Xbox Live Accounts Still Being Hacked

Xbox Live has a significant problem with its security. It’s not something that is easily provable, and Microsoft is still in denial over the issue, but there is clearly a problem. Pretending there isn’t won’t make it go away.

This is nothing new, of course. Xbox Live has had some sort of issue with accounts being compromised for some time. My own Xbox Live account was breached last summer. I went through the lengthy process of having it restored. Microsoft’s customer services department, who were incredibly pleasant to deal with (on the phone, emails were less helpful), talked me through the reporting process and ended the call by telling me that it all looked fairly clear-cut but needed to be referred to another team and would take 30 days before I had my account back.

The customer services representative I spoke to during this case offered me an extremely cheap renewal on my Xbox Live Gold subscription by way of an apology for the inconvenience. I gave him my card details over the phone and thanked him.

I was told that there were no purchases showing on my account so I should be reassured that there was no problem with fraud. I’d never entered my credit card details on Xbox Live (I was especially careful after the springtime issues with PSN security) so I wasn’t too concerned. However, when I got access back, the Microsoft Points that had been in my account (somewhere over 1800) had gone. I had no proof and even less desire to spend more time on the phone arguing the case so I wrote off the loss and decided to just move on.

When I finally got access to my Gamertag back, it wasn’t linked to my existing Windows Live ID, it was linked to an account generated by the investigations team. It took me another 60 days and the creation of a spare Windows Live ID to switch my accounts around (you can only switch once every 30 days) so that my Gamertag was linked to the original Windows Live ID once again. I’ll admit that I found this stage of the process incredibly confusing. I’m not sure I was doing it correctly and the email support was almost completely useless.

Around this time, I also saw reports of others who had their accounts compromised and I first saw mention of it being, in some way, related to FIFA Ultimate Team. This was interesting as the game which showed on my newly returned Gamertag as being the last one I played was FIFA 11 — a game I’ve never owned on Xbox 360.

Obviously, following all of that trouble and Microsoft’s continuing insistence that their customers’ security woes were the result of them foolishly supplying nefarious individuals with their passwords, I made sure my new password was only used for that account. I never wrote it down and I picked something that should be difficult to guess or brute-force. My Xbox Live account had a completely unique password.

This past Thursday, I got a couple of emails that said I’d bought 6000 Microsoft Points and a digital copy of Alice: Madness Returns via Xbox Live. I was annoyed that I would apparently have to go through the laborious reclamation process but not too worried, as I’d never stored my credit card details so it couldn’t be my money they were spending.

Today, I managed to get a few minutes to log into my account online and check. The password no longer worked, so I reset that immediately. The reset link was emailed to my own email address and to another that I didn’t recognise, but I was quick to verify the email and get my password changed. When I logged in, there were no other email addresses linked to my account but my credit card was, somehow, stored there. I can only guess that giving my card details to the customer services representative for my cheap Gold renewal the last time my account was breached means that they stored them. Ironic that this actually means I’ve now lost money.

My purchase history shows purchases of 45 tracks and track packs, I assume for some music rhythm or dancing game that I’ve never played. It also shows the Alice: Madness Returns purchase (at £29.99) and Plants Vs Zombies from the Xbox Live Arcade. I had more than 3000 Microsoft Points on my account last time I checked. Now I have 30.

I can’t know how access was gained to my account but I am sure that my password was never in a position where it could have been seen by a third party, at least on my side. This is not a phishing problem, as Microsoft has repeatedly asserted. There is a bigger issue here. I’m not sure what it is but, worryingly, it doesn’t seem like Microsoft have any idea either. And denying there is a problem isn’t solving anything.

I believe that there’s enough anecdotal evidence around forums and message boards to warrant a full scale investigation by Microsoft. If needs be, I think they should take down the whole service to investigate and test until they’re as sure as anyone can ever be that there are no security holes. The alternative is to continue to deny an issue that is leaving many of their paying customers victims of theft and with the not-inconsiderable inconvenience of reclaiming stolen Live IDs and Gamertags.

I need to phone customer services tomorrow when I have a chance to talk to them and I have no doubt that I’ll get my card details removed from the account and all funds returned, although I worry that my missing Microsoft Points will never be refunded. Perhaps that’s unfair but that kind of virtual currency always feels like it’s disposable.

The bigger issue I have is that I no longer have any faith in my account remaining secure — so I’ll be reluctant to use the service in the future. Surely that’s a big enough issue, given the number of accounts we hear being breached, to warrant some wider investigation? We’ll see.

55 Comments

  1. So they put your card to your a/c and then it got used to buy products?? Surely that’s not on! Mess-up on their part!

    • While this is absolutely no fault of Colossalblue, it is a lesson in never giving enough of your credit card details to make a purchase over the phone, since you never know what that person is going to do with those details. Entering them into Xbox Live is one of the better possible outcomes.

      I mean, you wouldn’t give those details to some random person on the street, hell I won’t even hand over my card in shops, I can put it in the card reader myself thanks. So why hand them to a person that you can’t even see? Again, MS’s fault, Colossalblue should get his money back and then some.

