Over the past several months Xbox Live accounts (including mine) have been getting hacked en masse. Once the hacker has taken control of the victim’s account, they buy up as many Microsoft Points as they can and spend them all on in-game currency for FIFA 11 or FIFA 12. Then, from within their FIFA game of choice, the hacker buys up items for FIFA Ultimate Team and presumably sends those items off to their personal XBL account.
Once they contact Microsoft about the issue, victims are forced to wait a whopping 25 business days to hear back about the security breach, and their account stays locked down the whole time.
As anyone who has ever worked in an IT department can tell you, there’s no way to anticipate every potential security hole, but you should always try anyway. Microsoft could stand to go back to basics when it comes to Xbox Live security. By using two simple tricks other companies have been implementing for a while now, they could significantly reduce the number of hacked XBL accounts.
For years now hackers have been gaining access to Xbox Live accounts by using a little bit of social engineering on Xbox Live customer service reps. There’s absolutely no way to put a complete stop to this – as long as humans are involved in the customer service process, human error will also be involved. Microsoft could, however, take steps to be sure that they’re dealing with the right person.
I’m not talking about asking security questions, or having a customer verify their address – the customer service reps already do those things, but sometimes that’s not enough. By taking just one extra step, Microsoft could weed out a significant number of fraudulent phone calls – email the owner of the account about the phone call.
If a customer calls in to change their account password or any other piece of sensitive information, sending an email to the account holder with a link to verify the change would almost certainly decrease the number of hijacked accounts.
Before a hacker can do any damage to an Xbox Live account, they first have to log into it either from their computer, or their Xbox 360. If only someone could come up with a validation system for each device you access an account from… oh wait…
Steam totally does that already! I’m not a programmer, nor do I know enough about programming and Xbox Live infrastructure to speak in an educated manner on this topic, but it seems to me that it would at least be possible to implement something similar on Xbox Live. By putting up a road block the first time you access your Windows Live account from a new computer or a new Xbox 360, Microsoft would be able to thwart plenty of hackers before they ever get the chance to do any harm.
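Both ideas above, the emailed confirmation of a support-initiated change and the road block on a first login from an unknown device, reduce to the same mechanism: generate a short-lived, single-use token, send it only to the address of record, and write nothing to the account until that token comes back. The sketch below is an added example written for this post; it is not code from Microsoft, Steam or Xbox Live and says nothing about how either service really implements this. All names (`Account`, `AccountSecurity`, `PendingAction`, the `example.invalid` link) are hypothetical, and the mailer and clock are injected so the flow can be exercised offline.

```python
"""Added example: out-of-band email confirmation for sensitive account actions.

Covers both measures the post proposes:
  1. a change requested through customer support (password, email address)
  2. a login from a device the account has never been used on before
Nothing changes until the token emailed to the address of record is presented.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # a confirmation link is only good for 15 minutes


@dataclass
class Account:
    gamertag: str
    email: str                     # address of record; confirmations go here only
    password_hash: str
    trusted_devices: set = field(default_factory=set)   # device ids already confirmed


@dataclass
class PendingAction:
    account: Account
    kind: str                      # "change_password", "change_email" or "trust_device"
    payload: str                   # the new value, or the device id being trusted
    expires_at: float


def hash_secret(value: str) -> str:
    # Stand-in for a real slow password hash (bcrypt/scrypt); adequate for tokens,
    # whose entropy comes from secrets.token_urlsafe rather than a human.
    return hashlib.sha256(value.encode()).hexdigest()


class AccountSecurity:
    """Holds sensitive actions until the account's email address confirms them."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email      # callable(to, subject, body); mailer stand-in
        self.clock = clock                # injectable so expiry can be tested
        self.pending = {}                 # sha256(token) -> PendingAction

    def _issue(self, account, kind, payload):
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked pending table does not leak usable links.
        self.pending[hash_secret(token)] = PendingAction(
            account, kind, payload, self.clock() + TOKEN_TTL_SECONDS)
        self.send_email(
            account.email,
            f"Confirm {kind} on {account.gamertag}",
            f"Follow https://example.invalid/confirm?t={token} within 15 minutes. "
            "If you did not request this, ignore this message.")
        return token   # returned only so a caller can simulate the link being followed

    # 1. Support-rep initiated change: the rep can request it, but it is not applied
    #    until the account owner confirms from their inbox.
    def request_change(self, account, kind, new_value):
        if kind not in ("change_password", "change_email"):
            raise ValueError(f"unsupported change kind: {kind}")
        return self._issue(account, kind, new_value)

    # 2. Login: a correct password on an unknown device is not enough on its own.
    def login(self, account, device_id, password):
        if not secrets.compare_digest(account.password_hash, hash_secret(password)):
            return "denied"
        if device_id in account.trusted_devices:
            return "ok"
        self._issue(account, "trust_device", device_id)
        return "pending_device_confirmation"

    def confirm(self, token):
        action = self.pending.pop(hash_secret(token), None)   # pop makes it single use
        if action is None or self.clock() > action.expires_at:
            return False
        acct = action.account
        if action.kind == "change_password":
            acct.password_hash = hash_secret(action.payload)
        elif action.kind == "change_email":
            acct.email = action.payload
        else:
            acct.trusted_devices.add(action.payload)
        return True
```

Two details carry the security value: the token is hashed before it is stored and popped on first use, so it cannot be replayed, and every mutation lives behind `confirm`, so a support rep (or someone impersonating the owner to one) can only start a change, never finish it. As the post notes, the scheme still falls if the mailbox itself is compromised, which is why the confirmation always goes to the existing address rather than to any new one being requested.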
Neither of these measures is perfect; in fact, both could be nullified by hacking an Xbox Live user’s primary email address. Still, implementing additional security measures can’t make matters any worse than they already are, and standing still when it comes to security won’t solve anything. If Microsoft wants to earn their customers’ trust, it’s time for them to step up their security game.