Microsoft probes possible Xbox Live fraud

Microsoft is investigating possible fraud on its Xbox Live online gaming service, the company said Tuesday.

The investigation comes after gamers reported having their Xbox Live accounts hijacked and their credit cards used to buy "Microsoft Points," the virtual currency on Xbox Live, which has more than 6 million users.

"Recently, there have been reports of fraudulent activity and account theft taking place on the Xbox Live network," a Microsoft representative said in a statement provided to CNET News.com. "Security is a top priority for Xbox Live, and we are actively investigating all reports of fraudulent behavior and theft."

Gamers have been reporting the incidents for some time in online forums--including on Xbox.com--and to Microsoft's Xbox help desk. Many users of the Microsoft console have been frustrated with the software giant's response to date.

"My Xbox Live account was hacked and all credit card info was stolen and used to run up points...Microsoft says: 'Oh, well, better call your credit card companies, nothing we can do,'" one user wrote on the Xbox Web site last month.

Security researcher Kevin Finisterre was playing Halo on a recent night with several friends when some of their opponents threatened to steal their accounts, he said.

"Literally the next day my girl's account was locked out," Finisterre wrote in an e-mail Tuesday. "I received a message on my Xbox that said: 'We are sorry we must log you out of Xbox Live because someone else is using your Gamertag.'" The account was banned. A "Gamertag" is a person's account name on Xbox Live.

Finisterre said that calling Microsoft was no help and that he got the runaround from the support people who answer 1-800-4MY-XBOX, the official help line. "My account is currently being investigated after about seven frustrating calls," he wrote. An edited recording of several calls he made is available on Finisterre's Web site.

While some users believe the security of Xbox Live was breached, others suggest that users were tricked into giving up enough information while in a game so fraudsters could call Microsoft to change the account information. Users may also have been duped into giving up their account information through phishing scams.

Microsoft asks any Xbox user with a question about the security of their Xbox Live account to call in. "An Xbox customer service representative will help them understand our security policies and procedures," the representative said.

[MadKiwi]

MS and Security

"Security is a top priority for Xbox Live,..."

Just like it is with their operating systems, office applications and web browsers... nuff said.

[FusedAndCondazed]

Security requires you to be smart too!

I am waiting to find out just how many accounts were compromised. With a gamertag, there's more to it than just the tag and your passcode. They also have to be able to get past a few other security questions (more than it takes to get into my bank account online even after they added additional security). If this were only 10 out of 6 Million, is MS to blame, or the users for giving up too much information?

Social Engineering is a key flaw in any security model. I don't care what OS you have, who provided your security software, or even how smart you think you are. Chances are someone knows enough about you to make educated guesses at your account names and passwords.

[krushyou]

MS and Security

Just like it is with banks, the government, Linux, Apple, Sony, Home Security, dog food...the list goes on an on but I am not surprised, its the "cool" thing to slam Microsoft on everything.

You try supporting thousands upon thousands of configurations with people with the education level of a 5th grader. Let me know how that works out for you. Until PEOPLE evolve security is always going to be a problem.

[dahwai]

M$ does the best it can

While Windows security flaws are well known, OS X and linux have their own prblems but they will never be discovered as long as M$ owns 90%+ of the OS market. There is simply no profit for fishing scams, spyware or viruses with such few users. And those that do use windows should be smart enough not to click on everything they see online. I run Windows XP with no anti-virus and as long as I dont do anything stupid, I have no problems.

As for Xbox LIVE, I do not yet know of anybody that as had this problem but with all the mods I've seen so far, I'm sure that it's possible but I still often laugh at the empty threats given by angry punks that I pwn at GoW about having my acount shut down. I would'nt suggest that you give your credit card number to M$ and instead you should just opt for the prpaid cards sold in store.

If you share my views, wish to play with me or steal my account :),add Dino360 to your friends list!

[theprof00]

Expected

Of course something stupid like this happens, just when Sony is starting to tie its shoes, it all falls apart. We all know that cnet publishes biased reviews for sony, so I'm betting this is all just Sony propaganda.

[Penguinisto]

And here y'all thought that only happened to PC gamers...

*gasp* ...and I suppose that some craven soul will start using aimbots and game cheats next! Oh NOES!

I'll stick with my old-school computer-based first-person-shooters, thanks. As a bonus, it doesn't cost me anything to play 'em.

/P

[eeemang]

so what

some people live to play silly video games and post on these silly discussion flame boards

[RompStar_420]

get PS3, no CC Req. / Free

Get a Play Station 3, network service is free and no credit card is required, unless you want to buy things. You can do many of the things that you do with the Xbox Live and some extra.

