It's thought that this tale started in September, but the first reports about it didn't truly begin to trickle in until October rolled around. A sudden upsurge in the number of account hacks on Xbox LIVE, at least according to anecdotal evidence, began in the wake of FIFA 12's release. The alleged hackers often used newly compromised accounts to purchase DLC for the soccer game's "Ultimate Team" mode, as it allowed for the trading of this DLC between accounts. For this reason, the incidents became known as "the FIFA hacks," and, despite evidence from both consumers and members of the media who were hacked, Microsoft ardently denied any serious form of security flaw in its account system.
The holidays came and the holidays went, reports becoming increasingly sparse as the incidents faded into the media backdrop in light of the packed release schedule, end-of-the-year award shows, and SOPA. It wasn't until last week, on January 5, that the subject of Xbox LIVE account security leapt back into the gaming limelight. Enter Susan Taylor and her story of fraud prevention gone woefully awry.
Susan, on the second day of the new year, received a series of emails from Microsoft's Xbox division, thanking her for a series of purchases that she was certain she hadn't made. They included an Xbox LIVE Gold Family Plan and 10,000 Microsoft Points, totaling $215 plus taxes, all removed from her bank account (which was linked to her PayPal account and that, in turn, to her Xbox LIVE identity). Susan immediately contacted customer service and her complaint was sent to the Fraud Department, which would lock her account for 30 days while they investigated the nature of the activity. She received email confirmation that the account had been locked a day later.
It was two days after that when she had a further $125 worth of Microsoft Points purchased by her still-active account and transferred to another. Understandably outraged, she contacted Microsoft again, only to be told that they had been unable to lock her account. Susan's story continues from there, and ends happily with a new account and a full refund of all of the unauthorized charges. The terrifying aspect of the ordeal, however, is the lengths to which Susan had to go to receive her justified end.
To put it mildly, she had to raise a stink. She had to publicize the ludicrous nature of her journey to such a degree that the torch of her story was picked up by the gaming media until Microsoft had to take unprecedented steps to reinstate an account that, due to the machinations of her hacker, Susan could no longer verify as her own. And while her personal tale ends with a positive resolution and a mother and child assured of food for the month, other individuals' odysseys continue. Susan chronicles those, both the ones that have been resolved and those that are ongoing, on the newly-formed HackedOnXbox.com.
There are questions raised by the issue, of course. How is it that the hackers obtain access to Xbox LIVE accounts? What do they do with the purchases they have made in others' names? What's the benefit that justifies this activity to them? Most important, however, is the question of Microsoft's response: what they are or aren't doing to combat these malicious activities.
The easiest to answer are those of what the hackers do with their booty and how they benefit, since they go hand-in-hand. The unifying feature of both the earlier FIFA hacks and the more recent Xbox LIVE Gold Family Plan hackings has been that purchases made on another's account were all transferable. FIFA "Ultimate Team" DLC can be freely traded while, with the Family Plan, hackers could make dummy accounts under this multi-user Xbox LIVE plan, capable of transferring points between one another. The point-loaded accounts are then sold online, often with the disclaimer that they should be used quickly, lest they disappear. This does little to discourage less-than-scrupulous individuals from buying these booty-laden accounts, as Susan discovered when she actually had the chance to converse with one of the buyers, whose new account was still listed in her Xbox LIVE friend list. The benefit to the hacker is financial, accruing money through illicit sales.
Our other questions, though—those of method and Microsoft's response—prove to be a murkier area. The immediate assumption would be a phishing scam of some kind, convincing users of Xbox LIVE and/or PayPal to log in on seemingly legitimate sites that, instead, merely exist to capture their credentials for more nefarious purposes. Susan, however, asserts that this wasn't so for her, as she has never logged into either her Xbox account or her PayPal account through anything other than their respective websites. That leaves a possibility that Microsoft's servers have been infiltrated, and that personal information held therein has been compromised. The company maintains, however, that there is no glaring security flaw in Xbox LIVE that would allow such a thing, referring everyone back to the scamming argument instead.
This causes a two-headed problem. On the one hand, Microsoft is effectively blaming its customers for being hacked without any proof that this is what has occurred. It is an assumption predicated on the notion that the fault cannot lie with them, and therefore must, instead, fall to the consumer. Given the inept nature of their response to Susan's complaint, and individuals who have been sitting on locked Xbox LIVE Gold accounts since September with no apparent recourse from the Fraud Department's investigations, as well as the massive breach of Sony's security earlier last year, it's difficult to believe that Microsoft can assert with any real authority that Xbox LIVE's security is truly beyond reproach.
This brings us to issue number two: Microsoft wants your credit card and/or PayPal information tied to your account. It makes it easier to convince you to purchase items on impulse if you can simply stock your account with more points in a few clicks, rather than running out to the store to purchase a card, redeeming that card's code, and then trying to figure out what you'll do with the 600 points you didn't use this time. If your card is attached, they can also set your Xbox LIVE Gold membership to automatically renew. If it's true that their service has been compromised in such a way that your personal information's sanctity is threatened, it makes individuals less confident in attaching that information to the account in the first place, which hurts Microsoft economically.
In a way, it's a "damned if they do, damned if they don't" situation regarding acknowledging potential security flaws in their system. It either displays a lack of respect to their consumer base or a lack of confidence in their own network security that means those consumers will, in turn, be less confident in their ability to keep private information private.
As it stands now, Susan's site contains four cases of "resolved" Xbox LIVE account hacks to seven "unresolved" situations. With that sort of track record, just how confident are you in Microsoft's Fraud Department; will it influence your purchasing habits on the service? Should it?
Date: January 10, 2012
*The views expressed within this article are solely the opinion of the author and do not express the views held by Cheat Code Central.*