Giant Bomb News

191 Comments

Microsoft, EA Claim FIFA Isn't Causing Rash of Xbox Live Hacks

Hundreds of people are noticing FIFA showing up on their compromised accounts. What gives? Here's what we've found.

Xbox Live is an extremely popular service, featuring a bunch of users with credit cards oh-so-conveniently attached to their accounts, so it’s an obvious target for scammers. Getting emails from users who’ve had their accounts compromised is nothing new; it happens every single day. Tide goes in, tide goes out.

There was something different about the stream of emails from the past week, with a bunch of users mentioning FIFA. The first confusing tip-off these users had was finding FIFA 11 in their game library, despite never having played it.

“12th october 2011, i get a phone call while i am at work off my brother,” wrote one user. “he asks me what on earth am i doing at home and why the hell am i playing Fifa 12 ( he knows i hate football) i explain i am at work and i would not play fifa 12 even if i was being forced by a knife point held at my groin with the imminent threat of genital removal.”

Xbox Live's interface has changed over the years, as have Microsoft's security responses.

“I had my account hacked back at the beginning of August,” said another. “First time that had happened on any system. I had my account suspended the day it happened but it took over a month to get my account restored. The crazy part was they didn't buy anything with my points. When I got my account back the only activity was they played some FIFA '12.”

Similar stories can be found inside my inbox from dozens of different readers. Something was up. A few noticed achievements for FIFA 11 or FIFA 12 had been unlocked, others found hundreds of dollars missing from their bank accounts thanks to a series of point purchases, and many noticed the people accessing their account were interested in purchasing tons and tons of cards for FIFA Ultimate Team.

The common thread, however, was FIFA. But why? How? FIFA? A Google search brings up exponentially more stories of digital soccer woes from users of Xbox Live. To Microsoft’s credit, many appear quickly resolved.

“With the popularity of FIFA globally, and the sheer number of players playing the game online, FIFA is an obvious target for phishers and frauds,” said an Electronic Arts representative to me. “This is why we try to educate FIFA players to take measures to keep their accounts safe.”

EA outlines steps to protect your account in a message board post, which is comprehensive and worth reading, but its sheer existence suggests account exploitation has been an issue EA has been forced to pay attention to.

“We haven’t seen a spike or increase in reports of FIFA 12 players having their accounts hacked,” said the rep. “With the launch of FIFA 12 it likely has just shifted renewed focus onto this particular game.”

A good portion of users with compromised accounts found evidence of card packs purchased for FIFA Ultimate Team.

Microsoft, however, seemed to acknowledge there had been a spike in activity lately.

“We do not have any evidence the Xbox Live service has been compromised,” said a representative. “We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts.”

The company did outright reject the theories running around the Internet--of which I’ve heard many at this point--about a major security glitch exploitable in the FIFA games.

“It’s not a title-specific issue and is coincidental that FIFA has been tied to a number of compromised accounts,” said the rep.

Recon armor was something that had to be bestowed upon you, making those with it a target.

The largest issue facing Xbox Live and similar services is social engineering, in which outsiders attempt to trick customer service systems into unlocking accounts. I filed a story with MTV News back in 2008 about Xbox Live’s problems with social engineering, where even Bungie Studios employees were not safe. At the time, users were being targeted because their accounts had gained access to Halo 3’s elusive multiplayer “Recon” armor, which could not be unlocked in the game. It was special.

Think about how much information about you is on the Internet. Can you imagine it being terribly difficult for someone to fill in the blanks? How many different security codes are linked to your mother’s maiden name, which is probably featured on her not-properly-secured Facebook page?

Then, remember the PlayStation Network information implosion. And the Gawker Media incident. The list goes on.

"People don't hack accounts by using programs and any other bullsh-- that you hear around [Xbox Live]," said a user who publicly admitted to compromising Microsoft’s systems back in 2008. "It's as simple as picking up the phone."

It's more complicated than that, of course, but the underlying point remains the same.

Microsoft has made reforms to its system, but no system is perfect, and social engineering remains a threat. As we become more comfortable with more information available, there will be more ammunition for those hoping to take advantage of us.

Halo 3 spurred these issues three years ago; today it’s FIFA 12. Different day, different game, same issues.

In the meantime, maybe change your password and alter your mom's Facebook privacy settings.

Patrick Klepek on Google+
Posted by eclipzen

Coincidence!?

Online
Posted by MarximusPrime

Top Men

Posted by Swoxx

Sure, EA, suuuure.

Posted by Baillie

It's ultimate team. Websites that sell accounts for cheap with a lot of points stored on them have started going out of their way to steal people's gamertags to sell on to other people, mainly to buy things in FIFA 11 and 12. It's been going on a lot for the last few years, but this year there's been a lot of gamertag hacking.

Posted by Malphye

So If I were to put a gun and a copy of Fifa 12 on a table and told him to use one... He'd off himself?

