Xbox Live has a significant problem with its security. It’s not something that is easily provable, and Microsoft is still in denial over the issue, but there is clearly a problem. Pretending there isn’t won’t make it go away.
This is nothing new, of course. Xbox Live has had some sort of issue with accounts being compromised for some time. My own Xbox Live account was breached last summer. I went through the lengthy process of having it restored. Microsoft’s customer services department, who were incredibly pleasant to deal with (on the phone, emails were less helpful), talked me through the reporting process and ended the call by telling me that it all looked fairly clear-cut but needed to be referred to another team and would take 30 days before I had my account back.
The customer services representative I spoke to during this case offered me an extremely cheap renewal on my Xbox Live Gold subscription by way of an apology for the inconvenience. I gave him my card details over the phone and thanked him.
I was told that there were no purchases showing on my account so I should be reassured that there was no problem with fraud. I’d never entered my credit card details on Xbox Live (I was especially careful after the springtime issues with PSN security) so I wasn’t too concerned. However, when I got access back, the Microsoft Points that had been in my account (somewhere over 1800) had gone. I had no proof and even less desire to spend more time on the phone arguing the case so I wrote off the loss and decided to just move on.

When I finally got access to my Gamertag back, it wasn’t linked to my existing Windows Live ID; it was linked to an account generated by the investigations team. It took me another 60 days and the creation of a spare Windows Live ID to switch my accounts around (you can only switch once every 30 days) so that my Gamertag was linked to the original Windows Live ID once again. I’ll admit that I found this stage of the process incredibly confusing. I’m not sure I was doing it correctly and the email support was almost completely useless.
Around this time, I also saw reports of others who had their accounts compromised and I first saw mention of it being, in some way, related to FIFA Ultimate Team. This was interesting as the game which showed on my newly returned Gamertag as being the last one I played was FIFA 11 — a game I’ve never owned on Xbox 360.
Obviously, following all of that trouble and Microsoft’s continuing insistence that their customers’ security woes were the result of them foolishly supplying nefarious individuals with their passwords, I made sure my new password was only used for that account. I never wrote it down and I picked something that should be difficult to guess or brute-force. My Xbox Live account had a completely unique password.
This past Thursday, I got a couple of emails that said I’d bought 6000 Microsoft Points and a digital copy of Alice: Madness Returns via Xbox Live. I was annoyed that I would apparently have to go through the laborious reclamation process but not too worried, as I’d never stored my credit card details so it couldn’t be my money they were spending.
Today, I managed to get a few minutes to log into my account online and check. The password no longer worked, so I reset that immediately. The reset link was emailed to my own email address and to another that I didn’t recognise, but I was quick to verify the email and get my password changed. When I logged in, there were no other email addresses linked to my account but my credit card was, somehow, stored there. I can only guess that giving my card details to the customer services representative for my cheap Gold renewal the last time my account was breached means that they stored them. Ironic that this actually means I’ve now lost money.
My purchase history shows purchases of 45 tracks and track packs, I assume for some music rhythm or dancing game that I’ve never played. It also shows the Alice: Madness Returns purchase (at £29.99) and Plants Vs Zombies from the Xbox Live Arcade. I had more than 3000 Microsoft Points on my account last time I checked. Now I have 30.
I can’t know how access was gained to my account but I am sure that my password was never in a position where it could have been seen by a third party, at least on my side. This is not a phishing problem, as Microsoft has repeatedly asserted. There is a bigger issue here, I’m not sure what it is but, worryingly, it doesn’t seem like Microsoft have any idea either. And denying it is a problem isn’t solving anything.
I believe that there’s enough anecdotal evidence around forums and message boards to warrant a full-scale investigation by Microsoft. If need be, I think they should take down the whole service to investigate and test until they’re as sure as anyone can ever be that there are no security holes. The alternative is to continue to deny an issue that is leaving many of their paying customers victims of theft and with the not-inconsiderable inconvenience of reclaiming stolen Live IDs and Gamertags.
I need to phone customer services tomorrow when I have a chance to talk to them and I have no doubt that I’ll get my card details removed from the account and all funds returned, although I worry that my missing Microsoft Points will never be refunded. Perhaps that’s unfair but that kind of virtual currency always feels like it’s disposable.
The bigger issue I have is that I no longer have any faith in my account remaining secure, so I’ll be reluctant to use the service in the future. Surely that’s a big enough issue, given the number of accounts we hear of being breached, to warrant some wider investigation? We’ll see.
hypermidget101
Another case of double standards between the gaming companies. It’s a shame really that Microsoft seems to be getting away scot-free with a serious issue like this, while anyone else would be (and has been) dragged through the ground.
hazelam
I’ve never believed the phishing excuse MS came out with.
It just doesn’t add up: so many people, and all on only one service?
