Alert: Skype account hijack technique may affect all users

Summary: After six malicious takeovers of his Skype account, a frustrated security researcher has posted his attempts to get Skype's help. Here's how to protect yourself.

Security researcher @TibitXimer (a.k.a. Dylan) says his Skype account was stolen six times, and he now claims that every Skype account is vulnerable to the same fate because of Skype's flimsy account recovery practices, which, as he discovered the hard way, are especially thin when the recovery goes through customer service.

When he contacted Skype support, reps didn't appear to acknowledge that the issue was immediate... and repeating. 

Perhaps that is because his account had been hijacked through basic social engineering of support staff rather than hacked: he learned that the problem lay in the customer service process itself.

New update Monday April 29, 10:20am PST: Microsoft/Skype's response suggests customers will need to solve this problem themselves. Microsoft/Skype tells ZDNet through our contact form, "We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification" and "our customer support agents remain available to help customers as needed." See the entire statement at the bottom of the page.

Four hours ago (as of this writing) @TibitXimer explained in detail on the Skype community forums what happened when his account was repeatedly hijacked, and the too-simple reclamation process he repeated each time:

It was stolen around 3pm on the first day. I recovered it through Skype support (...) within 30 minutes. In less than 2 hours after recovering my account, it was stolen by another person. [My] skype then was [re-]recovered by a friend of mine while I was at dinner.

When I got back and changed the info to my own again, it was stolen later that evening. Another friend recovered it for me and tried to keep the scammer out of my account. 

According to @TibitXimer, Skype only requires three points for account recovery:

  • 3-5 of the Skype account holder's contacts
  • One email address the account holder used on Skype at any point
  • Account holder's first and/or last name

@TibitXimer goes on to relate that a spammer commandeered his account - and holds Skype responsible:

(...) because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above) my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product's security due to thinking I had low security on my skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with End-users (me in this case).

In @TibitXimer's description of his account's theft-and-recovery ordeal, when the account was nabbed as he slept, his colleague got Skype support on chat (a screenshot of the chat, with personal information redacted, accompanies the original post).

Thankfully support added a further query - whether Dylan had purchased Skype premium in the past.

Dylan's colleague answered yes, and recovered the account using @TibitXimer's name, email address, and:

5 people he knew I had added on Skype since I had over 800 contacts, and a random month (he used March 2013, when I was not a Skype premium customer, and haven't been since last November).

Dylan has since emailed Skype support twice attempting to have his account suspended to stop the situation, but as of this writing, account suspension had not been put into effect.

A Skype account email-hijack issue surfaced five months ago, when a Russian website reported that hijackers could sign up for a new account with an email address already in use, then continue setting up that account so that it received the victim's password reset notification and token. Skype fixed the issue within hours.

However, Skype has never had a good track record for verifying actual ownership of email addresses.

Time to change Skype's recovery policy?

Frustrated and worried, @TibitXimer has strongly suggested that Skype add the following to its customer security practices as soon as possible:

  • Security Questions
  • 2-factor Authentication
  • Good Support that looks into these issues
  • Support that can understand plain English and follow through with the request correctly instead of mistaking my clear request for something different.
  • 24/7 support
  • A real security policy to actually verify ownership of accounts

In the meantime, a strong recommendation for Skype users is to change the email address on their Skype account to one that is unique to Skype (not used anywhere else).

One suggestion would be to modify your Gmail address with these techniques. Another good idea would be to learn how to protect yourself from basic social engineering - read Veracode's Hacking The Mind: How and Why Social Engineering Works.

ZDNet has reached out to Skype for comment, and will update this piece with developments.

Update Sunday April 27, 7:38pm PST: Skype has not responded to a request for comment, but emails and comments report more instances of account hijacking using the same technique. Via the ZDNet contact form:

In regards to the article you did on the skype account hijacking, I would like to say that it also happened to me. I also tried the "method" on a skype account I own and I only needed 3-5 contacts and a country! I actually wrote "I am not sure" or "I forgot this" as answers to most of the questions Skype Support gave me to recover an account. It's ridiculous how easy it is and it needs to be fixed! If you want more information, please email me.

Update Monday April 29, 2:12 am PST: @TibitXimer has contacted ZDNet to say that a Skype forum moderator has deleted similar issue reports but has "escalated the problem to whom I report." After four attempts @TibitXimer cannot get his Skype account suspended (despite Skype claiming otherwise) and he adds,

I've talked to at least 6-7 support agents myself and another 4-6 agents gave away my account to those that were hijacking it without actually verifying ownership of my account. It's clearly not just one or two support agents, but the entire support system and Skype's lack of a clear, secure, & efficient security policy.

Update Monday April 29, 10:20am PST: A Skype spokesperson has now provided the following statement via the ZDNet contact form.

I invite you to update your article.

