This Was The Xbox Problem. Here Is The Solution.

No one ever thinks they will be the victim of a phishing scam or account hacking until it finally happens to them. A hacked Xbox LIVE account is an inconvenience at the very least, but how bad can it get and what should you do if you’re a victim? Read more to find out.

Andy Bates is a QA engineer from San Jose, California. On July 22, 2011, he made his first phone call to Xbox support after discovering that two unauthorised purchases totaling $US124.95 had been made using his account. He provided the support staff with his details and was told that his account would be suspended for 21 days to ensure that no other fraudulent activity could occur while they investigated the hacking.

Eighteen days later, Bates received an email from Xbox notifying him that his LIVE Gold 12-month subscription had been automatically renewed.

“This annoyed me,” Bates says. “It should have also tipped me off that something was wrong. If my account had really been suspended, it should not have auto-renewed.”

Two days later, Bates called Xbox support again. A day away from the end of the 21-day investigation, the status of his case was “still being investigated.”

The Letter

On February 7 the General Manager of Xbox LIVE, Alex Garden, wrote a letter for all Xbox LIVE users. In this letter he detailed the new security measures that the service was putting in place to protect LIVE accounts, which included an important line that said hacked accounts could be returned to owners as soon as three days after an investigation is opened.

For many people, perhaps with the exception of Andy Bates, this letter seemed like a mere formality, not a response to a real problem. After all, 2011 was the year of the PlayStation Network hackings, in which hackers gained access to the information of an estimated 70 million PSN accounts. Xbox LIVE’s problems paled in comparison.

But a pale problem is still a problem. The extent of hacked Xbox LIVE accounts may not have spilled into the millions, but it was more widespread than most believed. Most people were aware of the FIFA-related Xbox LIVE attacks, but beyond that many other accounts were being compromised on a regular basis.

The Problem

While we cannot put a figure on the number of Xbox LIVE accounts hacked in 2011, a thread about Xbox LIVE account hackings on the popular gaming forum NeoGAF had no problem drawing hundreds of responses from victims within days of being posted. The problem wasn’t simply that these accounts had been compromised, it was Xbox’s poor handling of the cases.

Victims were told that their accounts would be suspended anywhere from 21 to 27 days while the accounts underwent investigation, but many of these investigations far exceeded the time frame and were often inconclusive.

Many of the posts went as such: account hacked in September 2011, still not resolved by mid-November; account hacked early October, still not resolved by mid-November; account hacked in June, still no resolution, compensation or remuneration from Microsoft; account hacked mid-July, still no remuneration by November; account hacked in August, still nothing from Microsoft at the time of writing. While there were cases where Microsoft resolved the problem in a timely manner, it was evident that many customers were left hanging and dissatisfied.

The Problem That Got Worse

Twenty-seven days since his first call to Xbox support — a whole week after his case was meant to have been resolved — Andy Bates called Xbox support again. He was informed that his case had been closed… with no resolution. When Bates asked why it had been closed, he was told that they had lost or misfiled information, so there wasn’t enough information to investigate the fraud.

Bates says: “The rest of the conversation went something like this:

‘Me: I don’t understand why you would close the investigation if you didn’t have enough information to resolve it.

Xbox: We did resolve it: we resolved it as Not Enough Information.

Me: Why didn’t you leave it open until you could get more information from me?

Xbox: We didn’t have a way to get a hold of you.

Me: Well, you have my email address on file, why didn’t you email me?

Xbox: Since your account had been compromised, that email could have been compromised too.

Me: But I provided you with an alternate email address specifically so you could get a hold of me!

Xbox: We didn’t have that information.’”

Bates says he was told that he would have to wait another 21 days for the case to be resolved.

In September Bates’ friends notify him that his account has been seen logging onto Xbox LIVE to play games, even though Bates is locked out and the account is supposedly suspended. By mid-September, Bates’ account is returned to him — without any information on the findings of the investigation. He is promised a refund of the credits used by hackers back in July, but he finds that additional games were bought with his account while it was suspended and his entire Friends list has been wiped. In fact, his purchase history shows that games were still being bought during the months of August and September.

“So I call them and they escalate my complaints to a supervisor,” he says.

“This is how she dealt with the issues: ‘I am very sorry, I apologise. No, I can’t recover your Friends list, no I don’t know why your account wasn’t locked, sorry I can’t forward you to my manager – there is no one above me, this is escalated as far as it can go.’”

Two months later, Bates still doesn’t receive his credit refund and calls again, at which point he is told that his refund will come soon.

“So that’s the story,” Bates tells Kotaku AU.

“I am amazed at the repeated incompetence at dealing with customer issues, the lost data, and the failure to lock my account, and the complete unwillingness to provide any free credits to make up for it.”
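The failures in this story reduce to one invariant a service can audit for: an account suspended for investigation should show no renewals, purchases or sign-ins until it is restored. The sketch below is an added example, not code from Microsoft or from the article; the event schema, account names and dates are constructed for illustration (only the July 22 suspension and the renewal 18 days later follow the article).

```python
from datetime import date

# Activity that should be impossible while an account is suspended.
FORBIDDEN = {"sign_in", "purchase", "auto_renewal"}

def suspension_windows(events):
    """Map account -> list of (start, end) days; end is None while still suspended."""
    windows = {}
    for ev in sorted(events, key=lambda e: e["day"]):
        spans = windows.setdefault(ev["account"], [])
        is_open = bool(spans) and spans[-1][1] is None
        if ev["kind"] == "suspend" and not is_open:
            spans.append((ev["day"], None))
        elif ev["kind"] == "restore" and is_open:
            spans[-1] = (spans[-1][0], ev["day"])
    return windows

def violations(events):
    """Return forbidden events dated strictly inside a suspension window.

    Day granularity cannot order events on the suspend/restore day itself,
    so those boundary days are not flagged.
    """
    windows = suspension_windows(events)
    hits = []
    for ev in sorted(events, key=lambda e: e["day"]):
        if ev["kind"] not in FORBIDDEN:
            continue
        for start, end in windows.get(ev["account"], []):
            if start < ev["day"] and (end is None or ev["day"] < end):
                hits.append(ev)
                break
    return hits

# Constructed sample log (hypothetical schema and account names).
SAMPLE_EVENTS = [
    {"account": "acct-A", "day": date(2011, 7, 21), "kind": "purchase"},
    {"account": "acct-A", "day": date(2011, 7, 22), "kind": "suspend"},
    {"account": "acct-A", "day": date(2011, 8, 9), "kind": "auto_renewal"},
    {"account": "acct-A", "day": date(2011, 8, 20), "kind": "purchase"},
    {"account": "acct-A", "day": date(2011, 9, 5), "kind": "sign_in"},
    {"account": "acct-A", "day": date(2011, 9, 15), "kind": "restore"},
    {"account": "acct-A", "day": date(2011, 9, 16), "kind": "sign_in"},
    {"account": "acct-B", "day": date(2011, 9, 1), "kind": "purchase"},
]

if __name__ == "__main__":
    for ev in violations(SAMPLE_EVENTS):
        print(ev["day"], ev["account"], ev["kind"])
```

Run against a real event stream, any hit means the suspension was recorded but not enforced, which is the condition the auto-renewal email signalled here.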

The Solution

Bates’ story is not a common one, but it does highlight the inconsistent way in which Microsoft handled hacking cases. Some people have had their accounts returned to them — refunds and all — within 21 days with no problems whatsoever. Others have had their cases dragged out for months. This is why Xbox LIVE’s recent letter to its users is significant and should not be ignored.

In his letter, Alex Garden urges Xbox LIVE users to take extra care to safeguard their accounts from attacks, such as setting difficult passwords, routinely changing them, using a valid email and unique password for each service signed up for, and reducing the amount of personal information shared online.

Additional security measures that Xbox LIVE has put in place to prevent hackings include implementing CAPTCHA, an industry-standard anti-scripting measure designed so that an actual human has to answer the question, and account lock-outs for those who try and fail multiple times at logging in.

The 21-day investigation period that caused Xbox LIVE users so many headaches has also been reduced.

Garden writes:

“Recovering compromised accounts — in a timely manner — is also a priority and an area where we’ve made and will continue to make improvements.

“We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days.

“For users who had added extra strong proofs to their accounts, this may be as fast as 24-hours.”

Garden writes that while some cases might still take longer, the boost in resources aims to dramatically reduce the waiting period.

Long live LIVE

If you suspect that your Xbox LIVE account may have been compromised, check bank statements to see if any transactions have gone through and call your bank and Xbox Support immediately to prevent further transactions from taking place. The number for Xbox Support for Australians is 1800-555-741.

Time will tell whether Xbox LIVE’s new security and investigation measures will improve the way Microsoft handles hacked accounts. While the hacked accounts of yesteryear may have had to put up with an inconsistent system, hopefully cases like Andy Bates’ will be a thing of the past.