Giant Bomb News


A Q&A With Stephen “Stepto” Toulouse on Xbox Live Security

Microsoft responds to Patrick's story through a conversation with the director of policy and enforcement for Xbox Live.

You'll often see Stephen "Stepto" Toulouse discussing banning and piracy at events like PAX.

I published a story Wednesday about how Xbox Live users with compromised accounts are waiting at least 25 days, and in excess of 90 days, before regaining access. It ran without a response from Microsoft.

I’d run my questions by Microsoft twice, but in both cases, the company failed to respond, and did not even issue a simple no comment. Given the nature of the article, however, I wasn’t surprised.

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

Better late than never, right?

Toulouse is no stranger to getting hacked, either: it happened to him earlier this year.

What follows is a complete transcript of our conversation yesterday, in which we discuss how Toulouse’s team handles compromised accounts, the ways users can protect themselves, why FIFA 12 became a popular target for attackers, and how a 90-day response is unacceptable.

***

Giant Bomb: To be totally honest, I figured that [fraud] was not under your purview. Maybe that’s more my interpretation of your more public persona of talking more about users who have been banned, and about piracy.

Stephen Toulouse: It falls under a couple of people’s purview, to be honest. It’s a little bit of product support--that’s the recovery process. My team actually goes through and investigates what the bad guys are trying to do, and how we can implement new things to stop them. I say time and again that security in our industry is a journey, it’s not a destination. With every change, the attackers will pivot and come up with something new. It’s not fully under my purview, but I’m probably the person most versed in the questions that you’re asking.

GB: I know you can’t explicitly explain what you’re trying to push back against. The common techniques I hear are related to phishing scams, which are altered web pages or emails, and social engineering, which happens on the customer service side. Are those still accurate? Are those terms still relevant? How does your team address that?

Toulouse: There are several pieces of overall advice that we have, and we’ve collected them all, by the way, on xbox.com/security. But just briefly, the attacker is going after the underlying Windows Live ID, and I think a lot of people don’t quite realize their gamertag, being tied to that Windows Live ID, there’s some things that they can do, there are some tools that are provided to help secure that, [which] help make it more difficult for attackers. For instance, we have the ability on Live.com, which is the Windows Live ID site, you can add secondary proofs to your account, secondary notifications when people are trying to take control of the account, for instance you can set up SMS, or you can set one of your PCs to be a trusted PC. There’s a whole series of steps that we’ve outlined on that website, xbox.com/security, that are proactive things that you can help do.

The most common stuff we run into falls into just generally three categories.

The first you just mentioned is phishing. Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured. Another thing is that sometimes people will get notifications on their Xbox or in an email saying "Hey, I can get you into the brand-new, super top secret Halo 4 beta and all you’ve gotta do is give me your password and I’ll put you on the list, and when you log in, it’ll download." Not realizing that they’re giving away their password to their Windows Live ID, and that could compromise their account. Phishing takes a number of [forms].

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, [like] trying to be careful about your personal information and when you give that out.

The last thing that we’re finding that’s becoming a bit of a problem is people sharing passwords, like using one password for all their gaming sites. If just one of them gets compromised, then suddenly that password list will get handed around to some pretty sophisticated rings of people, who will then try and start attacks of this nature. I think you covered an awful lot of this, I just wanted to confirm that, yeah, that’s the three things that we see that are the big threats.

Halo 3 prompted concerns about social engineering, as users targeted those with Recon armor.

GB: When they discover an unauthorized purchase or a change of their Avatar or something where they suspect their account has been compromised in some fashion, what is the immediate step they should take to start the process to take their account back to where it was before?

Toulouse: The first thing that they should do is to go to Live.com and try to log in and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

GB: When I put out a call for people to share their stories, 99 out of 100 times, I’m going to get stories of people that aren’t happy with the process or how their particular story played out. That’s the nature of the Internet--they’re going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number of users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?

Toulouse: I think the law of large numbers starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There’s a couple of things going on.

When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attacker has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that’s not the issue. The question is how many things the attacker has done to try and make it harder for us.

One of the interesting tidbits of information that most people don’t realize is the attackers will call into us, claiming they’ve been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.

Toulouse claims account compromises often rise around the release of a big new game.

GB: They’re basically testing you so they can learn from the next time they try with another account. To filter out your process so their process can be more efficient.

Toulouse: Exactly, and we try to make our process better at the same time. It points back to that “security is a journey, not a destination” point. We’re like any system. I mean, this is not a problem that banks have solved, but we’re laser focused. We understand that when people have been out of their account for 45 days, that’s really a terrible experience. We certainly want to get better at that, we want to improve our process for those customers, and we’re definitely going to make sure that they’re credited that time and when we give them back their account, that they’re not on the hook for any of that stuff. There’s outliers that need to be done more quickly, absolutely.

GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?

Toulouse: If they saved their games in the cloud, with the new cloud saving feature, they would not be able to access them, but their local saved games would be fine. They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.

GB: Even though the account has been locked down from accessing Xbox Live specifically, they can still log into that local profile and so long as all their saves aren’t in cloud, they can access those, earn achievements, and unless some crazy outlier occurs, that will all just sync together once the account has been recovered.

Toulouse: Yeah. It depends on a couple of things, though, to be crystal clear. If it’s just a matter of giving them back the password, then that’s usually not going to be an issue. If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question. I can look into all the full scenarios if you like, but to be clear, they would still have access to their saved games and all their local stuff.

GB: As long as it’s on a memory card or your hard drive, you’re going to be able to keep playing your Skyrim save until everything gets worked out on Microsoft’s side.

Toulouse: Right.

If your account gets compromised, you can keep playing if you have locally saved games.

GB: FIFA 12 seemed to be a really large target lately. It wasn’t really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had [built] made it convenient for these phishing attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing “Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs.”

Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That’s one of the things my team does. “Hey, we’re suddenly seeing a Modern Warfare scam, let’s go contact Infinity Ward or Treyarch or Activision.” That’s a key piece of what my team does--it notifies them.

We’ve definitely been working with EA, working to understand it, and what we’ve discovered, basically, is that it’s a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven’t seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it’s just one more way for attackers to create value to turn around and resell a stolen account in another market. I can’t imagine there’s too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.

GB: So you’re not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.

Toulouse: The thing that’s unique about FIFA is that it has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

GB: When your Xbox Live account becomes compromised, which is then tied to a Windows Live ID, which could also be tied to a Hotmail account, and if it is the primary email account of the user, what sort of complications does that involve, given that account has now been compromised?

Toulouse: If the underlying Windows Live ID of the gamertag is the primary email, then, yes, the attacker has control of the email with all of the associated things that [entails]. They can send mail, they can delete mail, and that’s one of the reasons we lock everything. That way, these attackers can’t take further action on the account.

Users have reported finding their accounts a target for FIFA Ultimate Team purchases.

GB: What is the additional step for the user in that scenario? It’s not like you’re calling customer service every day to get an update. Often times, you’re getting an emailed update that says “hey, the account’s been recovered, here are the steps that you need to take to reset your password, etc, etc.” In the situation where someone is completely involved in the Microsoft ecosystem, are they able to authorize a secondary email so those things can occur? Or does that all happen over the phone at that point?

Toulouse: It does have to happen in the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened.

GB: I have to imagine you and your team must find yourselves in scenarios where during the phone conversations, you figure out this person isn’t who they say they are. What happens in that scenario, where you have the evidence to determine that someone is attempting to trick the system?

Toulouse: We politely end the call, and then that gets noted in the case notes.

GB: One situation I’d heard from users--and this isn’t unique to Microsoft or any company--is that if your account recovery is taking longer than the estimated time, the best thing that you can do is be persistent to make sure companies are aware of your account and you’re getting bumped up in the queue. You mentioned that you could dispute the charges, and several users had talked to me about filing something with the Better Business Bureau, and then suddenly would find their accounts magically bumped up the queue. Is that part of the process, where if an outside vendor becomes involved, that it becomes moved up in terms of how it’s addressed?

Toulouse: No, that would be coincidental.

I mean, from our perspective, we can’t go down that route pretty much. We have to make sure that we are doing the cases on a case-by-case basis. Some cases are more complex than others. Many get solved far before the 25 day estimate, and, at that point, we certainly, if customers have not heard from us, we certainly encourage them to contact us. If you’ve hit the 25 day [window] and you haven’t heard from us, please call back in.

GB: A couple of users reported being told by customer service, as their account was being recovered or perhaps transferred to a new one, that certain licenses were more difficult to transfer than others. My theory from that was that there were certain games or services that were no longer available for purchase on Xbox Live, but you can still access if you purchased them in the past. Are some of the license issues related to that, or are they more extraneous circumstances?

Toulouse: They’re super-complex, and the reason that they’re complex is because the Xbox Live service has just evolved so much in the past six or seven years to encompass so many new types of data and licenses and things that customers can do that there’s all sorts of associated complexities when the attacker grabs the account and region migrates it to Russia. Now, there’s a whole bunch of license stuff that has to be repaired, in effect, to bring it back from that region. That’s just an example of some of the complexity. It’s both a function of the amount of different types of licenses, regional issues, whether or not those licenses are still owned or not. There’s just a ton of complexity.

GB: I know you probably can’t dole out the nuance of what your team does to recover an account, but if I had to try and express the frustration of users between what your team has to do in order to bring an account back, is that it should be more a matter of just flipping a switch. It’s in Russia, now change it to America. Can you illuminate a bit more of what’s involved there?

Toulouse: I don’t think people realize, because they’re only in one region, that the reality is that if you live in the UK, you see a much different--a dramatically different--set of content on Xbox Live than you do in the United States. Likewise, [in] Canada, you see a completely different set of content than you’d see in the United States. And that has a lot to do with just the fact that licensing in a worldwide service is really complex, and there are different studios and different content delivery entities that don’t want their stuff necessarily available in certain ways in certain markets, and everybody, by the way, has to deal with these challenges. It’s not just Xbox. That’s just one facet of the complexity that people don’t realize.

Having said that, there is no denying that we [want] to get better at this, [that] we want to get faster at this, and get customers’ accounts in their hands as quickly as possible. There’s both a complexity, which, yeah, I certainly want to communicate and have people understand that it’s not as simple as flipping a switch, but at the same time, we hear their feedback that we need to get better and faster at this.

GB: You mentioned the 25-day average. I did hear from a number of users that had it wrapped up in 10 days or less, depending on the complexity of their account and what had occurred. Does that number change through the year, based on how many people use the service? I have to imagine during the holidays, having sold 1.7 million machines, that there’s a lot of people going online, and there’s a lot more people that can be exposed to the worst parts of the Internet.

Toulouse: I think it’s both seasonal, as well as targets of opportunity. By that, I mean when a big title that has something that’s very lucrative and attractive. While, yes, there are ebbs and flows to what the attackers try to do, our goal is to always get that 25 days lower, regardless of how many users, regardless of the attacks--we want to continually try and lower that number.
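The secondary proofs Toulouse mentions above (an SMS code, a trusted PC) amount to a step-up check: a correct password presented from a device the owner has never trusted is not enough on its own. The Python below is an added example, not Microsoft's or Xbox Live's code; the account layout, the five-minute code lifetime, the three-attempt limit, the device identifiers and the in-memory SMS outbox are all assumptions made for illustration. It shows why such a check blunts two of the three threats he lists: a password captured by phishing, or reused from another site's breach, still fails from the attacker's console, and a burned code is not a lockout, the owner simply requests a fresh one.

```python
"""Step-up login check backed by a trusted-device list and a one-time SMS code.

Added example, not Microsoft's or Xbox Live's code. Account layout, code
lifetime, attempt limit, device identifiers and the SMS outbox are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

CODE_TTL_SECONDS = 300    # assumed policy: a one-time code lives five minutes
MAX_CODE_ATTEMPTS = 3     # assumed policy: wrong guesses before the code is burned
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    phone: str                                   # secondary proof: SMS destination
    trusted_devices: set = field(default_factory=set)
    pending_code: Optional[dict] = None          # hash, expiry and attempt count of the live code


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(hash_password(password, salt), salt, phone)


def issue_code(acct: Account, now: int, send_sms: Callable[[str, str], None]) -> None:
    """Generate a fresh six-digit code, store only its hash, deliver it by SMS."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_code = {
        "hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(acct.phone, code)


def login(acct, password, device_id, now, send_sms, code=None) -> str:
    """Return one of: bad_password, ok, code_required, bad_code, code_expired."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "bad_password"
    if device_id in acct.trusted_devices:
        return "ok"                              # known device: password alone suffices
    if code is None:
        issue_code(acct, now, send_sms)          # unknown device: demand the SMS proof
        return "code_required"
    pending = acct.pending_code
    if pending is None or now > pending["expires"] or pending["attempts"] >= MAX_CODE_ATTEMPTS:
        acct.pending_code = None                 # stale or burned: caller must request anew
        return "code_expired"
    pending["attempts"] += 1                     # count before comparing, so every guess costs
    if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), pending["hash"]):
        return "bad_code"
    acct.pending_code = None
    acct.trusted_devices.add(device_id)          # proof passed: remember this device
    return "ok"


def demo() -> list:
    """Constructed scenario: an attacker holding the stolen password, then the owner."""
    outbox = []                                   # stand-in for the SMS gateway

    def send(phone, code):
        outbox.append((phone, code))

    pw = "correct horse battery staple"
    acct = create_account(pw, "+1-555-0100")
    t = 1_700_000_000
    results = [login(acct, "wrong guess", "attacker-console", t, send)]
    # The attacker has the real password (phished, or reused from another site's
    # breach) but is on a device the owner never trusted.
    results.append(login(acct, pw, "attacker-console", t, send))
    real = outbox[-1][1]
    wrong = [f"{(int(real) + k) % 10**6:06d}" for k in (1, 2, 3, 4)]  # guaranteed misses
    for guess in wrong:
        results.append(login(acct, pw, "attacker-console", t + 1, send, code=guess))
    # The owner logs in, receives a fresh code on the registered phone and enters it.
    results.append(login(acct, pw, "owner-console", t + 2, send))
    results.append(login(acct, pw, "owner-console", t + 3, send, code=outbox[-1][1]))
    results.append(login(acct, pw, "owner-console", t + 4, send))  # now a trusted device
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The server stores only a hash of the code, but a six-digit space is trivially brute-forced offline, so the real protection against guessing is the attempt counter, which is incremented before the comparison so that a wrong guess always costs one of the three tries. And because anyone who knows the password can trigger an SMS from an unknown device, a production version would also rate-limit code issuance per account and per source to stop SMS flooding; that is left out here to keep the flow readable.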

Patrick Klepek on Google+
Posted by kingschiebi

As someone who works in the security industry and has a lot of contact with customers that handle different fraud scenarios (mostly in Europe), I'd like to point something out. Fraud is defined by almost all of them as an act where a 3rd party abuses the given service infrastructure and harms the service provider financially or creates a denial of service condition.

Interestingly enough, if one of their customers is the victim, it is not considered as fraud damage, but as a support case.

At least until it becomes public in some manner and gets a higher priority due to the PR damage inflicted.

I am not familiar with the way that Microsoft (or Sony/Nintendo) defines that particular issue, but I just wanted to put that out as food for thought.

Posted by Ragemachine

I can't help but feel suspect when I see how much of this is passed off as the users' fault: claiming they fell for social engineering, really basic and transparent phishing methods like his example provided, and malware. I think it's being vastly overplayed in a way that completely undermines what is important here; it isn't ever alright to blame your customers for being exposed to having their personal information and finances compromised through the services you as a company are responsible for and provided. It is your responsibility as the company to protect your customers from these threats; if customers are able to have their accounts and information compromised through using your services, that represents a flaw in your services, not your customers' usage. This isn't complicated, Microsoft, you're a company, act like a successful company: do not blame your customers, recognize that there is a problem in your system which is exposing your customers to risk and allowing attackers to exploit the system to an obviously high degree of success, change the system. Providing additional links and steps for some to take is not how you do it, either; require those steps outright if that's your security solution, or increase security within your system some other way. There's an obvious right way to handle situations and it isn't by enforcing a combative relationship with your stakeholders when there's a problem.

Posted by SimplyTron

Nicely done Patrick! Hope all you bitches out there criticizing this fine supple man can see his greatness shines through. Really well done, hard questions, great way to approach someone with respect. Unlike that goofball some of you retards defend. Yeah, Alex would never be able to do some serious shit like this. Hope you guys can stop suckin' his balls and see this is what real journalism is about.

Edited by Gunharp

@Foggen said:

@MordeaniisChaos: Jesus Christ. Rant a bit more, will you? If you read the article you'd know that some of these people's accounts were compromised due to vulnerabilities in what are almost certainly Microsoft web browsers. And that's without getting into vulnerabilities that probably exist on EA's side.

Yeah, I was just going to ignore Mordeaniis' post. It was a little surprising to see, the logic is well..haha *shrug* I don't think he's really thought about this critically. But hey, since you acknowledged, I'm in.

@MordeaniisChaos:

This probably will come off as a pretty mean insult. But sit on your comments, read them out loud. Maybe tell them to some one in person. Perhaps you will not come off as a ranting asshole next time. Yeah, yeah, I'm being a snarky dick about it right now. Just wanted to point it out.

Posted by Ehker

I had to skim this due to time, but is the same FIFA DLC not on PSN? If it is, that seems like you can't pass it off as "hey, this thing is popular so it's a target" if we haven't seen evidence of other services being able to sell it without issues.

Posted by ValiantGoat

@PresidentOfJellybeans: try deleting your cookies if you've not tried it. Sometimes I get the same thing and deleting xbox.com related cookies always solves my issue. This never used to happen to me, it's a fairly recent thing that happens sporadically.

Great article Patrick. I had my account jacked and all my points spent on Fifa12 items, so the article was somewhat relieving. Though most of Toulouse's answers boiled down to; we want to be faster, we gotta do what we gotta do, and shit's complex. Basically answers I was expecting, no chance a security guy would get into the nitty-gritty.

Edited by Swimm

@PresidentOfJellybeans: I had that same issue happen when xbox.com changed some of its systems a few months back. Try deleting any Microsoft-related cookies (xbox.com, live.com) and restart your browser. That cleared it up for me.

Great interview, Patrick! Nice to hear a more detailed response to this issue.

Edit: Hah, looks like I was beaten to it by a few minutes. :)

Posted by natetodamax

Cool, I'll read through this when I get the time. I saw most of the panel they had at PAX East 2011 and it was pretty interesting.

Posted by sixghost

So basically the company line is that it's 100% the user's fault for their accounts being compromised, and we're all lying about how long the recovery process takes? I've never heard of a single person having this resolved in less than 25 days, but somehow anyone who takes longer than 25 days to have their account unlocked is an "outlier".
 
He doesn't even allow for the possibility of Microsoft being partly responsible for stolen accounts. He should read up on how people used to steal accounts by repeatedly calling up MS customer support with tiny bits of personal information.

Posted by PresidentOfJellybeans

@ValiantGoat @Swimm That worked, thanks much!

Edited by Tennmuerti

Patrick delivers.

Edited by VibratingDonkey

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it. It's just really weird that they do not prioritize preemptive measures. Suppose it's good that they've introduced a couple of things that makes it easier for them/you to recover your account after it has gotten hijacked, but what the shit?

And Stepto says a lot about wanting to improve things. Well, what steps are you taking in order to make that happen, and is there a timeframe for when we should start seeing results?

Since investigations can be resolved relatively quickly (ask Geoff Keighley how long his took) it seems to me like the length of investigations is an issue of manpower more than it being technically difficult, which it really shouldn't be. After you've established who's the perp and who's the vic, what else is there to investigate? Recover the account to its rightful owner and unlock it. This process should not be complicated for accounts that have not gotten region migrated.

Microsoft appears negligent. They didn't (and seemingly still don't care to) implement measures to prevent this problem from happening, they are incapable of dealing with affected users in a timely fashion, and they're non-committal about introducing any potential improvements.

Although this is good.

@Stepto said:

The thing that’s unique about FIFA is that is has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

Putting some pressure on EA to change their easily exploitable system that's attracting these criminal elements. Which needs to happen. Maybe it will next year, because EA's certainly not gonna shut down and redesign the thing when it means cutting off an active revenue stream.

@Stepto said:

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, trying to be careful about your personal information and when you give that out.

Think he misunderstood this one. The concern is about customer support being tricked into giving out information, not the user.

He should know about stuff like that since if customer support doesn't ask the user to verify with this secondary proof, then it's useless in this context.

Posted by MrBungle

Didn't bother asking why Geoff Keighley gets a personal message about his hacked account? lame

Posted by cmblasko

Glad to finally get something out of MS on this. Great job on following this incident up, Patrick, thanks for keeping us informed.

Posted by Ronald

Toulouse: The first thing that they should do is to go to Live.com and try to login and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

So, basically, don't call them up and get your account locked out unless you really, really need to.

Posted by slyely

@tightestjeans said:

Great Interview Patrick, but you forgot to call him an asshole at the end.

Thanks for my daily laugh. All the serious comments then I ran into this one. :)

Posted by kingschiebi

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it.

The answer is usability.

Consoles are entertainment devices and that makes things even more difficult than on the PC.

People would complain - a lot - for every additional time they have to enter a password, even to the extent that they go with another product. No vendor would risk that and would rather take the hit for a couple of compromises instead.

Steam just gets away with that because their audience does generally understand much better the risk and issues attached to an online service and are also much more familiar with these security procedures.

That is simply something that a vendor does not expect from the average family that bought the "gaming box" for the living room.

Posted by FrankTheGank

"Toulouse: It does have to happen on the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened."

This answer really grinds my gears. I was able to lock my account but when they called me to un-suspend it, the name I gave was apparently not the name the account was created under (which is bs) and I'm still stuck with sinking money into a new account.

Edited by jasondesante

The giantbomb E3 podcast day 0 already has enough of Stepto's Microsoft damage control. I'm not buying it. A company known for refreshing its staff as often as they refresh their old tired policies, they don't deserve any respect. XboxLive is the only service with actual phishing scams, and there's still a debate over which system is better? Anyone else see this glitch in the matrix?

Posted by Slaker117

I noticed once that the original Gears of War was showing up on my recent activity list even though I hadn't touched it in months. Figuring that my account must have been compromised, I quickly went to change my password and contact support. Nothing seemed to have been altered or abused, but the guy on the phone apologized a lot and gave me a free 12 month subscription for Live. That was several years ago so I can't speak for the state of things now, but at least my experience was fairly painless.

Edited by Brian333

My best friend's account has been locked for 36 days (as of today) and he has had little to no response from Microsoft. I really appreciate this article, and the responses from Toulouse. However, I think that his positive attitude needs to be communicated better to Customer Service and a better system for updating the user needs to be in place. My friend (who cares very little for achievements, arcade games, or saved progress) finally got so frustrated that he just started a new gamertag and has no intention of ever using his old one again. Personally I would have a real hard time doing that. I am just kind of rambling here, but I appreciate the work Patrick put in and the response from Microsoft.

Posted by Curufinwe

@SpudBug said:

I guarantee Sony wouldn't be as fast or reliable in retrieving and recovering online accounts that had been compromised as XBL support is.

That guarantee is just you making an assumption that fits with your fanboy beliefs. The fact is that PSN accounts are not getting hacked left and right and then being used to buy Fifa 12 DLC. That's happening on the 360.

Posted by trjp

Microsoft's attitude to the whole issue of XBL security is wrong-headed - they are absolutely convinced the system is 'secure' but all the evidence suggests otherwise. They claim it's only the behaviour of users which is causing a problem but the sheer scale of the problem suggests otherwise (and even if it was, it's up to them to make it more secure anyway, surely?)

My account was hacked and I can categorically say that I wasn't phished, I have never shared my password and my 'secret question' was neither a dictionary word nor a logical answer to the question. I know people who've had dormant accounts hacked - that absolutely rules out password sharing or phishing and points right back to a glaring security hole in the system somewhere.

Worse still, hackers have found a way to make money from breaching people's accounts - by using saved payment details (mandatory for Gold/Developer accounts) to buy FIFA cards which they then transfer to other accounts/turn into coins/points and ultimately sell via eBay (check it or other sites - there's always plenty of stuff for sale).

This has been going on for at least a year - my account was hacked in September and they came back after just under 60 days to say "there was no evidence of fraud" (yeah, I gave away £54 worth of DLC for a game I don't even own!!). My bank had already refunded the money by this time - something MS actually suggested I do anyway "if I wasn't happy with their findings" (does that scream "we know we're wrong but fuck you buddy" or what?)

I have zero desire to be their customer any longer and so the XBOX is boxed and ready for sale (it's that or hack it - I'm not giving them a brass cent any other way) - and I'd STRONGLY remind people that keeping payment details up-to-date on XBL is a bad idea (pay with PayPal and then scrap the account!!) :)

Posted by insanejedi

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

Edited by VibratingDonkey

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it.

The answer is usability.

Consoles are entertainment devices and that makes things even more difficult than on the PC.

People would complain - a lot - for every additional time they have to enter a password, even to the extent that they go with another product. No vendor would risk that and would rather take the hit for a couple of compromises instead.

Steam just gets away with that because their audience does generally understand much better the risk and issues attached to an online service and are also much more familiar with these security procedures.

That is simply something that a vendor does not expect from the average family that bought the "gaming box" for the living room.

An unverified system only needs to be verified once. Using this security feature is optional.

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

Aw, does GB not allow animated gifs?

Posted by Curufinwe

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

Read the post below yours instead of just drinking the Microsoft kool-aid and blithely accepting that everyone who has been hacked was phished.

Posted by mrsmiley

I noticed that he didn't say much about how they deal with people who call up pretending to be you. I've worked in the phone support business for many years now, and in doing so have traveled around to many different business locations. Giving out personal information to callers is a HUGE deal. I really hope Microsoft is taking that seriously, because that's how my account was stolen many years ago. Someone called impersonating me almost 10 times.

Posted by kingschiebi

@VibratingDonkey said:

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

...

The answer is usability.

...

An unverified system only needs to be verified once. Using this security feature is optional.

Even if it is just one step more, it is one step too much. Same reason why online shops try to do their best in making the actual shopping as painless as possible (i.e. Amazon 1-Click), and still there are people who are put off by that. It is getting less, and "we" (for simplicity's sake, I assume that people here are somewhat proficient with computers and the internet) are not the problem. It's the average person on the street that is having problems with that.

It is the same reason why Apple is tremendously successful with their iOS devices and why Microsoft is working hard on making Metro as accessible as possible.

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

Posted by Kerned

Mr. Klepek has really been doin' it up lately. Nice work!

Posted by mythrol

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

You're a dumbass. My account was not hacked due to phishing because I never give anyone my password, nor do I ever respond to BS emails trying to trick me into giving my password away. I honestly think there is a weakness in EA's system which allowed people's accounts to get hacked because the passwords were the same.

As far as the interview goes, Fuck Microsoft. I'm one of those people whose account was locked out for almost 90 days. Not due to "complexity of the situation" but because Microsoft screwed up MULTIPLE TIMES during the recovery process and they have a horrible notification process to let people know something went wrong or they need additional information. The ONLY way you can get something processed is if you take it upon yourself to continually call them for updates. They WILL NOT contact you.

I've spent hours on the phone with their CSRs in regards to my account and like I told them, they are really lucky that the alternative options SUCK (PSN is no better). All it will take is one company to offer a service that does it right and I and many others will jump ship. The way they handle this stuff is horrible. I'm not even a PC gamer but I might become one just because Steam is so much better.

Posted by joelalfaro

I fall on the side of liking Stepto. Great job Patrick.

Posted by trjp

One thing I should add - when you report that you've been hacked, one of the things they ask for is your console serial number.

In my case, they came back after about 35 days and said I'd given them "the wrong console serial number". Now I only have 1 console - I've only EVER had one - I've never logged in to another console and when I confirmed the serial number, the guy on the phone said it was "the same as they already had and he couldn't understand what the problem was".

Later, when they concluded that "no fraud had taken place" they said that the transaction had "taken place on my console". If that's the case - why did they initially conclude that I'd given them "the wrong console serial number"?! There's almost no way someone could know my console serial number (nor could I know the hacker's serial number and if I were trying to defraud them - I'd have made one up!?)

I'm pretty convinced that there's a security hole somewhere - one of the things hackers do is buy Zune Points (not MS Points) and I'm wondering why that is?? It suggests that they're not operating the hack from a console directly - or even that the hack exploits a specific security hole which only permits Zune and not normal MS points to be bought!?

I'm 101% sure I've not been phished (I can't even remember receiving an XBL-related scam email) - MS confirmed I've never called to access my account (so no social engineering) and my account has only ever been Silver (so I've never played online). They said that "it appeared my account was reset using my secret question" and I know that wasn't me because I made that some random shit and even I couldn't remember what it was (which means I cannot possibly have told anyone it!!)

Posted by SolidSeminole

Thanks Patrick! Appreciate all you've done for those of us who are still in limbo. It's nice to get some answers.

Edited by George_Hukas

I am convinced I'll never access my Live account again. Those calls to customer service make sense though, now that I realize they simply believed I was trying to scam them and wasn't who I said I was. 25 days? Try 4 months.

Posted by JesseCherry

Keep up the good work, Patrick.

Posted by Curufinwe

The best way to get real action from MS on this issue is for people who have been hacked to bombard them with complaints and requests for help on Twitter, Facebook, etc. Only when the issue gets really embarrassing for Microsoft will they take action; see RROD.

Edited by vinsanityv22

Patrick is such a nuisance, even Microsoft can't ignore him? Jeez laweez.

It's just Xbox Live. It's not like a social security check being late. The world won't end, and you won't die, if you can't play online for a fucking month.

Posted by MayorFeedback

Seriously, this was a fascinating interview start to finish. Fucking amazing job, Patrick.

Edited by HamsterExAstris

I've been waiting 74 days and counting to have access to my account restored. Fortunately - I think - the hacker didn't buy any new points or start any new games, they only made one purchase with points I already had on the account.

I would have thought that this would be a reasonably easy fix. But I just spent a half-hour on the phone only to be told that they haven't bothered to look at the case yet, much less do anything to it, and the only thing they can do would kick the case back to the end of the queue.

I call bullshit on 25 days being worst-case if they take three times that long to start looking at cases, much less complete them.

Posted by UsbCable

Thanks to the podcast he frequents, I can only read his last name as toll house...... Good work on this topic Patrick, there are some simple tips in there everyone should follow.

@mrsmiley: They do note when people fail to verify themselves and reps are more informed about giving up info now so that shouldn't happen anymore. Even if you give up some wrong info they should just move onto something else to verify you instead of letting you know what info is wrong so a crook wouldn't know what to correct.
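
The verification practice described in the reply above (note the failed attempt, move on to another check, and never tell the caller which item was wrong) is what a support-desk identity check should do so that nothing in the rep's answers works as an oracle. Below is an added example of that logic, not code from Xbox Live or from any poster here: every on-file item is compared before the outcome is decided, the caller receives only a single pass/fail, the per-field detail goes to the audit log for investigators, and repeated failures lock the account's verification. The account name, on-file answers and lockout threshold are constructed for illustration.

```python
"""Added example: caller identity verification that does not leak which
answer was wrong. All names, answers and thresholds are constructed for
illustration; this is not Xbox Live code.
"""
import hashlib
import hmac
from collections import defaultdict


def _norm(value: str) -> bytes:
    """Case- and whitespace-insensitive form, so 'patrick  example' matches."""
    return " ".join(value.strip().lower().split()).encode()


def _digest(value: str) -> bytes:
    return hashlib.sha256(_norm(value)).digest()


# Constructed on-file records for a hypothetical account. Answers are kept
# only as hashes so a copy of the record is not itself an answer key.
RECORDS = {
    "patrick": {
        "legal_name": _digest("Patrick Example"),
        "console_serial": _digest("0000-CONSTRUCTED-0000"),
        "secret_answer": _digest("quorbax"),
    },
}

MAX_FAILURES = 3                    # constructed lockout threshold
failures = defaultdict(int)         # account -> consecutive failed attempts
audit_log = []                      # what the rep's tooling records, not what the caller hears


def verify_caller(account: str, provided: dict) -> str:
    """Return 'verified', 'not-verified' or 'locked'.

    Every on-file item is compared (constant-time) before the result is
    decided, and the caller gets the same answer whether one item or all of
    them were wrong. A probing caller therefore cannot fix one field at a
    time, while the audit log keeps the per-field detail for investigators.
    """
    record = RECORDS.get(account)
    if record is None:
        # unknown account: same answer as a wrong one, so account names
        # cannot be enumerated through the support line
        audit_log.append((account, "not-verified", None))
        return "not-verified"
    if failures[account] >= MAX_FAILURES:
        audit_log.append((account, "locked", None))
        return "locked"

    wrong = []
    for field, expected in record.items():
        got = _digest(provided.get(field, ""))
        if not hmac.compare_digest(got, expected):
            wrong.append(field)     # keep going; never return on the first miss

    if not wrong:
        failures[account] = 0
        audit_log.append((account, "verified", []))
        return "verified"

    failures[account] += 1
    audit_log.append((account, "not-verified", sorted(wrong)))
    return "not-verified"


if __name__ == "__main__":
    print(verify_caller("patrick", {"legal_name": "Patrick Example",
                                    "console_serial": "0000-CONSTRUCTED-0000",
                                    "secret_answer": "quorbax"}))   # verified
    print(verify_caller("patrick", {"legal_name": "Patrick Example",
                                    "console_serial": "0000-CONSTRUCTED-0000",
                                    "secret_answer": "guess"}))     # not-verified
    print(audit_log[-1])            # ('patrick', 'not-verified', ['secret_answer'])
```

The return value is all a rep should read back to the caller; the `audit_log` entry is the record that lets an investigator later see which item a would-be impersonator kept getting wrong, which is exactly the information that must not travel back over the phone.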

Posted by Goldanas

It's a bummer Sony never gave you this much PR time. Microsoft is at least (somewhat) on it. If you can't run a service well, at least get the nice face to come out and give you the full rundown. Sometimes that's all you can do.

This was a great interview Patrick, and I really like how you very directly addressed very specific concerns. My only complaint is that there is not a video so that I can watch it all go down in action.

Posted by rick9109

I find the people who work at Xbox support to be incredibly nice and competent. The problem is there is something wrong with the infrastructure of the support organization itself that limits how effective these guys can be. It's just simply unacceptable and unnecessary when you realize there are several other services around the internet that deal with higher traffic, have much more-slammed support queues and are even more frequent outlets of scams and abuse, that are able to solve these sorts of problems in minutes.

Edited by DSale

My account was hacked back in September. I had it back by Halloween. It was close to 25 days it was shutdown.

They took me for $95 of points, and spent it all on FIFA product. This interview actually lines up with my experiences very very closely.

As far as them claiming it was a phishing scam... I don't really believe that. I use separate passwords for major websites (anything I have to put my credit card into), and my Windows Live ID was no different. I have no idea how they got a hold of my information, but I think there might be a bigger problem at hand here.

Best way to keep this from happening? Delete your card information from your account and console. If the information isn't stored on the XBox live server, it can't be used for fraudulent purchases. Annoying that you have to re-input the card for each purchase, but in this case, it's better safe than sorry.

-my two cents

Posted by dagas

I've been listening to the Major Nelson Podcast for years and it creeped me out to see what Major Nelson himself looked like and now Stepto looks nothing like I imagined. It's like when you read a book and create the characters in your mind and then they make a movie and they are very different.

Posted by CharlesAlanRatliff

This reminds me ... I need to get Stephen's book on Kindle.

Posted by Obinice

All I can think from this guy's nickname is Steptoe & Son. You dirty dirty old man! He grew up next door to my mum, so he did.

Posted by LameImpala

"When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer."

I find this bit hard to believe, to be honest.

-Guy who hasn't had access to XBL since October 21

Edited by freakydude20

microsoft told me after the hacker did some crazy shit to my account he is now "still able to play" with my account but he can't buy anything, which after reading this interview sounds completely random or a total lie. I assume I'm going to have to recover my gamertag which means I get to watch as all my rage and skyrim achievements go to shit. I don't have the fucking time to do all that again. BAH... sucks being deployed for all this too.

EDIT: oh and after checking xbox.com he has changed the account my email is attached to to "uranousdevotee9" and is just loving it right now with all my accounts purchases...

and yes I know I commented on another story with the same shit but I just found the rest of that out lol

Posted by MideonNViscera

The whole reason these things take forever is because they have to cover their asses so hard. Or at least they did. Maybe now that you can't sue them for every little thing it can speed up a bit haha

Posted by incandenza137

Seems like they should almost always disallow these region transfers, unless they have something signed in triplicate in blood or something. How many US Xbox users legitimately move to Russia?