      As an aside:
      “If needs be, I think they should take down the whole service to investigate and test until they’re as sure as anyone can ever be that there are no security holes.”

      Never gonna happen now, not just because they wouldn’t be making money on sales but because it’s been so integrated into their Live system that it would affect practically all of their services. An example: in a few days the customer preview of Windows 8 is being released, in which user accounts are tied to Live accounts and we get a taste of the Windows Store, which is essentially a Windows version of the Xbox Live Marketplace. Seriously, if there is a hole in Live security, we’ll definitely know about it when a good percentage of the world’s population is using it…

      Huh, long post.

  2. I can’t believe they’re still denying a problem. They really need to admit there’s a (potential) problem and look into this. It’s happening to too many tech-savvy people to be down to stupidity or phishing scams.

  3. Great article Peter,

    The back of this beast needs breaking.
    Personally I can’t believe Microsoft’s stance on this, remember Sony’s execs all lined up bowing their heads in shame when Sony’s security was found not to be best practice, quite a contrast to Microsoft’s approach of blaming customers.

    People shouldn’t forget that.

    Also, it’s odd that the ‘big’ sites with big budgets haven’t made inroads into Microsoft’s stone-walling from an investigative journalism point of view involving security experts.

    Hopefully the truth will out & if Microsoft have misled people then people should never ever give Microsoft so much as an anonymous user-name, nevermind financial details.

    Shameful passing the buck so far.

    • Amen to that.
      Wonder if the internet kerfuffle over this will be on the same sort of scale as the Sony incident. Time will tell I guess.

    • I don’t deny the PSN issue was bad, but I think Sony handled it very well. This Live thing is potentially worse, partly because it’s being done in a much more stealthy fashion, but mostly because there doesn’t appear to be even the slightest concern on Microsoft’s part – just complete, blanket denial.

      They’re basically saying that *everyone* affected has either given their password away, or entered it on a dodgy website. In other words, they’re calling these people idiots and/or liars. Given that many of the stories I’ve read on this are from tech-savvy people, that seems very, very unlikely.

      I got my 360 in December, and these stories make me reluctant to use it. I won’t put any points on it (either by credit card or other means), nor do I want to drastically increase my Gamerscore, simply because doing either will make the account more attractive to these thieves. Consequently, I’m not buying anything for it. I want ChopLifter HD, but am waiting for it to appear on the EU PSN store.

    • Sony responded publicly because they were outed. And cracking xbox live servers would be a hacking crown jewel. If it has happened it would have been bragged about by now. I simply can’t believe that some hacker or hackers have breached the “unbreachable” but have kept it a secret.

      Now it is legitimately true that there was an epidemic of account thefts that took about 6 months to pass through the system and caused those 30 day delays you mention from your first time victimized. Those came from phishing EA who was spewing out customer details. Many or most customers had the exact same credentials for xbox accounts. That worked its way through the system a month or 2 ago and you will be pleased to find that it only takes a couple days to get your account back this time. There is no large number of account thefts happening anymore, but there certainly was. Those indeed came from phishing but not against MS or users. No idea how you were breached this time, but I’m pretty sure it’s not a breach of the live servers.

      • “Sony responded publicly because they were outed.”

        Because of course they’d never have said a word otherwise, would they?

        “cracking xbox live servers would be a hacking crown jewel. If it has happened it would be bragged by now.”

        Perhaps. But it depends who cracked it. A lot of the accounts have been sold online, so if it has been hacked and the hacker is more interested in money than “fame”, they’re going the right way about it. Why crow about it and have them lock it down?

        “Those came from phishing EA who was spewing out customer details.”

        Nope, not at all true. I’ve read reports of this happening to people who do not have EA accounts.

        You have read the story at hackedonxbox.com, right? Where MS were “unable” to lock a hacked account, told the user it was blocked, and the user lost even more money as a result?
        http://www.hackedonxbox.com/microsoft/

        People can make excuses for them all they want, but it seems pretty clear that MS *do* have a problem somewhere.

      • “Nope, not at all true. I’ve read reports of this happening to people who do not have EA accounts.”

        Not saying every account theft that has ever happened was due to this. But the spike in thefts that is causing the perception of something big happening is because of that.

        The story you linked is someone who got bad customer service from low paid people taking hundreds of calls and doing their best. Some are new, some are not well enough trained, some don’t care and do a lousy job, some are great and conscientious but still make mistakes here and there like anyone.

        If the servers were cracked they would have people’s CC numbers etc. They do not. They are getting a hold of individual accounts by various methods and doing the only damage they can, which is spend money on xbox marketplace, or auction to someone else to do same using credit cards associated with the account (and I totally agree with everyone complaining about how they do everything possible to keep your CCs associated, that is customer unfriendly). But even while they have your account on their xbox, they cannot see your full CC info. Full CC info would be a dead giveaway that live was hacked, and indeed is what happened to psn and why that incident was so severe. These are individual account breaches, not systemic. Once again, the perceived large number is a past not current event and was caused by good old social engineering. What we are seeing now are just the “normal” number of account thefts that happen in many different ways, but no evidence of live server breach.

