
Major Nelson: Xbox Live Users Victims of "Social Engineering"

by Chris Remo, Mar 26, 2007 3:24pm PDT
Related Topics – Xbox Live Marketplace, Games: PC

Last week we reported on a number of cases of Xbox Live users claiming that their paid accounts had been hijacked and, in some cases, their credit cards used to purchase high quantities of Xbox Live Marketplace currency. In that piece, we noted that these security breaches appeared to be due not to an infiltration of the network by technical means, but rather through diligent identity fraud conducted via phone conversations with Microsoft support representatives. Many such cases seemed to be the work of player clans dedicated to such activity. As more reports came in, that explanation for the phenomenon, which appeared to see an odd increase in frequency the weekend prior, seemed increasingly likely.

Later in the day, Microsoft's Larry "Major Nelson" Hryb made a blog post in response, calling the cases "a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account."

Since then, Hryb has made a followup post in which he spoke more openly on the issue. Hryb was apparently contacted by security researcher Kevin Finisterre, who was largely responsible for breaking the story last week. Finisterre had released an audio recording of a Microsoft support call relating to his own account being commandeered. After listening to the recording, Hryb wrote that the Microsoft support team has begun "examining [its] policies" relating to account security and retraining its staff to better deal with such situations. He used the term "social engineering" when describing the malicious actions.

"There's no other way to say it; this situation shouldn't have happened," admitted Hryb. "Our customers deserve better."

For users experiencing account problems, Microsoft has created a new page on Xbox.com related to troubleshooting Xbox Live access issues.




Comments

12 Threads | 19 Comments







  • I don't know how this is such big news right now; about 6-7 months ago I began to hear rumors of this happening, but never believed it.

    Until, in a lapse of 2-3 months, 5 guys on my Friends List had their Live and obviously MSN/Passport/Hotmail accounts compromised; and things just got worse when trying to report this to the Xbox Live support line. Asking for their credit card info to be deleted was useless, with them arguing that they needed evidence of "unusual" activity... well, in one case, after one of my friends' accounts changed its tag twice in a day!!, it was only after this that Xbox Live personnel agreed to change her account to Silver!? Ridiculous; good thing she had already canceled every credit card associated with her gamertag.