Tell HN: Microsoft Skype Security Is Flawed

[samnwa]

I received an email today from Skype that someone had changed the email address on an old Skype account of mine. Presumably this means that they were able to gain access to a password. There was no mechanism in the email to block the action. Next, I received an email that said "Someone started a process to replace all of the security info for the Microsoft account." Again, there was no way to block this action.

Both emails encouraged me to contact customer support. I did so only to be met with a request to fill out an online form with an incredible amount of personal information to verify the account. Why would I provide 10X the personal info that might then be made accessible to a user whose email address was swapped into the account with no verification at all?

Does anyone have any advice on how to resolve or escalate to Microsoft? Ideally the original email address on the account would be restored and more broadly, Live / Skype should update their security procedures to avoid this type of "easy to steal accounts" security policy while hard to block the stealing of accounts.

Any help / suggestions appreciated.

[superkuh]

Skype security has been flawed ever since that series of odd buyout events that led to the sudden removal of end-to-end encrypted peer to peer operation.

First eBay bought what they thought was Skype but instead was only the license to the branding and users and not the p2p backend tech the swiss guys still owned. Then Microsoft stepped in out of nowhere to take the useless brand from eBay and the actual backend only to promptly throw away the entire backend and move to a centralized unencrypted model.

[colmmacc]

Skype's founders are Danish and Swedish, and the business had offices in London, Luxembourg, Estonia (well that's Blue Moon, where the p2p was developed) and more.

I'm not sure how much diligence Ebay ever did on their purchase of Skype, but it never seemed to me like they had a credible business plan for what to do with it. Something something about integrating with sellers. Felt more like the leadership there suffered from some Bay Area strategic acquisition envy. I remember being on painful calls with Ebay and Skype engineering who had very different ideas of how infrastructure should be deployed.

Anyway, Ebay spun off Skype (at a loss) to private equity ... not to MS. Skype floated around in PE for a few years before the (enormous) MS purchase. MS promptly put Skype in an advertising division of all places. I've heard rumors that the DoJ encouraged MS to make the acquisition ... to get Skype calls in the hands of an entity that would be more favorable to lawful interception requests. MS certainly has a painful history with the DoJ, but I really don't know if it's credible or not.

[easytiger]

My understanding, potentially flawed, was that the eBay purchase was so poorly overseen, that eBay didn't buy the Skype IP itself, retained in another company thus giving a neutered failure of a deal

[dragonshed]

They gradually removed[0] the peer to peer operation because it sucked - quality was bad, calls dropped, outages, bad mobile support.

[0] https://arstechnica.com/information-technology/2012/05/skype...

[fsflover]

Or for another reason:

https://news.ycombinator.com/item?id=18411779

[lern_too_spel]

Snowden's leaks showed that Skype allowed governments to wiretap its video calls since at least 2010, when those wiretaps were ingested into PRISM. That is before the Microsoft acquisition.

It amazes me that people parrot this conspiracy theory without doing 5 minutes of Google searching first before making themselves look silly.

[BiteCode_dev]

That's now how I remember it.

I used skype before I had ADSL, and was amazed at the quality.

After MS bought it, I noticed a drop in quality, as well as an increase in reports of said drop online.

[pulse7]

Quality was not bad, calls didn't drop, no outages, good mobile support. Because it's p2p couldn't be hacked, it was replaced.

[vetinari]

Quality was good and calls didn't drop, but the mobile support was poor. The original design assumed that it can use both cpu time and bandwidth of peers, and that isn't very good for devices on battery and metered data plans.

[mycall]

Maybe if data caps greatly increase with 5G, something p2p like Skype would could be retried.

[duskwuff]

And it meant that random users' computers were being drafted into running a supernode and relaying traffic for other users, without permission or even any notice. Not only did this consume CPU time and bandwidth on the affected users' computers, but it also put anyone running a supernode in a position to observe and tamper with network traffic between other users.

[inetknght]

Isn't that the point of having end-to-end encryption? I know Skype doesn't have that but perhaps that would have been a different solution

[duskwuff]

End-to-end encryption reduces what an attacker in this position would be able to do, but it doesn't make the situation safe. Even if they can't observe or directly tamper with the data they're relaying, they can still observe metadata, like who the peers are and how much bandwidth is being relayed. Even just measuring the pattern of packet sizes can be disturbingly revealing:

https://www.cs.jhu.edu/~cwright/oakland08.pdf

Besides, end-to-end encryption doesn't do anything to allay concerns about abuse of users' resources.

[nelaboras]

Skype was Estonian, not Swiss.

[harryf]

Also Swedes (hence the Swiss mistake here)... https://en.wikipedia.org/wiki/Skype

> First released in August 2003, Skype was created by the Swede Niklas Zennström and the Dane Janus Friis, in cooperation with Ahti Heinla, Priit Kasesalu, and Jaan Tallinn, Estonians who developed the backend that was also used in the music-sharing application Kazaa. In September 2005, eBay acquired Skype for $2.6 billion.[11] In September 2009,[12] Silver Lake, Andreessen Horowitz, and the Canada Pension Plan Investment Board announced the acquisition of 65% of Skype for $1.9 billion from eBay, which attributed to the enterprise a market value of $2.92 billion. Microsoft bought Skype in May 2011 for $8.5 billion. Skype's division headquarters are in Luxembourg, but most of the development team and 44% of all the division's employees are still situated in Tallinn and Tartu, Estonia.

