UPDATE: 5/26/12
Happily, I was able to get all my points back. It felt like Microsoft had the whole process down to a science. That’s both a good thing and a bad thing. It’s good in the sense that they’re able to provide decent customer service instead of arguing with you back and forth as other companies do. But it’s bad when you consider that the reason they’ve gotten so good at it is because it’s reached epidemic levels and they’ve been getting a lot of practice at these calls.
Kotaku gave a fascinating account of how scammers are managing to gain access to our passwords. Microsoft is quick to blame the amount of fraud on “social engineering”, but what they fail to acknowledge is that what’s being socially engineered is their own customer service personnel.
I’m actually shocked that there hasn’t been a lot more outrage at the extent to which this is happening. There are a number of holes in the whole process that make this kind of fraud very easy on the Xbox. Microsoft should be identifying and prosecuting offenders (it’s not), should be providing much more upfront warnings to their customers (it’s not), should be patching up glaring holes that allow people to use one Xbox account on another unit (it’s only making this feature known reactively), and tightening up security at all its centers and its partners’ centers (it’s not).
Bottom line, until you stop seeing reports like mine pop up on the Web, and until you see substantive information from Microsoft addressing the issue, I’d say to NOT trust Microsoft with your credit card or PayPal information.
ORIGINAL POST
Something is rotten in the state of Xbox Live.
So, after reviewing Basketball Challenge, I browsed around Xbox Live and decided to start reviewing more downloadable Xbox Live games. I have a review of Junk Fu coming out in a few days, and I planned on purchasing more games that look like they have some exercise potential like Diabolical Pitch and Dance Party.
I had an Xbox Live card with 4000 points I’ve been holding for a while, so I entered the code on Sunday for a total of 4240 points. I had a balance of 3840 points after buying the Basketball Challenge for 400 points.
When I returned today, I found out that all 3840 points were used to purchase other games without my knowledge or consent.
Here’s the weird thing. I consider myself pretty savvy when it comes to computer security. I can spot a phishing email from a mile away, I have passwords that are made of gibberish characters, and so on.
Turns out I’m far from alone. A Google search for “Xbox Account Hacked” shows that this has been going on since about November 2011 and has since reached epidemic proportions. And a search on Twitter shows that it’s happening EVERY day.
When I reached the rep at Microsoft, it sounded like she knew the drill inside and out. She took down my information, informed me that my Live ID and my Xbox profile would both be locked, that they’ll investigate and get back to me in a few days.
So, let my experience be a warning to you. This world is full of idiots who have absolutely no conscience and no morals and who for some reason think that stealing from you online is somehow different than picking your pocket.
Here’s how to protect yourself:
1) Until you stop seeing these stories pop up on Twitter and Google on such a constant basis, do NOT trust Microsoft with your PayPal information or your credit card information. They cannot be trusted.
2) Change your Windows Live password to something complex, one that doesn’t use real words or personal information, and that does use numbers and symbols and at least 8 characters.
3) If you haven’t done so, go to Xbox.com and select Xbox 360 Profile Protection. Ensure that all your consoles require a password to sign in (do this after you’ve changed your password to a more complex one).
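Added example (not from the original post): a small checker and generator for the password advice in item 2, in Python. The rules it enforces are the ones stated above (at least 8 characters, digits and symbols, no real words, no personal information); the tiny word list, the sample “personal information” strings and the 16-character default length are constructed for the demo and would be replaced with a real dictionary and the account holder’s details in practice. The caveat from the update above still applies: a stronger password protects the Live ID itself, but does nothing against a support desk that hands the account over to a caller.

```python
"""Password-policy check and generator for the advice above.

Added example, not from the original post. The policy rules (no real
words, no personal information, digits and symbols, at least 8
characters) are the post's; the tiny word list, the 'personal info'
list and the 16-character default length are assumptions for the demo.
"""
import math
import secrets
import string

# Constructed sample data: a small word list and strings that count as
# personal information. A real deployment would use a full dictionary
# and the account holder's actual details.
COMMON_WORDS = {"password", "xbox", "gamer", "halo", "master", "chief", "live"}
PERSONAL_INFO = ["1984", "fido", "springfield"]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def policy_violations(pw, personal_info=PERSONAL_INFO, words=COMMON_WORDS):
    """Return the reasons a password fails the post's rules (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    low = pw.lower()
    for w in words:
        # Only flag words of 4+ letters so short fragments do not cause false positives.
        if len(w) >= 4 and w in low:
            problems.append(f"contains dictionary word '{w}'")
    for item in personal_info:
        if item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    return problems


def entropy_bits(pw):
    """Rough strength estimate: length * log2(pool size).

    The pool is inferred from the character classes present. This
    overestimates strength for words and patterns, which is why the
    dictionary check above exists.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in SYMBOLS for c in pw):
        pool += len(SYMBOLS)
    return len(pw) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Generate a random password that satisfies the policy, using the OS CSPRNG."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(pw):
            return pw


if __name__ == "__main__":
    for candidate in ["Halo1984!", "xboxlive", "Tr0ub4dor&3", generate_password()]:
        v = policy_violations(candidate)
        print(f"{candidate!r}: {entropy_bits(candidate):.0f} bits, "
              f"{'OK' if not v else '; '.join(v)}")
```

Running it shows why the “no real words or personal information” rule matters more than the character-class rules: “Halo1984!” satisfies length, digit and symbol requirements yet is rejected for a dictionary word and a birth year, while a generated 16-character string passes with roughly 100 bits of estimated entropy.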
Luckily, I hadn’t connected a credit card or PayPal, so all I lost was the 3840 points (which Microsoft said they’ll credit me after their investigation is done). So as for right now it’s just an annoyance. But let it be a reminder to you that the online world can’t be trusted, sadly enough.
UPDATE AS OF 4/28/12
So, I got a lovely email from Microsoft:
Service Request Number: xxxxxxxxxxxxxxx
Current Gamertag: xxxxxxxxxxxxxxx
Current Windows Live ID: xxxxxxxxxxxxxxx
Dear Xbox LIVE Customer,
We have completed our investigation of the unauthorized access to your Xbox LIVE account. As part of our investigation, we took temporary control of your Xbox LIVE account and the associated Windows Live ID. This was done to protect your account until you could take back control of it.
Use the following steps to take control of your Xbox LIVE account:
Step 1: Reset your Windows Live ID password
1. Check your email in the next 24 hours for a password recovery email from the Windows Live Team.
2. Use the link in the email to reset your Windows Live ID password. The stronger your password, the better. For tips on creating strong passwords, see Creating a strong password for your email account.
Note: If the reset link expires or you can’t find the password recovery email, go to www.accounts.live.com, type in your Windows Live ID, and then click Forgot your Password? You can also respond to this email, and we’ll email you the password recovery email again.
3. Update the security information for your Windows Live ID. We strongly suggest that you not skip this step because it will help you protect your account from future attacks. Your security information includes your alternative email, secret question, mobile phone number, and trusted PC.
Once your Windows Live ID password is reset, you’re ready for Step 2.
Step 2: Download your Xbox LIVE profile on your console
For your security we have removed access to your profile from all consoles it was associated to. You must now re-download your profile.
Complete the following steps on your console:
1. If you’re signed into Xbox LIVE with another profile, press the Guide button on your controller, and then press X to sign out.
2. Press the Guide button again, and then select Download Profile.
3. Confirm that you would like to download your profile.
4. Enter your Windows Live ID and password when prompted.
5. Follow the on-screen instructions.
Step 3: Check for unauthorized account changes and purchases
1. Check to see if your gamertag was changed while your account was out of your control. If your gamertag was changed, we’ll give you 800 Microsoft Points so that you can change your gamertag back to what it was originally, or choose a new gamertag.
2. Check your avatar to make sure it wasn’t modified while the account was out of your control. If your avatar was modified, change your avatar so that it doesn’t violate the Xbox LIVE Terms of Use.
3. Check the charges on your account: Learn how to check your Xbox LIVE bill.
・ Our investigation revealed that purchases were made while your account was out of your control. We added 240 Microsoft Points to your account. Credits can take up to 1-2 billing cycles to appear on your credit card billing statement. If multiple purchases were made, each refund may appear separately on your statement.
xxxxxxxxxxx – 200 MS Points
xxxxxxxxxxx – 100 MS Points
Redeem this prepaid code on your Xbox LIVE account. (Learn how to redeem a prepaid code.)
To learn how to keep your account safe from scams and other attacks, go to xbox.com/security.
Thanks for your understanding and patience while we resolved this problem, and thanks for being a member of Xbox LIVE!
Sincerely,
The Xbox LIVE Investigations Team
Okay, I’ll give them credit for a timely reply. Here’s the problem. The person who hacked my account got away with 3840 points that were sitting in my account. Not only did I tell this to the customer service person, but he and I also walked through the purchase history and saw exactly what the hacker stole using my points.
In addition to Luke’s comment below, I’m seeing through Google searches that this has reached epidemic proportions. There is obviously a security flaw within Xbox Live that Microsoft is trying to sweep under the rug. Beyond those of us who are making a stink about it online, who knows how many hundreds if not thousands of people are being affected who don’t even know it or who don’t bother to deal with it.
I called Microsoft back, which took up yet another hour of my time. In it, I had to explain to a new customer service person the whole story. He said the usual thing, that “his department has no control over it”, but that he’d submit a request to the “Investigations Team”. He was very nice about it and agreed with me that it was clear that the points that were credited back to me were too few (in fact, my point balance still reads zero as of today). But then again, that’s what the last service guy told me. One has to wonder whether this was an honest mistake, or whether Microsoft is trying to deliberately get away with crediting users of hacked accounts with fewer points.
And so, that’s a few more days of waiting before I can start reviewing Xbox Marketplace games. I’ll let you know what Microsoft says. But in the meantime, my warning from above remains the same. Under NO circumstances should you trust Microsoft by storing your credit card or PayPal information in their system. And if you keep a balance of Microsoft Points, use them right away. Or you’ll probably be facing the same headache as so many of us are.
UPDATE AS OF 4/30/12
Okay, I have to hand it to Microsoft. They responded to my question quickly and sent me another email. It was yet another form letter, but the good thing is that they provided the right number of points to me in the form of codes.
The dilemma I have, of course, is that now I’m afraid to carry any kind of balance in my account. But instead of spending all my points, I’m going to turn on profile protection and change my password to a really, really obscure one that is long, unique, and contains more funny characters than Miss Peregrine’s Home for Peculiar Children. We’ll see if hackers still get in after that–if so, there will really be something rotten in Xbox Land.
Mine got hacked today as well. Same thing – some FIFA stuff was bought. I now have 3 achievements in FIFA and I have never even played the game. I submitted a report to Microsoft.