Tell HN: Microsoft Skype Security Is Flawed

153 pointssamnwa5y ago41 comments

I received an email today from Skype that someone had changed the email address on an old Skype account of mine. Presumably this means that they were able to gain access to a password. There was no mechanism in the email to block the action. Next, I received an email that said "Someone started a process to replace all of the security info for the Microsoft account." Again, there was no way to block this action.

Both emails encouraged me to contact customer support. I did so only to be met with a request to fill out an online form with an incredible amount of personal information to verify the account. Why would I provide 10X the personal info that might then be made accessible to a user whose email address was swapped into the account with no verification at all?

Does anyone have any advice on how to resolve or escalate to Microsoft? Ideally the original email address on the account would be restored and more broadly, Live / Skype should update their security procedures to avoid this type of "easy to steal accounts" security policy while hard to block the stealing of accounts.

Any help / suggestions appreciated.

41 comments

superkuh5y ago

Skype security has been flawed ever since that series of odd buyout events that led to the sudden removal of end-to-end encrypted peer to peer operation.

First eBay bought what they thought was Skype but instead was only the license to the branding and users and not the p2p backend tech the swiss guys still owned. Then Microsoft stepped in out of nowhere to take the useless brand from eBay and the actual backend only to promptly throw away the entire backend and move to a centralized unencrypted model.

colmmacc5y ago

Skype's founders are Danish and Swedish, and the business had offices in London, Luxembourg, Estonia (well that's Blue Moon, where the p2p was developed) and more.

I'm not sure how much diligence Ebay ever did on their purchase of Skype, but it never seemed to me like they had a credible business plan for what to do with it. Something something about integrating with sellers. Felt more like the leadership there suffered from some Bay Area strategic acquisition envy. I remember being on painful calls with Ebay and Skype engineering who had very different ideas of how infrastructure should be deployed.

Anyway, Ebay spun off Skype (at a loss) to private equity ... not to MS. Skype floated around in PE for a few years before the (enormous) MS purchase. MS promptly put Skype in an advertising division of all places. I've heard rumors that the DoJ encouraged MS to make the acquisition ... to get Skype calls in the hands of an entity that would be more favorable to lawful interception requests. MS certainly has a painful history with the DoJ, but I really don't know if it's credible or not.

easytiger5y ago

My understanding, potentially flawed, was that the eBay purchase was so poorly overseen, that eBay didn't buy the Skype IP itself, retained in another company thus giving a neutered failure of a deal

dragonshed5y ago

They gradually removed[0] the peer to peer operation because it sucked - quality was bad, calls dropped, outages, bad mobile support.

[0] https://arstechnica.com/information-technology/2012/05/skype...

fsflover5y ago

Or for another reason:

https://news.ycombinator.com/item?id=18411779

1 more reply

BiteCode_dev5y ago

That's now how I remember it.

I used skype before I had ADSL, and was amazed at the quality.

After MS bought it, I noticed a drop in quality, as well as an increase in reports of said drop online.

pulse75y ago

Quality was not bad, calls didn't drop, no outages, good mobile support. Because it's p2p couldn't be hacked, it was replaced.

1 more reply

duskwuff5y ago

And it meant that random users' computers were being drafted into running a supernode and relaying traffic for other users, without permission or even any notice. Not only did this consume CPU time and bandwidth on the affected users' computers, but it also put anyone running a supernode in a position to observe and tamper with network traffic between other users.

1 more reply

nelaboras5y ago

Skype was Estonian, not Swiss.

harryf5y ago

Also Swedes (hence the Swiss mistake here)... https://en.wikipedia.org/wiki/Skype

> First released in August 2003, Skype was created by the Swede Niklas Zennström and the Dane Janus Friis, in cooperation with Ahti Heinla, Priit Kasesalu, and Jaan Tallinn, Estonians who developed the backend that was also used in the music-sharing application Kazaa. In September 2005, eBay acquired Skype for $2.6 billion.[11] In September 2009,[12] Silver Lake, Andreessen Horowitz, and the Canada Pension Plan Investment Board announced the acquisition of 65% of Skype for $1.9 billion from eBay, which attributed to the enterprise a market value of $2.92 billion. Microsoft bought Skype in May 2011 for $8.5 billion. Skype's division headquarters are in Luxembourg, but most of the development team and 44% of all the division's employees are still situated in Tallinn and Tartu, Estonia.

throwaway888abc5y ago

Curios, What happen to founders ? Is there any product based on original Skype p2p tech ?

jacobush5y ago

Didn't MS get money from the DoD at the same time?

rodolphoarruda5y ago

> Both emails encouraged me to contact customer support. I did so only to be met with a request to fill out an online form with an incredible amount of personal information to verify the account. Why would I provide 10X the personal info (...)?

