ^_^.

~~~
eksith
Haha! Good point. This would explain why they're trying to limit it to
"elsewhere", presumably off their forums altogether.

Speaking of alternatives, I found Jitsi to be pretty good (
<https://jitsi.org/> ) and best of all, it's Open Source. A friend of mine
uses Viber although it has had security hiccups lately.

------
Qantourisc
Hell! Even a bloody e-mail-reset-password is safer than THIS! Good thing
I didn't decide to switch from MSN to Skype yet (and drop both) ... but now I
decided.

------
oddshocks
Across the globe, thousands of free software advocates are completely
unaffected.

------
yoster
Good thing I don't use Skype.

------
kevinpet
"because Skype support didn't verify if the person owned the account or not,
just wanted those 3 points mentioned above"

So, what? Is the author expecting Skype to just have some "does this person
own the account" crystal ball? What do they want? If it's security questions,
I don't consider those much of a solution because the questions tend to be
very poor on the ratio of "things I can remember specifically" to "things
people can't look up about me".

~~~
praptak
There is a huge difference between:

* a poor security question, which is up to the user to choose

* a poor account recovery policy, which is Microsoft's choice, is the same for all users and which the user cannot do anything about

