Xbox Live has a significant problem with its security. It’s not something that is easily provable, and Microsoft is still in denial over the issue, but there is clearly a problem. Pretending there isn’t won’t make it go away.
This is nothing new, of course. Xbox Live has had some sort of issue with accounts being compromised for some time. My own Xbox Live account was breached last summer. I went through the lengthy process of having it restored. Microsoft’s customer services department, who were incredibly pleasant to deal with (on the phone, emails were less helpful), talked me through the reporting process and ended the call by telling me that it all looked fairly clear-cut but needed to be referred to another team and would take 30 days before I had my account back.
The customer services representative I spoke to during this case offered me an extremely cheap renewal on my Xbox Live Gold subscription by way of an apology for the inconvenience. I gave him my card details over the phone and thanked him.
I was told that there were no purchases showing on my account so I should be reassured that there was no problem with fraud. I’d never entered my credit card details on Xbox Live (I was especially careful after the springtime issues with PSN security) so I wasn’t too concerned. However, when I got access back, the Microsoft Points that had been in my account (somewhere over 1800) had gone. I had no proof and even less desire to spend more time on the phone arguing the case so I wrote off the loss and decided to just move on.

When I finally got access to my Gamertag back, it wasn’t linked to my existing Windows Live ID, it was linked to an account generated by the investigations team. It took me another 60 days and the creation of a spare Windows Live ID to switch my accounts around (you can only switch once every 30 days) so that my Gamertag was linked to the original Windows Live ID once again. I’ll admit that I found this stage of the process incredibly confusing. I’m not sure I was doing it correctly and the email support was almost completely useless.
Around this time, I also saw reports of others who had their accounts compromised and I first saw mention of it being, in some way, related to FIFA Ultimate Team. This was interesting as the game which showed on my newly returned Gamertag as being the last one I played was FIFA 11 — a game I’ve never owned on Xbox 360.
Obviously, following all of that trouble and Microsoft’s continuing insistence that their customers’ security woes were the result of them foolishly supplying nefarious individuals with their passwords, I made sure my new password was only used for that account. I never wrote it down and I picked something that should be difficult to guess or force. My Xbox Live account had a completely unique password.
This past Thursday, I got a couple of emails that said I’d bought 6000 Microsoft Points and a digital copy of Alice: Madness Returns via Xbox Live. I was annoyed that I would apparently have to go through the laborious reclamation process but not too worried, as I’d never stored my credit card details so it couldn’t be my money they were spending.
Today, I managed to get a few minutes to log into my account online and check. The password no longer worked, so I reset that immediately. The reset link was emailed to my own email address and another that I didn’t recognise, but I was quick to verify the email and get my password changed. When I logged in, there were no other email addresses linked to my account but my credit card was, somehow, stored there. I can only guess that giving my card details to the customer services representative for my cheap Gold renewal the last time my account was breached means that they stored them. Ironic that this actually means I’ve now lost money.
My purchase history shows purchases of 45 tracks and track packs, I assume for some music rhythm or dancing game that I’ve never played. It also shows the Alice: Madness Returns purchase (at £29.99) and Plants Vs Zombies from the Xbox Live Arcade. I had more than 3000 Microsoft Points on my account last time I checked. Now I have 30.
I can’t know how access was gained to my account but I am sure that my password was never in a position where it could have been seen by a third party, at least on my side. This is not a phishing problem, as Microsoft has repeatedly asserted. There is a bigger issue here; I’m not sure what it is but, worryingly, it doesn’t seem like Microsoft have any idea either. And denying it is a problem isn’t solving anything.
I believe that there’s enough anecdotal evidence around forums and message boards to warrant a full-scale investigation by Microsoft. If needs be, I think they should take down the whole service to investigate and test until they’re as sure as anyone can ever be that there are no security holes. The alternative is to continue to deny an issue that is leaving many of their paying customers victims of theft and with the not-inconsiderable inconvenience of reclaiming stolen Live IDs and Gamertags.
I need to phone customer services tomorrow when I have a chance to talk to them and I have no doubt that I’ll get my card details removed from the account and all funds returned, although I worry that my missing Microsoft Points will never be refunded. Perhaps that’s unfair but that kind of virtual currency always feels like it’s disposable.
The bigger issue I have is that I no longer have any faith in my account remaining secure — so I’ll be reluctant to use the service in the future. Surely that’s a big enough issue, given the number of accounts we hear being breached, to warrant some wider investigation? We’ll see.
G_The_Enemy14
This is awful. I can’t believe that MS still haven’t done anything about it.
HisNameWasBen
Didn’t know about this. Any way I can avoid getting hacked like this?
teflon
Actually, I think it’s beyond just needing an internal investigation. You can bet those 30 MS points that if Google or Apple were having similar issues they’d be pulled before a Senate committee in the US, called up by the EU on privacy concerns, and there’d be a couple of class action lawsuits started.
This isn’t going away, and it needs to be sorted out by Microsoft in the past.
BigCheese
Mad how this just gets brushed under the carpet, whereas Sony’s was in your face at every opportunity and Microsoft fanboys just exploded into rants saying how shit Playstation is etc. Makes no sense
colmshan1990
At this stage, I have to ask, where are the police?
CarBoyCam
I try to avoid putting my card details on any websites or online services these days. What with my PSN and (possibly) Steam accounts being compromised, I now use PayPal where possible.
No debit card on PSN or XBL anymore.
Sympozium
This is really sad and shocking that MS haven’t done anything about this.. maybe even EA could investigate this issue since it’s linked to their game.
JBoo
MicroSoft’s new slogan should be “Jump in…to my Account & buy & take what you want” :D
+ i am not laughing about this because it’s not nice when people get ripped off :-( I had my Visa card ripped off on the internet somehow once (nothing to do with this tho) Hopefully people will get their money back;)
Adiemus
There is one type of laughter perfect for this! The laughter of disbelief! How can this still be a problem!? Is there anyone ‘higher up’ that could be brought in to get them to sort this mess out, such as trading standards etc?
gazzagb
Why isn’t there a massive uproar about this? How can MS be allowed to brush this under the carpet? It’s at times like these where I’d welcome sensationalist headlines in the papers, just to raise awareness and give MS the kick up the backside they need to sort this out.
colmshan1990
Everybody, we have letters to send to the Daily Mail and The Sun.
You with me? :P
Sympozium
I strongly believe EA should at least help out, far as I’m aware all this is sourced from Fifa so they must.
An-dz
That is actually frightening that they could do all that, even when you never entered the details and with a completely randomised password