We take the security of our customers extremely seriously, and have been making ongoing enhancements to help protect customers. We have processes in place that would help protect against password reset scenarios such as this, and our customer support agents remain available to help customers as needed.

We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification. For more information about individual accounts, customers can contact Skype by visiting: https://support.skype.com/en/faq/FA1170/how-can-i-contact-skype-customer-service.  -A Skype Spokesperson

Talkback

78 comments
  • Social Engineering

    When someone falls for Social Engineering attacks I sometimes wonder how smart those people are.

    When you see something like 'Free McDonalds' and 'Check out how this lady kills herself on YouTube', you have to suspect there is something wrong.

    I've never been a victim of Social Engineering thus far. Why? Because I don't click on everything. And then they want to blame Microsoft, Apple or Facebook for their stupidity.
    Dreyer Smit
    • Just wondering ....

      .....the seriousness of this article.
      Wonder.man
      • I asked the same...

        I had something like this happen to my "community skype" account and the easiest fix was to change the attached email address and password to the account. Of course I did it from a non-compromised system for added measures and that was the end of that. Scanned the community system and it had a clean bill of state so I entered in the new login info and all good from there.

        I just wonder why he's making this harder than it needs to be. I mean really, either he has an infected system or this guy has an arterial motive. I'm not saying S.E. isn't an issue or Skype's recovery process couldn't improve, this is just odd to me.
        Free Webapps
        • arterial motive

          What the heck is an "arterial motive"?
          Tony R.
    • Really?

      Did you even read the article? It's not a social engineering victim it's a victim of a flawed system that skype didn't do right.
      CircuitDaemon
      • Perhaps you didn't read the article

        quote
        "When he contacted Skype support, reps didn't appear to acknowledge that the issue was immediate... and repeating.

        Perhaps that is because his account had been hijacked through basic social engineering techniques and not hacked - as then he learned that the problem was with contacting customer service itself."
        end quote
        wizard57m-cnet
        • What social engineering are you referring to?

          Accounts can be accessed via Skype's account recovery procedure.
          spinit
          • That IS "social engineering".

            What did you think Blue was referring to as "social engineering"? Someone other than the account holder calls customer support and impersonates the real account holder.
            mejohnsn
        • Social Engineering

          This is a confusing article, but it appears that the victim of social engineering (TibitXimer) was not the one who fell for it (Skype's Support). It's Skype's reset policy that is susceptible to the engineering - no really, I'm Joe Doe! See, I know my 5 buddies. Find someone who is a techie and for whom you cannot identify 5 "buddies" on-line. They exist, but are rare.
          Mr. Copro Encephalic to You
          • You are right: her writing is bad

            This is not the only way her article is confusing, nor is this the only article of hers written in such a confusing manner.

            No, rather, she does this so often, I am mystified that she has a job with ZDNet.
            mejohnsn
  • I have a better idea

    Don't use Skype! Instead, use Google Voice or some other non MS software.
    slickjim
    • Nah

      Skype has great potential as a mobile gaming app. Just change the name to 'Capture the Flag'.
      Rabid Howler Monkey
    • Right!

      Who cares if hackers own your account, when Google will sell your convos to advertisers already.
      Joe_Raby
      • Who cares that MS already does that.

        So what's the difference.
        jessepollard
        • Very big

          Do I have to explain?!
          AleMartin
          • Sure. Let's see some good fantasy.

            It is right there in the terms of use for Bing.
            jessepollard
    • Ridiculous

      You're trying to blame Microsoft? Really? The problems pre-date Microsoft's acquisition of the company and moreover Skype is a largely independent company that manages its own affairs with very little interference from Redmond. You can't pin this on Microsoft.
      Doctor Demento
      • Oh, Really?

        Why are you so sure they "run their own affairs with very little interference from Redmond"? Some of us can see the MSFT influence even in the ill-advised UI changes they made since the acquisition.
        mejohnsn
    • Just because it's from

      Microsoft you don't want to use it? But would rather use google products? U've gotta be kidding me. Anyways I use both and Skype offers things that google voice doesn't.
      blazing_smiley_face
      • Re: Just because it is from Microsoft you don't want to use it

        For some people, this is enough of justification. Other/same people have the same stance towards "Just because it is from Google" (or Apple, or Oracle, or XYZ). Sometimes it applies to anything from XYZ, sometimes it applies from ABC from XYZ -- plus "we take everything else from XYZ with a grain of salt".

        You need to understand this has nothing to do with "fanboys". Some people out there might know things about certain company's processes that you don't and they might have decided that certain processes are not tolerable for their use. Case in point: IBM's refusal to let Siri on any of their iPhones. Note, IBM did not ban the iPhone, or "anything Apple" -- they however apparently had some clue how Siri functions and didn't agree.

        It is fun to watch/spur all the fanboy talk here, but please -- don't take yourself or your opinion too seriously.
        danbi