Editorial: EA's response to FIFA 12 'money laundering' on Xbox Live, part two

Part two of our investigation on Xbox Live's FIFA 12 'money laundering' scam problems, with response from EA regarding its franchise being used as a profit tool for attackers.

Last night, Shacknews detailed a hack that has been plaguing Xbox 360 users for a few months. Some players have seen their Xbox Live accounts hijacked and--with the use of EA's FIFA 12--charges have been made to purchase content that can be traded to other users. Hackers go in, purchase the content, transfer it to a "front" account, and sell the content for real-world money. Microsoft is aware of the issue, but says the situation isn't widespread. EA, on the other hand, has not issued a statement regarding the Xbox Live attacks--until now.

"A small number of gamers continue to report being impacted by fraudulent activity related to FIFA Ultimate Team on Xbox Live," an EA spokesperson told Shacknews. "We have worked directly with Microsoft to enable new security measures to try to keep players safe, and we will continue to help fight criminal activity--protection of our players, their accounts and data is extremely important. We appreciate the fans who continue to help self-police our communities, and we encourage anyone who is impacted in any way to contact us immediately at help.ea.com."

I asked the representatives what EA is doing for Xbox Live users who have been hacked. Isn't that a Microsoft security issue? Is EA offering any other help or compensation for those impacted by this situation? No response to these questions was offered at the time of publishing.

The startling realization I made while investigating this story is that gamers continue to place blame on Microsoft and EA. Gamers are furious, painting both companies in a poor light. That's fine, but shouldn't the blame be squarely put on the shoulders of the hackers?

Part of the issue for gamers is the amount of time Microsoft can take to recover hijacked Xbox Live accounts. It may seem like a simple switch must be flipped, but according to Microsoft, this is far from reality. Microsoft must track down accounts if they are completely taken over. That means contending with things like region changes, password switches, personal information swaps, and more. All of these tweaks made by hackers slow the process down.

One reader who submitted his story to me detailed an ordeal that began in September 2011 and was only recently settled. Though his situation was not related to the FIFA 12 attacks, he was hit in a similar fashion.

"This mail is confirmation that you successfully switched your Xbox Live account from United States to Russia. Your subscription to Prepaid 12M Xbox Live Gold in United States has been cancelled on Monday, September 05, 2011. In the meantime 5 month(s) has been exchanged from your subscription to Xbox Live Subscription Transfer in Russia," an email from Microsoft to Shacker Scott (a.k.a. soggybagel) read.

"Initially I thought that this was a SPAM or phishing email," Scott told me. "The first thing I did was to turn on my Xbox 360 and when the dashboard popped up all the dashboard headers were in Russian text."

According to emails forwarded to me by Scott, his ordeal ended 109 days later--on December 23. Initially he was told the process would take 25 days, and when that date drew closer Microsoft offered him a free month of Xbox Live to create a new account to use in the meantime. According to Scott, only after contacting the Better Business Bureau to complain about Microsoft did any progress get made on his situation--though there's no evidence that the complaint expedited the process.

Based on conversations with Microsoft, it seems that his situation was the worst: a hijacked account, a region change, and more. These steps slow recovery down, Microsoft told me. After the 3-month-and-18-day ordeal was over, Microsoft refunded Scott 1200 MS Points--which were stolen during the ordeal--and provided him with nine additional months of Xbox Live. Xbox Live Director of Policy and Enforcement Stephen Toulouse told me that this recompense is standard.

"We make sure they are compensated for the time [plus] some extra (the amount varies by case) and fully refunded of any points or charges that occur. If the account takes an especially long time we give them a free gold account to play on while the original account is being recovered. They can choose to keep that account afterward in addition to their original account," he said.

My situation was different, as my account details were never changed. Recovery wasn't necessary, as I was able to switch my password before my Xbox Live account was altered. A few days later, my FIFA 12 account purchases were canceled and my points were returned.

An EA spokesperson said the company is investigating the situation at multiple levels, which now also includes taking down FIFA Ultimate Team phishing websites and scam attempts to "illegally re-sell FIFA Ultimate Team items." EA also states it continues to educate users regarding the importance of account safety, noting that information is available on its forum and website, though EA's security notices revolve around its own websites and account information, not the Xbox Live hack I experienced. Within the last month, the franchise's official Twitter account has mentioned phishing issues only once, and only in response to a follower's inquiry about a scam site. More promotion of the issue is certainly needed, including adding account safety education to the actual game, which FIFA 12 lacks.

EA tells me that "new security measures have been enabled" to combat this issue, though it wouldn't specify what those measures were. I was also told that EA will continue to "track data and collaborate with Microsoft to determine where further efforts should be focused." When asked why FIFA 12's trading feature was still available during the investigation and whether or not future EA titles would remove the ability, EA offered no response at the time of publishing.

My account shows I've played FIFA 12, but it's all part of the scam.

It's still unclear whether or not the companies involved are sharing profits from the hijacked-account purchases, as they would for standard DLC. According to Toulouse, details on license transactions cannot be discussed, "but suffice to say both sides work together to help ensure the attackers do not profit." That's the core here; the attackers are to blame. It's easy to get mad at Microsoft and EA because we--as members of the gaming community--can point to them as a "known enemy." The issue is we don't know who the attackers are, so we place the blame on the companies instead. EA and Microsoft certainly need to streamline the process of recovery and investigation, but as long as FIFA 12 Ultimate Team Packs have a real-world value attached to them, some of us are going to be caught in the crossfire. Next week, we conclude our investigation with a look at more Microsoft policies, including security measures beyond the initial login on Xbox.com and how easy it is to move your online persona to the snowy region of Russia.

Xav de Matos was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    December 29, 2011 10:00 AM

    Xav de Matos posted a new article, Editorial: EA's response to FIFA 12 'money laundering' on Xbox Live, part two.

    • reply
      December 29, 2011 10:21 AM

      How dumb. People are pissed off and pointing at MS and EA because the former takes 3 months to resolve an issue, and the latter sells transferable DLC.

    • reply
      December 29, 2011 10:23 AM

      I'll repost what I wrote as a response in the other thread as it relates to putting the blame on not only the hackers but also in particular Microsoft:

      No, you are wrong here. The thing is that with Live, if you attach your debit/credit card to your account (which is not only common, but almost mandatory, as they make you run through barbed wire and feces to remove it once you have used it on Live), there was absolutely no additional security when using it on Live, none.
      Not even a small PIN code (as in, let's say, the App Store). If anyone could have access to your account for any reason, no matter the strength of the password, they would also have access to your credit card without any hindrance whatsoever.

      This is where they have it wrong. Nowhere else is it accepted that the store (or whatever) keeps your credit card details and never ever lets you verify when you use it, nowhere. It's just bafflingly stupid and mindbogglingly idiotic.

      Add to this the system of 'recovering' your profile to any other Xbox and the possibility of *one-way* migration to another country without verification. Hello?

      You can perhaps fault people for having a less secure password for an online gaming service; yes, they should know better. But the magnitude of the damage is completely up to Microsoft. There is absolutely no way that the amount of suffering you have to go through is correlated to the only fault the user *maybe* has committed, which is to use the same password on another site and/or a too-simple password.

      Once you are a customer of a company you have a two-way trust. In this specific issue I think Microsoft is completely dropping the ball and letting the user take *all* of the downfall.

      • reply
        January 1, 2012 8:06 PM

        I have to say I think you hit the nail on the head with all but one point. Steam is another provider that keeps your card on file without any extra steps to make purchases, however they do have that VAC guard which does help.

        The reason why I think most customers of Microsoft are so upset about this is because so much of this damage could have been prevented so easily. Account transfers between regions shouldn't be so easy to do. I get that in Europe and the North Americas that consoles do migrate but I doubt it happens at such a volume that would justify no security checks.

        Second, Microsoft's inability (and still ongoing) to allow the user to remove their credit card from their account is the height of absurdity. I get that companies want to mine data about their users, but working in a profession where highly confidential information comes to me on a daily basis, and where I can lose my ability to practice my craft with one screw-up, it just irks me to no end that such large companies are allowed to store and retain such information against their users' will, never mind any expectation of security.

        I, along with many other users I feel, am just sitting here scratching my head at how badly Sony, and now Microsoft, have handled these security issues.

    • reply
      December 29, 2011 12:18 PM

      What I find absurd is that while it takes over 3 months for MS to recover an Xbox account, Valve can recover a Steam account in 1-2 business days.

      Steam is similar in size to Xbox Live (the last official info from both services is that they have over 35 million active users) and Valve has much fewer resources than MS, and still they are able to resolve such situations much, much faster.

      It might also help if MS used something similar to Steam Guard, so that a hijacker would need more than a username and password to hijack someone's account.

      • reply
        December 30, 2011 6:16 AM

        There is a lot more content and more diversity of content on Xbox than on Steam. I would assume Microsoft is a much bigger target than Steam, so they get attacked more often.

        • reply
          December 30, 2011 9:23 PM

          You sure about that?

        • reply
          January 1, 2012 8:12 PM

          I don't think diversity of content has anything to do with it. It's a matter of how their system stores and manages profiles or accounts.

          If the only way to track or call up an account is the gamertag (no unique, unchangeable ID number), then after a name change it can be exceptionally difficult to track an account that has undergone multiple name changes, let alone region changes, which might move it from one database to another.

    • reply
      December 29, 2011 12:32 PM

      You are startled people place blame at MS and EA? What planet do you live on? You call them gamers but what you forget is that they really are customers. Not only did they buy the Xbox and the game but they pay monthly for a service. A service. Customers don't really care about the details, they buy something and they expect it to work right. If it doesn't work right then the company who made the product fixes it or if the customer is paying monthly the business is even more obligated to fix it and fast, because otherwise, wtf is the customer paying for. Of course MS and EA get blamed, they need to avoid allowing situations like this, get better security, and fix things in a timely manner.

      Customers, not gamers.

      • reply
        December 29, 2011 12:46 PM

        Agreed, Microsoft and EA are hosting the service, so it's their duty to protect that service, and go after the hackers themselves. If you want an environment where end users are responsible for all account security, then what's the point of a closed online service?! We should just go back to open customer-hosted dedicated servers and master servers at that point.

        I feel that EA just doesn't want to have to shut down a marquee service for them, the FIFA Ultimate Team, since it's probably earning lots for an "add-on" service, perhaps on the order of some free-to-play games.

      • reply
        January 1, 2012 8:16 AM

        this, Xav, no sympathy here for EA and MS.

    • reply
      December 29, 2011 12:36 PM


      • reply
        December 29, 2011 4:02 PM

        I heard rumours that it might be possible to bypass the login somehow, as in a hacked Xbox can spoof some kind of hash/token to take over another account once it has itself logged in as a 'correct' account.
        But I agree. Yet the magnitude makes me suspicious: my brother and his kids have been hacked twice now, and he promised me that no one knows his login and it's never used anywhere else. To make matters worse, he has a parent account for his three sons, who have separate accounts; when his is compromised, all the others go to the shitter too.

    • reply
      December 29, 2011 12:43 PM

      "That's the core here; the attackers are to blame."

      True in the case of Sony as well. When it comes down to it, it's all about removing the vulnerability, and that is the job of MS, EA, Sony, etc...

    • reply
      December 29, 2011 12:57 PM

      Xav, didn't you have a problem with not being able to transfer your Canadian XBox Live Gold account to the US after you moved? Did you ask Toulouse about that, and why it's so easy for region transfers from the US to Russia to happen at the frequency they're happening? I'd personally think that there would be a few legitimate transfers from US to Russia (somebody moving, or on an extended business trip), but not at the rate we're seeing people say their accounts got flipped over to the Russia region.

      • reply
        December 31, 2011 7:34 PM

        That's not a security issue. I talked to customer service about that. The issue there is about licenses for certain content... mostly media content. Since the Eastern Bloc (at least at the time) didn't have things like Netflix available that differed from the US version (which Canada does), it isn't an issue to switch the profile to that region.

        The real reason it exists, also, is because Xbox Live wasn't available in some regions and people who imported their system would select neighbouring regions in order to access the service. As Live expanded, the tool was created to get those people in the right areas.

    • reply
      December 29, 2011 1:12 PM

      It's pretty simple to just disallow region transfers without going through human interaction. I can see that instead of staffing a team to investigate the hacks you could just pay one guy to surf Shacknews all day and deal with the call levels for those requests.

    • reply
      December 29, 2011 1:14 PM

      From part 1: http://www.shacknews.com/article/71700/editorial-fifa-12-xbox-live-money-laundering

      "When I first discovered an issue with my account, I took it to Twitter. It was Shacknews editorial director Garnett Lee who first tipped me to the FIFA 12 hack. "Check your Xbox Live account, see if FIFA is in your recent played games." Not only does FIFA 12 appear on my list--a game I have never played--I have two achievements in the game. Both achievements are associated with FIFA's 'Ultimate Team' feature, which the digital card packs are linked to."

      I'd like to highlight this part, "a game I have never played"

      There has got to be some blame put on the companies for this. Some, not all; (for the hackers are the main culprits) but man, you never played the game before!

      The easiest solution, it seems to me, is to keep some contact information on file. If a region change or a transfer of money/content that is known to be associated with a scam is initiated, then call or e-mail the owner of the account and ask for verification. If the individual says no, then you know something is going on.
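The step-up check proposed in the comment above, written out as an added example (hypothetical code, not Microsoft's or EA's): region changes and purchases of transferable content are held until the owner confirms them through the contact details on file, a transferable purchase made while a region move is still unconfirmed is blocked outright, and an owner's denial locks the account. The event names, the points threshold and the sample account are all constructed for the example.

```python
"""Step-up verification for risky account events: a hypothetical example, not
Microsoft's or EA's code. Region changes and transferable-content purchases are
held until the owner confirms them out of band; a denial locks the account."""
from dataclasses import dataclass, field

REGION_CHANGE = "region_change"
TRANSFERABLE_PURCHASE = "transferable_purchase"  # tradeable card packs and the like
STANDARD_PURCHASE = "standard_purchase"          # non-transferable DLC
POINTS_THRESHOLD = 2000  # assumed limit above which even a repeat buyer must confirm


@dataclass
class Account:
    gamertag: str
    region: str
    contact: str                                 # e-mail/phone used for confirmation requests
    locked: bool = False
    pending: dict = field(default_factory=dict)  # event_id -> event awaiting the owner's answer
    history: list = field(default_factory=list)  # events actually applied
    counter: int = 0                             # source of event ids


def evaluate(account, event):
    """Return 'allow', 'verify' (hold and contact the owner) or 'block'."""
    if account.locked:
        return "block"
    if event["kind"] == REGION_CHANGE:
        return "verify"  # never move an account between regions silently
    if event["kind"] == TRANSFERABLE_PURCHASE:
        if any(e["kind"] == REGION_CHANGE for e in account.pending.values()):
            return "block"  # unconfirmed region move plus tradeable content: the hijack pattern
        first_of_kind = not any(e["kind"] == TRANSFERABLE_PURCHASE for e in account.history)
        if first_of_kind or event["points"] > POINTS_THRESHOLD:
            return "verify"
    return "allow"  # ordinary, non-transferable DLC stays frictionless


def _apply(account, event):
    if event["kind"] == REGION_CHANGE:
        account.region = event["region"]
    account.history.append(event)


def submit(account, event):
    """Run the policy; a held event gets an id that the owner is asked to confirm."""
    decision = evaluate(account, event)
    if decision == "allow":
        _apply(account, event)
        return decision, None
    if decision == "verify":
        account.counter += 1
        account.pending[account.counter] = event
        return decision, account.counter  # caller contacts account.contact with this id
    return decision, None


def confirm(account, event_id, owner_approved):
    """Owner's answer: apply the held event, or treat a denial as a hijack and lock the account."""
    event = account.pending.pop(event_id)
    if owner_approved:
        _apply(account, event)
        return "applied"
    account.locked = True
    account.pending.clear()
    return "locked"
```

Non-transferable purchases are left frictionless on purpose, so the extra verification lands only on the two events the thread singles out as the hijack pattern.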

    • reply
      December 29, 2011 1:54 PM

      Hahahaha, oh all of a sudden a great many things make sense. Apparently someone bought 4000 points on my account using that stupid hack, and I didn't think anything of it for a bunch of reasons, not the least of which the day it happened was the day I checked out of the military and gave zero fucks.

      *slaps head*

      I'll probably just eat the cost if the alternative is losing one of my most used items for 3 months. Fuck that.

    • reply
      December 30, 2011 12:23 AM

      I know you said in your previous post that you didn't want special treatment, but there is no way in hell you got your points back so quickly without it. At minimum your account should have been locked for an investigation and that takes two weeks if you're lucky. Hell, you had the head of security explicitly tell you what seemed to happen to your account. I'm lucky if the tech support person I talk to will acknowledge that I am who I say I am.

      Most of us are not fortunate enough to be able to speak with anyone with any power at Microsoft. The anger and frustration vented at Microsoft and EA is I think in part because the recovery process is so shrouded in mystery. When a person who isn't a journalist calls, they get to speak with a tech support person. The only thing this person can do is give you a service request number and add notes to your account. They don't (or claim they cannot) speak with the escalation team or the security team, and so you can only hope that the notes are being read.

      The second time I was hacked I regained control of my account myself before calling Microsoft. I was fortunate enough to get various emails telling me that security options were being removed and managed to reset my password before losing my profile.

      They did, however, add points to my account and change my gamertag. After calling support they locked my account and took a month to do nothing. They really did nothing. They gave me 800 points to change my gamertag back but never freed up my original gamertag. I have been waiting 2 more weeks so far for them to just give me my gamertag back. It's insane.

      TLDR: If Microsoft added an opt-in authentication service similar to Google's two-step verification or Blizzard's authenticator, 98 percent of these cases would cease to exist.

      • reply
        December 30, 2011 12:34 AM

        Oh, and if crime gets too high in an area, it is perfectly logical and justified to get upset at an ineffective police force (as well as the criminals).

        Similarly, if I pay for a service that demands my credit card I expect a competent level of security and that they hold themselves accountable for any mistakes. "...shouldn't the blame be squarely put on the shoulders of the hackers?" No, not squarely. They should take responsibility, and Microsoft should attempt to prosecute them; but Microsoft and EA are displaying Gross Negligence, and as such some blame should be applied to them as well.

      • reply
        December 30, 2011 3:43 AM

        I explained that I didn't want special treatment... I cannot control whether or not they did anything without my knowledge.

        I only got into contact with Stephen in order to write these stories, which he was made aware of. I did not contact him in order to get my account "fixed."

        • reply
          December 30, 2011 4:07 AM

          I know, I'm not accusing you of anything or saying you explicitly did anything wrong. It just seems highly likely that Microsoft expedited your case.

    • reply
      December 30, 2011 12:34 AM

      Mine was hacked similarly to Scott's on Sept 24th of this year. I was on vacation at the time, but I saw it on the 26th, changed my password, and "reclaimed" my account. I got back from vacay on the 1st of October, and reported it on the 2nd. I STILL have yet to get it back, but then again, I'll "only" be at 3 months as of January 2nd. Sadly, I'm in the same boat as Scott: my region was changed from Canada (EN) to Czech, 6000 MSP x3 billed to my CC (which was on file, but will never again be).

      All I can really do is wait. :(

    • reply
      January 3, 2012 6:21 PM

      Ironically, my Xbox Live account was hacked from December 29th through January 1st, while I was away on vacation. Hopefully I can get my money refunded. EA and MS need to fix this problem!