Poor Skype account verification allows account hijacking
A security researcher and hacker who goes by the online handle TibitXimer claims that his Skype account was hijacked six times in a single day because of Skype's weak account recovery practices.
He says that any Skype account can be hijacked if the attacker contacts Skype support and provides the user's first and/or last name, one email address the user has ever used with Skype, and three to five contacts from the user's contact list. None of these items is a secret: a name and an email address are usually public, and an attacker who already chats with the target or shares a group conversation with them can learn several of their contacts, so the check does not distinguish the owner from an acquaintance.
“Due to my account being stolen (not hacked) through Skype support (because Skype support didn't verify if the person owned the account or not, just wanted those 3 points mentioned above) my account was used to scam people out of hundreds of dollars along with damaging my reputation for my product's security due to thinking I had low security on my Skype account or email address, when in reality, it was Skype Support's fault my account was stolen, multiple times, and had nothing to do with end-users (me in this case),” he wrote in a post on the Skype Community.
He also provided links to a few screenshots that he and a friend took while chatting with Skype support agents, which apparently show that the agents asked for nothing more than the information listed above before declaring TibitXimer's account verified.
A Skype administrator replied to his comments by saying that their unlock policy requires more than just the information he quoted. “We are checking where the failure happened during the required steps of verification,” he wrote.
But TibitXimer says it's all “BS,” and that he has talked to 6-7 support agents himself and that another 4-6 agents obviously gave away his account to the hijackers. He is currently trying to get his account suspended so that it cannot be hijacked and misused again.
“It's clearly not just one or two support agents, but the entire support system and Skype's lack of a clear, secure, and efficient security policy,” he insists. “This was a massive failure by Skype support. While they may ask more questions during the verification process, they did not require that all questions were answered. The majority of the time they only required those 3 steps as enough for the verification of the account owner.”
He asks why Skype does not employ proper support security, security questions, and a better policy for verifying ownership of accounts. “Hopefully this will bring attention to the issue and prevent issues like this from harming others like it has done to me,” he concluded.
UPDATE: “We take the security of our customers extremely seriously, and have been making ongoing enhancements to help protect customers,” a Skype spokesperson told Help Net Security.
“We have processes in place that would help protect against password reset scenarios such as this, and our customer support agents remain available to help customers as needed. We encourage customers to use Microsoft account to log into Skype, which helps make their accounts more secure using two-step verification. For more information about individual accounts, customers can contact Skype by visiting: https://support.skype.com/en/faq/FA1170/how-can-i-contact-skype-customer-service.”