When badly implemented security is actually worse than no security at all

Forums › Off topic › When badly implemented security is actually worse than no security at all

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#239317 11-Jul-2018 21:41

So last night I casually turn on the Xbox to try and get a bit of gaming in before doing some work. "Sorry, sign in using a controller". Huh, OK, do that. "Sorry, something's wrong. You need to sign in on the web". That's new, so off to the laptop to sign in - "Your Microsoft account has been temporarily suspended. Please contact customer support and we'll ask you some questions and help you make sure your account is secure".

Contact Support. No option to phone, or email, just fill in a form. Fill in the form, "we'll contact you within 24 hours". Sorry, what? You've locked me out of paid services for an indeterminate amount of time and the only recourse is filling in a form and we'll get back to you? Chat support - "no, you have to wait for online safety to get back to you". Partner support - "that's odd, let me try fix that. Try resetting your password using this link, that'll fix it" - great, two factor comes in handy! - nope, the authenticator code works, but it requires another factor and all of those are "service temporarily unavailable". "Sorry, you'll have to wait for online safety".

24 hours later and, you guessed it! No contact back. Still locked out of tons of paid services, and everyone just says "sorry the automated system locked you out, but you have to wait for online safety to review and fix it".

If you can't meet your own stated timeframes for a response to automatically locking people's accounts that actually have your 2-factor that's supposed to prevent this, I would submit maybe you shouldn't be automatically locking people's accounts!

Meanwhile, anyone know anyone at Microsoft?

freitasm

BDFL - Memuneh
80655 posts

Uber Geek
+1 received by user: 41053

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2054628 11-Jul-2018 22:02

Arghhhh. Sorry to hear that

@nathan is still there.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#2054632 11-Jul-2018 22:08

It is a ... thrilling experience I do say! I'm not sure why companies put so much trust in their automated processes to take such drastic actions to be honest.

With that said though, I thought two factor authentication was supposed to make this sort of thing a thing of the past? We accept a minor inconvenience to our authentication to be secure in the knowledge that no-one else can access our accounts?

SaltyNZ

8866 posts

Uber Geek
+1 received by user: 9546

Trusted

2degrees

Lifetime subscriber

#2054707 12-Jul-2018 07:44

Kyanar:

It is a ... thrilling experience I do say! I'm not sure why companies put so much trust in their automated processes to take such drastic actions to be honest.

With that said though, I thought two factor authentication was supposed to make this sort of thing a thing of the past? We accept a minor inconvenience to our authentication to be secure in the knowledge that no-one else can access our accounts?

Indeed, you can easily see some less drastic compromises - for example, instead of locking you out of the account, perhaps merely lock new purchases or trades or in-game items. That way you can at least still play while the account problem is sorted out, and if your account *is* compromised, then the hacker can play your games, which affects nobody.

iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

These comments are my own and do not represent the opinions of 2degrees.

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#2054738 12-Jul-2018 09:00

SaltyNZ:

Indeed, you can easily see some less drastic compromises - for example, instead of locking you out of the account, perhaps merely lock new purchases or trades or in-game items. That way you can at least still play while the account problem is sorted out, and if your account *is* compromised, then the hacker can play your games, which affects nobody.

It's actually more drastic than that. I'm locked out of Partner Membership Centre and MAPS Licensing, Azure Admin Console, Office 365 Admin, and any third party websites where I use the Microsoft account to sign in.

Rest assured, one takeaway is I'll never trust Microsoft to be my authentication provider for third party services again.

Would you believe if you use a Microsoft account to sign into Windows, it even locks you out of your computer? And if you use Visual Studio or Office 365 licensed to that login, it literally expires your products?

With them tying this many paid (expensive even!) services to that login, "temporarily suspended" with no accountability is not an acceptable method of account security.

freitasm

BDFL - Memuneh
80655 posts

Uber Geek
+1 received by user: 41053

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2054756 12-Jul-2018 09:16

I will ask around.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

dolsen

1483 posts

Uber Geek
+1 received by user: 319

Trusted

Lifetime subscriber

#2054768 12-Jul-2018 09:29

Kyanar:

Would you believe if you use a Microsoft account to sign into Windows, it even locks you out of your computer?

Hmm, time to re-think my setup. I've just moved to using my Microsoft account for authentication on all of my machines instead of a local account. Looks like that was a mistake and I shouldn't be trusting of Microsoft for basic stuff like this.

AliExpress

Shop now on AliExpress (affiliate link).

paulb001

40 posts

Geek
+1 received by user: 16

Trusted

#2054776 12-Jul-2018 09:44

Hi there, sorry youve had an issue with your Microsoft Account. As this is a consumer service you can log a support request at https://support.microsoft.com/en-nz/help/10494/microsoft-account-get-back-compromised-account

We can try and help locally from MicrosoftNZ - please email the details of the case, including Microsoft Account email address, seperate backup mail address and contact number to nzcloud@microsoft.com and we will escalate to our consumer support team.

