Security researcher @TibitXimer (a.k.a. Dylan) says his Skype account was stolen six times, and he now claims all Skype user accounts are vulnerable to the same fate because of Skype's flimsy account recovery practices, which are especially thin, as he discovered the hard way, when contacting customer service.
When he contacted Skype support, reps didn’t appear to acknowledge that the issue was immediate… and repeating.
Perhaps that is because his account was hijacked through basic social engineering rather than a technical attack; as he then learned, the problem lay with customer service itself.
New update Monday April 10:20am PST: Response from Microsoft/Skype suggests customers will need to solve this problem themselves. Microsoft/Skype tells ZDNet through our contact form, “We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification” and “our customer support agents remain available to help customers as needed.” See the entire statement at page bottom.
@skypesupport my skype was given away to over 6 people in one day due to them just knowing my email, name, and 5 contacts on my account
Four hours ago (as of this writing) @TibitXimer explained in detail on the Skype community forums what happened when his account was repeatedly hijacked, and the too-simple reclamation process he repeated each time:
It was stolen around 3pm on the first day. I recovered it through Skype support (…) within 30 minutes. In less than 2 hours after recovering my account, it was stolen by another person. [My] skype then was [re-]recovered by a friend of mine while I was at dinner.
When I got back and changed the info to my own again, it was stolen later that evening. Another friend recovered it for me and tried to keep the scammer out of my account.
According to @TibitXimer, Skype only requires three points for account recovery:
- 3-5 of the Skype account holder’s contacts
- One email address the account holder used on Skype at any point
- Account holder’s first and/or last name
(…) because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above) my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product's security due to thinking I had low security on my skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with end-users (me in this case).
In @TibitXimer’s description of his account’s theft-and-recovery ordeal, when the account was nabbed as he slept, his colleague got Skype support on chat (image of chat here, personal information redacted).
@tibitximer @skypesupport I witnessed his account get stolen, was horrible. You should be ashamed of yourselves and your product.
Thankfully support added a further query – whether Dylan had purchased Skype premium in the past.
Dylan's colleague answered yes, and then obtained the account using @TibitXimer's name, email address, and:
5 people he knew I had added on Skype since I had over 800 contacts, and a random month (he used March 2013, which I was not a Skype premium customer at that time and haven’t been since last November).
Dylan has since emailed Skype support twice attempting to have his account suspended to stop the situation, but as of this writing, account suspension had not been put into effect.
A Skype account email-hijack issue surfaced five months ago, when it was learned on a Russian website that hijackers could sign up for a new account with an email address already in use, then continue setting up the account to receive the victim's password reset notification and token. Skype fixed the issue within hours.
However, Skype has never had a good track record for verifying actual ownership of email addresses.
Time to change Skype’s recovery policy?
Frustrated and worried, @TibitXimer has strongly suggested that Skype put the following security practices in place as soon as possible:
- Security Questions
- 2-factor Authentication
- Good Support that looks into these issues
- Support that can understand plain English and follow through with the request correctly instead of mistaking my clear request for something different.
- 24/7 support
- A real security policy to actually verify ownership of accounts
One suggestion would be to modify your Gmail address with these techniques. Another good idea would be to learn how to protect yourself from basic social engineering – read Veracode’s Hacking The Mind: How and Why Social Engineering Works.
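As an added illustration (not Skype's code or the researcher's), here is a small Python model of the three-point recovery check described above, beside a hardened version that also requires a possession factor (the 2-factor and ownership-verification suggestions) and escalates a second recovery on the same account within a day; the account, contacts and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the recovery flow the article describes. The reported
# policy accepts knowledge an outsider can gather; the hardened one also needs
# a possession factor and treats repeated recoveries as a hijack signal.

@dataclass
class Account:
    name: str
    emails: set                     # every address ever used on the account
    contacts: set                   # contact usernames (Dylan had over 800)
    recoveries: list = field(default_factory=list)  # times of past recoveries

@dataclass
class RecoveryRequest:
    name: str
    email: str
    contacts_claimed: set
    at: datetime
    possession_proof: bool = False  # 2-step code or token from the registered mailbox

def knowledge_points_match(acct, req, min_contacts=3):
    """The three 'points' support asked for: name, one email, 3-5 contacts.
    None of these prove the requester controls the account."""
    return (req.name.lower() == acct.name.lower()
            and req.email.lower() in {e.lower() for e in acct.emails}
            and len(req.contacts_claimed & acct.contacts) >= min_contacts)

def reported_policy(acct, req):
    """Recovery as described in the article: knowledge points alone suffice."""
    return knowledge_points_match(acct, req)

def hardened_policy(acct, req, window=timedelta(hours=24), max_in_window=1):
    """Knowledge points are a prerequisite, never sufficient on their own."""
    if not knowledge_points_match(acct, req):
        return "deny"
    if not req.possession_proof:    # no proof of mailbox control / 2-step factor
        return "deny"
    recent = [t for t in acct.recoveries if req.at - t < window]
    if len(recent) >= max_in_window:  # repeated recoveries: hand to a human reviewer
        return "escalate"
    return "approve"

def record_recovery(acct, req):
    """Log a successful recovery so later requests can be rate-limited."""
    acct.recoveries.append(req.at)
```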