The logical conclusion is that the service is the problem.
Either they’ve got clever hackers or MS have left a big hole somewhere.
Given MS’s history the latter is not outside the realms of possibility.
Also, I think this has gone far beyond the point where it should be a matter for MS alone; this, as far as I can see, is now a matter for the police.
Firstly, there’s theft here, and it seems fairly widespread.
Secondly, there’s MS failing to live up to their legal obligations under the Data Protection Act.
In the UK at least, if they take people’s information and store it digitally, they have to protect the information; clearly they’re not doing that.
They’ve had information on this coming in for months.
But it’s still happening.
And they’re still blaming the users.
I can only hope, for the sake of everybody who has card details stored with MS, that even though they are publicly burying their head in the sand over this they are actually doing something about it in the background.
But if they are, it doesn’t seem to be working.
MS have always had a backwards idea of security.
To them security is about protecting their income rather than their customers.
Look at how easy it is to use a card and spend unlimited amounts on Live.
Then compare that to the hassle they give you if you want to stop spending with them.
I still don’t think they actually let you remove your card details from their system.
That’s why those “Live for a £/$” things MS do are such a scam: they just want your card details, and look how many people got charged for a Live sub even after cancelling.
Lastly, I reckon they’re doing this to try and avoid the kind of negative media Sony suffered after their hack.
But I think they’re going about it the wrong way.
Sure, it’s working well enough so far; I’ve not seen mention of this outside the gaming press.
But the pressure is building; the longer they hold it back, the bigger the bang will be when it eventually does blow up in their face.
On a personal note, this is just another thing putting me off downloadable games.
Among all the other issues around ownership of my purchases, there’s also now the issue of security.
If I go into a shop and pay cash for a game, that leaves no opening for any hacker halfway round the world, no matter how clever, to steal from me.
Tuffcub
Two friends of mine were hacked over the weekend.
SpikeyMikey23
Have now removed my card details and the mrs’ from our xbox accounts.
monkeyspoon
If it gets on tv on watchdog or something M$ will have to take action.
Sympozium
Yes, it’s a bit ridiculous. Wouldn’t surprise me if the Xbox was there.
rSp8
Sony can feel very smug about this. Their response to a similar situation, while not ideal: close everything down until they are sure any breaches are fixed and give out freebies to their customers when everything is back in order. Microsoft: consistently claim there is no problem and blame their customers. To make matters worse, Sony’s service is free whereas Microsoft’s has to be paid for.
The Lone Steven
MS shouldn’t be ignoring the problem as they are driving some of their customers away and are damaging customer confidence in them. They should come out and admit it’s a problem, and shut down the entire network whilst they investigate it. Sure, it will cost them a fair bit to do, but in the long run it will reassure people that they care about them instead of blaming everyone.
I’m surprised that no one has sued MS for this and that it’s not been covered much by the bigger sites. :o I hope they will get off their arse and do something about it.
Sympozium
They can bring it down, but I still believe EA needs to do the same since it’s their game that seems to be linked.
I don’t think I’d either use each service with my card details, totally shocking.
colmshan1990
It’s definitely more a problem on Microsoft’s side rather than EA’s: FIFA came out on everything from PS2 to iPhone, and this is only happening on Xbox 360.
Also, Microsoft would have to approve every game that’s released on their system, just like Sony and Nintendo. So that’s their QA which is performing sub par too.
Maybe it’s a case of a lethal combination: a hole in FIFA lining up perfectly with a hole in Live. But as it’s Live accounts, not EA accounts, that are being hit, this is Microsoft’s issue.
Omac_brother
Even though I’m not an MS fan (I’ve had 6 RRoD consoles so have 0% confidence in the Xbox as a product), I feel sorry for the call centres that have to deal with these calls. They obviously have no idea how to deal with these correctly or the expertise to investigate what they suspect is hacking. Instead, they have to fob off customers saying “You got phished” and refund what they can.
MayContainEvil
This really is shocking; Sony really were exemplary compared to this behaviour. It’s terrible this isn’t being reported on as much as it should be. It really says something about the ethics of some game sites: profit before truth. But we already knew that.
jaksmakndaxter
Peter, I’m sorry you had to go through so many problems with Microsoft, and I appreciate stories like your own because they give light to a more informed future purchase (I still don’t own a 360; I’ve been on the fence about it ever since the RROD debacle). It’s horrible that Microsoft has such a hardcore, dedicated following of customers and seems willing to dangle them over the fire so easily, with little or no hope of a positive resolution. I believe MS owes you and all other affected customers (and the gaming community as a whole, even) the dignity of investigating this matter so as to ensure that its leading online service remains secure for current and potential future customers. I’m angry for you and all affected users, as I am a gamer. In one way or another this matter affects us all equally.