Alex Garden, Xbox Live's general manager, has issued a lengthy statement regarding the ongoing battle against Xbox Live hackers and online fraud, offering users security tips in the process.
"I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats," says Garden.
"Security is an ongoing battle. No matter how well we work to improve security - and we are working every day to bring new forms of protection to Xbox LIVE - our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services."
It was reported last month that insufficient security measures on the official Xbox.com website may be to blame for the growing number of Xbox Live account thefts.
While Garden notes that last year "there was a surge of personal information being compromised and sold," he maintains the same response MS has had to previous questioning: "We here at Xbox have no evidence of a security breach in the Xbox LIVE service".
His advice is the usual stuff - difference and strong passwords for each online service and the like.
Here's the full statement from Garden:
Your Security is Important to Me
Since today is Safer Internet Day, I thought it'd be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.
As all of us know, account hijacking across the Internet continues to grow. It's a thriving - albeit illegal - industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.
It's in this vein I'm reminded how important it is to listen to you, our members - to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.
Security is an ongoing battle. No matter how well we work to improve security - and we are working every day to bring new forms of protection to Xbox LIVE - our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.
That's why I believe it's more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.
What you'll see here is the most common sources of attack continue to involve:
social engineering to gather information about the user to guess the password;
phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
malicious software on the computer that has captured the password; or
using the same password from another online service that has been breached.
I share these realities in hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you login to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you're signing in from a PC that isn't your own. Working together we can prevail over the criminals.
I realize it may fall flat when we don't share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, pin sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.
Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and bot nets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.
Recovering compromised accounts - in a timely manner - is also a priority and an area where we've made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we're making great strides. We hope our customers are experiencing the improvements firsthand.
We do not take lightly the frustrations we've heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers' individual and collective concerns. For now, if you have a problem we haven't yet resolved, please email me. Also tune into Major Nelson's podcast this week to hear more about our work in the war on fraud.
With my sincere commitment to listen and take action,
Alex Garden
Email: Alex dot Garden at Microsoft dot com
General Manager, Xbox LIVE
Comments
15 comments so far...
jrb251990 on 8 Feb '12 said:
I had my xbox live account stolen about 2 years ago and it was not a fun time. Luckily my brother is on my friends list and was able to notify me about my account soon after the hacker changed my gamertag. Microsoft was able to get me my gamertag back within a week and I was mostly satisfied speed and helpfullness. I still don't know how or why my account was stolen but Microsoft assured me that they put extra security on my account which I'm sure they were just telling me to make me happy but at least they told me a lie that made me feel all warm and fuzzy inside lol
BenThomasFoster on 8 Feb '12 said:
Either you had an easy security question, easy password or you gave out you password. Even giving it to a friend can be bad ect ect. But seriously don't have you password as monkey ect ect you have to think of it in terms of bank card... Would you rally have 1234 as your bank card?
general-gaming on 8 Feb '12 said:
http://i42.tinypic.com/2zf75v5.gif
Another bulls**t Press Release from Microsoft. Anyone who's had their gamertag / MSN hacked and call Xbox Live Support will know that they're told 15-30 working days for their case to be investigated. Even if you mention Trading Standards and Citizens Advice, Microsoft will not budge it further. It's faster to resolve the situation yourself.
Any fraudulent transactions made on Xbox Live on your Xbox Live Gold Gamertag can take anything upto 2-4 weeks. You can get it sooner if you tell your bank who put pressure on Microsoft to honour the refund.
To add salt to the wound of any hacked victim on Xbox Live, the best one can hope for is a 1 month pass on Xbox Live Gold. The same 1 month pass they offer to you for a £1 the Xbox dashboard they offer to all silver members.
Your money isn't safe on Xbox Live. The customer support say under contract they can't remove your card details but tell them the law and your consumer rights and this little stunt is wavered.
http://i40.tinypic.com/v79x6e.jpg
That's a bald face lie. If you believe this CVG article, you might as well believe Cliffy B in Narnia land that next gen consoles will render to the same quality as James Cameron's Avatar.
