Posted on Thursday 24-Nov-2011 12:38 PM

MS tells Sun again: 'Xbox Live hasn't been hacked'

But platform holder investigating customer complaints

Microsoft has responded to The Sun's latest "exclusive", which claims that the Xbox firm is 'covering up' Xbox Live hacks.

Xbox Live Screenshot
For the second time, the platform holder has stated that the Xbox 360 online service has not been compromised.

A spokesperson said:

"As we commented on Tuesday, the Xbox LIVE service has not been hacked. However, we are investigating a number of recent customer complaints relating to Xbox Live customer service - particularly in the way that we have processed refunds to customers that have been victims of phishing related fraud.

"Consequently, we are taking several steps to address and resolve these particular issues as soon as possible and working closely with our affected customers to investigate and resolve any unauthorized charges made to their accounts resulting from recent phishing scams.

"Finally we would like to apologise to any customers who have not experienced a good service from us."

Earlier this week, The Sun's front page loudly proclaimed "Xbox cyber fraud" in a "crime exclusive", but the story ultimately pointed to phishing scams, which have been around for at least four years in the world of Xbox.

Microsoft responded with a statement that simply said: "Xbox Live has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox LIVE service."

In today's retort, The Sun claims "dozens of angry readers contacted [us] to tell how crooks bought Microsoft Points on their accounts to trade on to users in countries like China, Nigeria and Russia - even though they didn't pass on any personal details or visit phishing websites."


Comments

11 comments so far...

  1. svd_grasshopper on 24 Nov '11 said:

    'hacked' is a very loose term. obviously it doesn't pertain to phishing, but a technophobe (or a paper looking for a headline) wouldn't really know better.

  2. StormyV3 on 24 Nov '11 said:

    Well to be fair this wouldn't be the first time "The Sun" has made a mountain out of a molehill "/ "dozens" of people?! Well considering how many millions of people are members of Xbox live, this story isn't exactly up there with the breaking news of 9/11 is it :-/ I've had Xbox live for 6 years and never had a problem at all! Then again I don't reply to "send your email address and password to receive 1 million MS points" messages :) If you're daft enough to put your details at risk then well, tough tits really "/

  3. karlrobert23uk on 24 Nov '11 said:

    And of course anything but the Leveson inquiry on the front page as it is doing a good job of destroying our parent company and we may also be very much involved in the phone hacking scandal and would not want to tarnish our own reputation any further so we decided it would be better to have a go at xbox live and run a four year old story about phishing scams instead.

  4. JakeyBaby on 24 Nov '11 said:

    'hacked' is a very loose term. obviously it doesn't pertain to phishing, but a technophobe (or a paper looking for a headline) wouldn't really know better.

    Someone totally hacked my fridge yesterday - fishing for my mayonnaise! I was having chicken burgers that night too. Well gutted.

  5. middle finger on 24 Nov '11 said:

    I'm not saying it was, but for how long Microsoft was denying rrod?
    I'd say they're both worth each other.

  6. LordVonPS3 on 24 Nov '11 said:

    Sorry to have to rant like this but... It's about time these mainstream services (over 100,000 registered customers) adopt and implement dual factor authentication. There are a number of choices already available and on the market. What are they waiting for?

    Here are 5 dual factor options (off the top of my head) for once the user has entered a username / password...

    1.) Send customers a mobile phone text message (with token #).
    2.) Send customers an automated phone call / leave VM recorded message (with token #).
    3.) E-mail customers a token #.
    4.) Give customers an RSA SecurID token to generate a token #.
    5.) Implement an X360 / PS3 firmware based algorithm to receive a token #.

    For added security the token # above should need to be appended to a registered and known - 4 digit PIN number, hence you would authenticate as follows...

    STEP 1.) Login: LordVonPS3. Password: *****************
    STEP 2.) PIN: 1234/567890

    To add to this - IF it's not already there, these services must e-mail and prepare a monthly statement for download just as credit card companies do, in order to let you know what you've purchased and how much money has been spent on your account. Every purchase or account change should result in an e-mail notification linking back to XBL / PSN for further details.

    All PSN / XBL * PURCHASES * or * PERSONAL DATA / ACCOUNT SETTINGS CHANGES * should be subject to a dual factor implementation (as per the 5 options above or other suitable). One could even argue that just to login to PSN / XBL you should have to go through this dual factor procedure.

    I don't see why anyone should care if Microsoft says XBox Live hasn't been hacked. REAL people's accounts ARE getting hacked and these companies have a responsibility to ensure the public's security as best they can. Clearly these companies are not doing all that they can and I would regard that as NEGLIGENT.

    Seriously, I find it funny how people rate XBL / PSN so highly when simple but VERY IMPORTANT things like this are missing.

    -- Lord Von.
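As an added illustration of the "PIN/token" second step the comment above proposes (example code, not from the article or any commenter): the server issues a one-time token for delivery out of band, then verifies the user's `<PIN>/<token>` entry with an expiry, an attempt limit, constant-time comparison and single use. The HOTP token generation, the hashed PIN store and the injected `now` clock are my assumptions.

```python
import hashlib
import hmac
import struct

TOKEN_DIGITS = 6   # length of the token # sent out of band (SMS, call, e-mail, console)
PIN_DIGITS = 4     # the registered PIN the user prefixes to the token
TOKEN_TTL = 300    # seconds a delivered token stays valid
MAX_ATTEMPTS = 5   # wrong step-2 entries allowed before the challenge is voided


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # The PIN is stored only as a salted PBKDF2 hash, never in clear (assumed store).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SecondFactorChallenge:
    """Step 2 of the login: the user must enter '<PIN>/<token>' before the token expires."""

    def __init__(self, pin_hash: bytes, salt: bytes, token_secret: bytes,
                 counter: int, now: float):
        self.pin_hash, self.salt = pin_hash, salt
        self.expected_token = hotp(token_secret, counter)  # value delivered out of band
        self.expires_at = now + TOKEN_TTL
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, entry: str, now: float) -> bool:
        if self.used or self.attempts_left <= 0 or now > self.expires_at:
            return False
        self.attempts_left -= 1
        pin, sep, token = entry.partition("/")
        if sep != "/" or len(pin) != PIN_DIGITS or not pin.isdigit():
            return False
        # Check both halves in constant time and only combine at the end, so the
        # response does not reveal whether the PIN or the token was the wrong part.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        token_ok = hmac.compare_digest(token.encode(), self.expected_token.encode())
        if pin_ok and token_ok:
            self.used = True  # one-time: a replayed entry must fail
            return True
        return False
```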

  7. djm99 on 24 Nov '11 said:

    It could just be down to EA being hacked, and the hackers using that info to get to Xbox live accounts, that's how it happened with me.

  8. LordVonPS3 on 24 Nov '11 said:

    It could just be down to EA being hacked, and the hackers using that info to get to Xbox live accounts, that's how it happened with me.

    EA has reported on phishing scams in their own forums. i.e. They are warning customers to beware of such phishing scams. Arguably they are covering themselves in the cheapest (most cost effective) way by notifying you of such scams (whether by their forums, by e-mail, etc). Again, for EA to report on phishing scams does not indicate that their service & systems have been hacked, it is merely the case that a number of their user accounts have been hacked.

    There is a difference... If you hack the service you get all usernames, passwords, personal data and everything stored unencrypted in the database (or that can be "cracked" if lesser-grade encryption is used). Hacking an account by using someone's username and password is an "isolated case". Of course this doesn't mean you can't have dozens, hundreds or thousands of "isolated cases"...

    The main problem is that customers are using the same username and password for their EA profile as their XBox Live profile (and no doubt other websites as well). The likes of Microsoft will tell you that this is a 'user problem' - it's your problem not theirs. I don't entirely agree with this viewpoint, particularly in the case where Corporate X does not provide the technology / means to improve your security. Naturally, it is still down to you to use the technology as intended (i.e. back to education again).

    The likes of Gawker (Kotaku, Lifehacker, etc), Steam, Bethesda, Nintendo, Codemasters, etc, have all been hacked (i.e. some proportion of their database has been illicitly accessed - but through no direct fault of any independent user). If you've been using the same password across these sites (and others) - you'll hopefully have had the common sense to change your password EVERYWHERE else as well as on that site to a different password for each and every site.

    A number of sites are now using Single Sign On authentication, whereby you can login using your Twitter ID or your Facebook ID, etc... This is ultimately DOOMED to the same vulnerability. If someone hacks Twitter / Facebook, etc (or hacks YOUR Twitter account / Facebook, etc - account), then they'll have access to every service that enables Twitter / Facebook, etc - authentication for YOU. What this effectively does is push us ever faster onto the next most important security layer and that is...

    We are now in requirement of a 2nd factor of authentication to mitigate the increased risk of consolidating usernames and passwords. Unfortunately not everyone is as well versed in such matters of security as others and it * IS * the responsibility of these Corporations to cater for the blind, mute, deaf AND "innocent".

    -- Lord Von

  9. svd_grasshopper on 24 Nov '11 said:

    haha, the lord is awesome.

  10. djm99 on 24 Nov '11 said:

    The Lord speaks the truth, Signing up with EA asking for your Windows ID and password, you're bound to put in the same one as your live account...if you're not careful.

  11. PS3UberTool on 25 Nov '11 said:

    No one will admit to being the victim of a phishing scam... it means admitting that they are sh!t thick and give their details out to anyone who asks and thus they can't blame someone else.