Microsoft, Fix Your Security Problems
While not a security breach in name, Xbox Live's recent spat of security woes makes it hard to tell the difference.
We'll begin emailing you updates about %gameName%.
We'll begin emailing you updates about %gameName%.
Late last week, the ongoing Xbox Live FIFA Ultimate Team scams bubbled up in the news cycle again when a particularly compelling customer service horror story was recounted on the Hacked on Xbox Tumblr blog. In the blog, a woman referring to herself as Susan T described her struggles with Microsoft as an outside party logged into her Xbox Live account and racked up charges on her credit card--even after Microsoft said it had blocked access to the profile while an investigation was conducted.
There's much more to her story, and it's well worth reading the entire saddening, frustrating account. The problem is that her story is by no means unique among Xbox Live gamers. While 2011 was the year Sony lost the personal information of some 100 million customers with hacks to the PlayStation Network and Sony Online Entertainment databases, anecdotal evidence about which platform endured the most troublesome identity theft was weighted heavily toward the Xbox 360. For Microsoft's part, the company insists that Xbox Live security hasn't been compromised, as in the following statement issued after Susan T's blog got traction in the news cycle:
"Microsoft can confirm that there has been no breach to the security of our Xbox LIVE service. In recent cases, some Xbox LIVE members appear to have been victims of malicious scams. Unfortunately this is something that affects many Internet based services. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats. However, we are aware that a handful of customers have experienced problems getting their accounts restored once they've reported an issue. We are working directly with those customers to restore their accounts as soon as possible and are reviewing our processes to ensure a positive customer support experience."
I believe Microsoft when it says Xbox Live hasn't suffered a security breach. But that doesn't mean Xbox Live isn't suffering from a security problem. The problem is that Microsoft seems content to merely reassure people whose accounts have been compromised that the company wasn't the weak point in the security chain. That's fine from a legal liability standpoint, but it's pretty shortsighted for a company to tell victimized customers, "Don't blame me; I didn't lose your info," and carry on as if nothing happened. Instead, Microsoft should be doing a better job of taking away a crook's incentive and ability to cheat its user base.
I believe Microsoft when it says Xbox Live hasn't suffered a security breach. But that doesn't mean Xbox Live isn't suffering from a security problem.
Take the FIFA scam, for example. There are a number of variations on it, but the basics are that a scammer gets hold of an Xbox Live member's user name and password and logs into that account. If the account is already linked to a credit card, the crook stocks up on Microsoft points and uses them to buy FIFA Ultimate Team card packs. The cards from those packs are then sold online outside of Xbox Live, and once buyers have been found, the transaction is completed in-game by trading the card directly to the purchaser's gamertag.
The solution here is simple, and it is one borne out of Microsoft's hold on the Xbox experience. Because the Xbox 360 is a closed system, Microsoft ultimately has control over what happens on its console and in its games. That level of control means Microsoft can impose the rules by which publishers must play, and it can forbid such direct transfer of any paid downloadable content from one gamertag to another. An illicit secondhand market for these cards can't really exist if a would-be seller can't ensure those pilfered wares wind up in the hands of the proper buyers.
Obviously, this would be bad for business to an extent. Without the ability to trade cards directly, the Ultimate Team-playing community may not thrive in the same way. And EA would no doubt be unhappy at having its options for how to structure its business model limited. But the question is whether or not Microsoft and its third-party partners see protecting their consumers from rampant fraud to be more valuable than the incremental revenues they reap by having a system open for continued abuse. Or in more pragmatic terms, whether or not they are willing to put up with how scummy it looks to have these stories circulating online while EA executives brag to investors that, "We see people spending $500, $600, $700 on digital card packs to play Ultimate Team simulation mode."
In another, more narrowly defined instance of Xbox Live fraud, one gamer conveyed to GameSpot a tale of scammers attempting to steal the gamertags of himself and his friend. Both were members of the original Xbox Live beta, and so they had simple handles that were free of superfluous numbers, characters, or "xXX-XXx" prefixes and suffixes. They were the sort of gamertags that would have been not at all out of place if used as nicknames for American Gladiators. When his friend's account was hacked, American Gladiator 1 (we'll call him "Gemini," though that wasn't his real gamertag) messaged his friend's account (let's go with "Turbo") to see what the thief would say. Perhaps surprisingly, the squatter acknowledged what he'd done and explained that he was planning to sell the handle online. While Xbox Live users can't actually give their handle to another gamer, they can coordinate name changes. When one account uses Microsoft's gamertag name change feature, it instantly frees up the old gamertag for a second account to come in and claim it.
Although this isn't the most widespread problem, it's still one Microsoft could almost entirely eliminate by placing old gamertags in quarantine for an unspecified period after each name change. That would not only reduce the likelihood of a scammer being able to reregister an account with the desired gamertag, but it would also give the original user an opportunity to notice the name change and lodge a complaint with Microsoft before someone new begins squatting on the old gamertag.
The thing is that the Xbox Live security problem has grown to the point where it's impacting customers who haven't had a dime stolen from them. After reading through the Hacked on Xbox account, I finally decided to remove my credit card information from my Xbox Live account and use nothing but Microsoft points cards going forward. But when I logged onto my account on Xbox.com to make that change, it wouldn't let me delete my credit card, saying it was being used for an active service. Because I had paid for my Xbox Live Gold account with a credit card, the system would not allow me to remove that card until the subscription had lapsed, which is a piece of information I was only able to get after using Microsoft's online tech support chat. The tech support person was friendly enough but could not simply remove the card from the account without cancelling my Xbox Live subscription because it had been less than 30 days since it was renewed. So it was suggested that I try back in a few weeks after that window has passed and see about having the card information removed then.
When I went to remove my credit card info from my PlayStation Network account, it was a straightforward process finished in under a minute through the PlayStation 3 itself. Come on, Microsoft. When you can look to Sony as a model of how to handle a customer's sensitive personal information, it's time to take a long, hard look at how you operate and make some changes.