In the midst of Microsoft’s customer “service,” we find a heroine.

Happy new year, everyone. This is not the first post I intended to open 2012 with, but this is a very interesting development:

Back in late September, I had written a piece about my friend whose Xbox Live account saw unauthorized access and unauthorized charges to her credit card. What followed was an aggravating attempt to communicate with Microsoft, who claimed to have suspended her account in order to investigate the matter even though she was still able to access her account. They came up short. Furthermore, they flat out refused service on the basis that she used an alternate, shortened form of her name which violated their terms of service.

Yet according to Xbox Live Director of Policy Stephen Toulouse, no such policy exists. So, what’s up?

No solid answer has surfaced yet. Some are claiming it is a Windows Live ID issue, according to at least one testimony in this article from Joystiq. Microsoft has denied this. Their response is akin to running around like headless chickens or perhaps like an ostrich with its head in the sand.

I mean, Christ, there’s yet another NeoGAF thread about it made on January 6 of this year. In this entire mess, though, someone has gone the extra mile.

Her name is Susan. She was victimized: her Xbox Live account was stolen and sold overseas. She went above and beyond, tracked down where her account ended up, and eventually made contact with the person who bought the account. She got all the information Microsoft failed to get.

You can read her story and the plight of other frustrated customers on her page: Hacked on Xbox

So thank you, Susan, for all of your efforts. I wish I could have helped out my friend more on the matter but hopefully Microsoft sees that this is not a problem to be swept under the rug.

To a productive year!

Extra Life Charity: Play Games. Heal Kids.

On Saturday, October 15, I’ll be participating in the Extra Life charity. I will be playing games in a 24-hour marathon session in the name of Children’s Specialized Hospital, part of the Children’s Miracle Network of hospitals in an effort to raise money for them. I think this is a fantastic cause and I encourage anyone to please help out and sponsor if you can. You can sponsor any amount you wish, with the minimum being $1, one dollar, an hour.

Thanks very much! :)

My Extra Life Page

Xbox Live users hacked, victims in the name of EA’s FIFA DLC.

Late this past August, my friend noticed she had a large number of unauthorized charges on her credit card. Someone, somewhere, had gained access to her Xbox Live account and charged an enormous amount of Microsoft Points. Immediately, she phoned Microsoft’s customer support service, who claimed to have put the account on hold and said the investigation would take up to 21 days to produce results. Despite this claim of account suspension, the unauthorized user was still able to purchase additional points, and she was able to watch these points diminish slowly but surely on the official Xbox site, seeing them spent on downloadable content for EA Sports’ FIFA 2011 soccer game. We took to Google immediately and found a related post on the site Giant Bomb. It wasn’t much help, but we at least took a degree of comfort that she was not the first.

My friend naturally disputed these charges with her bank, barely. They needed information from Microsoft, which Microsoft does not give out, saying only that an investigation was underway. Microsoft also claimed several times they would actually give her a call and update her on the investigation. They did not. Ever. Unfortunately, because of some strange technicalities in their terms of service, Microsoft customer support claimed they saw no problem, that they could not help her in any way and that communications between the customer representatives and the agents of the fraud department are limited to the point where the reps don’t know some of the things the customer is even talking about. After she successfully contested the issues with the bank, Microsoft actually tried to dispute the claim filed and say that these charges are legitimate. My friend is no fan of soccer, so naturally she would never touch a FIFA game in her life, but now FIFA 2011 sits in her game history like a stain on a nice carpet. Not only that, but regardless of how many Microsoft Points you may have had prior to this breach, Microsoft is inclined to perform a points adjustment and you may be left with less than the amount you originally had, if any at all.

I took the search to perhaps the largest game forum on the internet, NeoGAF. I discovered that this was bigger than I had anticipated. Several of the forum’s users have been attacked by these thieves in the same fashion: charge points, purchase FIFA content, get away scot-free. Success with disputing these charges has been rather up and down, it would seem:

Thread 1 – Started May 24
Thread 2 – June 13
Thread 3 – August 30

One issue seems to stem from Xbox Live’s recent Family Account option, which allows a user to create additional accounts for family members, “gift” them Microsoft Points and edit their user options. Unauthorized users may access the email associated with your account, or the account itself, and purchase this family pack and a points pack for resale across a number of sites like eBay.

Taken from my friend’s letter to Microsoft reps:

From what I can tell, hackers can gain access to the victim’s accounts in a couple of different ways.  One way is by calling Xbox Support and pretending to be the victim.  They speak to a representative long enough to get a bit of information on the account, and then hang up and call back and use that new little tidbit to get a little further with the next rep.  They do this until they have enough information about the victim’s account to gain complete access.

Another way that I have read about seemed specific to FIFA ’11, where a hacker can e-mail EA support with some jargon that confuses the EA server into sending the hacker the victim’s Xbox and EA account information.  I’m not sure of the legitimacy of this claim but during my search I found videos about it on YouTube, as well as websites explaining how to do it. 

I’ve also seen reports of phishing sites offering free points for the victim to click and stupidly enter their account information.  

Once the hacker has access to the victim’s account and purchases the points, they can create a family account and restore your gamer tag to their console to make it part of the family account.  This way they are able to use your points even when your account is locked.  

They also seem to be selling accounts with the stolen points on sites like tradetang to customers who unwittingly buy them, thinking they are getting a great deal.  The auctions for these accounts make claims such as “Dear friends: Since the points might expire, please use up the points within the warranty time” and “The accounts are not gold.  And it is better not to buy gold membership for the account because it won’t last too long.”  How that doesn’t send red flags is beyond me.

Besides the unauthorized charges themselves, the unfortunate thing is how unreliable Microsoft’s Xbox site as well as their Windows Live site can be. Many users experience error pages that prevent them from successfully editing their account passwords and other details in order to increase security. Microsoft has also notoriously made removing credit card information and disabling auto-renewal payments for Xbox Live a hassle. Customers can either phone customer support and ask for the options to be removed, or remove it from the Xbox Live Dashboard, but that requires adding another credit card, which possibly negates the entire reason for removing your information in the first place. I recommend at least purchasing a prepaid Xbox Live card from a local retailer, as well as Microsoft Points cards. It’s unfortunate that we cannot depend on security like this from a major corporation, let alone two, right, Sony? We have to do our part as well, and although this sounds like common sense, this could happen to even the most experienced users: make sure to have a strong password, never give out credit information if you can help it, and don’t click on shady, suspicious links that claim to have amazing prizes and what have you.

I think sites need to raise awareness of this issue, and I ask Microsoft and all corporations that require our credit information to use a service to please work on updating their security measures and not just casually pat the customer on the shoulder and say “We’ll see.”

Microsoft Xbox Support
@XboxSupport