Old Skool Gamer on 9 Feb '12 said:
Playfire.com is where this is all coming from, people being setup randomally and then it asks you for your login details for your account, once these have been entered it's then out in the wild, just found out 6 people have set me up on this site, not impressed at all as it has unauthorised access to my account without my permission.
MS need to get this site shut down ASAP!
WHERESMYMONKEY on 9 Feb '12 said:
Sorry mate it isn't. I had my account hacked a few weeks back and i got it reinstated in 24 hours. With a month extension to live and a 8200 free MS points for the trouble it caused plus my money back from paypal that got nicked off my card and i got to keep all the crap the bloke downloaded as well. ended up with a free season pass for gears 3, undead nightmare for red dead and crysis.
MS are doing a bloody good job considering the situation. So take it from someone who's actually had to deal with this, so long as you can provide them with all the relevent details. they'll get everything back to normal and then some in double quick time.
Toasted_PSP on 9 Feb '12 said:
Playfire.com tracks PSN and Steam accounts as well but these have not been compromised like LIVE meaning the issue still lies with MS somewhere. Whether its that the CAPTCHA system is broken like was suggested a couple of weeks ago or the fact the even those MS can see where you login from they don't care if you suddenly 5minutes after logging off in London login for the first ever time in Moscow and start spending money like mad, Credit Card companies flag that as strange activity and investigate by contacting you straight away, MS ignore it until you complain.
ensabahnur on 9 Feb '12 said:
Actually its not, mines was hacked a few weeks ago and MS had it returned to me in 3 days with an extra month code, all my points back and a few bonus ones as well. Ok i never noticed the email coming through and ended up waiting 7 before phoning them but they had sent it to my back up email which i hadn't checked yet.
But yes the 3 day thing is true. They do say it can take up to 30 but in most cases its returned in 3.
Now i believe you owe this man an apology.
I look forward to Avatar looking games and Cliffy B bringing us some rock back from Narnia. Good times.
KesMonkey on 9 Feb '12 said:
I think you're on to something there Old Skool. I was sent this web address from an XBL friend. As soon as it asked for my XBL login details, I became suspicious. I'll bet there are thousands of gamers out there (especially the achievement chasers) who are willingly handing over their XBL login details to this site.
Toasted, I think you've highlighted the weakness alright. Xbox.com allowing unlimited login attempts is/was extraordinarily careless on Microsoft's part.
Noobsaibot on 9 Feb '12 said:
There is some serious need of education here.
ATTENTION!!! IT IS NOT REALISTICALLY POSSIBLE TO HACK AN XBOX LIVE ACCOUNT!
I say realistically as to do so, you would need the gamertag, the email address of the gamertag and the password for said email (failing that, the answer to the security question plus access to the alternate email address). In short, unless you are an unbelievable good details guesser, it cannot really be done. So how else could details be compromised?
Well, there are three ways this could be happening:
1. You have inadvertently given away your email address and password. This likely happens to idiots/10th prestigers/achievement whores who give their details unwittingly to another person (even a friend) either through XBL parties & messages or through some other online forum (youtube videos/"hacking" forums).
Example: http://www.youtube.com/watch?v=yDsaL_mcxHs (Anyone stupid enough to do this deserves it frankly)
2. Poor security on a publishers servers within Xbox Live (IE: EA/Origin, Activision, Ubisoft etc... but mostly EA). The very reason why I hate a service within a service (live) system. Basically, people who have played EA games and were forced to create an EA account. Chances are, the username/email/password is the same as that of their XBL account. This is often how those Fifa ultimate team hackers obtain accounts. Haven't a breeze how they do it though it appears you don't even have had to play fifa for it to happen - seemingly any EA game which forced you to register with their service. I imagine they exploit some sort of "forgot password" system on the third party site which clearly is not as robust as MS' one.
3. Online tracker sites like playfire. Similar to number 2, you probably have XBL details the same. These 'tracker' sites may be easier to exploit in order to get details.
As for removing credit cards from your Xbox account, you can do so here as long as the card is not tied to an active subscription:
billing.microsoft.com
If it is, for shame. Pre paid codes are easier, safer and a hell of a lot cheaper. I hope the above info clarifies things for everyone (Might even make it my sig). To summarize, it is not Microsoft's fault this is happening. The only XBL account ever to be legitimetly hacked was Major Nelsons.
