Giant Bomb News

A Q&A With Stephen “Stepto” Toulouse on Xbox Live Security

Microsoft responds to Patrick's story through a conversation with the director of policy and enforcement for Xbox Live.

You'll often see Stephen "Stepto" Toulouse discussing banning and piracy at events like PAX.

I published a story Wednesday about how Xbox Live users with compromised accounts are waiting at least 25 days, and in excess of 90 days, until regaining access. It ran without a response from Microsoft.

I’d run my questions by Microsoft twice, but in both cases, the company failed to respond, and did not even issue a simple no comment. Given the nature of the article, however, I wasn’t surprised.

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

Better late than never, right?

Toulouse is no stranger to getting hacked, either: it happened to him earlier this year.

What follows is a complete transcript of our conversation yesterday, in which we discuss how Toulouse’s team handles compromised accounts, the ways users can protect themselves, why FIFA 12 became a popular target for attackers, and how a 90-day response is unacceptable.

***

Giant Bomb: To be totally honest, I figured that [fraud] was not under your purview. Maybe that’s more my interpretation of your more public persona of talking more about users who have been banned, and about piracy.

Stephen Toulouse: It falls under a couple of people’s purview, to be honest. It’s a little bit of product support--that’s the recovery process. My team actually goes through and investigates what the bad guys are trying to do, and how we can implement new things to stop them. I say time and again that security in our industry is a journey, it’s not a destination. With every change, the attackers will pivot and come up with something new. It’s not fully under my purview, but I’m probably the person most versed in the questions that you’re asking.

GB: I know you can’t explicitly explain what you’re trying to push back against. The common techniques I hear are related to phishing scams, which are altered web pages or emails, and social engineering, which happens on the customer service side. Are those still accurate? Are those terms still relevant? How does your team address that?

Toulouse: There’s several pieces of overall advice that we have, and we’ve collected them all, by the way, on xbox.com/security. But just briefly, the attacker is going after the underlying Windows Live ID, and I think a lot of people don’t quite realize their gamertag, being tied to that Windows Live ID, there’s some things that they can do, there are some tools that are provided to help secure that, [which] help make it more difficult for attackers. For instance, we have the ability on Live.com, which is the Windows Live ID site, you can add secondary proofs to your account, secondary notifications when people are trying to take control of the account, for instance you can set up SMS, or you can set one of your PCs to be a trusted PC. There’s a whole series of steps that we’ve outlined on that website, xbox.com/security, that are proactive things that you can help do.

The most common stuff we run into falls into just generally three categories.

The first you just mentioned is phishing. Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured. Another thing is that sometimes people will get notifications on their Xbox or in an email saying "Hey, I can get you into the brand-new, super top secret Halo 4 beta and all you’ve gotta do is give me your password and I’ll put you on the list, and when you log in, it’ll download." Not realizing that they’re giving away their password to their Windows Live ID, and that could compromise their account. Phishing takes a number of [forms].

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, [like] trying to be careful about your personal information and when you give that out.

The last thing that we’re finding that’s becoming a bit of a problem is people sharing passwords, like using one password for all their gaming sites. If just one of them gets compromised, then suddenly that password list will get handed around to some pretty sophisticated rings of people, who will then try and start attacks of this nature. I think you covered an awful lot of this, I just wanted to confirm that, yeah, that’s the three things that we see that are the big threats.

Halo 3 prompted concerns about social engineering, as users targeted those with Recon armor.

GB: When they discover an unauthorized purchase or a change of their Avatar or something where they suspect their account has been compromised in some fashion, what is the immediate step they should take to start the process to take their account back to where it was before?

Toulouse: The first thing that they should do is to go to Live.com and try to log in and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

GB: When I put out a call for people to share their stories, 99 out of 100 times, I’m going to get stories of people that aren’t happy with the process or how their particular story played out. That’s the nature of the Internet--they’re going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number of users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?

Toulouse: I think we run a bit into the law of large numbers, which starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There’s a couple of things going on.

When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attacker has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that’s not the issue. The question is how many things the attacker has done to try and make it harder for us.

One of the interesting tidbits of information that most people don’t realize is the attackers will call into us, claiming they’ve been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.

Toulouse claims account compromises often rise around the release of a big new game.

GB: They’re basically testing you so they can learn from the next time they try with another account. To filter out your process so their process can be more efficient.

Toulouse: Exactly, and we try to make our process better at the same time. It points back to that “security is a journey, not a destination” point. We’re like any system. I mean, this is not a problem that banks have solved, but we’re laser focused. We understand that when people have been out of their account for 45 days, that’s really a terrible experience. We certainly want to get better at that, we want to improve our process for those customers, and we’re definitely going to make sure that they’re credited that time and when we give them back their account, that they’re not on the hook for any of that stuff. There’s outliers that need to be done more quickly, absolutely.

GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?

Toulouse: If they saved their games in the cloud, with the new cloud saving feature, they would not be able to access them, but their local saved games would be fine. They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.

GB: Even though the account has been locked down from accessing Xbox Live specifically, they can still log into that local profile and so long as all their saves aren’t in cloud, they can access those, earn achievements, and unless some crazy outlier occurs, that will all just sync together once the account has been recovered.

Toulouse: Yeah. It depends on a couple of things, though, to be crystal clear. If it’s just a matter of giving them back the password, then that’s usually not going to be an issue. If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question. I can look into all the full scenarios if you like, but to be clear, they would still have access to their saved games and all their local stuff.

GB: As long as it’s on a memory card or your hard drive, you’re going to be able to keep playing your Skyrim save until everything gets worked out on Microsoft’s side.

Toulouse: Right.

If your account gets compromised, you can keep playing if you have locally saved games.

GB: FIFA 12 seemed to be a really large target lately. It wasn’t really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had built made it convenient for these phishing attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing “Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs.”

Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That’s one of the things my team does. “Hey, we’re suddenly seeing a Modern Warfare scam, let’s go contact Infinity Ward or Treyarch or Activision.” That’s a key piece of what my team does--it notifies them.

We’ve definitely been working with EA, working to understand it, and what we’ve discovered, basically, is that it’s a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven’t seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it’s just one more way for attackers to create value to turn around and resell a stolen account in another market. I can’t imagine there’s too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.

GB: So you’re not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.

Toulouse: The thing that’s unique about FIFA is that it has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

GB: When your Xbox Live account becomes compromised, which is then tied to a Windows Live ID, which could also be tied to a Hotmail account, and if it is the primary email account of the user, what sort of complications does that involve, given that account has now been compromised?

Toulouse: If the underlying Windows Live ID of the gamertag is the primary email, then, yes, the attacker has control of the email with all of the associated things that [entails]. They can send mail, they can delete mail, and that’s one of the reasons we lock everything. That way, these attackers can’t take further action on the account.

Users have reported finding their accounts a target for FIFA Ultimate Team purchases.

GB: What is the additional step for the user in that scenario? It’s not like you’re calling customer service every day to get an update. Oftentimes, you’re getting an emailed update that says “hey, the account’s been recovered, here are the steps that you need to take to reset your password, etc, etc.” In the situation where someone is completely involved in the Microsoft ecosystem, are they able to authorize a secondary email so those things can occur? Or does that all happen over the phone at that point?

Toulouse: It does have to happen in the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened.

GB: I have to imagine you and your team must find yourselves in scenarios where during the phone conversations, you figure out this person isn’t who they say they are. What happens in that scenario, where you have the evidence to determine that someone is attempting to trick the system?

Toulouse: We politely end the call, and then that gets noted in the case notes.

GB: One situation I’d heard from users--and this isn’t unique to Microsoft or any company--is that if your account recovery is taking longer than the estimated time, the best thing that you can do is be persistent to make sure companies are aware of your account and you’re getting bumped up in the queue. You mentioned that you could dispute the charges and several users had talked to me about filing something with the Better Business Bureau, and then suddenly would find their accounts magically bumped up the queue. Is that part of the process, where if an outside vendor becomes involved, that it becomes moved up in terms of how it’s addressed?

Toulouse: No, that would be coincidental.

I mean, from our perspective, we can’t go down that route pretty much. We have to make sure that we are doing the cases on a case-by-case basis. Some cases are more complex than others. Many get solved far before the 25 day estimate, and, at that point, we certainly, if customers have not heard from us, we certainly encourage them to contact us. If you’ve hit the 25 day [window] and you haven’t heard from us, please call back in.

GB: A couple of users reported being told by customer service, as their account was being recovered or perhaps transferred to a new one, that certain licenses were more difficult to transfer than others. My theory from that was that there were certain games or services that were no longer available for purchase on Xbox Live, but you can still access if you purchased them in the past. Are some of the license issues related to that, or are they more extraneous circumstances?

Toulouse: They’re super-complex, and the reason that they’re complex is because the Xbox Live service has just evolved so much in the past six or seven years to encompass so many new types of data and licenses and things that customers can do that there’s all sorts of associated complexities when the attacker grabs the account and region migrates it to Russia. Now, there’s a whole bunch of license stuff that has to be repaired, in effect, to bring it back from that region. That’s just an example of some of the complexity. It’s both a function of the amount of different types of licenses, regional issues, whether or not those licenses are still owned or not. There’s just a ton of complexity.

GB: I know you probably can’t dole out the nuance of what your team does to recover an account, but if I had to try and express the frustration of users between what your team has to do in order to bring an account back, is that it should be more a matter of just flipping a switch. It’s in Russia, now change it to America. Can you illuminate a bit more of what’s involved there?

Toulouse: I don’t think people realize, because they’re only in one region, that the reality is that if you live in the UK, you see a much different--a dramatically different--set of content on Xbox Live than you do in the United States. Likewise, [in] Canada, you see a completely different set of content than you’d see in the United States. And that has a lot to do with just the fact that licensing in a worldwide service is really complex, and different studios and different content delivery entities don’t want their stuff necessarily available in certain ways in certain markets and everybody, by the way, has to deal with these challenges. It’s not just Xbox. That’s just one facet of the complexity that people don’t realize.

Having said that, there is no denying that we want to get better at this, and we want to get faster at this, and get customers’ accounts in their hands as quickly as possible. There’s both a complexity, which, yeah, I certainly want to communicate and have people understand that it’s not as simple as flipping a switch, but at the same time, we hear their feedback that we need to get better and faster at this.

GB: You mentioned the 25 day average. I did hear from a number of users that had it wrapped up in 10 days or less, depending on the complexity of their account and what had occurred. Does that number change through the year, based on how many people use the service? I have to imagine during the holidays, having sold 1.7 million machines, that there’s a lot of people going online, and there’s a lot more people that can be exposed to the worst parts of the Internet.

Toulouse: I think it’s both seasonal, as well as targets of opportunity. By that, I mean when a big title comes out that has something that’s very lucrative and attractive. While, yes, there are ebbs and flows to what the attackers try to do, our goal is to always get that 25 days lower, regardless of how many users, regardless of the attacks--we want to continually try and lower that number.

Patrick Klepek on Google+
Posted by Stahlbrand

Toulouse seems very reasonable, his explanation of MS's perspective was straight-forward and plausible. As somebody with fleeting familiarity with the issues of regional licensing complexity he mentioned, I can sympathize with the headache that un-fucking an account must be. Still it would be terrible to be victimized and then have to wait a super long time to get everything back. There is no easy solution to a problem like this in this age - too many borders and too much 20th century thinking, nothing will ever work as smoothly as it should where the interconnected 'online world' brashly tramples across political boundaries.

Also, LOL at the guy who said he was 101% sure he'd never been phished. That is the same as saying you're sure you've never been conned.

Posted by lockwoodx

@kingschiebi said:

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

Correct. I put off getting a smart phone for 4 years longer than I needed simply because I had no practical use for one and didn't feel like/didn't have the time for learning a new platform atm.

Posted by trjp

The worrying thing here isn't just that there's clearly a security problem they're ignoring (and have been for at least a year as Googling shows cases going back to at least late 2010) - it's the sheer scale of the problem.

If it's taking MS over a month to deal with each case - how many cases do they have?? I mean I cannot imagine it takes more than a few minutes for someone to look into an account and see what happened, so even if only 1 person were doing it, that's several hundred cases a day (and in reality it's probably 100 times that!?)

If that doesn't tell them they need to tighten-up security - I've no idea what will.

To back this up - just mention XBL accounts being hacked on any gaming forum and you'll find people instantly who've been through this - I don't know all that many people with 360s (hence my disinterest in Gold) but of the dozen-or-so I know, 2 were hacked before me and 3 have been hacked since - that's a fairly high percentage!!

You have to be an idiot to assume this is all down to phishing or social engineering - it's just too widespread. I'm 101% convinced that MS are just fronting - thinking if they say "XBL is a closed and secure system" that it will be believed - but it's clearly far, FAR from that.

Posted by blacklab

Bald guy with goatee is bald guy with goatee is bald guy with goatee.

Posted by VibratingDonkey

@kingschiebi said:

@VibratingDonkey said:

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

...

The answer is usability.

...

An unverified system only needs to be verified once. Using this security feature is optional.

Even if it is just one step more, it is one step too much. Same reason why online shops try to do their best in making the actual shopping as painless as somehow possible (i.e. Amazon 1-Click), and still there are people who are put off by that. It is getting less, and "we" (for simplicity's sake, I assume that people here are somewhat proficient with computers and the internet) are not the problem. It's the average person on the street that is having problems with that.

It is the same reason why Apple is tremendously successful with their IOS devices and why Microsoft is working hard on making Metro as accessible as possible.

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

That's partly why it is optional and the user needs to actively seek it out and enable it. It doesn't affect the usability for anyone in the slightest, apart from making it easier for users to keep their accounts secure. If you prefer to make it easier for criminals to steal your account and money then you're free to do so without being inconvenienced.

Personally I find the idea of a person being bothered by the presence of an optional security feature fucking bananas. In case that wasn't clear.

Also Microsoft has relatively recently implemented like three or four optional security features, two of which are enabled on or otherwise incorporate your console. Two step authentication could've been used in place of a bunch of them, improving usability by making all that stuff simpler.

Edited by CptBedlam

Nicely done, Patrick. Great Interview. And kudos to MS/Stepto as well.

Gotta say, the scope of these "hacks" surprised me quite a bit. MS really needs to get behind this.

Posted by mlipkin

Just got off with support this morning to check on the status of my investigation, and either MS support is the most poorly informed in the biz or Toulouse was lying to you Patrick.

He said 25 days was an outlier--support said it will take a minimum of 25-30 days and to not bother calling back until then.

Also, Toulouse told you: "They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.[But] If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question."

Support said in almost all cases of fraud, you lose all the achievements earned while playing on the local profile. The only time you get to keep that progress is when the account does not need to be recovered to that particular console, i.e. some weird case where your roommate is the one that hacked you. So when he says they should synchronize, that's bull.

Posted by mlipkin

Update: After being told by support this morning that my case was still in the queue and should expect a result around Christmas, I tweeted Stepto about how his 25-days-as-outlier claim was BS, and 15 minutes later, I magically have an account reset e-mail in my inbox. I'm obviously happy this got sorted out for me, but furious at how many lies I've been told during this whole process.

Posted by Airship

Good job on this whole story, Klepek. Thank God someone in the game press had the balls to write what had to written.

Posted by Gunharp

@mlipkin said:

Update: After being told by support this morning that my case was still in the queue and should expect a result around Christmas, I tweeted Stepto about how his 25-days-as-outlier claim was BS, and 15 minutes later, I magically have an account reset e-mail in my inbox. I'm obviously happy this got sorted out for me, but furious at how many lies I've been told during this whole process.

For real? Just like that for bothering Stepto?

Posted by Brendan

@MideonNViscera said:

The whole reason these things take forever is because they have to cover their asses so hard. Or at least they did. Maybe now that you can't sue them for every little thing it can speed up a bit haha

You can still sue them for every little thing, you just can't do it in a group now.

Posted by YOUNGLINK

No new news, but Patrick got the most he could out of stepto.

Posted by mlipkin

@Gunharp: For real. Tweeted him twice, including one that included this article. Almost immediately got an e-mail from MS telling me the investigation was completed and they were refunding me the money.

Edited by trjp

@Stahlbrand said:

Also, LOL at the guy who said he was 101% sure he'd never been phished. That is the same as saying you're sure you've never been conned.

I can honestly say I've never, ever, ever been caught by any sort of phishing scam for the following reasons

1 - I've worked with networks since before most people knew they existed - I've worked with network security, email and the web for decades - I even wrote anti-phishing browser plugins back when such things were popular - I know how stuff gets done, I know how scams work and phishing is really, really, really obvious to me - I just don't fall for it - ever.

2 - I cannot ever remember receiving an email asking me to login to XBOX Live for any reason anyway - I've had them for PayPal and every Bank/Finance site you can think of but I cannot ever remember seeing one for XBL (and as I said earlier, I don't click on anything in emails - ever - anyway)

3 - I know I've not been phished in this case because they accessed my account using my secret question and I DON'T KNOW WHAT THAT IS - I just hammered the keyboard to make it up - so I cannot possibly have surrendered it to anyone! :)

You (and MS) can keep kidding yourself that this is entirely a "user problem" but I strongly suspect there's more to it and that, sooner or later, you may well find yourself on the wrong end of it.

Meanwhile it must be costing MS a fortune to deal with all the cases - but then they'll be making a fortune from people who don't check their accounts carefully and get scammed and never notice (which, if it transpires this is MS's problem and not just a 'user problem' - makes them a party in fraud surely?)

Posted by magus213

@Rincewind said:

Patrick Klepek dropping bombs on this issue.

I prefer the phrase "dropping Hot Scoops."

Edited by KaneRobot

Of course Microsoft ignored the requests for info on people having to wait that long, they don't give a damn about individual customer problems. It took getting a story published on a major gaming site to get them to respond.

Not that they're any more nonchalant than other companies about some of their bullshit processes & problems (Tretton saying at E3 that PSN being dead for a month with user info stolen was "blown out of proportion" by the media, after all), but it's nice to see all these companies are fucking scumbags equally.

Posted by insanejedi

@mythrol said:

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra they're doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on Steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

You're a dumbass. My account was not hacked due to phishing because I never give anyone my password, nor do I ever respond to BS emails trying to trick me into giving my password away. I honestly think there is a weakness in EA's system which allowed people's accounts to get hacked because the passwords were the same.

As far as the interview goes, Fuck Microsoft. I'm one of those people whose account was locked out for almost 90 days. Not due to "complexity of the situation" but because Microsoft screwed up MULTIPLE TIMES during the recovery process and they have a horrible notification process to let people know something went wrong or they need additional information. The ONLY way you can get something processed is if you take it upon yourself to continually call them for updates. They WILL NOT contact you.

I've spent hours on the phone with their CSRs in regards to my account and like I told them, they are really lucky that the alternative options SUCK (PSN is no better). All it will take is one company to offer a service that does it right and I and many others will jump ship. The way they handle this stuff is horrible. I'm not even a PC gamer but I might become one just because Steam is so much better.

You realize you just proved my point right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption, though I wish it was 256, 128 bit is adequate for most security concerns. Chances are, that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

Posted by Thumbrunner

Scoops always bringing in the great stories. I had not realized that during the process they had to relicense all of the material you had purchased after a hack. Great read.

Posted by Sekoku

@Krakn3Dfx said:

Pretty much reads like a support FAQ from their website, but okay.

Used to follow Stepto on Twitter. Guy comes across generally as a douche bag. I guess you kind of have to be in his role as Master of the XBL Hammer, but still.

He could have saved some time and just boiled it down into one sentence: "Yeah, we're going to try and be better about this...but not really."

Yeah, "Stepto" is a huge douche. People like Geoff Knightly, get bumped up in the queue of investigations faster than us plebes. What? That really makes no sense.

Also this interview could be boiled down to that, yeah. There really isn't anything interesting, and if Patrick had poked into it he could've asked how the accounts' regions are changed. Is that option available in the Live.com site? Why? Is there any way to turn it off or have it have to be verified before the region is changed? Patrick didn't really poke/investigate the issue more.

Posted by trjp

@insanejedi said:

@mythrol said:

You realize you just proved my point, right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption; though I wish it was 256, 128 bit is adequate for most security concerns. Chances are that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

You can keep trolling us with your blind faith - but the fact you keep talking about passwords when most accounts are being compromised via their 'secret question' suggests you've not even bothered finding out about the problem you're blindly defending...

MS even got those 2 floppy-haired-fuckwits to do an in-dash video on how your 'secret question' should have a nonsense answer 'like another password' - I think it's clear they know this is the way into people's accounts (and resetting your password via your secret question does NOT generate an email so you don't know you've been hacked until the money is spent and you get the receipt by email).

End of the day MS are evidently besieged with people having problems and it doesn't matter who's "fault" it is, MS are the only people who can solve it and if they don't they should consider themselves likely for prosecution for aiding and abetting fraud.

Locking XBL accounts to specific devices would be a start (ala Steam's system) - as would putting a proper block on repeated attempts to guess secret questions (at this time it appears there's no limit on that - at least I lost patience trying it) - as would blocking repeated purchases of things like FIFA Gold Packs (better someone loses a few hundred points than thousands). New games should also have a system to verify that an account has a copy of a game they're trying to get DLC for - that will render the whole FIFA scam impossible.

Finally tho - if a customer calls and says they didn't buy some 'actually worthless online currency or digital download' then simply accept this with good grace, delete it from their account and don't fuck them around for months, lying to them and treating them like thieves eh??

Posted by VibratingDonkey

@YOUNGLINK said:

No new news, but Patrick got the most he could out of stepto.

His answers are not satisfactory. Fails to mention any measures to be implemented to address any of the issues people are having. Fails to mention duping of customer support staff at all. Which I believe is the most commonly believed cause for these hijacks. Stepto instead shifts blame onto the users, which is just plain old bad form. Especially when Microsoft is in a position to more or less stop account hijacking from being a thing.

"Look at all these various ways in which a criminal can steal your account! We're not doing anything to protect you against it. We could, but naaah. So it's all your fault if it happens."

I take issue with this stance.

But Stepto is surely in the same position as the people who said "Rumble is last-gen. Y'know things break."

Still, while you have to sympathize with the guy to some extent, he needs to get hardballed in a couple of areas. Dig down a little until he's forced to make a difficult reply.

Posted by Gourdmaster

Actual game journalism?!?!?!!!!!! Bravo Patrick this is some of the first investigative game journalism ive seen. Great stuff.

Posted by insanejedi

@trjp said:

@insanejedi said:

@mythrol said:

You realize you just proved my point, right? The passwords being the same? Who's the dumbass now who reuses passwords connected to accounts and email addresses of high value? And you accuse EA with absolutely no proof that they have a weakness in their system. I know for a fact that EA and MS both use 128 bit RC4 encryption; though I wish it was 256, 128 bit is adequate for most security concerns. Chances are that the security problem is the human being and not the company's security. How many of the same passwords have you used in multiple sites that tie right back to your email or your XBLA account password?

You can keep trolling us with your blind faith - but the fact you keep talking about passwords when most accounts are being compromised via their 'secret question' suggests you've not even bothered finding out about the problem you're blindly defending...

MS even got those 2 floppy-haired-fuckwits to do an in-dash video on how your 'secret question' should have a nonsense answer 'like another password' - I think it's clear they know this is the way into people's accounts (and resetting your password via your secret question does NOT generate an email so you don't know you've been hacked until the money is spent and you get the receipt by email).

End of the day MS are evidently besieged with people having problems and it doesn't matter who's "fault" it is, MS are the only people who can solve it and if they don't they should consider themselves likely for prosecution for aiding and abetting fraud.

Locking XBL accounts to specific devices would be a start (ala Steam's system) - as would putting a proper block on repeated attempts to guess secret questions (at this time it appears there's no limit on that - at least I lost patience trying it) - as would blocking repeated purchases of things like FIFA Gold Packs (better someone loses a few hundred points than thousands). New games should also have a system to verify that an account has a copy of a game they're trying to get DLC for - that will render the whole FIFA scam impossible.

Finally tho - if a customer calls and says they didn't buy some 'actually worthless online currency or digital download' then simply accept this with good grace, delete it from their account and don't fuck them around for months, lying to them and treating them like thieves eh??

So if idiots are driving Toyotas and blaming Toyota for something like failed brakes, is it somehow magically Toyota's fault when the facts and studies just show that these people are idiots? The social engineers would only have gotten your secret question if it was true and if you let it out somewhere to someone. If you had a Facebook page where you advertised that your dog's name was "bill", or your mom connected to you via Facebook and also had other relatives that don't have their last name changed, so you got her maiden name.

Stop being entitled asshats and blaming that it's everyone's problem but your own. The suggestions you give could be some of the most sophisticated encryption and security entry ever, and it won't give two shits if the man behind the computer is a dumbass and gives out his personal information that links to the secret question or just blatantly gives out the password. Worse yet are people who don't even know that they're doing this. Like I said, if you have a Facebook page with your mom on it, and your mom links to relatives on her side, you could find out what her maiden name is, as just one example. It's impossible to make anything foolproof because you'll just make better fools.

You realize that they can't simply remotely delete the download from your account. Even if they could, would you really want Sony, Nintendo, Steam, MS to have that ability to kill whatever you have from your 360, PS3, or even PC hard drive remotely? A: The money has changed hands from MS to whatever other company, which is EA at the moment. B: The download has been made, and if there was a policy like that, no one would pay for content ever because they would simply download it, report to MS that they didn't actually buy it, and then keep the DLC on their hard drive.

At the end of the day, so long as the database has not been compromised, which I have yet to see evidence of, YOU picked the password, YOU picked the answers to the questions.

Posted by UnsolvedParadox

I attended Stepto's talk at PAX Prime 2011 regarding the Live platform, and was really impressed with both his approach and commitment to security. It was both classy and pragmatic for him to chastise one of the audience members who suggested that Sony's security issues at the time were to Microsoft's advantage, noting that they were both partners in the fight against intrusions.

Posted by Elyk247

I play FIFA 12 all the time. I guess I'm just lucky. (Knock on wood)

Posted by fupallstar

Is it just me or does he kind of look like Bryan Cranston from Breaking Bad?

Posted by jimmdogg

Great article. But it does little to soothe my anger at the issue. My account was locked for 100 days. ONE HUNDRED DAYS. It doesn't matter if most issues are resolved in under 27 days if you are one of the outliers. I was never given any reason why it took so long. I never had any communication with the fraud team. I never found out how my account was compromised, if charges were filed against the fraudulent party, or any other details about the incident. The only email I ever got from them, and I called in at least 10-15 times, was the one telling me my account was now unlocked. I was given a token for 3 months of Live. In the meantime, I had started a new gamertag and put about 1200 Achievement points on it. Should I go back to my old account and give up 12 hours of playtime in MW3 and my Dark Souls and Skyrim saves? This is my Christmas quandary.

Posted by trjp

@insanejedi: @insanejedi said:

So if idiots are driving Toyotas and blaming Toyota for something like failed brakes, is it somehow magically Toyota's fault when the facts and studies just show that these people are idiots? The social engineers would only have gotten your secret question if it was true and if you let it out somewhere to someone. If you had a Facebook page where you advertised that your dog's name was "bill", or your mom connected to you via Facebook and also had other relatives that don't have their last name changed, so you got her maiden name.

Stop being entitled asshats and blaming that it's everyone's problem but your own. The suggestions you give could be some of the most sophisticated encryption and security entry ever, and it won't give two shits if the man behind the computer is a dumbass and gives out his personal information that links to the secret question or just blatantly gives out the password. Worse yet are people who don't even know that they're doing this. Like I said, if you have a Facebook page with your mom on it, and your mom links to relatives on her side, you could find out what her maiden name is, as just one example. It's impossible to make anything foolproof because you'll just make better fools.

You realize that they can't simply remotely delete the download from your account. Even if they could, would you really want Sony, Nintendo, Steam, MS to have that ability to kill whatever you have from your 360, PS3, or even PC hard drive remotely? A: The money has changed hands from MS to whatever other company, which is EA at the moment. B: The download has been made, and if there was a policy like that, no one would pay for content ever because they would simply download it, report to MS that they didn't actually buy it, and then keep the DLC on their hard drive.

At the end of the day, so long as the database has not been compromised, which I have yet to see evidence of, YOU picked the password, YOU picked the answers to the questions.

You really are a prize idiot - I'm not even sure why I reply to fanbois like you, utterly convinced of something which you know NOTHING about whatsoever.

I know for a 101% solid fact that no-one got my password or secret question from me - that means whoever broke into my account either

a - did so using a brute-force attack (something only Microsoft can prevent)

b - did so via a means which has nothing to do with my password or secret question whatsoever

Even if I'm unique and everyone else is handing out their login details willy-nilly - that means you need to tighten up security MORE - not less.

MS can do MUCH MUCH more to reduce these issues. Requiring additional authorisation before moving accounts between devices (ala Steam's system) - requiring backup authorisation before allowing purchases (just asking for a card's CVC code before authorising a purchase would totally cripple the FIFA Points scam overnight).

They could upgrade login security to use an Authenticator-like code (see Blizzard, Google and most Banks for such systems) which would render phishing completely and totally obsolete (and costs next to nothing as you just release free Apps/desktop tools to do the Authentication)

Why don't MS do these things? My guess is that they think putting any other 'hurdles' in the path of people buying stuff will reduce their income - kids will have to bug parents for the code, adults will have to go find their card and might lose interest and not login - but it would increase security IMMEASURABLY from where it is now.

Given that MS make having a card on your account pretty-much mandatory for most Gold Subscribers (and I'm pretty sure XBLIG developers need to keep payment details up-to-date also) - it's not like most people have a choice about risking their account being hacked and money charged to their account.

The FIFA scam gives hackers a way of making money - so it's not just amusement and vandalism, they're doing this because it's FREE MONEY and thus it will continue until MS do something (or law enforcement gets sick of them doing nothing and starts kicking in doors).
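trjp's post above proposes two concrete controls: a hard cap on secret-question guesses, and an authenticator-style one-time code in front of logins and resets (the post also notes that a reset via the secret question sends no email). What follows is an added example, not code from this thread, from Microsoft or from Xbox Live, sketching in Python how those three pieces fit together in a recovery flow. The `Account` class, `check_secret_answer`, `reset_password`, the five-attempt limit and the fifteen-minute lockout are all assumptions chosen for illustration; the one-time code routine follows RFC 6238 (HMAC-SHA1, 30 second step, 6 digits) and is checked against the RFC's published test vector.

```python
"""Account-recovery hardening sketch (illustrative, not any vendor's code):
a lockout on secret-question guesses, a notification on every password reset,
and a TOTP second factor per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits)."""
import hashlib
import hmac
import os
import struct

MAX_ATTEMPTS = 5            # failed guesses allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (assumed policy)
TOTP_STEP = 30
TOTP_DIGITS = 6


def normalize(answer: str) -> str:
    # Case and spacing differences should not cost a legitimate user an attempt.
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Secret answers are stored like passwords: salted, slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class Account:
    """Hypothetical account record; 'notifications' stands in for the outbound mail queue."""
    def __init__(self, email: str, secret_answer: str, totp_secret: bytes):
        self.email = email
        self.salt = os.urandom(16)
        self.answer_hash = hash_answer(secret_answer, self.salt)
        self.totp_secret = totp_secret
        self.failed = 0
        self.locked_until = 0.0
        self.notifications = []


def check_secret_answer(acct: Account, guess: str, now: float) -> str:
    """Returns 'locked', 'wrong' or 'ok'. A correct guess is refused while locked,
    so an attacker cannot keep hammering until the right answer lands."""
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(hash_answer(guess, acct.salt), acct.answer_hash):
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.notifications.append(("lockout", acct.email))   # owner learns of the attack
    return "wrong"


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, skew_steps: int = 1) -> bool:
    # Accept the neighbouring time steps to tolerate clock drift; constant-time compare.
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), code)
               for d in range(-skew_steps, skew_steps + 1))


def reset_password(acct: Account, guess: str, code: str, now: float) -> bool:
    """Recovery flow: rate-limited secret answer AND a valid authenticator code,
    and the owner is emailed whenever a reset actually goes through."""
    if check_secret_answer(acct, guess, now) != "ok":
        return False
    if not verify_totp(acct.totp_secret, code, now):
        return False
    acct.notifications.append(("password_reset", acct.email))
    return True


def brute_force_demo() -> list:
    """Constructed scenario: an attacker guesses the secret question six times, then
    the true owner answers correctly while locked, then again after the lockout."""
    acct = Account("owner@example.invalid", "Rex", b"12345678901234567890")
    t0 = 1_000_000.0
    outcomes = [check_secret_answer(acct, g, t0 + i)
                for i, g in enumerate(["fido", "rover", "max", "buddy", "spot", "bill"])]
    outcomes.append(check_secret_answer(acct, "Rex", t0 + 10))                    # correct, but locked
    outcomes.append(check_secret_answer(acct, "Rex", t0 + LOCKOUT_SECONDS + 11))  # lockout expired
    return outcomes


if __name__ == "__main__":
    print(brute_force_demo())
    print(totp(b"12345678901234567890", 59))   # RFC 6238 test vector -> 287082
```

The lockout refuses even the correct answer until the window expires, which is what actually stops an unlimited guessing loop; a scheme that only slows down wrong answers still leaks the right one eventually. Whether the lockout is keyed per account, per source address or both is a policy choice the sketch leaves open.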

Posted by Warihay

It has now been about a month and a half for me since my account was hacked. Just now hearing that they are communicating with the engineering team due to the "complexity" of the hack on my account. Very irritating, especially considering I just started my winter break from college and I can't progress my Battlefield 3 character. 1 month free of Live is nice and all but doesn't really mean anything when anything I do on a new account won't carry over. The only thing I really wish is that the fraud team communicated more with the user on what they are doing and what steps they are taking to resolve the problem. Anyway, still a good article Patrick.

Posted by darichardson

@jimto: Sorry for the late reply, but you didn't read what I said. I know he didn't flip a switch to hack my account. He hacked my account, and once inside, he flipped a switch to have the region transferred. If you had read my post it said that I never actually lost access to my account because the password was never changed. I never said the hacker was stupid or lazy, either.

The switch that was flipped was the region transfer and nothing more. Additionally, I stated that Microsoft had already refunded me the money for what had been taken. THE ONLY THING LEFT is to have my region transferred back to the United States from Poland, yet Microsoft continues to drag its feet. This is the only switch that I was referring to, the region transfer part.

I will say, at the very least, that Microsoft has at least sent me another update email since I posted that with a 30 day code, but all that I really want is to have my region transferred back to the US.

Posted by Feddy

Great set of questions thanks Patrick.

Posted by LandGrinch

are the comments always so hostile

Edited by richard_m_morales

@MrTom: Same here. I don't have experience in IT. But I too use Malwarebytes and Super.

I received an email in Portuguese from billing@microsoft.com on December 21, 2011 stating that my account has been transferred from Brazil to the United States. So I thought I got my account back. I try to log in on the billing site and it's still showing my account as being locked. So I phoned up support, just to be told they wouldn't trust that email. That the final email will be from similar emails I have received before with a link to change my info and that it will be in English. I went from being happy thinking I had my account back to just being pissed off again. I even tried emailing Stepto about this on December 2, 2011. Never received a reply back. Been having this issue since July 9, 2011.

Here's my post on Xbox.com Forums about my issue.

http://forums.xbox.com/xbox_forums/xbox_support/f/12/t/150494.aspx?PageIndex=5

Posted by capgrass

Hot topic these days...

Posted by daemissary

I guess I got lucky because my account was hacked on Dec 18th and I just got the email saying the investigation was done today. I did file a dispute with my credit card company as well as calling Xbox Support, maybe that is why it was resolved so quickly?

Posted by calbags

@patrickklepek: great article. yo! Patrick, you have the connections, bring in Sterling. When you guys left I stopped watching Feedback.

Posted by urbanterror

cool

Posted by LRavenwolf

Great insight - There is an issue that I have yet to see fixed where my account was hacked, and my Xbox Live membership was changed. To be fair, the 10k MS Points that were purchased and gifted by the hacker were refunded. However, I had 18 months of Xbox Live Gold purchased from previous sales and pre-paid cards that I lost because the hacker changed my plan to the Family Gold plan to gift the MS points. It has almost been a year and I still have not gotten that time back. I had given up on getting that back as it's been almost a year and every time I call I get the same crap answer that they're looking into it but nothing ever happens. I may just pick up the issue again after reading this. It just pisses me off too much to let go.

Posted by Gunslinger0130

Excellent set of articles Patrick, well done!

Posted by Massive_basset

Account transferred to Russia back in Sept 25th here. Still Russian today. I used to netflix on my Xbox almost daily, now I almost bought a Roku on woot today... but its got to be almost over... right?

Posted by raikoh05
Posted by Griffinmills

Good to hear Microsoft being more forthcoming in regards to their security woes than I remember Sony being in agreeing to this interview. Interesting set of questions here too! Good stuff all around.

Posted by Xsheps

@Griffinmills: probably because Microsoft is an American company and Sony isn't.

Edited by Napalm

@Griffinmills said:

Good to hear Microsoft being more forthcoming in regards to their security woes than I remember Sony being in agreeing to this interview. Interesting set of questions here too! Good stuff all around.

I'd hardly call it "forthcoming". Microsoft needs to do damage control to prevent something like this from getting out of hand. They aren't actively trying to repair the problems at the core with this current flood of reported stolen accounts, and Stepto is only in the limelight to ease public opinion, say some nice things and talk about how they want to protect their users information.

Believing anything beyond that is really just being a little bit too gullible. Just a quick Google search yields dozens upon dozens of reports and subsequent comments from people who have had their accounts stolen, locked for ridiculous periods of time, or a combination of other awful scenarios. People on the Xbox/Microsoft security team are only pushed into the public to do damage control, and only fix the most public and damaging cases to uphold the public view that they, "are on top of the case and have solved the issues." It's the classic Superman scenario.

EDIT: I also don't want to make it sound like Stepto has ulterior motives, or isn't sincere in his job. I believe he is, but Microsoft as a company is questionable when it comes to these things, especially repairing internal processes and procedures to hopefully help the arisen issues.