Xbox Live security concerns continue to grow

Our investigation into the Xbox Live hacks continues. Today, we look at the Windows Live ID and ask Microsoft whether or not it has been compromised.

Additional reporting provided by Alexander Sliwinski, News Editor for Joystiq.

Last week, Shacknews explored a series of hacks plaguing Xbox Live users, the most notable of which revolved around the use of EA's FIFA 12 to launder money out of the service. By accessing Xbox Live accounts, hackers are purchasing FIFA 12's in-game 'Ultimate Team' cards with the intention of trading and selling the content. According to some of those affected, saved payment methods on hacked accounts had also been used to purchase more Microsoft Points in order to facilitate the purchase of more content.

The variety of ways in which accounts can be attacked--via FIFA 12, PayPal, etc.--has painted an inconsistent story amongst consumer complaints. However, there is a common thread running between each story: Microsoft's Windows Live ID. Windows Live ID lets users adjust Xbox Live account information, add and remove payment methods, link PayPal accounts, and more.

"In October--right when Gears of War 3 came out of all things--I woke up to find my Xbox region changed," COTV's Robert Welkner told me. "All my Microsoft Points [were] used up, the months on my Gold swallowed up, and an attempt to get more Microsoft Points was made on my debit card." Robert's Xbox Live account has been locked since, while Microsoft investigates the situation; however, he expects a resolution soon.

Justin Heard's story is similar, though his account was compromised and used to purchase a Games for Windows Live title. Speaking with Joystiq, Heard says his account was used to purchase the Collector's Edition of Rift--a PC-exclusive title--along with several point bundles and a Family Gold package, which he believes was used to transfer the purchased points to new accounts. Heard's account is also locked while Microsoft investigates the situation.
"I can state we've not been made aware of anything like that either from users or PayPal to my knowledge--a partner we work with closely," Xbox Live Director of Policy and Enforcement Stephen Toulouse told Shacknews. "I just checked with a counterpart at PayPal who said they have no idea what that source is talking about," he added in response to one report claiming PayPal was becoming flooded with customer service complaints regarding unauthorized Xbox Live charges.

Multiple charges appeared on my own account, following a FIFA 12-related hack.

In our reports, none of the users felt they had fallen victim to phishing or social engineering scams--which includes my own situation reported last week. In my particular case, the Windows Live ID linked to my Xbox Live account was an address I rarely use.

When first reporting the FIFA 12 hack, Ben Kuchera of Ars Technica--the first site to report the FIFA 12 hack--told Joystiq that he would take every precaution with his own Xbox Live account. "The easiest way to limit your exposure is to remove your credit cards and just use point cards for purchases and to pay for your account. It's slightly inconvenient, but I feel much safer," he said.

Xbox.com's security page lists a number of 'best practices' for users to protect their accounts; however, the majority of the site's security rests on a single login and password exchange between the user and the service. That means once you log into an account, you are free to make any account changes you wish; there are no security checkpoints along the way. In fact, once you log in you are free to examine every aspect of an account, giving hackers access to information such as your full name, phone number, and mailing address. Making substantial changes, like switching account regions, is a simple process.

Why isn't Microsoft calling users or using other measures to verify account changes of this magnitude? Surely the volume of Xbox Live users switching accounts from the United States to Eastern Europe isn't enough to slow down customer service.

In response to our inquiries about the state of Windows Live ID, Microsoft says the service has not been compromised and maintains that phishing and social engineering are to blame. "Windows Live ID was not compromised. The FIFA 12 and other similar incidents are cases of social engineering or phishing, which are industry wide problems," a company spokesperson told Shacknews.
"Microsoft constantly audits its systems and reviews its processes in an effort to help protect customers from such issues. To help avoid becoming a victim of phishing, people can use the guidance found at the Microsoft Hotmail: Serious About Safety site. They can also visit the Windows Live Hotmail Help Center, if they believe their account was compromised."

Our own recommendation is that users look to change their Windows Live ID and get into the habit of switching their passwords every few months. The headache now will be far less painful than the frustration later. If you have more information to provide, please feel free to contact us.

Xav de Matos was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    January 4, 2012 9:00 AM

    Xav de Matos posted a new article, Xbox Live security concerns continue to grow.

    • reply
      January 4, 2012 9:07 AM

      Stallion83 even got social engineered and his account stolen for a while. I don't know if it's his status as a prominent user or what, but he got it returned within 24 hours, IIRC.

    • reply
      January 4, 2012 9:24 AM

      I would not mind the hassle of a double-authentication (ala Google's) to lock down these accounts.

      • reply
        January 4, 2012 9:51 AM

        Yea, I really wish they'd implement that since the WLID is tied to so many things now (your WP7 phone, XBL, GFWL, etc).

    • reply
      January 4, 2012 9:30 AM

      So, just wondering aloud... could this "rash" of Xbox Live issues be related to the PSN problem? Think about it: how many of those PSN users used the exact same ID/email/password on Xbox Live? This potentially could just be some bad guys going through that massive list of PSN stuff and trying to log in to Xbox Live.

      • reply
        January 4, 2012 9:36 AM

        I think this is worth looking into.

        • reply
          January 4, 2012 10:10 AM

          We already are... along with SOE logins, Valve, and more.

          • reply
            January 4, 2012 11:58 AM

            It would be cool if you mentioned this in one of the articles. Or in general compiled a list of hacks that were reported last year. I appreciate you guys doing the reporting on this kind of story. I think you have done a good job of just feeding the conspiracy theorist.

            • reply
              January 4, 2012 12:06 PM

              The story is ongoing.

              I don't think, if you read the second part of this story which is linked to this, we're doing anything to feed conspiracies... in fact I mention that I'm disappointed people are forgetting about the real jerks -- the hackers.

              • reply
                January 4, 2012 12:21 PM

                Sorry I meant to say not feeding the conspiracy theorist.

              • reply
                January 4, 2012 10:14 PM

                That's great and all but the responsibility for security still lies with Sony and Microsoft.

            • reply
              January 4, 2012 12:13 PM

              ^ Seconded

          • reply
            January 4, 2012 9:45 PM

            My Live account was hacked back in August. I did not have a PSN account at the time of that hack. I know for a fact my information was not in the Gawker hack. My compromise predates the Valve hack. If hackers are really using login credentials from third-party hacks, it's likely that they are compiling information from many sources, not necessarily ones that were well reported.

            • reply
              January 5, 2012 6:10 AM

              The question I would have is did you have the same account password/email combination for something else. There was a rash of hack announcements that were not gaming related around the PSN takedown.

      • reply
        January 4, 2012 2:55 PM

        Well, obviously this would be moot if the two compromised accounts listed in the article above only have a x360 or a different account name between both systems.

      • reply
        January 4, 2012 3:35 PM

        I think this is how most accounts are compromised at this point.

      • reply
        January 4, 2012 4:28 PM

        A fair number of them have that problem, I'm sure. However, some of the problems appear to be related to bizarre Microsoft policies and practices.

        Account Thief: "Hi, I want to move my XBox Live region to Russia!"
        Live Support: "Sure, no problem....aaaaand, done!"

        The next day
        Real Account Owner: "WTF, my account was hijacked and you let them move it to Russia? Move it back!"
        Live Support: "Sorry, we're going to need a form submitted in triplicate, copies of three forms of ID, a blood sample, a semen sample, and proof that you possess an immortal soul. Also, it will take three to seven months."

        • reply
          January 4, 2012 4:57 PM

          I was told Friday that they had to let the charges to my card go through. They were still pending and could have been killed on their end. Yet to add a new email address to my stupid Live ID that isn't used for anything Xbox Live I was never contacted on the original email account. They're doing some dumb stuff.

    • reply
      January 4, 2012 9:36 AM

      While this is concerning, the thing that gets me with all of these stories on the various gaming blogs is there's always an implied security breach that might be happening, but nobody can truly point to evidence of how it's going down.

      On another gaming site I frequent, several people have been affected in the forum, however, about half of them have found trojans or other malware on systems they've used to access Live or their MSN/Hotmail accounts.

      Add in the fact that way too many people use the same passwords over and over again on sites, and you wonder if at least another part of the problem is bleed over from the PSN and other database hacks of 2011.

      I just think this is a lot of anecdotal stuff that at this point has no cohesive evidence that's been dug up that this is some kind of vulnerability in MS's systems that is being exploited.

      I think the shameful thing here is the horribly slow recovery process that at least some users are having getting control of their IDs back. I know these things can be complicated, but MS needs to either develop better resolution tools, up staff to handle the volumes, or somehow improve the process.
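The password-reuse theory raised in the thread (breached email/password lists from other services being replayed against Xbox Live accounts) has a detectable shape on the service side, which is the defender's angle the commenters above are circling. The following is an added example for this thread, not code from Microsoft, Sony or any service named here: it parses a constructed login log, flags source addresses that touch many distinct accounts with mostly failed attempts (one person forgetting a password hits one account; a replayed breach list hits many accounts once each), and lists the accounts such a source logged into successfully, since those are the ones whose reused passwords now need a forced reset and an owner notification. The log format, thresholds, IP addresses and sample lines are all constructed.

```python
"""
Credential-stuffing detection over constructed login logs.

Added example for this discussion; not the code of any service named in the
thread. The log format, thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed log format: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 walks a list of different accounts (a replayed
# breach list); 198.51.100.9 is one person mistyping their own password once.
SAMPLE_LOG = """\
2012-01-04T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2012-01-04T09:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2012-01-04T09:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2012-01-04T09:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2012-01-04T09:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2012-01-04T09:00:04Z ip=203.0.113.7 user=frank@example.com result=fail
2012-01-04T09:05:00Z ip=198.51.100.9 user=alice@example.com result=fail
2012-01-04T09:05:30Z ip=198.51.100.9 user=alice@example.com result=ok
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """
    Flag source IPs that try many *distinct* accounts with mostly failures.
    A legitimate user who forgets a password hits one account repeatedly;
    a stuffing run hits many accounts once each, and most guesses miss.
    Returns {ip: {"users": n, "attempts": n, "failures": n}} for flagged IPs.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ev in events:
        stats = by_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        if ev["result"] == "fail":
            stats["failures"] += 1
    flagged = {}
    for ip, stats in by_ip.items():
        distinct = len(stats["users"])
        ratio = stats["failures"] / stats["attempts"]
        if distinct >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": distinct,
                           "attempts": stats["attempts"],
                           "failures": stats["failures"]}
    return flagged


def accounts_to_reset(events, flagged_ips):
    """
    Any account that a flagged source logged into successfully was reached with
    a reused password. The response is to expire its sessions, force a reset and
    notify the owner, rather than wait for the owner to notice a charge.
    """
    return sorted({ev["user"] for ev in events
                   if ev["ip"] in flagged_ips and ev["result"] == "ok"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = stuffing_sources(evs)
    print("flagged sources:", flagged)
    print("accounts to reset:", accounts_to_reset(evs, flagged))
```

The two thresholds are the design choice: a high failure ratio alone would also catch a single confused user, and a high distinct-account count alone would catch a shared NAT address, so the rule requires both before a source is treated as a replay of someone else's breach.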

      • reply
        January 4, 2012 9:58 AM

        I'm almost sure there is a security flaw in the account recovery process. The theory I like best is that Live is relying on the Xbox console to validate that the user is legit without needing to transfer the password to Live. I believe this hole was introduced once you could transfer your ID to any USB key. All they really need is your Live ID. Initially I thought modded 360s were being used, but now I think it is an emulator program that fools Microsoft's servers into thinking it's a 360 console with a "confirmed" user who is legit, allowing them to take control.

    • reply
      January 4, 2012 10:26 AM

      This exact thing happened to me a few months ago....

    • reply
      January 4, 2012 12:29 PM

      This is quite the situation and I don't personally think it's given enough attention from big news sources. There is a new thread every few hours on the xbox.com forums with people's accounts suffering the same fate. One user says he uses different passwords for everything, 12 characters long with symbols and caps and numbers... like fuck someone is going to socially engineer that.

      • reply
        January 4, 2012 3:40 PM

        Sounds like they may have a serious problem on their hands.

      • reply
        January 4, 2012 4:13 PM

        What normally happens with the social engineering, is they call support to get a little piece of personal information by impersonating the person owning the account. They hang up, rinse, repeat. Eventually they get enough information to either do the password reset question, which is vastly weaker than the password most of the time.

        • reply
          January 4, 2012 6:00 PM

          I wish that "security questions" on accounts didn't exist; they only really serve to take the majority of password reset burden off of a support department, but are a gaping security hole. The most secure way to deal with it is to fill it in with another password, or with garbage random data that is forgotten, and just forgo the "security question" step (though some services may not like that).

    • reply
      January 4, 2012 3:20 PM

      Has Microsoft said anything about what auditing certifications its Windows Live ID service has undergone in the past 3 years? If they process credit card transactions internally, they should be undergoing a PCI merchant audit yearly.

    • reply
      January 4, 2012 4:04 PM

      I got hit last week, still waiting to get my account back to play my stack of Xmas games :-(

      Stupid FIFA

    • reply
      January 4, 2012 4:22 PM

      WTF? The CC I have in my account can't be removed because it's associated with my Xbox LIVE Gold: Prepaid 12+2M Xbox LIVE Gold?

      • reply
        January 4, 2012 9:59 PM

        switch it to paypal, remove credit card, and then remove paypal account.

      • reply
        January 5, 2012 10:05 AM

        I had the same issue, I had to contact Microsoft and the only way they could remove it was to cancel my Gold subscription then reissue me a code for the remaining time. It got removed but the whole ordeal was laughable.

    • reply
      January 4, 2012 6:32 PM

      Because I can't seem to get anywhere using xbox.com, I will try to shed a little light on my situation in case yours is comparable. I have been with the Xbox Live service since beta. My tag was RANGER. My Windows Live ID (WILD) was hacked around the beginning of December, around the same time I started to use the new iPhone app Microsoft published. My tag was stolen, and luckily my Visa card had yet to have any purchases, as I notified within 24 hours. I have received an email from the Microsoft investigation team, and I was unable to grab my tag back. I called 1-800-microsoft help me; I was pushed back up the chain and waiting. I never have played or used FIFA and I wasn't attacked by a phishing scam. The individual got into my account for the tag, which is why I feel I was targeted. I think there is a hole in Microsoft security.

    • reply
      January 4, 2012 6:39 PM

      My account was compromised on 8/23. I filed a BBB complaint on 12/27 and just got my account back on the 2nd.

      • reply
        January 4, 2012 9:10 PM

        fuck :-( i really hope mine doesn't take this long

    • reply
      January 4, 2012 7:26 PM

      I finally was refunded my points just two days ago now. My initial call to Xbox Support was made on September 18th.

      A follow up was made about October 15th and I was informed I would be receiving an email "any day now." Nothing, nothing, nothing.

      I made a follow-up on December 15th in which they informed me they already emailed me. I did not receive said email on the date they mentioned, not even in my Spam folders after a lengthy search.

      As such, they had to make a NEW claim and it would take another period of ~25 days to sort out. Afterwards, I had been given a free month of Xbox Live from their rewards program.

      I redeemed it and used it for a few days while I waited for their email about my points being refunded after the hijacking from back in August.

      They suspended my account. I couldn't log into it and that free month of Gold was killed off.

      Finally, two days ago I received the email. Went through the steps. My points were refunded and they gave me one month of Gold for free.

      So, about 3-3.5 months of waiting to finally get it all resolved, points refunded, etc. I also lost all progress in Halo CEA I made during the past couple of weeks and my achievements aren't recording properly in it but... whatever. I just feel so defeated after this whole ordeal.

    • reply
      January 4, 2012 8:30 PM

      I bought a 360 bundle during black friday but now I'm afraid to hook it up. Hold me!

      • reply
        January 4, 2012 10:17 PM

        OMFG just hook it up and don't use a generic password (or one you use elsewhere), also if you are super worried don't register a credit card. Enjoy your Xbox.

    • reply
      January 5, 2012 4:20 PM

      My account was transferred to Colombia and "locked" for an "investigation" for over 3 months!! Calling CS was a joke, so I wish all the best if this happens to you too.

    • reply
      January 6, 2012 6:05 PM

      Great articles so far Xav. I'm glad that this issue is coming to light, but I think it is really sad that a gaming journalist had to have their account hacked before people really started to throw hard questions at Microsoft, Windows ID, and EA.

      I work for a large internet company, and have done account security work for them in the past, and of course the standard answer when someone asks about why an account was compromised is social engineering, phishing, or malware. But based on some of the fires that I have heard about and helped put out in my experiences at work, I can guarantee that there is more going on that the big guys won't talk about, even to you Xav.

      The biggest frustration to me is how quickly we can detect and proactively stop damage to a compromised account, and how quickly any changes can be reversed. We also have a much better and faster reactive process when something does slip through and a customer brings it to our attention. When my XBL account was hacked, I was floored when I was told it would take 28 days to have everything fixed. I was expecting to hear 28 minutes at the most!

      Every Xbox has its own unique ID number, so it should be very easy for MS to notice that a different Xbox is using my account, which has only ever been on 2 different consoles, and has only ever been used in one state. The tools are there for MS to make this a better process for everyone, but they don't seem to be using them very well. Hacking is going to happen, that is inevitable, even if more authentication is added or anything else to try to prevent it. What needs to be improved is how quickly it can be detected, and how quickly it can be fixed.
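The article's observation that a logged-in session can switch regions or change payment details with no further checkpoint, and the comment above that the service already sees a per-console identifier and a location, describe the same missing control from two sides. The following is an added example, not Microsoft's or Xbox Live's code: a small risk-based policy in which sensitive changes on a session that looks unlike the account's history (unfamiliar console, new country, region switch) are held for out-of-band confirmation, sensitive changes on a familiar session go through but notify the owner, and every decision is recorded so a later dispute has a trail. The action names, the console and country identifiers, the policy thresholds and the sample account are all constructed for the illustration.

```python
"""
Risk-based step-up verification for sensitive account changes.

Added example; not Microsoft's or Xbox Live's code. Every identifier, action
name, country code and sample value here is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed action names for changes that must never go through on a bare
# logged-in session alone.
SENSITIVE_ACTIONS = {"change_region", "add_payment_method", "change_email",
                     "change_password", "change_reset_question"}


@dataclass
class Account:
    account_id: str
    region: str
    known_consoles: set = field(default_factory=set)   # console ids seen and confirmed
    known_countries: set = field(default_factory=set)  # countries seen and confirmed
    audit: list = field(default_factory=list)           # (decision, action, signals)


@dataclass
class Request:
    action: str
    console_id: str
    country: str
    new_region: Optional[str] = None


def risk_signals(account, req):
    """Reasons this request looks unlike the account's history (empty = nothing unusual)."""
    signals = []
    if req.console_id not in account.known_consoles:
        signals.append("unknown_console")
    if req.country not in account.known_countries:
        signals.append("new_country")
    if req.action == "change_region" and req.new_region != account.region:
        signals.append("region_change")
    return signals


def decide(account, req):
    """
    Policy (constructed for the example):
      sensitive action + any risk signal -> "step_up": confirm out of band, via
        the email or phone already on file, before anything changes
      sensitive action, no signal        -> "allow_and_notify": apply, but tell
        the owner so a hijack is noticed in minutes rather than months
      anything else                      -> "allow"
    Returns (decision, signals).
    """
    signals = risk_signals(account, req)
    if req.action in SENSITIVE_ACTIONS:
        return ("step_up" if signals else "allow_and_notify"), signals
    return "allow", signals


def handle(account, req, step_up_confirmed=False):
    """
    Apply the request only when policy allows it, or when the owner has already
    confirmed the step-up out of band. Records every decision. Returns the decision.
    """
    decision, signals = decide(account, req)
    if decision == "step_up" and step_up_confirmed:
        decision = "allowed_after_step_up"
        # A console or country becomes "known" only after the owner stood behind
        # it out of band; a benign action from a new console must not warm it up.
        account.known_consoles.add(req.console_id)
        account.known_countries.add(req.country)
    if decision != "step_up" and req.action == "change_region":
        account.region = req.new_region
    account.audit.append((decision, req.action, signals))
    return decision


if __name__ == "__main__":
    acct = Account("acct-1", "US", {"console-A"}, {"US"})
    hijack = Request("change_region", "console-B", "RU", new_region="RU")
    print(handle(acct, hijack), acct.region)               # step_up US
    print(handle(acct, hijack, step_up_confirmed=True), acct.region)
    print(handle(acct, Request("add_payment_method", "console-A", "US")))
    print(acct.audit)
```

The point of the split between "step_up" and "allow_and_notify" is that the notification path costs nothing and is what turns a month-long recovery into a same-day one: the owner hears about a payment change or region switch from the address already on file, which is exactly the contact the commenters above say never happened.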

    • reply
      May 28, 2014 11:21 PM

      I got a $100 unrecognised charge on one of the credit cards linked to my Xbox account.
      I haven't used this account for many months now. From where did this happen?
      I did notify my bank of the disputed transaction and reported the transaction on
      http://www.vcharges.com/msft-xbox-live-7c

      Let's see how things turn out to be.
