Xbox Live Support Falls Victim To Pretexting

    March 27, 2007

Data privacy and security are at the forefront of concerns facing companies looking to make the most of the Web 2.0 phenomenon. So much information is available these days on user habits and search histories.

With that in mind, it’s interesting to see how the Xbox Live community is up in arms over the hijacking of numerous accounts. The interesting note here is that the Xbox Live support team are the ones responsible for handing out user information to the hijackers.

Normally, you’ll find that online companies have creeds or mission statements assuring the utmost standards of security for the user data they house. The actual safety of that data, however, comes into serious question when put under a microscope. Careful examination reveals that anyone halfway decent at pretexting can convince support personnel to cough up sensitive information.

Okay, so what is pretexting? From Wikipedia:

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone. It’s more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g., for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

If hackers were so easily able to obtain access to multiple Xbox Live accounts, what is to stop them from calling up banks, credit card agencies, and other institutions and using the same method to get their hands on financial records, account numbers, and PIN codes?

The naiveté that fuels the notion of data privacy on the Internet, or anywhere else for that matter, is pretty dangerous. Ironically enough, there may be only one person who has any real power to keep your information secure — you.