Xbox Live security concerns continue to grow

Additional reporting provided by Alexander Sliwinski, News Editor for Joystiq.Last week, Shacknews explored a series of hacks plaguing Xbox Live users, the most notable of which revolved around the use of EA’s FIFA 12 to launder money out of the service. By accessing Xbox Live accounts, hackers are purchasing FIFA 12’s in-game ‘Ultimate Team’ cards with the intention of trading and selling the content. According to some of those affected, saved payment methods on hacked accounts had also been used to purchase more Microsoft points in order to facilitate the purchase of more content.The variety of ways in which accounts can be attacked–via FIFA 12, PayPal, etc–has painted an inconsistent story amongst consumer complaints. However, there is a common thread running between each story: Microsoft’s Windows Live ID.Windows Live ID lets users adjust Xbox Live account information, add and remove payment methods, link PayPal accounts, and more.”In October–right when Gears of War 3 came out of all things–I woke up to find my Xbox region changed,” COTV’s Robert Welkner told me. “All my Microsoft Points [were] used up, the months on my Gold swallowed up, and an attempt to get more Microsoft Points was made on my debit card.”Robert’s Xbox Live account has been locked since, while Microsoft investigates the situation; however, he expects a resolution soon.Justin Heard’s story is similar, though his account was compromised and used to purchase a Games for Windows Live title. Speaking with Joystiq, Heard says his account was used to purchase the Collector’s Edition of Rift–a PC-exclusive title–along with several point bundles and a Family Gold package, which he believes was used to transfer the purchased points to new accounts.Heard’s account is also locked while Microsoft investigates the situation.”I can state we’ve not been made aware of anything like that either from users or PayPal to my knowledge–a partner we work with closely,” Xbox Live Director of Policy and Enforcement Stephen Toulouse told Shacknews. “I just checked with a counterpart at PayPal who said they have no idea what that source is talking about,” he added in response to one report claiming PayPal was becoming flooded with customer service complaints regarding unauthorized Xbox Live charges.Multiple charges appeared on my own account, following a FIFA 12-related hack.In our reports, none of the users felt they had fallen victim to phishing or social engineering scams–which includes my own situation reported last week. In my particular case, the Windows Live ID linked to my Xbox Live account was an address I rarely use.When first reporting the FIFA 12 hack, Ben Kuchera of Ars Technica–the first site to report the FIFA 12 hack–told Joystiq that he would take every precaution with his own Xbox Live account. “The easiest way to limit your exposure is to remove your credit cards and just use point cards for purchases and to pay for your account. It’s slightly inconvenient, but I feel much safer,” he said.Xbox.com’s security page reveals a number of ‘best practices’ for users to protect their accounts; however, the majority of the site’s security is linked to a single log in and password exchange between the user and the service. Meaning, once you log into an account you’re free to make any account changes you wish. There are no security checkpoints along the way. In fact, once you log in you’re free to examine every aspect of an account, giving hackers access to information such as your full name, phone number, and mailing address. Making substantial changes, like switching account regions, is a simple process. Why isn’t Microsoft calling users or using other measures to verify account changes of this magnitude? Surely the volume of Xbox Live users switching accounts from the United States to Eastern Europe isn’t enough to slow down customer service.In response to our inquires about the state of Windows Live ID, Microsoft says the service has not been compromised and maintains phishing and social engineering are to blame. “Windows Live ID was not compromised. The FIFA 12 and other similar incidents are cases of social engineering or phishing, which are industry wide problems,” a company spokesperson told Shacknews. “Microsoft constantly audits its systems and reviews its processes in an effort to help protect customers from such issues. To help avoid becoming a victim of phishing, people can use the guidance found at the Microsoft Hotmail: Serious About Safety site. They can also visit the Windows Live Hotmail Help Center, if they believe their account was compromised.”Our own recommendation is that users look to change their Windows Live ID and get into the habit of switching the passwords every few months. The headache now will be far less painful than the frustration later.If you have more information to provide, please feel free to contact us.