      • mmhmm: If you’re going to make comparisons to the Sony breach at least get your facts right. Full CC details were NOT compromised in the Sony incident, CC data tables were encrypted, confirmed by Sony and the independent security firms hired to investigate the breach, and there has been no evidence to suggest otherwise. Apart from a handful (literally) of people who insist the credit card fraud they suffered afterwards ‘must’ have been as a result of the Sony breach, there have been no instances of people losing money to the PSN hack – apart from Sony of course, who bore the brunt of taking the system down for a full month to investigate. If only MS could be as brave.

        While we’re on it, it’s largely irrelevant if the Live servers have been ‘cracked’ or not. The important thing is that customers are a) losing money b) losing days or months of access c) being treated like idiots and d) powerless to stop it. To make it 100 times worse, MS are denying the whole thing. For all we know there is a security issue on the Xboxes themselves allowing hackers to sniff data packets leaving the machine, or perhaps they have a way to remotely compromise the box directly. We don’t know, and neither will MS until they actually take this seriously.

        As Paranoimia says, the apparent difference here is the Sony hackers were in it for notoriety and revenge, whereas these Live hackers are clearly in it for profit.

        If what you and MS are alleging is true – that all these users are victims of phishing – why isn’t this happening on the PSN? Surely a massive EA customer data leak would have also been seen on other systems outside of Live? Surely people dumb enough to use the same password on Live as other websites would also be dumb enough to use it on PSN?

        Quit being a MS apologist and accept this for what it blatantly is.

      • If a hacker was able to access other people’s XBL accounts and download what they like with any available MS Points, why would they brag?
        They have a way of downloading whatever they like off XBL for free, and bragging about it would surely mean that MS would have to investigate.
        I do get that this isn’t the mentality of most hackers, but a clever hacker would know when they are onto a good thing (free games and addons in this case) and keep quiet.

  4. At what point do regulatory authorities get involved?
    I seem to recall that SCEA were called to Congress, why is there no action against Microsoft?
    This head in the sand approach is despicable.

  5. It shocks me not only that Microsoft could have the gall to deny their fault in this situation but also that there isn’t more of a pissing uproar. Sony had security issues and immediately did everything correctly, short perhaps of keeping the public up to speed, and the uproar was stupendous.

    Microsoft specifically denying their involvement in this despite all evidence to the contrary and blaming it on their users whilst apparently doing nothing to solve the problem? Nope, that’s fine. MS’ behaviour is disgusting and I hope a comeuppance of some description is soon at hand to maybe teach their unworthy arses a lesson.

    • It’s like the exact opposite of the huge public stink that the RRoD issue caused, and the secretive pseudo-denials of culpability from Sony around YLoD.

      • Hmm interesting observation

      • that YLOD issue is always strange to me. I had two 360s break in months of having them, had 3 PS3s, not one has ever had the YLOD, touch wood.

      • the problem is some people’s 360s died day 1 from RRoD at launch. YLoD affected a much smaller amount of customers after a much longer period of time, and was nearly always caused by high use and poor maintenance.
        not saying one is right and one is wrong. but the first one’s definitely wrong.

  6. This is a truly remarkable read. Not because of the account being breached but because of Microsoft’s non-approach to the situation. Disgraceful.

    And to think of some the things that were written and spoken about Sony. Things can always be worse, and here we are.

  7. As I’ve said on other forums, how on earth is this any less serious than what happened to Sony last year?

  8. It happened to me about 2 weeks ago, I caught it pretty much immediately when I saw the email for the 5000 points jumbo pack and stopped my card.

    You will get the points back, I had nearly 3000 too which got reinstated along with the £42.50 taken from my card.

    Good news is it’s a 3 day turnaround too as long as there are not loads of transactions, so if nothing else this gets sorted quicker.

    Same as the article writer, FIFA was showing up on my acc and ultimate team, I also don’t own it for 360 either.

  9. And to be fair, siding with Sony or saying they handled it better is just silly. IIRC they left unencrypted details on a server and the “situation” lasted way too long if you ask me.

    Fact is there is always someone more intelligent out there and if these people want to commit crimes to make money no company can be 100% secure, they just drew the short straw if the thieves decide it’s their turn.

    • Actually, Sony DID handle this better. After all, they acknowledged the problem, took down the PSN to investigate, hired private investigators, and publicly apologised (in person) for the hacking.

      I know that Sony made pretty big mistakes in their security policy, but they handled the crisis pretty well. In stark contrast, Microsoft have stuck their heads in the sand, pretended the problem doesn’t exist, and told their customers it is their fault.

      In addition, very few persons (if any) have lost money from the PSN, while many people have lost money from the Live hacks.

  10. Customer Services stored the card details against your account? That’s utterly mental.

    • I think it’s optional mate, I registered a card to renew live or buy points at some stage I think.

      I *thought* card purchases needed to be authorised with that secure password thing but that doesn’t seem to happen any more with Halifax.

      Needless to say I have since removed all card details from other online services and am buying points/virtual currency wherever possible now.

      • What is particularly bad is I could not remove my card as it was attached to my current 12 month live deal (just remembered). CS had to cancel my existing sub with 4 months left and gave me 2 codes for 3 months each once the card was removed.
