Microsoft "Cares Deeply" About Hijacked Accounts, Asks For "Trust In Us"

Offering the company's first detailed and, dare I say it, human response to a recent flood of hijacked Xbox Live accounts, Microsoft's Alex Garden, General Manager of Xbox LIVE, has issued the following statement:

(I've bolded what I think are the important bits!)

Your Security is Important to Me

Since today is Safer Internet Day, I thought it'd be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.

As all of us know, account hijacking across the Internet continues to grow. It's a thriving — albeit illegal — industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.

It's in this vein I'm reminded how important it is to listen to you, our members — to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.

Security is an ongoing battle. No matter how well we work to improve security — and we are working every day to bring new forms of protection to Xbox LIVE — our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.

That's why I believe it's more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.

What you'll see there is that the most common sources of attack continue to involve:

· social engineering to gather information about the user to guess the password;

· phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;

· malicious software on the computer that has captured the password; or

· using the same password from another online service that has been breached.

I share these realities in the hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you log in to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you're signing in from a PC that isn't your own. Working together, we can prevail over the criminals.

I realise it may fall flat when we don't share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, PIN sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.

Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and botnets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.

Recovering compromised accounts — in a timely manner — is also a priority and an area where we've made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we're making great strides. We hope our customers are experiencing the improvements firsthand.

We do not take lightly the frustrations we've heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers' individual and collective concerns. For now, if you have a problem we haven't yet resolved, please email me. Also tune into Major Nelson's podcast this week to hear more about our work in the war on fraud.

With my sincere commitment to listen and take action,

Alex Garden

Email: Alex dot Garden at Microsoft dot com

General Manager, Xbox LIVE

It's great hearing Microsoft respond to the attacks by improving the turnaround time for hijacked accounts. It's also nice to hear some kind of summary of the company's defences, even if they're expressed in the vaguest terms.

But the bulk of this still places the "blame", so to speak, at the feet of the user, implying that the loss of their accounts is due to phishing, or scamming, or someone using a tired old password. Given the sheer scale of the incidents (both in terms of readers contacting us and Microsoft's investment in turning them around), the targeted nature of them and the recent timeframe involved, I find that a little hard to believe.

Comments

    I for one blame the psychics on channel 74. They are just so damn amazing with what they can divine from the thought auras in the conscious sphere. But they are drunk with power and take zero responsibility for the information they give out to people. Everyone is ringing them and asking for Live passwords and the psychics, so careless of our insignificance, will give it out with no care for the consequences.

    Damn you TV4ME. Damn you.

    "While we here at Xbox have no evidence of a security breach in the Xbox LIVE service"... What, aside from the large number of users complaining of hijacked accounts? The sudden increase in FIFA DLC sales? Yeah, nothing to see there.

      It's clear some of the blame is on their end. I had the FIFA hack happen to me a while ago and I'm stumped as to how or why someone can use my points without recovering my gamertag. I was one of the lucky ones that didn't have a card attached to my account, so the damage wasn't too severe; however, to add insult to injury, to have my points rightfully returned to me they wanted to block access to my account for what they said might take a month or more. Way to kick a man while he's down, Microsoft.

        Also, on another note, I believe I may have been phished while applying for the SWTOR beta. Apparently when you went to confirm your acceptance into the beta, hackers were intercepting the login details somehow. Then if you have your Xbox Live account attached to that EA account, you're looking at copping the FIFA hack. Also, apparently it's extremely easy to use plain old social engineering to get passwords from EA if you have the email for said account. Either way I copped it and it's not fun at all. All in all it's a combination of Microsoft and EA's fault and they both need to take some of the blame. Denial isn't making them look any better to the people who know that they're to blame.

          I had my XBL account hijacked too; they spent 2000MSP on FIFA DLC and changed my password. Never signed up for the TOR beta, honestly don't know how they got into mine (poor 5yo password aside). I didn't have a card attached to my account either, so no major damage. It was a pretty simple affair to get everything sorted out - a week after I talked to XBL support, I had my points back, my account had been unlocked, and I got a free month of XBL... which, considering I've been a satisfied free member for years, is pretty worthless to me, but I'm glad it got sorted out so quickly.

