Editorial: EA's response to FIFA 12 'money laundering' on Xbox Live, part two

Last night, Shacknews detailed a hack that has been plaguing Xbox 360 users for a few months. Some players have seen their Xbox Live accounts hijacked and--with the use of EA's FIFA 12--charges have been made to purchase content that can be traded to other users. Hackers go in, purchase the content, transfer it to a "front" account, and sell the content for real world money. Microsoft is aware of the issue, but says the situation isn't widespread. EA, on the other hand, has not issued a statement regarding the Xbox Live attacks--until now.

"A small number of gamers continue to report being impacted by fraudulent activity related to FIFA Ultimate Team on Xbox Live," an EA spokesperson told Shacknews. "We have worked directly with Microsoft to enable new security measures to try to keep players safe, and we will continue to help fight criminal activity--protection of our players, their accounts and data is extremely important. We appreciate the fans who continue to help self-police our communities, and we encourage anyone who is impacted in any way to contact us immediately at help.ea.com."

I asked the representatives what EA is doing for Xbox Live users that have been hacked. Isn't that a Microsoft security issue? Is EA offering any other help or compensation for those impacted by this situation? No response to these questions was offered at the time of publishing.

The startling realization I made while investigating this story is that gamers continue to place blame on Microsoft and EA. Gamers are furious, painting both companies in a poor light. That's fine, but shouldn't the blame be squarely put on the shoulders of the hackers?

Part of the issue for gamers is the amount of time Microsoft can take to recover hijacked Xbox Live accounts. It may seem like a simple switch must be flipped, but according to Microsoft, this is far from reality. Microsoft must track down accounts if they are completely taken over.
That means contending with things like region changes, password switches, personal information swaps, and more. All of these tweaks made by hackers slow the process down.

One reader who submitted his story to me detailed an ordeal that began in September 2011 and was only recently settled. Though his situation was not related to the FIFA 12 attacks, he was hit in a similar fashion.

"This mail is confirmation that you successfully switched your Xbox Live account from United States to Russia. Your subscription to Prepaid 12M Xbox Live Gold in United States has been cancelled on Monday, September 05, 2011. In the meantime 5 month(s) has been exchanged from your subscription to Xbox Live Subscription Transfer in Russia," an email from Microsoft to Shacker Scott (a.k.a. soggybagel) read.

"Initially I thought that this was a SPAM or phishing email," Scott told me. "The first thing I did was to turn on my Xbox 360 and when the dashboard popped up all the dashboard headers were in Russian text."

According to emails forwarded to me by Scott, his ordeal ended 109 days later--on December 23. Initially he was told the process would take 25 days, and when that date drew closer Microsoft offered him a free month of Xbox Live to create a new account to use in the meantime. According to Scott, only after contacting the Better Business Bureau to complain about Microsoft did any progress get made on his situation--though there's no evidence that the complaint expedited the process.

Based on conversations with Microsoft, it seems that his situation was the worst: a hijacked account, a region change, and more. These steps slow recovery down, Microsoft told me.

After the 3 month and 18 day ordeal was over, Microsoft refunded Scott 1200 MS Points--which were stolen during the ordeal--and provided him with nine additional months of Xbox Live. Xbox Live Director of Policy and Enforcement Stephen Toulouse told me that this recompense is standard.
"We make sure they are compensated for the time [plus] some extra (the amount varies by case) and fully refunded of any points or charges that occur. If the account takes an especially long time we give them a free gold account to play on while the original account is being recovered. They can choose to keep that account afterward in addition to their original account," he said.

My situation was different, as my account details were never changed. Recovery wasn't necessary as I was able to switch my password before my Xbox Live account was altered. A few days later, my FIFA 12 account purchases were canceled and my points were returned.

An EA spokesperson said the company is investigating the situation at multiple levels, which now also include taking down FIFA Ultimate Team phishing websites and scam attempts to "illegally re-sell FIFA Ultimate Team items." EA also states it continues to educate users regarding the importance of account safety, noting that information is available on its forum and website, though EA's security notices revolve around its own websites and account information, and not the Xbox Live hack I experienced. Within the last month, the franchise's official Twitter account has only mentioned phishing issues once, which was only a response to a follower's inquiry about a scam site. More promotion of the issue is certainly needed, including adding account safety education in the actual game, which FIFA 12 lacks.

EA tells me that "new security measures have been enabled" to combat this issue, though they wouldn't specify what those measures were. I was also told that EA will continue to "track data and collaborate with Microsoft to determine where further efforts should be focused." When asked why FIFA 12's trading feature was still available during the investigation and whether or not future EA titles would remove the ability, EA offered no response at the time of publishing.

My account shows I've played FIFA 12, but it's all part of the scam.

It's still unclear whether or not the companies involved are sharing profits for the hijacked account purchases, as they would for standard DLC. According to Toulouse, details on license transactions cannot be discussed, "but suffice to say both sides work together to help ensure the attackers do not profit."

That's the core here; the attackers are to blame. It's easy to get mad at Microsoft and EA because we--as members of the gaming community--can point to them as a "known enemy." The issue is we don't know who the attackers are, so we place the blame on them. EA and Microsoft certainly need to streamline the process of recovery and investigation, but as long as FIFA 12 Ultimate Team Packs have a real-world value attached to them, some of us are going to be caught in the crossfire.

Next week, we conclude our investigation with a look at more Microsoft policies, including security measures beyond the initial log in of Xbox.com and how easy it is to move your online persona to the snowy region of Russia.