Dear Microsoft, Please Plug These Holes.

Over the past several months Xbox Live accounts (including mine) have been getting hacked en masse. Once the hacker has taken control of the victim’s account, they buy up as many Microsoft Points as they can and spend them all on in-game currency for FIFA 11 or FIFA 12. Then, from within their FIFA game of choice, the hacker buys up items for FIFA Ultimate Team and presumably sends those items off to their personal XBL account.

After contacting Microsoft about the issue, victims are told to wait up to 25 days (in my case later clarified to 21 business days) to hear back about the security breach, during which time their account is locked down.

As anyone who has ever worked in an IT department can tell you, there’s no way to anticipate every potential security hole, but you should always try anyway. Microsoft could stand to go back to basics when it comes to Xbox Live security. By using two simple measures other companies have been implementing for a while now, they could significantly reduce the number of hacked XBL accounts.

For years now hackers have been gaining access to Xbox Live accounts by using a little bit of social engineering on Xbox Live customer service reps. There’s absolutely no way to put a complete stop to this: as long as humans are involved in the customer service process, human error will also be involved. Microsoft could, however, take steps to be sure that they’re dealing with the right person before a rep’s action takes effect.

I’m not talking about asking security questions or having a customer verify their address; the customer service reps already do those things, but sometimes that’s not enough. By taking just one extra step, Microsoft could weed out a significant number of fraudulent phone calls: email the owner of the account about the phone call.

If a customer calls in to change their account password or any other piece of sensitive information, the change should not take effect until the account holder clicks a verification link sent to the email address already on file. A hijacker who has talked a rep into resetting the password still can’t finish the job without access to that inbox, which would almost certainly decrease the number of hijacked accounts.

Before a hacker can do any damage to an Xbox Live account, they first have to log into it, either from their computer or from their Xbox 360. If only someone could come up with a validation system for each device you access an account from… oh wait…

Steam already does exactly that (Steam Guard holds a login from an unrecognised computer until you confirm it through email). I’m not a programmer, nor do I know enough about programming and Xbox Live infrastructure to speak in an educated manner on this topic, but it seems to me that it would at least be possible to implement something similar on Xbox Live. By putting up a road block the first time you access your Windows Live account from a new computer or a new Xbox 360, Microsoft would be able to thwart plenty of hackers before they ever get the chance to do any harm.
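To make the two proposals above concrete, here is an added example (not Microsoft’s, Steam’s or the author’s code) of how a service could hold both a support-desk password change and a login from an unrecognised console or PC until the account owner confirms it through an emailed, single-use, time-limited link. The class and method names, the in-memory store, the account and device identifiers and the outbox that stands in for email are all assumptions made for the example.

```python
"""Out-of-band confirmation for sensitive account changes and new-device logins.

Added illustration, not code from Xbox Live, Steam, or the post's author. A
customer-service password change and a login from an unknown device are both
recorded as pending actions that take effect only when the account owner
opens a link sent to the email address already on file.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links stop working after 15 minutes


@dataclass
class Account:
    email: str
    password_hash: str
    known_devices: set = field(default_factory=set)


@dataclass
class PendingAction:
    token_hash: str   # only the hash of the emailed token is stored server-side
    owner: str        # email of the account owner
    kind: str         # "password_change" or "new_device"
    payload: str      # new password hash, or the device id to trust
    expires_at: float


class AccountService:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so expiry can be tested
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingAction] = {}   # keyed by token hash
        self.outbox: list[tuple[str, str]] = []       # (recipient, link); stands in for email

    def _issue(self, owner, kind, payload):
        token = secrets.token_urlsafe(32)        # 256 bits of entropy, unguessable
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = PendingAction(
            token_hash, owner, kind, payload, self.clock() + TOKEN_TTL_SECONDS
        )
        # Hypothetical confirmation URL; the raw token travels only in the email.
        self.outbox.append((owner, f"https://example.invalid/confirm?t={token}"))
        return token

    def support_password_change(self, owner, new_password_hash):
        """A rep's request creates a pending change; nothing is applied yet."""
        return self._issue(owner, "password_change", new_password_hash)

    def login(self, owner, device_id):
        """Known device: proceed. Unknown device: hold until the owner confirms."""
        acct = self.accounts[owner]
        if device_id in acct.known_devices:
            return "ok"
        self._issue(owner, "new_device", device_id)
        return "pending_device_confirmation"

    def confirm(self, token):
        """Called when the emailed link is opened. Single use and time limited."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        action = self.pending.pop(token_hash, None)   # pop makes the token single use
        if action is None:
            return "unknown_or_used"
        if self.clock() > action.expires_at:
            return "expired"
        acct = self.accounts[action.owner]
        if action.kind == "password_change":
            acct.password_hash = action.payload
        elif action.kind == "new_device":
            acct.known_devices.add(action.payload)
        return "applied"


def demo():
    """Walk through both flows with a constructed account and a fake clock."""
    now = [1_000_000.0]
    svc = AccountService(clock=lambda: now[0])
    svc.accounts["owner@example.invalid"] = Account(
        "owner@example.invalid", "hash-of-old-password", {"xbox-living-room"}
    )
    steps = [svc.login("owner@example.invalid", "xbox-living-room")]   # trusted console
    steps.append(svc.login("owner@example.invalid", "pc-unknown"))       # held
    link = svc.outbox[-1][1]
    steps.append(svc.confirm(link.split("t=")[1]))                       # owner confirms
    steps.append(svc.login("owner@example.invalid", "pc-unknown"))       # now trusted
    tok = svc.support_password_change("owner@example.invalid", "hash-of-new-password")
    now[0] += TOKEN_TTL_SECONDS + 1                                      # link left unclicked
    steps.append(svc.confirm(tok))                                       # expired, no change
    steps.append(svc.accounts["owner@example.invalid"].password_hash)
    return steps
```

Two design points matter here. The rep’s action only creates a pending record, so a social-engineered call on its own changes nothing; and the server keeps a hash of the token rather than the token itself, so a leaked pending table does not hand out working links. The token is also popped on first use and checked against an expiry, which limits replay. The limitation is the one the post raises below: whoever controls the inbox that receives the link can confirm anything sent to it.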

Neither of these measures is perfect; in fact, both could be nullified by hacking an Xbox Live user’s primary email address, since that inbox is where every confirmation would land. Still, implementing additional security measures can’t make matters any worse than they already are, and standing still when it comes to security won’t solve anything. If Microsoft wants to earn their customers’ trust, it’s time for them to step up their security game.

The Tale of a Hacked Xbox Live Account

On September 6th, just after 9 AM, I received an email informing me that my purchase of 1600 Microsoft points had been unsuccessful. This was something of a surprise, as I had not attempted to buy any Microsoft points that day, so I logged into my Xbox Live account to find out what was going on.

Sure enough, all of the Microsoft points that were stored in my XBL account had been spent on in game items for FIFA 11 (I don’t own that game… hell, I don’t even like soccer video games) and whoever spent my MS points had then tried to purchase more. Presumably, when that purchase failed, they abandoned my account and went on to steal from some other unsuspecting gamer.

Upon making this discovery, I promptly called Xbox customer support. An apathetic young man whose name escapes me at the moment answered, and after asking me a long series of questions designed to verify my identity, he told me that my account would be locked for “up to 25 days” while the issue was investigated. He ended the call by reminding me to check out Xbox.com for more information on all the cool services I wouldn’t be using for the next month, adding insult to injury.

After about two weeks had passed, I decided to call in just to see if there was any news on the investigation. After navigating through the series of prompts 1-800-4-MY-XBOX had to offer, a woman with a thick Indian accent informed me that it would actually take 21 business days, not 25 calendar days, and she said I’d probably hear back sometime in October.

Finally on Monday October 3rd my Xbox Live account was reinstated, and Microsoft provided a code for a free month of XBL without my having to ask for it. Unfortunately, after following the instructions provided by Microsoft’s customer service department via email, I was unable to redeem that code. It turns out that by recovering my gamertag to my console I actually flagged the account to be locked again. Fortunately, this issue was corrected by a five minute phone call to customer service.

Once my account was back in order, I replied to the email I received with several questions I wanted answered. Below is an excerpt from that email.

First, how was my account breached? I don’t do anything with my windows live ID other than visit Xbox.com, and log into my Xbox 360, and I don’t give out passwords. For my protection, I’d like to know how the breach happened so I can take any necessary actions to prevent it in the future.

Second, which parts of my account were accessed by the hacker? If they accessed my credit card information in any way, I need to know about it so that I can contact any of the cards that may have been affected in order to prevent fraudulent charges.

Third, how do I go about removing all of my credit cards from my account? I will use cards purchased from stores to up my XBL subscription, and to purchase MS points – I no longer need, nor want any credit cards associated with this account, as it has proven to be insecure.

All of those points seemed like reasonable requests to me. Connecticut Senator Richard Blumenthal would most likely agree with me, given that he had some choice words for Sony earlier this year when the PlayStation Network was hacked and millions of customers had their personal information stolen. In a letter to Jack Tretton, president and CEO of SCEA, Senator Blumenthal said the following:

When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

Microsoft doesn’t quite see eye to eye with me, or Senator Blumenthal, as evidenced by their response to my request.

Dear Xbox LIVE Customer:

We apologize, but we are not at liberty to explain our investigation process. However $16.03 has been refunded to your account. Refunds could take up to 5-10 business days prior to displaying in your billing activity. It may take 30 days or longer to appear on your statement, depending on your financial institution’s policies.

If you have any concerns regarding this notice, you may either reply to this message or contact Xbox Customer Support directly using the information available at http://www.xbox.com/support/contact and reference the Service Request number above.

Sincerely,

The Xbox LIVE Escalations Team

I emailed them back to let them know that I did appreciate the refund, but that I’d still need to know how my personal information was accessed in order to take any necessary precautions, and as of this writing, I haven’t received a response (though I’ll update this post if I do).

It’s also worth noting that they completely dodged the bit about removing credit cards from my XBL account. That’s because you have to have at least one payment method associated with your Xbox Live account. If you want to remove the credit card associated with Xbox Live autobilling, you’ll first have to associate a different card, or your Paypal account with XBL.

So, after a month-long investigation, Microsoft will only acknowledge what I knew on September 6th: that someone other than myself accessed my Xbox Live account. They are either unable or unwilling to give me any information about how my account was accessed, or about which (if any) pieces of my personal information were taken by the hacker. In other words, someone gained access to my account, may or may not have accessed my personal information, and spent my Microsoft points, and Microsoft does not intend to help protect me from any of the potential hazards associated with having my personal information accessed.

At least when Sony gave out my personal information they offered identity theft protection to make up for it.

I reached out to Xbox Live’s Director of Policy and Enforcement Stephen Toulouse prior to writing this article for information on Microsoft’s end of the investigation process, but unfortunately, he did not return my email.

With no word from Microsoft on what information the hacker may have accessed, and no concrete information from Toulouse on Microsoft’s hacked account investigation process, I’m left feeling like my Xbox Live account may wind up being a security liability.

UPDATE: Both Ars Technica and Gizmodo have received the following response from Microsoft after inquiring about the recent rash of XBL hacking:

We do not have any evidence the Xbox LIVE service has been compromised. We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at www.xbox.com/security to protect your account.

Well, at least the entirety of Xbox Live wasn’t hacked; that’s good news, right? Note that the statement denies a breach of the service itself, not the account-level takeovers, and those are still a fairly widespread issue if the comments and forums across the internet are any indication. Microsoft would do well to consider additional security measures, such as the email confirmation and new-device checks described above, to prevent future hacking attempts from being successful.