            Well, that's not too bad at all. They didn't even get my account; I used a different email for my EA account and my Xbox Live account. I lost 1000, not much but still enough to irritate me. From now on I'll just make sure not to have 1000+ points sitting on my account.

    I don't find it hard to believe the hijacks are user related to some extent...

    Although I wasn't affected on Xbox, my email/Hotmail account was hijacked... I have NO idea how... not a bloody clue at all. A very unique 15 character password, a secret question answered by asldfkjal;sdjlf;asdjf of some sort.

    But somehow, it happened. One day I got an email from a friend, one of those "my account's been compromised and I'll send spam to all my contacts" kinda emails that I laugh at for how poor their password keeping skills are... 3 hours later it happened to me.

    No idea how; I didn't open the email, I only received it and binned it, then 3 hours later my friend SMS'd me telling me I had been "haxx0rd", and indeed I logged in and found a lot of undeliverable mail messages etc.

    I got my account back... but how it got compromised I'll never know - I've never told my password to anybody, I scanned my PC for key loggers, I went into overdrive and started to check everything on my PC, including security logs etc... no trace, no answer, no solution.

    Could easily happen again, but how it happened I don't know...

      How, you ask? It's Hotmail, that's why.

    I guess we should be grateful that "Safer Internet Day" is today and not in June or July sometime.

    How about starting with some greater transparency in their review process? An automated e-mail response doesn't tell people what's happening. Give them someone to talk to, either via e-mail, chat or phone, and give that person the power to actually find out what's happening, why it's happening, and how long the process will take.

    That opening picture is really clever.

    Anyway, people wouldn't be so worried about security on the Xbox if they actually let you remove all credit card details from your account (you are required to have at least one, once you've put one in. You can remove that one by putting a new one in.)

      Only while you're using it for an Xbox Live Gold subscription. If you're not, then you can delete it without any issues.

        How? I don't have gold and they wouldn't let me? Seriously, if you can do it, I want to know how!

      You have to call them on the phone, but it can be done. The thing that bugs me the most (and it did happen to me in January and M$ were very quick getting everything fixed, so kudos to their people) is why FIFA? Of all the things you can be buying or playing, why that??

      Also as others have mentioned the hacks were done from a PC and I never had to recover my gamertag afterwards - so presumably none of this stolen DLC has been transferred to a console?

    Hey Alex, any chance of getting those 2 FIFA achievements removed from my gamertag? That or letting the compromised users keep the copy of FIFA 12 as a consolation prize? The free month of Live Gold was nice, but it did only JUST cover the downtime my account had in the first place...

    When it happens to PS3 users everyone throws a stink, and for good reason.
    When it happens to Microsoft they actively deny it even happening and consumers start to blame other consumers as if it were their fault. Despite the fact this is happening en masse.

    My mind cannot comprehend the stupidity going on here.

    I call bullshit.

    My Xbox Live account was hijacked in August last year, transferred to Russia and used to buy up tens of thousands of points, all of which were somehow on-sold in a matter of about half an hour while I was asleep.

    It was an organised and "professional" job.

    Now, six months down the track and after having to contact Microsoft numerous times, they have finally concluded their "investigation" and I have control of my account back. They also "generously" refunded the points that were scammed. Problem is, despite me telling them on many separate occasions, I didn't purchase the points and had no need or desire for them.

    Now I start another round of contacting MS to get my money refunded.

    Microsoft is "really listening to really hear" what I was saying and asking? Rubbish. Their customer service reps have rigid scripts that they follow and when you ask to be transferred to a manager or someone with authority you get told that it can't be done.

    It seems that customer service managers either don't exist at MS, or they are cowards who hide behind their front line staff.

    Personally, I'll be doing my utmost to ensure MS never sees another cent of my money.