This week, my Xbox Live account was hacked. This is the story of what happened, my response to it, and the questions about security that it has raised.
At twelve minutes past midnight on Tuesday night, just as I was finishing up some work, I received an email to say that I had purchased 6,000 Microsoft Points. My first thought was to laugh it off as spam, as I hadn’t bought any points for months, but I thought I should check my console anyway. On switching on my Xbox, I found that I could no longer access my account.
A quick Google search revealed that other Xbox users had been experiencing similar problems, and I realized that my account had been compromised. I tried to contact Xbox Live support, but its helpline was unhelpfully shut for the night.
Trying to think clearly, despite my somewhat bleary late-night state of mind, I logged into my Microsoft account on my PC, and changed the password. I then went through the process of recovering my Xbox Live account on my console dashboard, which involved entering my Windows Live ID and the new password. On seeing my account again, I was relieved, but also surprised to note that it had been used to play FIFA 12, the popular Electronic Arts soccer game.
My next move was to contact my credit card provider. The customer service adviser at the bank revealed that there had indeed been a transaction to Xbox Live that night, for £51 (about $80), and they immediately cancelled my card. I was told to phone again once the transaction went through, as it would then be reversed, and dealt with as fraud. Thankfully I use a decent bank and the issue was dealt with quickly and efficiently from that end. I am not sure that every victim of such an attack will be so lucky with their card issuer.
The next morning, I successfully contacted Xbox Live support, explaining in detail what had happened. The adviser confirmed that my account had been used to purchase 6000 Microsoft Points, and intimated that these points had been spent on FIFA 12 Ultimate Team packs. To add insult to injury, it seemed that the hacker had also used up my own, admittedly rather paltry, supply of MS Points during their spending spree.
Confirmation of these Ultimate Team card purchases was found when I checked my console, to find these three new achievements staring back at me:
New Club in Town – 5G – Create your FIFA 12 Ultimate Team club
I’ll Have That One – 10G – Open your first pack in FIFA 12 Ultimate Team
How Great is That? – 20G – Find a team of the week player in an Ultimate Team pack
Quite a kick in the teeth, but hey, at least someone got some pleasure out of those 35G.
The Ultimate Team packs of football cards that were purchased, containing various players that can be used in the game, are apparently transferable between Xbox Live accounts. This allows a hacker to buy them with a hijacked account and then send them to their own account, for their own purposes. Scouring the internet, it appears that the rarer cards are being traded for cash, through forums and online auction sites, with some fetching as much as $280.
I was told by Microsoft Customer Support that my account would be suspended, pending an investigation, which could take between 21 and 30 days to complete. My existing points would apparently be restored once the investigation was complete, and the £51 that had been fraudulently spent would also be refunded (I said this was not necessary, due to the actions being taken by my bank). In the meantime, I would be unable to access my Xbox Live account, and would only be able to play my console offline.
A widespread problem?
Such hacking of Xbox Live accounts, particularly for the purchase of FIFA items, has been widely reported in the past few weeks, both in the specialist and mainstream press. There have also been multiple occurrences of such hacking reported on a variety of websites, including the official Xbox forum and Twitter.
Questions have been asked of Microsoft, as to whether its security is up to scratch, and the response has been that this is not a wider security breach, but rather individual cases of malicious activity.
I approached Microsoft with some questions on this hacking issue, and a spokesman responded with the following statement:
“It is important for us to reconfirm that the Xbox Live service has not been hacked. Some of our customers have been the victims of internet fraud on their accounts. This is a frequent issue that all internet and e-commerce sites and services experience every day. These threats include phishing, brute force attacks, malware, third-party security breaches and in-game scamming / social engineering.
Customers who use the same identity and log-in details across multiple online sites and services are more vulnerable against these everyday internet threats. As ever, we advise customers to be vigilant, and provide further advice on account security across Xbox 360, internet websites and email at www.xbox.com/security.
Of the tens of millions of Xbox Live customers (there are 35 million active members) using the service daily, these issues are affecting a very small percentage of users globally.
Security in the technology industry is an ever-evolving challenge. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time, account security features have been added to help protect our customers’ accounts, and we will continue to add features and processes.
As always, Xbox Live customers who have any queries or concerns should contact Xbox Live Customer Service on 0800 587 1102 [in the UK] or visit www.xbox.com/security.”
So, according to Microsoft, this issue is only affecting a small percentage of global users, but that does not stop it being an issue that raises some pretty big questions, and it is deserving of further investigation.
How is this happening?
The Microsoft statement suggests that these breaches are caused by account details being obtained, via a variety of malicious methods. The nature of Xbox Live is such that an account can be ‘recovered’ on a second console, as long as you have access to the Windows Live ID and password of that user. That results in the account being locked on the original console, as I experienced. With card details being stored on the Microsoft servers, anyone hijacking an account in this way is then able to make purchases on Xbox Live, using the payment card linked to that account.
While I cannot dispute that I may have been hacked through some third-party breach, I would be surprised if that was actually the case. I am pretty careful with my passwords, having four or five that I tend to use for different websites, which I regularly change. I have never responded to a fake ‘phishing’ email and I keep my PC clean, using anti-virus and anti-spyware software.
Looking at other reports of Xbox Live hacking, it is clear that I am not the only one asking this question – a question that remains unanswered.
Given the fact that the FIFA Ultimate Team cards can be bought and then traded between accounts, it seems clear that these cards represent a cash-making opportunity. Given the price that some of the cards sell for, there is definitely a viable market for them, and where there is a market, someone will be looking to exploit it. The tradable and saleable nature of FIFA cards makes them a perfect item to buy on a hacked Xbox Live account.
I approached Electronic Arts to ask some questions about the issue of hacking, relating to FIFA and Xbox Live. I received the following statement in reply:
“We do our best to educate FIFA players to take measures to keep their accounts safe. Below are a couple of articles that we published at the launch of FIFA 12 on our website and in our forums to help gamers play safe.
For questions regarding Xbox Live accounts, those should be directed to Microsoft.”
With dedicated pages set up on the EA Forums to deal with this issue, at least the company is admitting that there is a problem. This much is clear from the following entry in the second forum post: “The majority of people playing Ultimate Team are honest. Unfortunately, there are a very small percentage of individuals who are cheats, and they are looking to steal your account information.”
Why Xbox Live?
This is the one question that has repeatedly nagged at me throughout this incident. Microsoft and EA both admit that there are dishonest people currently looking to exploit honest gamers’ accounts. But why are all these reports of FIFA-related hacking coming from Xbox Live, with no similar tales emerging from the PlayStation Network?
While I am no security expert, and I can by no means claim to provide a definitive answer, there is one big difference that strikes me when looking at the PlayStation 3 and Xbox 360 side by side.
It appears to me that it is far too easy to recover someone’s full Xbox Live account, including profile and payment details, to another 360 console. If a hacker manages to get access to a linked Windows Live ID and password, it seems they can recover the account, access the profile information, and use the stored credit card details to make purchases.
On PlayStation 3, registering an existing account on a new console is just as simple, also requiring the email address and password of the user. However, if there is a credit card linked to the account, Sony requires you to verify this information, by providing the expiry date and security number on the card. Failure to do so results in the stored card details being wiped before you are allowed access to the account.
It is such a small difference, but maybe it is the one thing currently limiting this wave of hacking to the Xbox Live network. I have contacted Microsoft to ask for comment on this issue, and am awaiting a reply.
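To make the difference between the two recovery flows concrete, here is a small Python model written for this post; it is an added illustration, not code from the article and not Microsoft’s or Sony’s actual implementation. It assumes a toy service that keeps only a salted password hash and a card’s last four digits and expiry, a stand-in for the card issuer’s authorisation check (a constructed lookup), and constructed account and console names. The detection rule at the end is my own addition: it flags purchases that follow closely after an account is recovered onto another console, which is the pattern the incident described above fits.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Everything below is constructed sample data and toy logic for illustration;
# no real account, console or card values appear here.


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the toy service never keeps the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class StoredCard:
    last4: str
    expiry: str  # "MM/YY" as kept on file; the security code is never stored


@dataclass
class Account:
    live_id: str
    salt: bytes
    pw_hash: bytes
    card: Optional[StoredCard]
    bound_console: str
    events: list = field(default_factory=list)  # (minute, kind, console)


def make_account(live_id, password, card, console):
    salt = os.urandom(16)
    return Account(live_id, salt, hash_password(password, salt), card, console)


def check_password(acct, password):
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


# Stand-in for the issuer's check of expiry and security code (constructed lookup).
ISSUER_RECORDS = {"4242": ("12/14", "123")}


def issuer_verifies(card, expiry, cvv):
    return ISSUER_RECORDS.get(card.last4) == (expiry, cvv)


def recover_credentials_only(acct, password, new_console, at):
    """Flow as the article describes Xbox Live: Live ID and password alone move
    the whole profile, stored card included, to the new console."""
    if not check_password(acct, password):
        return False
    acct.bound_console = new_console
    acct.events.append((at, "recover", new_console))
    return True


def recover_with_card_reverify(acct, password, new_console, at, expiry=None, cvv=None):
    """Flow as the article describes PSN: the profile moves on password alone, but
    the stored card survives only if the issuer confirms expiry and security code;
    otherwise it is wiped before the account is handed over."""
    if not check_password(acct, password):
        return False
    if acct.card is not None and not (expiry and cvv and issuer_verifies(acct.card, expiry, cvv)):
        acct.card = None
        acct.events.append((at, "card_wiped", new_console))
    acct.bound_console = new_console
    acct.events.append((at, "recover", new_console))
    return True


def purchase(acct, amount_gbp, at):
    """Charge the stored card; refused when no card is on file."""
    if acct.card is None:
        return False
    acct.events.append((at, "purchase", acct.bound_console))
    return True


def purchases_soon_after_recovery(acct, window_minutes=60):
    """Detection view (my addition): purchases made within `window_minutes`
    of the account being recovered onto another console."""
    flagged, last_recover = [], None
    for at, kind, console in acct.events:
        if kind == "recover":
            last_recover = at
        elif kind == "purchase" and last_recover is not None and at - last_recover <= window_minutes:
            flagged.append((at, console))
    return flagged


def demo():
    """Someone holding only the Live ID and password recovers the account elsewhere.
    Returns whether a £51 purchase succeeds under each flow, then for the owner
    who does have the card in hand, plus what the detection rule flags."""
    pw = "correct-horse"
    weak = make_account("victim@example.invalid", pw, StoredCard("4242", "12/14"), "console-home")
    recover_credentials_only(weak, pw, "console-elsewhere", at=0)
    weak_bought = purchase(weak, 51.0, at=12)

    strict = make_account("victim@example.invalid", pw, StoredCard("4242", "12/14"), "console-home")
    recover_with_card_reverify(strict, pw, "console-elsewhere", at=0)  # no expiry/CVV offered
    strict_bought = purchase(strict, 51.0, at=12)

    owner = make_account("victim@example.invalid", pw, StoredCard("4242", "12/14"), "console-home")
    recover_with_card_reverify(owner, pw, "console-new", at=0, expiry="12/14", cvv="123")
    owner_bought = purchase(owner, 51.0, at=12)

    return weak_bought, strict_bought, owner_bought, purchases_soon_after_recovery(weak)


if __name__ == "__main__":
    print(demo())  # (True, False, True, [(12, 'console-elsewhere')])
```

The point of the model is that the second flow costs a legitimate owner nothing more than typing in two numbers from the card in their hand, while it leaves someone who only has the password with a profile and no way to spend against it. The detection rule is the complementary, after-the-fact control: a purchase minutes after a recovery onto a new console is cheap to flag for review even where the recovery itself was allowed.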
Lessons to be learned?
All the advice given by EA and Microsoft relating to the maintenance of safe accounts certainly makes sense. Choosing unusual passwords, swapping them often, and not using the same password across multiple sites is good practice, and may help to prevent hacking. But while it is easy to shrug these incidents off, blaming them on the security practices of affected Xbox Live users and on a number of malicious hackers, could it be that Microsoft needs to look at its own security protocol and ask whether it is good enough?