This by itself looks like a phishing attack. Did you click a link to Skype support in the second email message or find it by yourself going to the Skype website and browsing around?

gmaster14405y ago

Also very confident that this is a phishing attack, have received similar emails for Office 365 as well. If you examine the email headers you'll notice a suspicious "From:" address.

dfxm125y ago

This was my thought, too, but then I remembered that Blizzard asked me for a photo of a government issued ID card to delete my Battle Net account for some reason, and no, that wasn't a phishing attempt; it's in their documentation: https://us.battle.net/support/en/article/2659

So, maybe it could be legit.

buboard5y ago

Thats how i lost my last account. They were asking me details like the account creation date which was > 15 years old

rabboRubble5y ago

yeah, i read about that requirement. there is a way to interrogate skype's windows desktop client install to extract the account creation date. even squirreled away a support link about how to do this which of course is now broken.

Edit: new link here

https://answers.microsoft.com/en-us/skype/forum/all/skype-ac...

samnwaOP5y ago

Were you worried at all about the culprit using the access to figure out other accounts? My account had a balance so I assume it had some old credit card info in it or something similar.

buboard5y ago

I did manage to get them to block the account because it was obviously stolen. But unable to reclaim it. I was more worried they d spam my friends.

2 more replies

nip5y ago

Somewhat related, I ran (and am still running) into a very uncanny issue related to another product of Microsoft: Live / Outlook.

When Live and Outlook got merged (IIRC a couple of years ago), my @msn.com address got an @outlook.com alias.

Unfortunately, this "alias" shouldn't have been one and the email was actually owned by someone else.

By some sort of failed merging, I hence ended up getting access to someone else' emails: PayPal related emails, Dropbox access connected to this email account, private email exchanges, etc...

I tried to reach out to Microsoft but hit (expectedly) a wall.

aksss5y ago

Anyone using [insert service here] should be using MFA of some sort. This would solve so many of these problems. It does sound like OP is being hit by a phishing attack, but assuming it's not that, this can only be a lesson for everyone to turn on MFA now if you haven't already. Yes, MS' consumer platform (live, hotmail, outlook, etc) supports it.

rlpb5y ago

Without widespread U2F support, the list of individual MFA secrets I would have to maintain would be unmanageable. It's not yet reasonable to expect users to have MFA on all of their accounts; only their most important ones.

stephenr5y ago

I have MFA setup for 29 things, and I don’t really see how adding another 229 would make it any less usable.

It’s arguable that something like u2f is more secure but with a good TOTP app usability is not the problem.

z3t45y ago

Try to contact all your contacts and tell them that your Skype account have been hacked. Also don't give away any personal details unless you are 100% sure you are dealing with the official support. Your account will likely be used to scam your friends and family. If you have your voice online somewhere they can fake it, or just use the chat to impersonate you. Your personal details and chat history will make it very convincing.

Hi, this is Samnwa, your brother, we talking yesterday about xyz, how is that going? btw, could you help me login to my bank, can't find my key card, can I use yours? Cool, alright, Just enter this number... Ooops I entered it wrong, lets try this number...

kuzee5y ago

I experienced the same problem with a very old Skype account. There's no way to reset my password because it says my Microsoft account doesn't exist. My guess is they botched the account migrations from Skype to MSFT in a way that means we cannot prevent account takeovers not access the Skype account. I received an email saying my account was being taken over and given no way to disavow or prevent it. I'm very frustrated with MSFT security. I'm not even sure how one can report such a big.

Iolaum5y ago

If the password to the account hasn't changed, log in, change back the email and change the password.

samnwaOP5y ago

Unfortunately it appears that the password has changed.

2rsf5y ago

How old was the account ? a few years ago they (tried to) move all the accounts to be Microsoft accounts with better security and policies

gruturo5y ago

That's a scary amount of information which is being asked of you. Are you sure the site asking for it is a genuine Microsoft asset?

Svip5y ago

I lost my password to go through the same process a few years ago, so I can confirm that yes, they do ask you for a lot of personal information. I did not get an email asking for it, I went to Skype's website to find support.

