Xbox Live has a significant problem with its security. It’s not something that is easily provable, and Microsoft is still in denial over the issue, but there is clearly a problem. Pretending there isn’t won’t make it go away.
This is nothing new, of course. Xbox Live has had some sort of issue with accounts being compromised for some time. My own Xbox Live account was breached last summer. I went through the lengthy process of having it restored. Microsoft’s customer services department, who were incredibly pleasant to deal with (on the phone, emails were less helpful), talked me through the reporting process and ended the call by telling me that it all looked fairly clear-cut but needed to be referred to another team and would take 30 days before I had my account back.
The customer services representative I spoke to during this case offered me an extremely cheap renewal on my Xbox Live Gold subscription by way of an apology for the inconvenience. I gave him my card details over the phone and thanked him.
Lightning strikes twice?
When I finally got access to my Gamertag back, it wasn’t linked to my existing Windows Live ID, it was linked to an account generated by the investigations team. It took me another 60 days and the creation of a spare Windows Live ID to switch my accounts around (you can only switch once every 30 days) so that my Gamertag was linked to the original Windows Live ID once again. I’ll admit that I found this stage of the process incredibly confusing. I’m not sure I was doing it correctly and the email support was almost completely useless.
Around this time, I also saw reports of others who had their accounts compromised and I first saw mention of it being, in some way, related to FIFA Ultimate Team. This was interesting as the game which showed on my newly returned Gamertag as being the last one I played was FIFA 11 — a game I’ve never owned on Xbox 360.
Obviously, following all of that trouble and Microsoft’s continuing insistence that their customers’ security woes were the result of them foolishly supplying nefarious individuals with their passwords, I made sure my new password was only used for that account. I never wrote it down and I picked something that should be difficult to guess or force. My Xbox Live account had a completely unique password.
This past Thursday, I got a couple of emails that said I’d bought 6000 Microsoft Points and a digital copy of Alice: Madness Returns via Xbox Live. I was annoyed that I would apparently have to go through the laborious reclamation process but not too worried, as I’d never stored my credit card details so it couldn’t be my money they were spending.
Today, I managed to get a few minutes to log into my account online and check. The password no longer worked, so I reset that immediately. The reset link was emailed to my own email address and another that I didn’t recognise, but I was quick to verify the email and get my password changed. When I logged in, there were no other email addresses linked to my account but my credit card was, somehow, stored there. I can only guess that giving my card details to the customer services representative for my cheap Gold renewal the last time my account was breached means that they stored them. Ironic that this actually means I’ve now lost money.
My purchase history shows purchases of 45 tracks and track packs, I assume for some music rhythm or dancing game that I’ve never played. It also shows the Alice: Madness Returns purchase (at £29.99) and Plants Vs Zombies from the Xbox Live Arcade. I had more than 3000 Microsoft Points on my account last time I checked. Now I have 30.
I can’t know how access was gained to my account, but I am sure that my password was never in a position where it could have been seen by a third party, at least on my side. This is not a phishing problem, as Microsoft has repeatedly asserted. There is a bigger issue here; I’m not sure what it is but, worryingly, it doesn’t seem like Microsoft have any idea either. And denying it is a problem isn’t solving anything.
I believe that there’s enough anecdotal evidence around forums and message boards to warrant a full scale investigation by Microsoft. If needs be, I think they should take down the whole service to investigate and test until they’re as sure as anyone can ever be that there are no security holes. The alternative is to continue to deny an issue that is leaving many of their paying customers victims of theft and with the not-inconsiderable inconvenience of reclaiming stolen Live IDs and Gamertags.
I need to phone customer services tomorrow when I have a chance to talk to them and I have no doubt that I’ll get my card details removed from the account and all funds returned, although I worry that my missing Microsoft Points will never be refunded. Perhaps that’s unfair but that kind of virtual currency always feels like it’s disposable.
The bigger issue I have is that I no longer have any faith in my account remaining secure — so I’ll be reluctant to use the service in the future. Surely that’s a big enough issue, given the number of accounts we hear being breached, to warrant some wider investigation? We’ll see.