And eevery year as it passes, network service is free, not $50 a year.

[AdamMoore]

Too bad it's behind

The XBOX Live service is far better than PS3s market place. As free as it is, it's not as fun. Also the CC is only required for the subscription, and you only have to buy the other stuff if you want to buy it (sounds like PS3). You pay for the quality of service.

Not saying PS3s won't develope, but right now Xbox has a huge lead. I know people who took their PlayStation 3's back just so they could play XBOX Live.

[ReVeLaTeD]

The ultimate hacker's tool:

Stupidity.

If you're a stupid consumer, a hacker doesn't need to use fancy tools. They can just hustle the information out of you. This is especially true with females who get friendly with "that hot guy" who actually is just an identity thief.

I maintain that social engineering is the easiest way to hack anything consumer-based. Having been a mini-hacker about 10 years ago, I know all too well how easy it really is. And it's all because some people are just stupid. Additionally, some are way too trusting with information. I've been in a number of relationships and never have I given out my account information for anything. I refuse to, doesn't matter how long we've been together, doesn't matter if we're married.

[Dalkorian]

LOL!

Look people, the bottom line is this: anyone who is stupid
enough to trust Micro$loth with their personal data after
decades of security issues like this deserves to have this happen
to them. Period. Think "social Darwinism".

It's like leaving the doors and windows wide open to your house
and then whining that someone stole all your stuff.

Can any of you actually tell me this is a surprise to you without
lying?

[romo828]

Update for you all...

Since all the MSFT bashing continues, its been known that these Windows Live ID's were hijacked after bungie.net website got hacked. This has nothing to do with xbox live service or msft in any way. The problem is msft will need to clean up the mess.

[ralfthedog]

Why would Microsoft...?

Why would Microsoft share credit card information with this bungie.net? If Microsoft does, That would be a big security breach.

The most they would need to share would be scores.

[Thomas, David]

Re:Update

Who do you think owns Bungie?!

[mattumanu]

Pretexting is always wrong.

And microsoft shouldn't say that anyone else was duped but themselves. In many cases all you need is a name and phone number to get started at microsoft.

[wbenton]

Interesting conclusion.

Why is it that Microsoft ONLY probes possible flaws but NOT actual flaws. (* CHUCKLE *)

Is it because they're just slow on the security job or because they're in total denial or what?

Bottom Line: Microsoft needs to stop Probing and start patching...

Walt

[mentalas1]

Bank account hacked

My sons Xbox live account was hijacked yesterday and when I checked my bank account to-day,over £200 was missing. I contacted my bank who confirmed this money had been used to purchase something from microsoft xbox so I contacted Xbox who were very helpful and have located the person responsible. My question is this......if microsoft have had so many problems in the past,why is it still happening?

[autumn8101]

how did you get them to give you your money back? My mom is going through the same thing and I am trying to help here. Please let me know. Thank you

[kimbracmoore]

I think that those of us that are being mishandled by xbox live's breach of our credit card info should start a class action lawsuit to get our money back! Anyone interested in joining me?

[autumn8101]

My mom's account just got hacked about 600 dollars and xbox is playing around and it's got to stop....if you are serious I am sure we could find enough people!!

[wrath_of_khan]