Fortunately my account was not in the process of being hacked, so I was more willing to provide information. Yet despite that, they would not provide me access to my account, and thus I have not used Skype since.

confeit5y ago

Did you reuse the password at any other site? Check your haveibeenpawned.

dev_tty015y ago

Typo. I think you meant haveibeenpwned.com.

rakibtg5y ago

This is most probably a phishing attack.

samnwaOP5y ago

You would think so but feel free to try a reset / recovery at live.com and you will see that this is their standard form. That's what is so absurd -- change an email with no verification, but require next-level verification for the original owner to secure the account.

j / k navigate · click thread line to collapse

41 comments

superkuh5y ago

Skype security has been flawed ever since that series of odd buyout events that led to the sudden removal of end-to-end encrypted peer to peer operation.

colmmacc5y ago

Skype's founders are Danish and Swedish, and the business had offices in London, Luxembourg, Estonia (well that's Blue Moon, where the p2p was developed) and more.

easytiger5y ago

My understanding, potentially flawed, was that the eBay purchase was so poorly overseen, that eBay didn't buy the Skype IP itself, retained in another company thus giving a neutered failure of a deal

dragonshed5y ago

They gradually removed[0] the peer to peer operation because it sucked - quality was bad, calls dropped, outages, bad mobile support.

[0] https://arstechnica.com/information-technology/2012/05/skype...

fsflover5y ago

Or for another reason:

https://news.ycombinator.com/item?id=18411779

1 more reply

BiteCode_dev5y ago

That's now how I remember it.

I used skype before I had ADSL, and was amazed at the quality.

After MS bought it, I noticed a drop in quality, as well as an increase in reports of said drop online.

pulse75y ago

Quality was not bad, calls didn't drop, no outages, good mobile support. Because it's p2p couldn't be hacked, it was replaced.

1 more reply

duskwuff5y ago

1 more reply

nelaboras5y ago

Skype was Estonian, not Swiss.

harryf5y ago

Also Swedes (hence the Swiss mistake here)... https://en.wikipedia.org/wiki/Skype

throwaway888abc5y ago

Curios, What happen to founders ? Is there any product based on original Skype p2p tech ?

jacobush5y ago

Didn't MS get money from the DoD at the same time?

rodolphoarruda5y ago

This by itself looks like a phishing attack. Did you click a link to Skype support in the second email message or find it by yourself going to the Skype website and browsing around?

gmaster14405y ago

Also very confident that this is a phishing attack, have received similar emails for Office 365 as well. If you examine the email headers you'll notice a suspicious "From:" address.

dfxm125y ago

So, maybe it could be legit.

buboard5y ago

Thats how i lost my last account. They were asking me details like the account creation date which was > 15 years old

rabboRubble5y ago

Edit: new link here

https://answers.microsoft.com/en-us/skype/forum/all/skype-ac...

samnwaOP5y ago

Were you worried at all about the culprit using the access to figure out other accounts? My account had a balance so I assume it had some old credit card info in it or something similar.

buboard5y ago

I did manage to get them to block the account because it was obviously stolen. But unable to reclaim it. I was more worried they d spam my friends.

2 more replies

nip5y ago

Somewhat related, I ran (and am still running) into a very uncanny issue related to another product of Microsoft: Live / Outlook.

When Live and Outlook got merged (IIRC a couple of years ago), my @msn.com address got an @outlook.com alias.

Unfortunately, this "alias" shouldn't have been one and the email was actually owned by someone else.

By some sort of failed merging, I hence ended up getting access to someone else' emails: PayPal related emails, Dropbox access connected to this email account, private email exchanges, etc...

I tried to reach out to Microsoft but hit (expectedly) a wall.

aksss5y ago

rlpb5y ago

stephenr5y ago

I have MFA setup for 29 things, and I don’t really see how adding another 229 would make it any less usable.

It’s arguable that something like u2f is more secure but with a good TOTP app usability is not the problem.

z3t45y ago

kuzee5y ago

Iolaum5y ago

If the password to the account hasn't changed, log in, change back the email and change the password.

samnwaOP5y ago

Unfortunately it appears that the password has changed.

2rsf5y ago

How old was the account ? a few years ago they (tried to) move all the accounts to be Microsoft accounts with better security and policies

gruturo5y ago

That's a scary amount of information which is being asked of you. Are you sure the site asking for it is a genuine Microsoft asset?

Svip5y ago

confeit5y ago

Did you reuse the password at any other site? Check your haveibeenpawned.

dev_tty015y ago

Typo. I think you meant haveibeenpwned.com.

rakibtg5y ago

This is most probably a phishing attack.

samnwaOP5y ago

j / k navigate · click thread line to collapse