Thanks for the heads up Mauricio!

Paul Bowkett
Microsoft New Zealand
http://microsoft365.com
http://twitter.com/paulbowkett
http://linkedin.com/in/paulbowkett

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#2054826 12-Jul-2018 10:19

Thanks Paul, much appreciated. I would suggest for Microsoft it might be worth a review into whether this type of case should result in disabling access to Windows and other local software such as Visual Studio. I know that the Windows support team can unlink your Microsoft account remotely (or at least, I think that's what they were saying when I asked?) but calling support by phone is unlikely to be the first thing a consumer thinks of when Windows says "Sorry, something's wrong with your account. Sign in on the web" (which has its own set of issues if that's their only PC).

gehenna

8667 posts

Uber Geek
+1 received by user: 3883

Moderator

Trusted

Lifetime subscriber

#2054833 12-Jul-2018 10:28

Kyanar:

It's actually more drastic than that. I'm locked out of Partner Membership Centre and MAPS Licensing, Azure Admin Console, Office 365 Admin, and any third party websites where I use the Microsoft account to sign in.

I'm curious as to why you're using the same account for a personal service like Xbox as you are for corporate services like Azure and 365?

paulb001

40 posts

Geek
+1 received by user: 16

Trusted

#2054941 12-Jul-2018 12:17

gehenna:

Kyanar:

It's actually more drastic than that. I'm locked out of Partner Membership Centre and MAPS Licensing, Azure Admin Console, Office 365 Admin, and any third party websites where I use the Microsoft account to sign in.

I'm curious as to why you're using the same account for a personal service like Xbox as you are for corporate services like Azure and 365?

Agree, best practice would be a consumer account for "consumer stuff". I suspect the O365 one is a personal subscription to a retail version of O365 [Home/Personal]. Azure can and should be switched to OrgID/Azure AD, and MPN [Partner network, Microsoft Action Pack etc] etc should be a separate MSA account.

The account must have been compromised in some way.....For anyone reading this, if you dont have MFA turned on, do it now...the Internet can be a bad place!

Paul Bowkett
Microsoft New Zealand
http://microsoft365.com
http://twitter.com/paulbowkett
http://linkedin.com/in/paulbowkett

paulb001

40 posts

Geek
+1 received by user: 16

Trusted

#2054946 12-Jul-2018 12:22

Kyanar:

Thanks Paul, much appreciated. I would suggest for Microsoft it might be worth a review into whether this type of case should result in disabling access to Windows and other local software such as Visual Studio. I know that the Windows support team can unlink your Microsoft account remotely (or at least, I think that's what they were saying when I asked?) but calling support by phone is unlikely to be the first thing a consumer thinks of when Windows says "Sorry, something's wrong with your account. Sign in on the web" (which has its own set of issues if that's their only PC).

Quick update, we have escalated this internally. You should not be relying on a consumer login service as your only authentication to Windows, or O365, or VS - If you are a business, then you should use O365 Commerical services (you cannot use O365 Home/Personal for business use), which gives you an Azure AD account, and you can use this to join your device and access other services!

https://docs.microsoft.com/en-nz/azure/active-directory/device-management-azuread-joined-devices-frx

Paul Bowkett
Microsoft New Zealand
http://microsoft365.com
http://twitter.com/paulbowkett
http://linkedin.com/in/paulbowkett

Lego

Shop now for Lego sets and other gifts (affiliate link).

Kyanar

4089 posts

Uber Geek
+1 received by user: 1684

ID Verified

Trusted

#2055179 12-Jul-2018 16:08

paulb001:

Agree, best practice would be a consumer account for "consumer stuff". I suspect the O365 one is a personal subscription to a retail version of O365 [Home/Personal]. Azure can and should be switched to OrgID/Azure AD, and MPN [Partner network, Microsoft Action Pack etc] etc should be a separate MSA account.

The account must have been compromised in some way.....For anyone reading this, if you dont have MFA turned on, do it now...the Internet can be a bad place!

The account does have MFA - which is what confuses me. Anyways, it's mostly a case of an ancient legacy - I created the account so long ago back when I couldn't be bothered maintaining multiple accounts for things (since then I use password managers with complex passwords I couldn't remember if I tried, except for my online banking which is literally the weakest login I have).

The O365 and Azure admin stuff is actually attached to the AAD Tenant (good news) but annoyingly, MPN and MAPS refuse to allow attaching to an AAD account. Which is weird, because if you're signed into one when you go to PMC it actually says you're logged in but it can't find a partner association, it's just the onboarding that won't accept it for no good reason :(

Hopefully everyone is learning what you should and shouldn't do with an MSA though! We've long been prodded to use it as a way of logging into third party sites and even Windows itself, and it seems that may not actually be a good idea...