[throwaway888abc]

Curios, What happen to founders ? Is there any product based on original Skype p2p tech ?

[jacobush]

Didn't MS get money from the DoD at the same time?

[rodolphoarruda]

> Both emails encouraged me to contact customer support. I did so only to be met with a request to fill out an online form with an incredible amount of personal information to verify the account. Why would I provide 10X the personal info (...)?

This by itself looks like a phishing attack. Did you click a link to Skype support in the second email message or find it by yourself going to the Skype website and browsing around?

[gmaster1440]

Also very confident that this is a phishing attack, have received similar emails for Office 365 as well. If you examine the email headers you'll notice a suspicious "From:" address.

[dfxm12]

This was my thought, too, but then I remembered that Blizzard asked me for a photo of a government issued ID card to delete my Battle Net account for some reason, and no, that wasn't a phishing attempt; it's in their documentation: https://us.battle.net/support/en/article/2659

So, maybe it could be legit.

[buboard]

Thats how i lost my last account. They were asking me details like the account creation date which was > 15 years old

[rabboRubble]

yeah, i read about that requirement. there is a way to interrogate skype's windows desktop client install to extract the account creation date. even squirreled away a support link about how to do this which of course is now broken.

Edit: new link here

https://answers.microsoft.com/en-us/skype/forum/all/skype-ac...

[samnwa]

Were you worried at all about the culprit using the access to figure out other accounts? My account had a balance so I assume it had some old credit card info in it or something similar.

[buboard]

I did manage to get them to block the account because it was obviously stolen. But unable to reclaim it. I was more worried they d spam my friends.

[samnwa]

In messaging with support, they advised that the system would 'automatically' identify the account as compromised and eventually block it. This doesn't seem that likely so I will ping them again in a few hours.

[samnwa]

That's good news. I will reach out again and try to get it blocked at least but so far they have been unwilling to do so.

[nip]

Somewhat related, I ran (and am still running) into a very uncanny issue related to another product of Microsoft: Live / Outlook.

When Live and Outlook got merged (IIRC a couple of years ago), my @msn.com address got an @outlook.com alias.

Unfortunately, this "alias" shouldn't have been one and the email was actually owned by someone else.

By some sort of failed merging, I hence ended up getting access to someone else' emails: PayPal related emails, Dropbox access connected to this email account, private email exchanges, etc...

I tried to reach out to Microsoft but hit (expectedly) a wall.

[aksss]

Anyone using [insert service here] should be using MFA of some sort. This would solve so many of these problems. It does sound like OP is being hit by a phishing attack, but assuming it's not that, this can only be a lesson for everyone to turn on MFA now if you haven't already. Yes, MS' consumer platform (live, hotmail, outlook, etc) supports it.

[rlpb]

Without widespread U2F support, the list of individual MFA secrets I would have to maintain would be unmanageable. It's not yet reasonable to expect users to have MFA on all of their accounts; only their most important ones.

[stephenr]

I have MFA setup for 29 things, and I don’t really see how adding another 229 would make it any less usable.

It’s arguable that something like u2f is more secure but with a good TOTP app usability is not the problem.

[z3t4]

Try to contact all your contacts and tell them that your Skype account have been hacked. Also don't give away any personal details unless you are 100% sure you are dealing with the official support. Your account will likely be used to scam your friends and family. If you have your voice online somewhere they can fake it, or just use the chat to impersonate you. Your personal details and chat history will make it very convincing.

Hi, this is Samnwa, your brother, we talking yesterday about xyz, how is that going? btw, could you help me login to my bank, can't find my key card, can I use yours? Cool, alright, Just enter this number... Ooops I entered it wrong, lets try this number...

[kuzee]

I experienced the same problem with a very old Skype account. There's no way to reset my password because it says my Microsoft account doesn't exist. My guess is they botched the account migrations from Skype to MSFT in a way that means we cannot prevent account takeovers not access the Skype account. I received an email saying my account was being taken over and given no way to disavow or prevent it. I'm very frustrated with MSFT security. I'm not even sure how one can report such a big.

[Iolaum]

If the password to the account hasn't changed, log in, change back the email and change the password.

[samnwa]

Unfortunately it appears that the password has changed.

[2rsf]

How old was the account ? a few years ago they (tried to) move all the accounts to be Microsoft accounts with better security and policies

[gruturo]

That's a scary amount of information which is being asked of you. Are you sure the site asking for it is a genuine Microsoft asset?

[Svip]

I lost my password to go through the same process a few years ago, so I can confirm that yes, they do ask you for a lot of personal information. I did not get an email asking for it, I went to Skype's website to find support.

Fortunately my account was not in the process of being hacked, so I was more willing to provide information. Yet despite that, they would not provide me access to my account, and thus I have not used Skype since.

[confeit]

Did you reuse the password at any other site? Check your haveibeenpawned.

[dev_tty01]

Typo. I think you meant haveibeenpwned.com.

[rakibtg]

This is most probably a phishing attack.

[samnwa]

You would think so but feel free to try a reset / recovery at live.com and you will see that this is their standard form. That's what is so absurd -- change an email with no verification, but require next-level verification for the original owner to secure the account.