Alert: Skype account hijack technique may affect all users

After six malicious takeovers of his Skype account, a frustrated security researcher has posted his attempts to get Skype's help. Here's how to protect yourself.
Written by Violet Blue, Contributor

According to security researcher @TibitXimer (a.k.a. Dylan), his Skype account was stolen six times, and he now claims that all Skype user accounts are vulnerable to the same fate because of Skype's flimsy account recovery practices, which, as he discovered the hard way, are especially thin when contacting customer service.

When he contacted Skype support, the reps did not appear to acknowledge that the issue was immediate, or that it kept repeating.

Perhaps that is because his account had been hijacked through basic social engineering rather than hacked: as he then learned, the weak point was the process of contacting customer service itself.

New update Monday April 10:20am PST: Response from Microsoft/Skype suggests customers will need to solve this problem themselves. Microsoft/Skype tells ZDNet through our contact form, "We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification" and "our customer support agents remain available to help customers as needed." See the entire statement at page bottom.

Four hours ago (as of this writing), @TibitXimer explained in detail on the Skype community forums what happened when his account was repeatedly hijacked, and the too-simple reclamation process he repeated each time:

It was stolen around 3pm on the first day. I recovered it through Skype support (...) within 30 minutes. In less than 2 hours after recovering my account, it was stolen by another person. [My] Skype was then [re-]recovered by a friend of mine while I was at dinner.

When I got back and changed the info to my own again, it was stolen later that evening. Another friend recovered it for me and tried to keep the scammer out of my account. 

According to @TibitXimer, Skype only requires three points for account recovery:

  • 3-5 of the Skype account holder's contacts
  • One email address the account holder used on Skype at any point
  • Account holder's first and/or last name

@TibitXimer goes on to relate that a spammer commandeered his account - and holds Skype responsible:

(...) because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above, my account was used to scam people out of hundreds of dollars, along with damaging my reputation for my product's security due to thinking I had low security on my Skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with end-users (me in this case).

In @TibitXimer's description of his account's theft-and-recovery ordeal, when the account was nabbed as he slept, his colleague got Skype support on chat (a screenshot of the chat, with personal information redacted, accompanied his post).

Thankfully, support added a further query: whether Dylan had purchased Skype premium in the past.

Dylan's colleague answered yes, and obtained the account using @TibitXimer's name, email address, and:

5 people he knew I had added on Skype, since I had over 800 contacts, and a random month (he used March 2013, when I was not a Skype premium customer and haven't been since last November).

Dylan has since emailed Skype support twice attempting to have his account suspended to stop the situation, but as of this writing, the suspension had not been put into effect.

A Skype account email-hijack issue surfaced five months ago, when it emerged on a Russian website that hijackers could sign up for a new account using an email address already in use, and could continue setting up the account so as to receive the victim's password reset notification and token. Skype fixed the issue within hours.

However, Skype has never had a good track record for verifying actual ownership of email addresses.

Time to change Skype's recovery policy?

Frustrated and worried, @TibitXimer has strongly suggested that Skype add the following to its customer security practices as soon as possible:

  • Security Questions
  • 2-factor Authentication
  • Good Support that looks into these issues
  • Support that can understand plain English and follow through with the request correctly instead of mistaking my clear request for something different.
  • 24/7 support
  • A real security policy to actually verify ownership of accounts
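To make concrete why the three-point recovery process described above fails and what the suggested fixes change, here is an added example (not Skype's code, nor @TibitXimer's) that replays a constructed timeline modelled on his account: a policy that grants recovery on knowledge facts alone is compared with one that demands a possession factor (a code sent to the verified email or a 2FA token) and refuses to auto-grant repeated recoveries of the same account within a day. All names, dates and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of a support-desk recovery request; field names are hypothetical.
@dataclass
class RecoveryRequest:
    account: str
    when: datetime
    contacts_named: int        # how many of the holder's contacts the caller can list
    knows_email: bool          # any email ever used on the account
    knows_name: bool           # first and/or last name
    possession_proof: bool = False  # code from the verified email or a 2FA token

def weak_policy(req, history):
    """The process the article describes: public-ish knowledge alone is enough."""
    return req.contacts_named >= 3 and req.knows_email and req.knows_name

def hardened_policy(req, history, max_recoveries=2, window=timedelta(hours=24)):
    """Requires a possession factor and locks the account after repeated recoveries."""
    recent = [h for h in history if h.account == req.account and req.when - h.when <= window]
    if len(recent) >= max_recoveries:
        return False  # velocity lock: route to human review instead of auto-granting
    return req.possession_proof and weak_policy(req, history)

def evaluate(requests, policy):
    """Replays requests in time order; returns the timestamps of granted recoveries."""
    granted = []
    for req in sorted(requests, key=lambda r: r.when):
        if policy(req, granted):
            granted.append(req)
    return [g.when for g in granted]

# Constructed timeline echoing the article: stolen around 3pm, recovered within
# 30 minutes, stolen again under 2 hours later, recovered by a friend, stolen that evening.
DAY = datetime(2013, 4, 27)  # arbitrary constructed date
TIMELINE = [
    RecoveryRequest("dylan", DAY + timedelta(hours=15), 5, True, True),                          # hijacker
    RecoveryRequest("dylan", DAY + timedelta(hours=15, minutes=30), 5, True, True, True),         # owner
    RecoveryRequest("dylan", DAY + timedelta(hours=17), 3, True, True),                          # hijacker
    RecoveryRequest("dylan", DAY + timedelta(hours=18), 5, True, True, True),                    # friend
    RecoveryRequest("dylan", DAY + timedelta(hours=22), 4, True, True),                          # hijacker
]

if __name__ == "__main__":
    print("weak policy grants:", len(evaluate(TIMELINE, weak_policy)))          # 5
    print("hardened policy grants:", len(evaluate(TIMELINE, hardened_policy)))  # 2
```

Under the weak policy every request, including the three hijack attempts, is granted; under the hardened policy only the two requests carrying a possession factor succeed, and the same-day velocity check would have escalated the account to a human before a sixth takeover.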

In the meantime, a strong recommendation for Skype users is to change their Skype account email address to one that is unique (not used anywhere else).

One suggestion would be to modify your Gmail address with these techniques. Another good idea is to learn how to protect yourself from basic social engineering: read Veracode's Hacking The Mind: How and Why Social Engineering Works.

ZDNet has reached out to Skype for comment, and will update this piece with developments.

Update Sunday April 27, 7:38pm PST: Skype has not responded to a request for comment, yet emails and comments relate more instances of account hijacking using the same technique. Via the ZDNet contact form:

In regards to the article you did on the Skype account hijacking, I would like to say that it also happened to me. I also tried the "method" on a Skype account I own and I only needed 3-5 contacts and a country! I actually wrote "I am not sure" or "I forgot this" as answers to most of the questions Skype Support gave me to recover an account. It's ridiculous how easy it is and it needs to be fixed! If you want more information, please email me.

Update Monday April 29, 2:12 am PST: @TibitXimer has contacted ZDNet to say that a Skype forum moderator has deleted similar issue reports but has "escalated the problem to whom I report." After four attempts, @TibitXimer still cannot get his Skype account suspended (despite Skype claiming otherwise), and he adds:

I've talked to at least 6-7 support agents myself and another 4-6 agents gave away my account to those that were hijacking it without actually verifying ownership of my account. It's clearly not just one or two support agents, but the entire support system and Skype's lack of a clear, secure, & efficient security policy.

Update Monday April 29, 10:20am PST: A Skype spokesperson has now provided the following statement via the ZDNet contact form.

I invite you to update your article.
We take the security of our customers extremely seriously, and have been making ongoing enhancements to help protect customers. We have processes in place that would help protect against password reset scenarios such as this, and our customer support agents remain available to help customers as needed.

We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification. For more information about individual accounts, customers can contact Skype by visiting: https://support.skype.com/en/faq/FA1170/how-can-i-contact-skype-customer-service.  -A Skype Spokesperson
