04 December, 2011



How I was hacked – a tale of hijack, XBox Live and FIFA trading cards

Posted: 04 Dec 2011 08:00 AM PST

This week, my Xbox Live account was hacked. This is the story of what happened, my response to it, and the questions about security that it has raised.

The hijack

At twelve minutes past midnight on Tuesday night, just as I was finishing up some work, I received an email to say that I had purchased 6,000 Microsoft Points. My first thought was to laugh it off as spam, as I hadn't bought any points for months, but I thought I should check my console anyway. On switching on my Xbox, I found that I could no longer access my account.

A quick Google search revealed that other Xbox users had been experiencing similar problems, and I realized that my account had been compromised. I tried to contact Xbox Live support, but its helpline was unhelpfully shut for the night.

Trying to think clearly, despite my somewhat bleary late-night state of mind, I logged into my Microsoft account on my PC, and changed the password. I then went through the process of recovering my Xbox Live account on my console dashboard, which involved entering my Windows Live ID and the new password. On seeing my account again, I was relieved, but also surprised to note that it had been used to play FIFA 12, the popular Electronic Arts soccer game.

The loot

My next move was to contact my credit card provider. The customer service adviser at the bank revealed that there had indeed been a transaction to Xbox Live that night, for £51 (about $80), and they immediately cancelled my card. I was told to phone again once the transaction went through, as it would then be reversed, and dealt with as fraud. Thankfully I use a decent bank and the issue was dealt with quickly and efficiently from that end. I am not sure that every victim of such an attack will be so lucky with their card issuer.

The response

The next morning, I successfully contacted Xbox Live support, explaining in detail what had happened. The adviser confirmed that my account had been used to purchase 6000 Microsoft Points, and intimated that these points had been spent on FIFA 12 Ultimate Team packs. To add insult to injury, it seemed that the hacker had also used up my own, admittedly rather paltry, supply of MS Points during their spending spree.

Confirmation of these Ultimate Team card purchases was found when I checked my console, to find these three new achievements staring back at me:

New Club in Town – 5G – Create your FIFA 12 Ultimate Team club
I’ll Have That One – 10G – Open your first pack in FIFA 12 Ultimate Team
How Great is That? – 20G – Find a team of the week player in an Ultimate Team pack

Quite a kick in the teeth, but hey, at least someone got some pleasure out of those 35G.

The Ultimate Team packs of football cards that were purchased, containing various players that can be used in the game, are apparently transferable between Xbox Live accounts. This allows a hacker to buy them with a hijacked account and then send them to their own account, for their own purposes. Scouring the internet, it appears that the rarer cards are being traded for cash, through forums and online auction sites, with some fetching as much as $280.

I was told by Microsoft Customer Support that my account would be suspended, pending an investigation, which could take between 21 and 30 days to complete. My existing points would apparently be restored once the investigation was complete, and the £51 that had been fraudulently spent would also be refunded (I said this was not necessary, due to the actions being taken by my bank). In the meantime, I would be unable to access my Xbox Live account, and would only be able to play my console offline.

A widespread problem?

Such hacking of Xbox Live accounts, particularly for the purchase of FIFA items, has been widely reported in the past few weeks, both in the specialist and mainstream press. There have also been multiple occurrences of such hacking reported on a variety of websites, including the official Xbox forum and Twitter.

Questions have been asked of Microsoft, as to whether its security is up to scratch, and the response has been that this is not a wider security breach, but rather individual cases of malicious activity.

I approached Microsoft with some questions on this hacking issue, and a spokesman responded with the following statement:

"It is important for us to reconfirm that the Xbox Live service has not been hacked. Some of our customers have been the victims of internet fraud on their accounts. This is a frequent issue that all internet and e-commerce sites and services experience every day. These threats include phishing, brute force attacks, malware, third-party security breaches and in-game scamming / social engineering.

Customers who use the same identity and log-in details across multiple online sites and services are more vulnerable to these everyday internet threats. As ever, we advise customers to be vigilant, and provide further advice on account security across Xbox 360, internet websites and email at www.xbox.com/security.

Of the tens of millions of Xbox Live customers (there are 35 million active members) using the service daily, these issues are affecting a very small percentage of users globally.

Security in the technology industry is an ever-evolving challenge. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time, account security features have been added to help protect our customers' accounts, and we will continue to add features and processes.

As always, Xbox Live customers who have any queries or concerns should contact Xbox Live Customer Service on 0800 587 1102 [in the UK] or visit www.xbox.com/security."

So, according to Microsoft, this issue is only affecting a small percentage of global users, but that does not stop it being an issue that raises some pretty big questions, and it is deserving of further investigation.

How is this happening?

The Microsoft statement suggests that these compromises begin with account details being obtained through a variety of malicious methods, rather than through a breach of the service itself. The nature of Xbox Live is such that an account can be 'recovered' on a second console by anyone who has the Windows Live ID and password of that user; no other proof of ownership is asked for. That results in the account being locked on the original console, as I experienced. With card details stored on Microsoft's servers, anyone hijacking an account in this way is then able to make purchases on Xbox Live using the payment card linked to that account, without ever having seen the card itself.
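The sequence described above (recovery onto an unfamiliar console, then a points purchase minutes later) is exactly the kind of pattern a service-side detection could flag before the money leaves. The Python below is an added example written for this page, not code from the post or from Microsoft; the event field names (`ts`, `account`, `event`, `device`, `points`) and every sample record are constructed for illustration and do not reflect any real Xbox Live log format.

```python
# Added example, not from the original post: flag the takeover pattern
# described above in an event log -- an account 'recovered' onto a console it
# has never been seen on, followed within a short window by a points purchase
# from that same console. The event fields and all sample data are constructed
# for illustration; they are not a real Xbox Live log format.
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample events (assumed field names: ts, account, event, device).
SAMPLE_EVENTS: List[dict] = [
    {"ts": "2011-11-29T19:02:11", "account": "alice", "event": "login",
     "device": "console-A1"},
    {"ts": "2011-11-30T00:09:40", "account": "alice", "event": "account_recovered",
     "device": "console-Z9"},
    {"ts": "2011-11-30T00:12:03", "account": "alice", "event": "points_purchase",
     "device": "console-Z9", "points": 6000},
    {"ts": "2011-11-30T00:15:20", "account": "alice", "event": "game_session",
     "device": "console-Z9", "title": "FIFA 12"},
    # bob recovers onto a console he has used before: a legitimate re-download.
    {"ts": "2011-11-28T18:00:00", "account": "bob", "event": "login",
     "device": "console-B2"},
    {"ts": "2011-11-30T10:00:00", "account": "bob", "event": "account_recovered",
     "device": "console-B2"},
    {"ts": "2011-11-30T10:05:00", "account": "bob", "event": "points_purchase",
     "device": "console-B2", "points": 800},
    # carol recovers onto a new console but buys nothing for hours.
    {"ts": "2011-11-30T12:00:00", "account": "carol", "event": "login",
     "device": "console-C3"},
    {"ts": "2011-11-30T12:30:00", "account": "carol", "event": "account_recovered",
     "device": "console-C7"},
    {"ts": "2011-11-30T16:00:00", "account": "carol", "event": "points_purchase",
     "device": "console-C7", "points": 400},
]


def find_suspicious_takeovers(events: List[dict], window_minutes: int = 30) -> List[dict]:
    """Return one alert per account whose recovery onto a previously unseen
    device is followed, within `window_minutes`, by a points purchase from
    that same device.

    Devices are learned from the stream itself: a device counts as 'known'
    for an account once any earlier event for that account came from it.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    known: Dict[str, Set[str]] = {}
    pending: Dict[str, dict] = {}  # account -> latest recovery onto a new device
    alerts: List[dict] = []

    for e in ordered:
        acct, dev = e["account"], e["device"]
        ts = datetime.fromisoformat(e["ts"])
        seen = known.setdefault(acct, set())

        if e["event"] == "account_recovered" and dev not in seen:
            pending[acct] = {"device": dev, "ts": ts}
        elif e["event"] == "points_purchase":
            rec = pending.get(acct)
            if rec and rec["device"] == dev and ts - rec["ts"] <= window:
                alerts.append({
                    "account": acct,
                    "device": dev,
                    "recovered_at": rec["ts"].isoformat(),
                    "purchased_at": ts.isoformat(),
                    "minutes_after_recovery": round((ts - rec["ts"]).total_seconds() / 60, 1),
                    "points": e.get("points"),
                })
                pending.pop(acct)

        # Whatever the event was, the account has now been seen on this device.
        seen.add(dev)

    return alerts


if __name__ == "__main__":
    for a in find_suspicious_takeovers(SAMPLE_EVENTS):
        print(f"{a['account']}: recovered on {a['device']} at {a['recovered_at']}, "
              f"{a['points']} points bought {a['minutes_after_recovery']} min later")
```

With the default 30-minute window only alice is flagged: bob's recovery is onto a console already tied to his account, and carol's purchase comes hours after hers. Widening the window to a few hours catches carol too, which is the usual tuning trade-off between catching slower fraud and paging on legitimate new-console setups.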

Why me?

While I cannot dispute that I may have been hacked through some third-party breach, I would be surprised if that was actually the case. I am pretty careful with my passwords, having four or five that I tend to use for different websites, which I regularly change. I have never responded to a fake 'phishing' email and I keep my PC clean, using anti-virus and anti-spyware software.

Looking at other reports of Xbox Live hacking, it is clear that I am not the only one asking this question – a question that remains unanswered.

Filed under: games, VentureBeat

This posting includes an audio/video/photo media file: Download Now

SAP acquires SuccessFactors for $3.4 billion

Posted: 03 Dec 2011 08:31 PM PST

SAP has announced plans to acquire cloud-based business software provider SuccessFactors for $40 per share, a 52 percent premium over the company’s closing price of $26.25 on December 2. The deal is worth $3.4 billion.

SuccessFactors provides online tools for managing employee performance, including performance management, setting goals and managing to them, setting compensation accordingly, and training. Its stated mission is to make each customer “a more meritocratic place to work, where promotion and pay is based on performance and not politics.”

By acquiring SuccessFactors, SAP — a giant in legacy enterprise software — is making a big move to establish a presence in cloud services. It will have major challenges integrating SuccessFactors into its complex array of enterprise offerings, however.

SuccessFactors went public in 2007 and has made a string of acquisitions of its own over the years, including Jambok, a company that provided video education for employees; YouCalc, a business analytics software firm; and CubeTree, a social network for businesses (sort of like a Facebook for businesses).

SuccessFactors’ 3,500 customers (across 168 countries) pay for a total of 15 million subscription seats, making it one of the largest cloud companies in the world. Although it lost money in its early, pre-IPO days, the company stated that it posted 77 percent revenue growth year-over-year in the third quarter of 2011 and 59 percent revenue growth year-over-year in the first nine months of 2011.

SuccessFactors was founded in 2001 by Lars Dalgaard. It is based in San Mateo, Calif. and has 1,450 employees. SAP, based in Walldorf, Germany, is one of the world’s largest enterprise software companies.

Hat tip: TechCrunch

Filed under: cloud

When it comes to cell phones, this was the worst. Week. Ever. (video)

Posted: 03 Dec 2011 03:07 PM PST

In this business, sometimes you get the news, and sometimes, the news gets you.

This week, VentureBeat staffers Jolie O’Dell and Chris Peri were saddened and disappointed by news of possible corporate wrongdoing and anti-human bias, all in the arena of mobile technology. We love these little pocket-sized gadgets so much that we end up putting up with a lot of invasion of privacy and software bugginess.

But two of our top stories this week — Siri’s anti-abortion and birth control “glitch” and Carrier IQ’s keystroke logging of 100 million-plus users — cross just about every imaginary line we could draw between what we’ll let corporations get away with for the sake of awesome tech and just plain unacceptable behavior.

Hopefully, we’ll be able to come back next week with better news, but for now, we encourage you to keep fighting the good fight by letting companies, including manufacturers and carriers, know when they’re letting you down.

Filed under: mobile, video

Find out if your Android phone has Carrier IQ spyware with this app

Posted: 03 Dec 2011 02:57 PM PST

Carrier IQ is an insanely invasive bit of software, and it’s on at least 100 million phones, entirely without the owners’ knowledge.

If you use an Android device, there’s now a simple way to find out if Carrier IQ is already installed on your phone.

We first showed you how Carrier IQ works earlier this week. Basically, it’s low-level mobile software that tracks everything you do — your apps, your phone calls, your locations and even your text messages, perhaps keystroke by keystroke — and then stores the data and sends it to your mobile carrier.

One mobile developer, Trevor Eckhart, took it upon himself to find out how Carrier IQ actually works, and the Internet has been in an uproar over the blatant invasion of privacy ever since.

We wouldn’t be sounding the alarm about this software if it wasn’t incredibly widespread. In early 2009, when Carrier IQ was raising a $20 million funding round, the company said its software was already installed on 35 million cell phones through seven mobile vendors.

However, by the middle of last year, when the company raised another $12 million round, it told VentureBeat its software had been deployed on more than 90 million mobile devices by 12 leading vendors worldwide.

So if you’re concerned about your privacy or if you just want to know whether or not Carrier IQ is on your Android phone, here’s the app to check out: Carrier IQ Detector [Android Market link].

This new app comes from Lookout Labs, a mobile security firm. Lookout’s Tim Wyatt writes, “While there are a number of blogs that have posted instructions on how to detect and/or remove Carrier IQ software, these are largely technical in nature and difficult for the average user to follow.”

Wyatt notes that it is still unclear just how invasive or unwarranted Carrier IQ’s tracking of data might be, but he does say, “We're encouraged that the mobile community is paying increasing attention to privacy risks associated with their mobile data.”

While knowing whether or not you’re currently running Carrier IQ is half the battle, actually getting the software off your phone is, especially for the less technical, an almost impossible task involving rooting the phone and installing a new mobile OS. Several guides for Carrier IQ removal are available online, but perhaps the best course of action is for consumers to raise a stink about the software, get carriers’ attention, and force these companies to take our collective privacy a bit more seriously in the future.

Filed under: mobile, security

The icon designer who helped make the Macintosh so darn cute

Posted: 03 Dec 2011 02:33 PM PST

Susan Kare's "Happy Mac" icon

When it appeared in 1984, the Macintosh blew people away with its graphical interface, its mouse, and its unusual industrial design.

It also charmed customers with its cute, approachable icons, from the smiling Mac that appeared while it was booting to the bomb that popped up when something went terribly wrong. The Mac’s many icons were the work of Susan Kare, a painter who landed at Apple at just the right time and came to play a key role in the original Macintosh team. Kare started sketching icons on graph paper using markers, and eventually wound up designing many of the interface elements in the Mac. Her designs helped shape the personality of the Mac, giving it a touch of whimsy and friendliness not seen in computers before.

Kare went on to design icons for Windows, OS/2 and even designed the Solitaire deck that shipped with Windows. She’s just come out with a retrospective book showcasing her work, Susan Kare ICONS, and it’s a great opportunity for students of design to stop and consider what separates interfaces that people merely use from the ones that people actually love. You can also buy fine art prints of her classic icons from her site.

Susan Kare's dog icon, aka Clarus the Dogcow

There aren’t too many designers whose work can honestly be described as “iconic,” but in Kare’s case, that adjective is true both literally and figuratively.

VentureBeat interviewed Kare via e-mail recently. Here’s the (lightly edited) text of our exchange.

Did you try many different versions of your classic Mac icons before settling on the right ones?

It was definitely an iterative process. I always like to work with placeholders and tweak and improve images while there’s time. I remember trying a lot of different images for “copy” (some involving mirrors) and “undo.” Abstract nouns and verbs are always tough.

Susan Kare's bomb icon

Lots of people must be designing icons now, for websites and software. What are some examples that you really admire?

Never say never, but I tend to prefer simple imagery for user interfaces without too much detail. I remember reading in Scott McCloud’s book, Understanding Comics, why more people can “see” themselves in a simple smile face graphic than a detailed drawing of Prince Valiant. This principle applies to icons: Universality is good. So a very detailed, very specific icon of a certain type of writing implement seems less effective as a symbol.

One detail: I can never understand why the red circle-with-slash is occasionally used to mean “delete” when it means something is prohibited.

Susan Kare alert icon

Your icons play a huge role in the personality and approachability of the interfaces they appear in. They’re also very clear and understandable. What advice do you have for people designing interfaces or websites?

Thank you! I try to think hard about the meaning of icons and look at them in context (in a mockup) and exercise restraint. You don’t want the UI to compete with the data.

What are you really excited about that’s just coming up in terms of computer design or interface design?

The thermostat from Nest looks great!

It seems like you sort of fell into icon design by being in the right place at the right time. Yet this is a seemingly very limited medium. Are you able to express yourself as an artist through computer icons? Or do you have other outlets (like painting)?

Some projects have many constraints in terms of limited screen real estate or palette, but the problems to solve are always interesting. I also love working on logos and working with type. And I have always enjoyed making sculpture.

Susan Kare icon portrait of Steve Jobs in 1983

Images courtesy Susan Kare.

Filed under: VentureBeat

Science: the new “women’s work” (video)

Posted: 03 Dec 2011 01:31 PM PST

Women in science have a rough go of it, especially as they enter the post-doctoral phase that coincides with many ladies’ late 20s.

In this video, we chat with Elizabeth Iorns, a co-founder of Science Exchange, a Y Combinator startup focused on optimizing research and the use of high-dollar scientific equipment through technology.

In this interview, Iorns talks about women dropping out of science work as they enter the baby-makin’ phase of life, about being a minority (both in age and gender) in her Y Combinator incubator class, and about what it’s really like to work with Paul Graham.

Enjoy the vid, and stay tuned for more.

Filed under: video

Tetris for iOS relaunches with new fees & subscriptions that have users puzzled

Posted: 03 Dec 2011 11:40 AM PST

EA has just relaunched its iOS version of Tetris [iTunes link], the popular puzzle game beloved of all kinds of players, from the casual commuter to the hardcore arcade nerd.

However, the game’s new pricing structure isn’t so beloved, as it turns out.

The game itself costs $0.99, which alone isn’t unreasonable. However, the $30-per-year subscription fee has raised some eyebrows.

The latest version of the game brings along some new features, such as a “Galaxy Mode” and a “Marathon One-Touch Mode,” which was created specifically with touchscreen gamers in mind. You even get the famous 8-bit theme song, Korobeiniki.

But the feature that’s got everyone up in arms is the T-Club, a $2.99-per-month (or $30 a year, if you’re feeling committed) “elite” set of digital ephemera that lets users “gain an advantage with bonus lines and T-Coins.”

Users who don’t opt into the T-Club are required to log into Origins, the software’s social component that is also the only other way to save one’s scores in the game.

The game also packs new social components and in-app T-Coin purchases for extras and power-ups, which some users will enjoy and others will despise.

As one irate review wrote, “This would easily be the best Tetris remake to date, not for the in-app purchases and social network logins.

“To pay for a game then be required to keep purchasing over and over to get five stars on a level is just despicable… And also note if you bought the last Tetris game from EA, they have removed it from the app store for this garbage.”

Filed under: games, VentureBeat