
Skype account hijack technique may affect all users

265 points | dewey | 13 years ago | community.skype.com

66 comments

[+] david_shaw|13 years ago|reply
It's interesting to see a social engineering proof of concept released in this way.

When my company conducts social engineering assessments, whether physical or remote, it always surprises the client to see how high their rates of failure are. We rarely hit below 40% of users willing to change their passwords for us on the phone, and usually more than half of the employees we email an arbitrary URL will enter their password on a cloned webmail portal.

Most security advisories we see are for software vulnerabilities, but it's interesting that "Ximer," the user who posted the linked forum advisory, seemed to map out exactly the information needed to conduct this attack.

Hopefully Skype takes swift action to require more identity verification so this attack doesn't become pervasive... but at the same time, it should be no surprise that "social engineering works."

[+] praptak|13 years ago|reply
> it should be no surprise that "social engineering works."

Is it really social engineering if the employees followed the Microsoft policy, however crappy it might be? I always thought social engineering is making someone break the policy by psychological tricks.

[+] rlt|13 years ago|reply
Am I reading this wrong, or does this guy run a DDoS service?

"Security Researcher, Hacker, Software Developer, http://www.hfempire.net - Cheap DDoS Tool, up to 35+ GBPS Attacks, Bypass DDoS Protection!"

https://twitter.com/TibitXimer

[+] D9u|13 years ago|reply
Your assessment appears to be valid.

http://www.hfempire.net/register

    *Boot Time:*
    *Concurrent Attacks:*
    *Subscription:*
    *Referrer:*
    *Discount Code:*
    *Total Price:   $10.99 USD*
A case of poetic justice if I've ever seen one.

[+] mathgorges|13 years ago|reply
He does, and his service does as it claims.

I manage a school network and despite our ISP provided "DDOS Protected" IPs a single student with a spare $12 was able to keep us down for a week using that service.

Screw that guy.

[+] smsm42|13 years ago|reply
I love it how every computer criminal now calls himself "security researcher". Muggers should start calling themselves "personal security researchers" and burglars should be "house security researchers".

[+] youngtaff|13 years ago|reply
Someone hacked my Skype account back last summer and took out a subscription to Guatemala.

Skype picked it up and locked me out of my account but after that were quite frankly F All use: wouldn't refund the money, wouldn't give me any details as to where my account had been accessed from (citing privacy concerns!!!)

Furthermore they even left the fraudulent subscription in place until I cancelled it.

Don't leave money in a Skype account or hook it up to a credit card

[+] oakaz|13 years ago|reply
Similar story: Last summer I realized that one guy from India was using my Skype account with me at the same time. He was making a lot of phone calls to his girlfriend, and Skype was charging my bank account all the time. I noticed once when he forgot to remove the history before he logged out.

[+] flog|13 years ago|reply
Ditto: Logged in to find a bunch of calls to Pakistan

[+] unreal37|13 years ago|reply
Not sure I trust this. A thread on a forum, where the first 20 posts are just two (sockpuppet?) users talking to each other in full support of each other.

And then he keeps saying "scammers have stolen hundreds of dollars from friends of mine through Skype." And "I've lost the trust of my customers". And the guy runs a DDOS service as his business.

If you hire someone to do DDOS for you, do you trust him?

[+] aashaykumar92|13 years ago|reply
If this is true, I'm glad it reached the front page of HN. Given all the popular services out there which we use with just enough trust to put our privacy in jeopardy, I'm glad a hole is being exposed in such a big service. Hopefully Skype changes their verification practices.

[+] bskap|13 years ago|reply
Skype is switching to use Microsoft Accounts, which have security questions and 2-factor auth. This vulnerability is only for people who haven't switched yet.

[+] ams6110|13 years ago|reply
TL;DR: Social engineering attacks work. I was able to reset my Ameritrade account password by giving the support person the name of one of the stocks in my portfolio (along with some other basic identifying info).

[+] darkarmani|13 years ago|reply
> TL;DR: Social engineering attacks work.

They work against the service company you mean. This is not a normal vector. The company is supposed to be smart enough to not divulge their customer's accounts through social engineering.

[+] stygiansonic|13 years ago|reply
TD Waterhouse works the same way. I was actually surprised at how little information was asked of me when I phoned in.

[+] thebadplus|13 years ago|reply
I think there's a conflict of interest. If you're telling the truth, and they lock you out of your account, then they lose a customer. If an attacker is trying to steal your identity, you suffer much more than Skype.

Thanks for bringing this to my attention.

[+] dewiz|13 years ago|reply
I can't see any conflict of interests. Skype would lose x>1 customers by mistakenly locking out one user who blogs about it. When in doubt you can tell the user the identity verification test didn't go well and ask for extra information about the account, for example checking the IPs.

[+] Morphling|13 years ago|reply
I'm really curious in what legit situation this kind of "account recovery" would be needed.

Like you forgot your email address and/or password so you can't recover your Skype account that way?

[+] plorkyeran|13 years ago|reply
There's plenty of ways people can lose access to the attached email address: signed up with a work email, then left the company; signed up with an ISP email, then switched ISPs; email provider went out of business; Google banned your account. It's useful to have a fallback for those cases.

[+] uvdiv|13 years ago|reply
Are there Skype alternatives which aren't so thoroughly dependent on a third party?

[+] Sprint|13 years ago|reply
https://jitsi.org lets you do voice and video chat on top of XMPP. It's free software and runs on Win/Linux/Mac

[+] jacquesm|13 years ago|reply
SpeakFreely. It's old but it just works.

[+] hmottestad|13 years ago|reply
Can anyone verify this story?

[+] eksith|13 years ago|reply
Something similar happened to a friend of mine 3 months ago, however I didn't have this much detail.

What I did know was that the person who took over his (my friend's) account didn't have his laptop or PC hacked but the hijacker used Skype support instead and involved, what I'm assuming, the same information that the OP's thread mentions.

Interestingly, there's no link to what the moderator was mentioning here:

"Dear All,

The post in question was deleted from this thread as the information was duplicate-posted elsewhere. The post did not directly contribute to the topic.

This thread has been escalated to those to whom I report.

Regards,

Elaine

Community Moderator"

I'm curious to find where that "elsewhere" is. I've never seen a legitimate case of posts being deleted because content was "duplicate-posted elsewhere." At the most, the thread will get locked with a link to wherever "elsewhere" resides.

[+] Guillaumeish|13 years ago|reply
No need to verify, it works. Trust me, trust this stranger from the Internet.

[+] Qantourisc|13 years ago|reply
Hell! Even a bloody e-mail-reset-password is safer than THIS! Good thing I didn't decide to switch from MSN to Skype yet (and drop both) ... but now I've decided.

[+] oddshocks|13 years ago|reply
Across the globe, thousands of free software advocates are completely unaffected.

[+] yoster|13 years ago|reply
Good thing I don't use Skype.

[+] kevinpet|13 years ago|reply
"because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above"

So, what? Is the author expecting Skype to just have some "does this person own the account" crystal ball? What do they want? If it's security questions, I don't consider those much of a solution because the questions tend to be very poor on the ratio of "things I can remember specifically" to "things people can't look up about me".

[+] praptak|13 years ago|reply
There is a huge difference between:

* poor security question, which is up to the user to choose

* poor account recovery policy, which is Microsoft's choice, is the same for all users, and which the user cannot do anything about

[+] Dylan16807|13 years ago|reply
One thing they could do is check if you're still logged in when you call up claiming to need account recovery.