Toasted_PSP on 10 Feb '12 said:
If what's is been said about the CAPTCHA system on xbox.com in true then you can just brute force password attack multiple accounts at once, no need to guess the password just set a bot to try every possible password over and over again, eventually you will get into an account, particularly if the password is weak.
Gamertags aren't hard to find so if the xbox.com problem is true then its pretty easy for hackers to just try multiple email address (There are likely many people with a gamertag@something.com type email address) against a gamertag until one return with the right password error rather than an account doesn't exist type error then attack those accounts with a brute force password attack.
Its easy to blame a poor third party system rather than MS' robust premium system, but these 3rd party site which force you to create an account are not exclusive to 360, PS3 games require accounts to be create on 3rd party systems as well but PSN users are not experiencing this problem. Either the 3rd party systems are only poor at storing data for 360 users or the problem lies somewhere closer to home on MS' system or the way MS talk to the 3rd party system.
Tracker sites are certainly an easy way to harvest large numbers of account names, but these cant been the sole problem as these sites also track PS3 and Steam accounts as well and those systems are not been effected. Again either these site store the 360 accounts in a far less secure way than they store PSN and Steam accounts or the problem also in part outside of these sites.
ricflair on 10 Feb '12 said:
Well noob worked for xbox support and has been very critical of MS in the past, so I am more inclined to believe him.
If it's possible to brute force any XBL account, I'd imagine that the vast majority of all accounts would have been hacked by now, so I don't know. Maybe they're just binding their time and not being greedy?
Whether MS's security is to blame or not, I don't know. I'm sure it makes some Sony fans sleep better at night thinking that it is.
Toasted_PSP on 10 Feb '12 said:
If that's the case lets hope he replies to clear up some of the quires I have with his initial post, I still dont understand why if this is all due to poor security on a 3rd party site is it only effecting 360 users when the 360 isnt the only system using these 3rd party sites.
The harder the password the long it takes, if you use a password of mixed numbers and letters it will take a lot longer than if you have word and numbers which in turn will take longer than a really simple one word password.
I am not sure why fraud been committed against people would make anyone happy whether its against Sony, MS or any company. You must live a bitter life if seeing a company or people suffer attacks or fraud makes you sleep better at night
ricflair on 10 Feb '12 said:
Come on, you must've read these article comment pages enough times to realise that loads of t**ts, on both sides, revel in bad sale figures, bad financial results, PR disasters etc, and equally people seem to stake their lives on defending these companies too when they've f**ked up.
As I said, I don't know if MS are to blame. You'd hope they'd learn from the RRoD shambles that denying the existence of a problem is ultimately foolish and would probably, with them being American and all, mean they get an astronomical amount of class action lawsuits!
I expect millions of people also have very basic passwords and they'd be using scripts to brute force the passwords, so it wouldn't take that long. Also aren't XBL accounts/passwords the same as Windows Live? It'd be massive and go way beyond gaming if their whole Live network was being hacked at will.
Toasted_PSP on 10 Feb '12 said:
I know a lot of people do that but its a mentality I just dont understand, I have no problem with people disliking companies but why hate on them for everything they do and why relish in their failures.
I haven't got a clue what the problem is. I have read multiple articles about the problem over the last year and the one thing that is clear is the problem is not been sorted by someone. If as MS claim this is due to phishing scams, poor security on 3rd party sites, tracker sites, weak passwords ect what I still don't understand is why its is only effecting LIVE users. All those possibilities would allow these fraudsters to hack not only LIVE accounts but PSN and Steam accounts as well which is not happening. I think there were a few initial "Fifa Hack" claims made by PSN users but these have since dried up and its only LIVE users suffering at the moment.
I am not claiming to know what is going on here past the fact that fraud is been committed and seemingly nobody is doing anything about it, publicly at least, is quite a worrying situation.
The Bossman on 10 Feb '12 said:
Only idiots would give away their details on anyone on their friends list, that's how this happens. Type random passwords in notepad, trim them down, print them out and type them in every time you want to log into Live. Then change them every month or so.