This message is intended as a warning or alert to other Xbox Live subscribers so you can be aware of this situation and take action before your account is hacked too and you are defrauded. Here is our experience and some background. My son is an avid Xbox Live player and he has been carefully schooled not to reveal any personal information about himself or his whereabouts online. He is 11 years old, does not know our email address and has no access to any type of credit card information. His Xbox Live account has parental controls in place. The other day, my son alerted me to the mysterious appearance of two Xbox themes which were mysteriously downloaded to his Xbox desktop late at night when he was asleep. A short while later our home email received an advice from Xbox Live thanking us for and confirming the purchase of 1000 Xbox points which were charged to my credit card. The credit card number was stored in a Windows Live account. The password of this Windows Live account was changed and I could no longer access it. I Googled "Xbox Live" and "fraud" and immediately pulled up numerous blogs, messages and alerts with very similar circumstances reported as far back as 2006 and with an alarming number of news reports dated March 21 2007 saying Microsoft was investgating possibility of fraud. I immediately called my credit card company and cancelled my credit card. I then contacted Xbox Live support to report the issue. My son was immediately blamed by Xbox Live Support for the incident. We had carefully validated and cross checked his story before contacting Xbox LIVE Support. The person I was dealing with was insistent my son was to blame. I clearly explained the circumstances, told them my son had zero to do with it and referenced the body of information available on the web under the same circumstances to support my story. The tone changed. I was put on hold, then given a trouble ticket number, then told to ask for a supervisor and passed over to another help desk number. After a lengthy wait I was put in touch with a very helpful individual at the supervisory level who reviewed my story, acknowledged the possibility that my son's account had been hacked and gave me detailed instructions and assistance in resetting the password on my Windows Live account - which was done online while they waited. Once that was accomplished, I was told there would be a lengthy delay while Microsoft processed a refund of the amount defrauded from my charge card - at which point I let know my credit card company was coming after them for a chargeback! As part of the overall process, my son's Xbox Live account was suspended for 15 business days - so he has to cool his heels and he can't play online. I pointedly and clearly asked how Microsoft, being self-professed leaders in web security and ecommerce could allow this problem to have continued to happen after being aware of the security breach for over 18 months and done nothing to correct the problem, failed to alert their loyal subscribers to the potential problem, and merely issued a low-key notice that they (Microsoft) were looking into it (oh, and very recently issued a report saying there was no merit to, or findings of any fraud! (Wankers!)). Needless to say, this line of question was deflected and the supervisor said she "really couldn't comment" and was "in no position to do so" (quite right too, I guess), but the bottom line remains there is no official acknowledgement that a problem even exists. This superisor who, I have to say in their defence was young, sympathetic and trained in "what not to say" despite clearly wanting to say what they were trained "not to say". So, I changed tactics and asked how Microsoft (as leaders in their field) officially expected me to be able to subscribe to their Xbox Live service and not have this problem occur again. There was a brief silence, then I was asked to hold the line - which I agreed to do. The supervisor came back on the line but clearly on different kind of connection, was walking away from their area/workstation where they took my original call where as they walked advised my in a quiet voice NOT to use the Windows Live account, NOT to use my credit card there, not to store themy credit card information there but and the only safe thing was TO USE the pre-paid card service with a pin number to subscribe . They went on to say, that "they" and their friends don't / won't use their credit card to subscribe to Xbox Live !. Incredible.

So in summary, my Windows Live account (only used for the Xbox Live subscription and to buy the occaisional bunch of Xbox points) was hacked, taken over and the password changed.
My credit card was fraudently accessed used to authorize purchase of 1000 Xbox Live points.
My son's Xbox 360 account was hacked to received two Xbox theme downloads never requested.
Microsoft knows of the problem and has done little or nothing to alert their subscribers or deter the perpetators of the theft
Microsoft cannot prevent the hack and is exposing millions of accounts and credit cards to abuse.
My 11 year old is without the use of a favoured activity.
Some hacker(s) have their middle fingers up and LOL.
Not impressed. Be warned and be on your guard. Remove your credit card info from your Windows Live account. Microsoft can't and won't protect you in this matter

[Jared41886]

Sir. My name is Jared Spotts I live in PA. I am currently filing charges against microsort xbox live . If you'd like my number is 8144821088 i can update you and let you know how I'm doing and if we can make a class act suit out of this if we get enough people they have no right to cost us gammers all the time and money we invested. I filed with local police , FTC, and district and state attorney. I'm not entirely sure if I'm really going to get anywhere but I'm more then happy to let you know just let me know who you are mind I'm 22 have alot of things going on now sueing microsoft is another one...

[Jared41886]

Yea to you #%$#%$ WHO think the people getting hacked are doing things wrong why would they have a privacy statement. It's like you get somebody telling you yea we will protect your car but hey if we leave the window down and it's stolen that's not us at all.. But I am bringin charges to microsofts doorstep I lost a rough estimate of about $8,000. Time and money was seriously invested into my 360. I don't drink, I don't smoke, I don't go drinking, I PLAY XBOX ,

[x-sposed]

My sons xbox live account was stolen .credit card card charged for xbox points..run around by support.He never gave anyone any information.

[x-sposed]

My sons xbox live account was stolen .credit card charged for xbox points..run around by support.He never gave anyone any information.

[idamon]

This has not happened to me yet but I have been threatened so I did a little investigating... evidently, if you are playing with a "hacker" it is very easy for him/her to turn on an IP sniffer which will sniff out peoples IP addresses as they die. Then you take that IP address and log into xboxlive.com or Windows live to change the persons password to whatever you want, and then you can log into their account on your xbox. The trick is to not have a saved password associated with your IP address. In other words, that little box that asks you to remember your computer, you really need to not click that. This is just one way to protect your info... but I am pretty sure it is impossible to protect your xbox live account indefinitely.