Microsoft, Fix Your Security Problems

While not a security breach in name, Xbox Live's recent spate of security woes makes it hard to tell the difference.

Late last week, the ongoing Xbox Live FIFA Ultimate Team scams bubbled up in the news cycle again when a particularly compelling customer service horror story was recounted on the Hacked on Xbox Tumblr blog. In the blog, a woman referring to herself as Susan T described her struggles with Microsoft as an outside party logged into her Xbox Live account and racked up charges on her credit card--even after Microsoft said it had blocked access to the profile while an investigation was conducted.

There's much more to her story, and it's well worth reading the entire saddening, frustrating account. The problem is that her story is by no means unique among Xbox Live gamers. While 2011 was the year Sony lost the personal information of some 100 million customers with hacks to the PlayStation Network and Sony Online Entertainment databases, anecdotal evidence about which platform endured the most troublesome identity theft was weighted heavily toward the Xbox 360. For Microsoft's part, the company insists that Xbox Live security hasn't been compromised, as in the following statement issued after Susan T's blog got traction in the news cycle:

FIFA 12's Ultimate Team mode has inspired a wealth of online hooliganism.

"Microsoft can confirm that there has been no breach to the security of our Xbox LIVE service. In recent cases, some Xbox LIVE members appear to have been victims of malicious scams. Unfortunately this is something that affects many Internet based services. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. However, we are aware that a handful of customers have experienced problems getting their accounts restored once they've reported an issue. We are working directly with those customers to restore their accounts as soon as possible and are reviewing our processes to ensure a positive customer support experience."

I believe Microsoft when it says Xbox Live hasn't suffered a security breach. But that doesn't mean Xbox Live isn't suffering from a security problem. The problem is that Microsoft seems content to merely reassure people whose accounts have been compromised that the company wasn't the weak point in the security chain. That's fine from a legal liability standpoint, but it's pretty shortsighted for a company to tell victimized customers, "Don't blame me; I didn't lose your info," and carry on as if nothing happened. Instead, Microsoft should be doing a better job of taking away a crook's incentive and ability to cheat its user base.


Take the FIFA scam, for example. There are a number of variations on it, but the basics are that a scammer gets hold of an Xbox Live member's user name and password and logs into that account. If the account is already linked to a credit card, the crook stocks up on Microsoft points and uses them to buy FIFA Ultimate Team card packs. The cards from those packs are then sold online outside of Xbox Live, and once buyers have been found, the transaction is completed in-game by trading the card directly to the purchaser's gamertag.

The solution here is simple, and it is one born of Microsoft's hold on the Xbox experience. Because the Xbox 360 is a closed system, Microsoft ultimately controls what happens on its console and in its games. That level of control means Microsoft can set the rules by which publishers must play, and it could forbid the direct transfer of any paid downloadable content from one gamertag to another. The scam only pays because a thief can turn stolen points into a deliverable good; an illicit secondhand market for these cards can't really exist if a would-be seller has no way to guarantee that the pilfered wares reach a particular buyer.

Obviously, this would be bad for business to an extent. Without the ability to trade cards directly, the Ultimate Team-playing community may not thrive in the same way. And EA would no doubt be unhappy at having its options for how to structure its business model limited. But the question is whether or not Microsoft and its third-party partners see protecting their consumers from rampant fraud to be more valuable than the incremental revenues they reap by having a system open for continued abuse. Or in more pragmatic terms, whether or not they are willing to put up with how scummy it looks to have these stories circulating online while EA executives brag to investors that, "We see people spending $500, $600, $700 on digital card packs to play Ultimate Team simulation mode."

In another, more narrowly defined instance of Xbox Live fraud, one gamer conveyed to GameSpot a tale of scammers attempting to steal his gamertag and his friend's. Both were members of the original Xbox Live beta, and so they had simple handles that were free of superfluous numbers, characters, or "xXX-XXx" prefixes and suffixes. They were the sort of gamertags that would have been not at all out of place if used as nicknames for American Gladiators. When his friend's account was hacked, American Gladiator 1 (we'll call him "Gemini," though that wasn't his real gamertag) messaged his friend's account (let's go with "Turbo") to see what the thief would say. Perhaps surprisingly, the squatter acknowledged what he'd done and explained that he was planning to sell the handle online. While Xbox Live users can't actually give their handle to another gamer, they can coordinate name changes. When one account uses Microsoft's gamertag name change feature, the old gamertag is released instantly, and a second account, whether the scammer's or a buyer's, can claim it the same moment.

Gamertags can be an in-demand commodity just like FIFA Ultimate Team cards.

Although this isn't the most widespread problem, it's still one Microsoft could almost entirely eliminate by placing old gamertags in quarantine for a hold period after each name change, during which only the account that released the tag could take it back. That would not only stop a scammer from immediately re-registering the desired gamertag on a second account, but it would also give the original user time to notice the name change and lodge a complaint with Microsoft before someone new begins squatting on the old gamertag.
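What that quarantine looks like as a registry rule, as an added example that is not Xbox Live's code: a rename moves the old tag into a hold list instead of freeing it, a claim on a held tag is refused unless it comes from the account that released it, and the hold expires on its own. The 30-day hold and the account names are assumptions for the example.

```python
"""Gamertag registry with a release quarantine, as proposed above.

Added example, not Xbox Live's code. After a rename the old tag is held
for QUARANTINE_SECONDS; during that time only the account that gave it up
can take it back (a victim undoing a scammer's rename) and any other
account is refused. The 30-day hold is an assumed value.
"""
from dataclasses import dataclass, field

QUARANTINE_SECONDS = 30 * 24 * 3600  # assumption: hold released tags for 30 days


class TagUnavailable(Exception):
    """Raised when a tag is in use, or quarantined for a different account."""


@dataclass
class TagRegistry:
    owner_of: dict = field(default_factory=dict)     # tag -> owning account
    quarantined: dict = field(default_factory=dict)  # tag -> (released_by, released_at)

    def _expire(self, now):
        """Free tags whose hold period has elapsed."""
        for tag, (_, released_at) in list(self.quarantined.items()):
            if now - released_at >= QUARANTINE_SECONDS:
                del self.quarantined[tag]

    def claim(self, account, tag, now):
        """Assign `tag` to `account`, enforcing the quarantine."""
        self._expire(now)
        if tag in self.owner_of:
            raise TagUnavailable(f"{tag!r} is in use")
        if tag in self.quarantined:
            released_by, released_at = self.quarantined[tag]
            if released_by != account:
                free_at = released_at + QUARANTINE_SECONDS
                raise TagUnavailable(f"{tag!r} is quarantined until t={free_at}")
            del self.quarantined[tag]  # the releasing account may reclaim early
        self.owner_of[tag] = account
        return tag

    def rename(self, account, old_tag, new_tag, now):
        """Change `account`'s tag; the old one enters quarantine instead of
        becoming instantly claimable, which is the gap squatters rely on."""
        if self.owner_of.get(old_tag) != account:
            raise TagUnavailable(f"{account!r} does not hold {old_tag!r}")
        self.claim(account, new_tag, now)  # on conflict this raises and old_tag is untouched
        del self.owner_of[old_tag]
        self.quarantined[old_tag] = (account, now)
        return new_tag


if __name__ == "__main__":
    reg = TagRegistry()
    reg.claim("turbo-account", "Turbo", now=0)
    # Attacker, logged in as the victim, renames to free the tag ...
    reg.rename("turbo-account", "Turbo", "Turbo_old", now=100)
    # ... and tries to grab it from a second account: refused during the hold.
    try:
        reg.claim("squatter-account", "Turbo", now=200)
    except TagUnavailable as e:
        print("blocked:", e)
    # The victim can still take it back.
    print("reclaimed:", reg.rename("turbo-account", "Turbo_old", "Turbo", now=300))
```

The reclaim path matters as much as the block: the hold is only useful to the victim if the account that released the tag is exempt from it, otherwise the scammer's rename still locks the owner out of their own handle for the whole period.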

The thing is that the Xbox Live security problem has grown to the point where it's impacting customers who haven't had a dime stolen from them. After reading through the Hacked on Xbox account, I finally decided to remove my credit card information from my Xbox Live account and use nothing but Microsoft points cards going forward. But when I logged onto my account on Xbox.com to make that change, it wouldn't let me delete my credit card, saying it was being used for an active service. Because I had paid for my Xbox Live Gold account with a credit card, the system would not allow me to remove that card until the subscription had lapsed, a piece of information I was only able to get after using Microsoft's online tech support chat. The tech support person was friendly enough but could not simply remove the card from the account without cancelling my Xbox Live subscription because it had been less than 30 days since it was renewed. So it was suggested that I try back in a few weeks, after that window had passed, and see about having the card information removed then.

When I went to remove my credit card info from my PlayStation Network account, it was a straightforward process finished in under a minute through the PlayStation 3 itself. Come on, Microsoft. When you can look to Sony as a model of how to handle a customer's sensitive personal information, it's time to take a long, hard look at how you operate and make some changes.


Discussion

146 comments
gcfreak898

My account got fixed eventually after 3 different investigations. I had to complain to the BBB to get my account finally fixed. Now I have Xbox Live Gold free for 13 months, for the 6 months of inconvenience.

valdarez

@BryanParksSuper Reading and reading comprehension obviously isn't your strong suit, 'kid'. Let me see if I can provide a more simplistic explanation that you can follow:

o XBox 360 Security Bad
o PS3 Security Good (accounts not hacked)

Hopefully you can decipher that complicated explanation. :) As I said before, if it were a phishing scheme it would be affecting both systems, not just one. Both XBox 360 / PS3 require you to use an email to register and thus both would be susceptible to phishing schemes. Yet it's only on the XBox 360 that people are experiencing problems.

BryanParksSuper

@valdarez It's a scam 360 people are doing. Read the article again. It doesn't mention PS3. Get your facts straight before sending a PM, kid.

valdarez

@BryanParksSuper Exactly, it's not happening on PS3. If it were a phishing scheme, it would work on BOTH systems, not just Microsoft.

BryanParksSuper

You people give out your info; that's the only way to get hacked. Xbots never learn. If you think the email is fishy, don't open it. This doesn't happen to the PS3 version of FIFA 2012. MS security sucks. They don't even care.

valdarez

Has anyone come across a single example of a phishing attack? Something that is non-email in nature? An article or link to one?

nexus126

Got hacked and lost all microsoft points. My credit card attached to my account expired a few months ago, so I lucked out on that near disaster. Let's see if I am able to get my account with all the achievements back in a few weeks or send my sob story to http://www.hackedonxbox.com/

FuBi2k

Got hacked. January 14, 2012. Cash and points stolen. FIFA 12 on my list. Very disappointed.

Aeriscloud99

@DireBadger :/ Some of us have both PSN and Xbox Live accounts, just saying.

DireBadger

When PSN went down for about a month, Xbox users taunted mercilessly. Now we see Microsoft isn't any better, but at least it's free on PS3.

valdarez

@djjman Read the link; no way the password I used was brute-force hacked. It'd take years to do it. Plus, the brute-force hack doesn't explain the oddness we were seeing with the forced login not working on the console. Whatever was done to the account, there was no way we could force a password check on the XBox 360 console after the hack, even after changing the setting on the console itself and restarting. The XBox 360 support staff didn't know what to say... other than 'that shouldn't be happening'. No kidding... lol

valdarez

@djjman Haven't read your article/link yet, but my guess was that when you download the profile, the check is in the profile itself as you can turn it on/off on the console itself. Figure if they find the right bit, change it, then they can use the service without ever logging in. Just a SWAG though. If it's that easy to do though, Microsoft should get the hell sued out of them, especially after what Sony/PS3 went through with their security breach.

valdarez

@gcfreak898 How did you learn your account was migrated to Brazil? Mine was hacked on 1/11, but when I viewed the console that last logged into it, the date was 1/12, which led me to believe it was done overseas as the date was a server date (meaning not based on someone's console date setting).

valdarez

@Maximum_Evil77 Whatever, no way anyone guessed my password, or that I fell victim to a social network 'hack'. There is a security issue and sooner or later Microsoft is going to have to fess up to problem. IMHO they haven't figured it out yet. Microsoft has NEVER been good on the security side.

valdarez

@Aeriscloud99 Yes, the account is locked now, but it didn't lock right away. The support staff sent it to the investigation team which locked it. The support person said it should be locked when I was on the phone, but it took a couple of hours before it kicked me off XBox 360 and nearly a day before I was unable to log into my hotmail account. So it definitely didn't lock right away. Ironically, though my account is locked, I have not received an email to that effect yet.

Maximum_Evil77

It's a decent article with some nice points, but all that I'm taking away from it is that people need to either make harder passwords or not take part in such shady behavior like trying to trade gamertags and what-not. I mean, yeah, MS could do some things to make this even safer for the consumer, but to me it still sounds like the main problem is that people are just not thinking and making poor decisions when dealing with their passwords and interacting with shady people.

Kane04

@djjman Just followed your link and idk if I should laugh or cry. Especially after all the SW threads about the PSN outage, and how MS's service is paid but it's solid and something like that would never happen. By the sound of it even I can cook up a script that would do that, and I'm no hacker.

Aeriscloud99

@Valdarez Has Microsoft locked your account? They told me they would lock mine, I even received an email about it, yet I can still log in. This is quite troubling.

Aeriscloud99

This just happened to me 2 days ago, Microsoft needs to act now, instead of acting like nothing is happening.

Kane04

Before anything I have to say this must be one of the worst-written articles I've ever seen on GameSpot. I think the main point in this is: how the hell are people getting the passwords, and how can MS say that's not a security problem? And Mr Brendan Sinclair, this isn't 2008 where you can bash the PS3 like you did in your last remark. Amazing how every bit of bad luck Sony comes across is instantly used to bash and radicalize the product/service, but when MS does little things like delete forum threads about FM3 bugs inducing RRODs, that just gets a free pass.

gcfreak898

Someone migrated my account to Brazil on Aug 28th 2011, then used my credit card attached to my account to purchase 133 dollars' worth of gamerpoints (11,000). This issue is still not resolved. I was overseas when this happened and I was serving my country. This is how an Xbox Live Gold member gets treated. I've been a Gold member since Feb 2006; this is how I get treated. The issue still isn't resolved and the representatives on the phone assure me their team is doing the best they can to fix my account. Poppycock, this issue should have been fixed by now. I refuse to redeem the two Gold pass codes for another account. I want my original account fixed; this is a big headache. I suggest that everyone on Xbox Live remove their credit cards and turn auto-renew off. Always buy the 12-month Gold cards from the store and MS points cards from the store. Then, change your account password to something unique. This Xbox Live security is a joke and they should take it seriously instead of blaming it on the "FIFA" EA game to cover up the breach of security. Microsoft should tighten up their security.

valdarez

@Daemoroth Software developer myself, and I use the same when creating passwords. There was no way for my password to be guessed, or brute-force hacked, but they did it. The username/password is not used anywhere else either, which is why I believe this to be a Microsoft security issue. This is the only time any username/site I've been on has been hacked in nearly 20 years of online usage.

valdarez

@RandomAssZero Good question. The social hacking explanation from M$ is pure bunk. There's a security flaw that the hackers have found that Microsoft either isn't fessing up to, or worse, doesn't know/understand yet.

RBwd

Got my Xbox Live back and was happy with getting 2 months of Live for free, but just literally had 6000 points / £51 taken from my PayPal. Worse thing is I had to add my PayPal account as Microsoft said they couldn't access my details without my old card details or a PayPal account number. So I only added it to sort out the previous hack, where they stole 2400 points.

RandomAssZero

I'm confused... how did these hackers get the passwords for the usernames in the first place?

valdarez

Just had my XBox 360 account hacked. Used 4000+ points to buy FIFA 12 cards. Thankfully my credit card was out of date. Called support and they said my account had to be locked while they 'investigated', which should take 25+ days. *sigh* Thankfully I have my PS3 to play in the meantime. One thing we found while working with XBox 360 support was that even though I changed my password, and waited up to an hour after the change to sync, the XBox 360 would never require me to enter my password. We even changed the setting on the console to force a password request every time for the account, but it would auto-login on each and every attempt, effectively ignoring the password change and forced password request. IMHO that is the security flaw that's been exploited on the XBox 360s. Somehow the hackers have disabled the password check for the account, effectively allowing auto-login on an XBox 360 console.

lostinusa

You can take your credit card off; there is a way round it. Make a PayPal account, take the credit card off, then take Microsoft off the trusted sites on PayPal's end.

lostinusa

Someone hacked my account at 12:20 on 1/1/12. Microsoft have shut me out of my account since then. The hacker has put FIFA 12 on my account and spent my Microsoft points and charged 4000/1600/400 Microsoft points to my PayPal account... PayPal has refunded me the money but my bank account was overdrawn so I have to pay bank fees.... Microsoft have not given me any info on what is going on with my account...

Duke_51

Any company that denies you the ability to remove your credit card information from their servers is blatantly corrupt. This just goes to show that they couldn't care less about the people who buy their product... let's face it, we are nothing but an outlet for these people. There's no reason in arguing over which system is better, because they really couldn't care less about what we - the insignificant masses - think about them.

acer7x

Yeah, I tried to remove my credit card from my account and it wouldn't let me. I think that is BS since I already paid for the whole year.

Mkherkzen

Amen. I totally agree with the article. I can also add that there are other, more shocking examples of security breach. For instance, I know about cases of scammers who steal accounts, and either: 1. Sell them with MSP accumulated by the owner, or 2. Buy MSP using the credit card connected to the account, send the points to other accounts using the Family Pack and then sell those on auctions. One person on my friends list has already reported the loss of 3000 MSP which was on their account. He never played any FIFA game on it. That's some serious sh*t, MS; better do something about it or face the consequences.

GOGOGOGURT

I agree. MS is still cool. But they need to get their security problems straight. Until then I will remove my credit card and use only point cards.

inaka_rob

That really $$$$s. I read the blog. Looked it over anyway. Man... that would ruin my day. My friend got mugged in San Francisco. I guess we should blame that city too because they don't have cops on every street corner. Nothing is 100% safe and secure. NOTHING. We all try our best. It's not like Microsoft did this on purpose. There are what, 37 million Xbox Live users. They can't have a support team to laser in on every problem in a millisecond. I really feel for this girl and anyone this has happened to... but it's life in the digital age. I have a PSN account and had to go through that whole ordeal. I wasn't happy. But I was not like "oh! efff Sony! down with Sony!" That would be dumb. They messed up big time. But the digital world is growing so fast it isn't funny.

Giancarlo (moderator)

@Llama345 That's not what's happening.

Llama345

What does one person getting their password guessed have to do with the security of the whole system?

Daemoroth

@djjman, do you even understand how a "brute force" hack works? It's a process of systematically inputting every possible combination of allowed characters in the hope of getting it right eventually (Sometimes they'll use common words instead of characters, which is faster and can easily catch idiots with passwords using common words). The only way to protect against a brute force hack is for the USER to have a password that is not feasible to be broken through brute force. e.g. all my passwords use numbers, upper/lower case characters and are randomly generated (I use KeePass). On average they are 15 characters long, which means there's ~8.272e+72 possible combinations. Even if a brute force attack can test 1 MILLION passwords a second, it would take ~2.623e+59 YEARS to break that password. And guess what, I've never been hacked, in 15 years with MANY online accounts... Time for you to realise that YOU are responsible for how secure your account is. The companies (All of them) can only ensure that hackers don't get the data they have on your account through them, you need to do your part by making sure that you aren't a liability.

djjman

Sad thing is you guys probably pass the flaw in the xbox / windows live security everyday. This is a microsoft security practices issue and nothing more. No phishing or xbox live hacking but windows live id hacking through a process called brute force. I have replicated the process and have even tried contacting Microsoft on how to fix the issue. I have heard back from nobody because that would mean they would have to admit they may have an issue.

wiidsduelpack

Glad that I read that my account would be automatically renewed every month when MS still has a deal to buy Gold for a buck or two. My solution was not to get it. I have FIFA, but I guess since I don't have Gold yet, I will not get hacked. / This sounds like EA's fault and not MS's personally. We should not hate on Microsoft.

RAGEofSTUNTS

@AiGeeEn1 Well at least there is a name change service and without charging something for it people will change their names ridiculously, think of how annoying it will be to get a "I have changed my name to...." message every two seconds. Also, there will be more people squatting on gamertags like it says in the article.

robram9

@LordSho The funny thing is your comment makes you sound like a little kid...

Jonwh18

Yeah, Microsoft is freaking greedy lol. It took 5 seconds to put my credit card in, and two hours and a harshly worded conversation with the people in charge of the customer support people to get it removed. Also it kinda pisses me off that when it comes up "do you wish to automatically renew?" and I say no, unless you take the card off the freaking system it continues to charge you the monthly rate anyway! I didn't realise it was still charging for another 4 months. WTF, Microsatan!

Daemoroth

@m4a5, so true! How should Microsoft prevent users from giving away their personal information? There's nothing any company on this earth can do about phishing. Tell the kids to stop using "JustinBieber" and "BabyBabyBaby" as a password and that's about it. It's these users' own stupidity that got them in that mess, and now they're just whining at Microsoft for not fixing their screw-ups instantly!

MEDzZ3RO

What was the saying going around on PC and PS3 articles last year? "You pay for what you get", yeah.. right... As I stated last year, hackers write the firmware, so nothing is "un-hackable"; no company is safe from it regardless of whether you pay or not. @deth420 That caught us out too; Microsoft conveniently charges your credit card automatically for your Xbox Live yearly subscription whether you ask for it or not.

deth420

Yeah, I love that you can create an account, add personal data, and whatever through the Xbox, but when you want to cancel the subscription, or like they're saying with the removal of CC info, you have to call them on the phone. Microsoft, you suck!

Vishant

Pick a weird username and password, give a fake address, i.e. a neighbor's, and never use real-world bank account or credit card info. There you go. More secure Live or PSN.

m4a5

To call this a security problem would be like giving a robber your home security password and, when it doesn't stop said robber, blaming it on the company who made the security system... People need to learn what phishing is and what hacking is......

LordSho

You people are completely retarded. "I guess Xbox Live is NOT more secure than PSN"... Durrr!! Eat ass! Xbox Live IS more secure. In the article it says "if you get a person's gamertag and password..." Make a REAL password that doesn't have your name or favorite song in it and you won't have to worry about it. I've been on Xbox Live since I BETA TESTED IT, and not once have I had account security problems. I have a nice long password with letters and numbers in it, and no one could ever guess it. Xbox Live wasn't hacked like PSN was; someone got that woman's gamertag and password... HER OWN FAULT! Quit the fanboy denial.. I own both systems. As far as online services go, PSN can't compare to Xbox Live... and if the $60 a year scares you away, you probably aren't old enough to play the games anyway.

starfox15

Glad I'm not paying a monthly fee to Microsoft for this service.