One of the most important aspects of any online gaming service is how you pay for it. As gamers, we’re willing to spend a substantial amount of cash with companies that we trust. These days it’s not just boxed games and MMO subscriptions either – publishers offer us a range of in-game items and downloadable content to extend and enhance the games we play.
The cornerstone of all of this is trust. Do we trust the games companies to use our payment details safely? Will we be left out of pocket when things go wrong? Can we rely on them to put things right quickly, or are we likely to be left without service for an extended time?
For most of us these questions remain unanswered until it’s too late. Recently there’s been an upsurge of reports that Microsoft’s xBox Live service was costing people large amounts of cash, as criminals run up huge bills on compromised accounts before selling them on third party sites in the backwaters of the internet.
It’s the kind of news that you can put down to “phishing attempts”, “social engineering” or other bland terms that tend to push responsibility back to the customer. But what if it’s Microsoft’s service design that actually exposes us to greater risk and creates a greater market for purloined accounts?
Some First-Hand Experience
Last month my wife decided she wanted to buy the downloadable content for Mass Effect 2. It was late one evening, so she keyed in her Paypal details and was downloading the extras within minutes. She’s been replaying both the original game and the sequel in order to have the perfect save ready for Mass Effect 3 when it comes out in March.
This morning someone had accessed her xBox Live account through her hotmail-based Windows Live login. From there they changed the password, secret question details, linked password and reset email address.
They then went on a shopping spree. Email alerts trickled to her iPhone to say that she had five Paypal transactions of £17 each. Turns out that someone had been buying batches of 5000 Microsoft Points at a grand total of £85.
We did the usual job of contacting the bank, Paypal and Microsoft. The Microsoft call was the most interesting due to the difficulty in proving that the account was ours. We didn’t have a card associated with the account (one of their standard security questions) and everything else had been changed. Not a good start.
Then came the real eye-watering experience – we’d have to wait roughly 25 days for the Fraud team to examine the issue, during which time her xBox Live account would be blocked. We were also told it would likely take a further 25 days for a refund to arrive.
This is simply not good enough.
For a company providing an online gaming experience, blocking people from online play for the best part of a month is obscene – imagine being locked out of World of Warcraft, SWTOR or Rift for this long while investigations take place. To then compound the issue by sitting on the money for two months is indefensible. With online play now being a pivotal part of our gaming experience, such blocks are hard to stomach.
A Common Occurrence
As you can imagine, at this point I started to do some research of my own. I was soon linked to the recent Hacked By xBox blog where Susan Taylor describes her own recent problems with her compromised account. Her experience was worse than ours, with some $300 billed through her Paypal account. She’s not alone either – my own Twitter feed has been busy with people saying that they had the same problem.
So why are xBox Live accounts such a tempting target?
To start with, getting hold of a compromised xBox Live account is fairly straightforward. No-one’s hacking Microsoft to get this information. Instead, criminals use a variety of tools to harvest and process accounts. Microsoft’s already admitted that criminals have used their phone support to perform social engineering – something that’s still going on today.
Once the account is compromised, the situation is compounded when it’s used to make further purchases. If you’ve provided your Paypal or card details to buy Microsoft Points in the past then you’ll never be asked to re-verify them. Even something as simple as asking for the card CVV number or Paypal password when making further purchases would likely stop the issue.
With the compromised xBox Live Account now loaded with Microsoft points, the fraudster only has a limited time to offload the account before it gets blocked. The most common target is third party websites offering Microsoft Points at knock-down prices. Places like Tradetang have over a thousand listings for people looking to offload accounts with Microsoft Points attached. These auctions usually come with a “2 hour warranty”, indicating that it’s from a fraudulent source.
Someone buying the compromised account can then attach it to their own console and use the points to buy games and downloadable content. Even if the account is blocked it doesn’t matter – the games are still on their console and can still be played as long as they don’t delete them from the hard drive. They won’t be able to download the content again, but that’s a small price to pay for a bargain.
Paper-Thin Security
It’s incredibly easy to blame the social engineers, phishers and fraudsters who obtain these accounts, just like it’s easy to point the finger at the people buying the accounts or the places that sell them. Ultimately though, Microsoft need to be held to account for the thin veneer of security they wrap around an xBox Live account and the substantial risk we’re exposed to when it happens. Would you lock the keys to your bank account behind a single username and password?
The big problem with keeping an xBox Live account safe isn’t due to hacking. Instead it’s due to the inherent weakness of having a single Windows Live account that’s used for multiple different services without further validation. The further weaknesses exposed by social engineering just serve to make that layer of security even thinner.
The weakness of not requiring further approval for purchases beyond recurring billing is probably the most damning problem with xBox Live today. Retailers need to take the approach that the internet is a hostile environment, and that further authorisation is needed before accepting a sale.
As commenters over at NeoGAF also point out, there’s a complete absence of two-factor authentication on the xBox Live platform. The idea of having a keyfob or smartphone app that generates a one-time code any time you want to log in or make any account changes is something that MMOs have been doing for some time. Microsoft has both a substantial phone presence and access to retail channels, so there’s no reason for them not to implement this.
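The two design points above (re-checking before a saved payment method is charged, and a one-time code for account changes) side by side with the weak policy the post describes. This is an added illustration in Python, not code from Microsoft or the post; the `Account` class, the `perform` action names and the constructed secret are assumptions, and the one-time code is a standard RFC 6238 TOTP over HMAC-SHA1 of the kind the keyfob/app would produce.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 one-time code: HMAC-SHA1 over the 30-second time-step counter.
def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class Account:
    """Constructed stand-in for a gaming account with a saved payment method."""
    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret   # shared with the owner's keyfob/app
        self.saved_payment = True        # card/PayPal stored from an earlier purchase
        self.points = 0
        self.email = "owner@example.test"

# Weak policy as the post describes it: once a payment method is saved, any
# session holding the username/password can charge it again with no re-check.
def buy_points_weak(acct: Account, points: int) -> bool:
    if not acct.saved_payment:
        return False
    acct.points += points
    return True

# Step-up policy: charging a saved method and changing account details both
# require a fresh one-time code; merely signing in to play does not.
SENSITIVE = {"buy_points", "change_password", "change_email"}

def step_up_ok(acct: Account, code: str, now: int) -> bool:
    # accept the current step and the previous one to tolerate clock drift
    expected = (totp(acct.totp_secret, now), totp(acct.totp_secret, now - 30))
    return any(hmac.compare_digest(code, e) for e in expected)

def perform(acct: Account, action: str, code: str, now: int, **kw) -> bool:
    if action in SENSITIVE and not step_up_ok(acct, code, now):
        return False                     # wrong or stale code: refuse outright
    if action == "buy_points":
        return buy_points_weak(acct, kw["points"])  # same charge, now gated
    if action == "change_email":
        acct.email = kw["email"]
        return True
    if action == "change_password":
        acct.password_hash = hashlib.sha256(kw["password"].encode()).hexdigest()
        return True
    return action == "play_online"
```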
Instead of shouting about the convenience of the buying experience, firms like Microsoft should be showing how they’re working to protect and help their customers. I think we would all happily trade a minor inconvenience when buying content in order to avoid a month offline due to fraud investigations.
Protecting Yourself
While xBox Live accounts remain an easily obtainable and highly attractive target for criminals it’s important to make sure that your account is as secure and risk-free as possible. The great thing is that none of this is rocket science.
- Go through the steps to add extra security to your xBox Live account, such as being able to add a mobile phone number to get text messages each time a password reset is requested. This won’t save you from social engineering attacks, but it helps.
- Remove recurring billing from your xBox Live account and remove any saved payment methods. If you must buy Microsoft Points or Gold access then buy scratchcards from your local gaming store.
- Don’t keep a points surplus on your account. Spend points as soon as you buy them and keep your points balance as low as possible. It means that you won’t be able to buy anything on impulse, but at least you won’t see your points balance wiped out.
- New – Don’t use your xBox Live account for anything else such as Hotmail email or Windows Live Messenger. If your account is blocked you’ll lose access to these services until the investigation is complete (30 days or more).
There may come a time when Microsoft changes their policies or business practices to make xBox Live account theft much less appealing to fraudsters and criminals, but until that happens we’re still going to be reading about it in the news. Other firms are fighting hard to win our money through security, so why not them?
We all enjoy playing games, we just don’t want to get ripped off as part of the experience.
Update 10th Jan
- We’ve managed to secure a refund through Paypal’s dispute resolution process instead of waiting on a refund through Microsoft. I’d suggest trying this out if you end up stuck in a similar position.
- We’ve been informed today that there’s a 10 day queue before cases get looked at by the XBox Fraud team. We’re also going to remain locked out of the hotmail and MSN messenger account until the investigation is complete. The care agent I spoke to estimated this at 30 days.
I know I’d be quite happy to deal with having to confirm a purchase before actually making it if it made my financial information more secure. Convenience is all well and good, but if that convenience comes at a cost the way Microsoft’s does, it’s not really worthwhile.
Indeed. Combine that “convenience” with a ready-made market for short shelf-life points and you have the perfect place for wholesale fraud.
Thank you for this exposure. It is a great read and gaining awareness is always priceless. I’m sorry to learn about the ordeal with your wife – I do hope the matter does resolve itself.
Regarding security practices: in today’s day and age I’m flabbergasted as to why companies aren’t using scrambled PINs (3 tries till lockout) and unique session IDs. That’s literally all it would take.
I appreciate your comments. I agree though – there are probably hundreds of different things they could implement to resolve this issue.
Compromised accounts happen. When all they cost is a little inconvenience there’s an opportunity for the company to make a real fan out of them. When they cost the customer a substantial sum of money and then penalise them for months, it does exactly the opposite.
It’s incredibly sloppy business process design that’s resulted in Microsoft throwing customer care agents at the problem instead of actually fixing the issue.