Late this past August, my friend noticed she had a large number of unauthorized charges on her credit card. Someone, somewhere, had gained access to her Xbox Live account and charged an enormous amount of Microsoft Points. Immediately, she phoned Microsoft’s customer support service, who claimed to have put the account on hold and will take up to 21 days for the investigation to find results. Despite this claim of account suspension, the unauthorized user was still able to purchase additional points and she was able to watch these points diminish slowly but surely on the official Xbox site, seeing them spent on downloadable content for EA Sports’ FIFA 2011 soccer game. We took to Google immediately and found a related post on the site Giant Bomb. It wasn’t much help, but we at least saw a degree of comfort that she was not the first.
My friend naturally disputed these charges with her bank, barely. They needed information from Microsoft, which Microsoft does not give out but that an investigation was underway. Microsoft also claimed several times they would actually give her a call and update her the investigation. They did not. Ever. Unfortunately, because of some strange technicalities in their terms of service, Microsoft customer support claimed they saw no problem, that they could not help her in any way and that communications between the customer representatives and the agents of the fraud department are limited to the point where the reps don’t know some of the things the customer is even talking about. After successfully contesting the issues with the bank, Microsoft actually tried to dispute the claim filed and say that these charges are legitimate. My friend is no fan of soccer, so naturally she would never touch a FIFA game in her life, but now FIFA 2011 sits in her game history like a stain on a nice carpet. Not only that, but regardless of how many Microsoft Points you may have had prior to this breach, Microsoft is inclined to perform a points adjustment and you may be left with less than the amount you originally had, if any at all.
I took the search to perhaps the largest game forum on the internet, NeoGAF. I discovered that this was bigger than I had anticipated. Several of the forum’s users have been attacked by these thieves in the same fashion: charge points, purchase FIFA content, get away scot-free. Success with disputing these charges has been rather up and down, it would seem:
Thread 1 – Started May 24
Thread 2 – June 13
Thread 3 – August 30
One issue seems to stem from Xbox Live’s recent Family Account option, that allows a user to create additional accounts for family members and “gift” them Microsoft Points and edit their user options. Unauthorized users may access your email associated with the account, or the account itself, purchase this family pack and a points pack for resale across a number of sites like eBay.
Taken from my friend’s letter to Microsoft reps:
From what I can tell, hackers can gain access to the victim’s accounts in a couple of different ways. One way is by calling Xbox Support and pretending to be the victim. They speak to a representative long enough to get a bit of information on the account, and then hang up and call back and use that new little tidbit to get a little further with the next rep. They do this until they have enough information about the victim’s account to gain complete access.
Another way that I have read about seemed specific to FIFA ’11, where a hacker can e-mail EA support with some jargon that confuses the EA server into sending the hacker the victim’s Xbox and EA account information. I’m not sure of the legitimacy of this claim but during my search I found videos about it on YouTube, as well as websites explaining how to do it.
I’ve also seen reports of phishing sites offering free points for the victim to click and stupidly enter their account information.
Once the hacker has access to the victim’s account and purchases the points, they can create a family account and restore your gamer tag to their console to make it part of the family account. This way they are able to use your points even when your account is locked.
They also seem to be selling accounts with the stolen points on sites like tradetang to customers who unwittingly buy them, thinking they are getting a great deal. The auctions for these accounts make claims such as “Dear friends: Since the points might expire, please use up the points within the warranty time” and “The accounts are not gold. And it is better not to buy gold membership for the account because it won’t last too long.” How that doesn’t send red flags is beyond me.
Besides the unauthorized charges themselves, the unfortunate thing is how unreliable Microsoft’s Xbox site as well as their Windows Live site can be. Many users experience error pages that prevent them from successfully editing their account passwords and other details in order to increase security. Microsoft has also notoriously made removing credit card information and disabling auto-renewal payments for Xbox Live a hassle. Customers can either phone customer support and ask for the options to be removed, or remove it from the Xbox Live Dashboard but needing to add another credit card, which possibly negates the entire reason for removing your information in the first place. I recommend at least purchasing a prepaid Xbox Live card from a local retailer, as well as Microsoft Points cards. It’s unfortunate that we cannot depend on security like this from a major corporation, let alone two, right, Sony? We have to do our part as well, and although this sounds like common sense, this could happen to even the most experienced users: make sure to have a strong password, never give out credit information if you can help it, and don’t click on shady, suspicious links that claim to have amazing prizes and what have you.
I think sites need to make this issue aware, and Microsoft and all corporations that ask us for credit information for utilization of a service, to please work on updating your security measures and not just casually pat the customer on the shoulder and say “We’ll see.”
Microsoft Xbox Support