Posted by Rukus

The secret answer to my secret question is just another password, not actually my hometown. :p

Posted by Baltimore

Where there are a ton of people spending time/money, nasty people will find a way to steal their money.

Posted by Gamer_152

Great story Patrick. If the Fifa connection is just a coincidence though, that's a pretty huge coincidence.

Moderator
Posted by nicebento

This actually happened to me 2 weeks ago while I was at work. Saw a bunch of emails from Xbox Live about buying points. Whoever got my account bought 300 bucks worth of points. I called Microsoft and my account got put on hold. I asked the Microsoft person if this has been happening a lot. She told me not at all. Then I called Visa and the manager told me he saw this very thing happen 8 times that day. As a customer of Microsoft and EA, they should warn people about this. And I have to wait 30 days to get money back. Not cool.

Posted by StarvingGamer

Actually this happened to me too. My XBL account got hacked and when I got it back FIFA was suddenly there on my achievements list. FUCK FEEFAAA.

Posted by DFSVegas

The Nigerian Prince gives FIFA 12 5 stars. In stores now.

Posted by Poki3

You know... I once turned on my PS2 and my memory card suddenly had a save for FIFA 2008. I didn't play a FIFA game since FIFA 97. The save is still there to this day. True story.

Edited by Darkstar_KoP

 
I was hoping for more from this article but.... well there really isn't anything else to say.

Posted by Thor_Molecules

I hope Microsoft doesn't try to play this down like it's no big thing.

On NeoGAF there were literally dozens and dozens of victims in a single thread, and not just people having access to your identity, but actual theft, hundreds of dollars being charged from their bank accounts.

Posted by Binman88

@Poki3: I put that there. Thought you'd like it.

Posted by LiK

Of course they'll deny it

Posted by jimmdogg

My Live account was hacked in the beginning of September. The hijackers charged my account for about $70 in points. I immediately suspended the account with Microsoft and I am still waiting to get it reactivated. 6 weeks of call center hell so far.

Posted by zigx

Same thing happened to me, I noticed when I saw the fraudulent charges show up on my credit card statement. But since I haven't and now can't log into my account, I couldn't see exactly what the points were spent on. Now I just logged onto my account via the Xbox website and lo and behold, the most recently played game was Fifa 2012. #FIFAconspiracy

Edited by DougQuaid

People that play Fifa are terrible people confirmed?

Really though, there are people that think credit card theft is worth it to get some stupid fucking virtual cards for a fucking soccer game?

What makes this all even worse is that Microsoft has made it a huge pain in the ass to protect yourself against this kind of stuff. You cannot remove any credit or debit cards tied to your account because of their auto-renew bullshit. You have to call them to convince them to remove it.

Posted by Metal_Mills

@jimmdogg said:

My Live account was hacked in the beginning of September. The hijackers charged my account for about $70 in points. I immediately suspended the account with Microsoft and I am still waiting to get it reactivated. 6 weeks of call center hell so far.

Ring up. Say you want it NOW or you'll take further action. They'll fix it asap. They did after 3 weeks of hell when I had to call for another reason. After threatening that they fixed it 40 minutes later.

Posted by Elijah

This happened to me just a few days ago. I'm glad this story was put up... I'm not convinced it's "social engineering" or "phishing" as EA/Microsoft are eager to think. My Live account has been inactive for some time (which is lucky, I was only outed a couple hundred points that were leftover on my account since my credit card on file had expired). I definitely haven't had any phishing attempts in my email, I've never shared my account information with anyone, my Live password is unique... To me, it seems that there's some kind of exploit that is being used.

Posted by Sammo21

So did we ever confirm people had fraudulent activity on cards because of the Sony mess?

Posted by nyv

For once I'm happy being a poor student and not having enough money on my card to buy those 5000 points. I too was hacked in August, but after being unsuccessful with one purchase, the bastard just left the account as it was. All I've got is a mail, that I didn't have enough money on my credit card for 5000 points.

As I said... sometimes, being low on cash ain't that bad.

Posted by Mesoian

Well...I changed my password anyway.

Posted by Elijah

@Sammo21: Nah, I don't think so. If I remember correctly the CC's that were leaked were from years ago and most, if not all of them, were expired.

Edited by 234r2we232

So you don't even have to own an EA game to be screwed over by that company? Fantastic.

Posted by Sammo21

@Elijah: That's what I thought. Seems like every couple of months I hear a new XBL account hijack.

Posted by MulletStorm

This exact thing happened to my brother about 2 months ago. They purchased about $70 worth of points from his account. When he called Microsoft they froze his account, it took about a month to get back. One of the things he noticed is when he went to check out all the account info on xbox.com, his security question had been changed and was in Chinese.

Posted by Jumanji

This story is insufficient. I have seen many anecdotal counterfactuals to the claim that the hacks are " just social engineering" or "same shit, different day". 
 
If games journalism has any redeeming social value it's as an advocate for consumers against the few big players that control the marketplace. Please do your jobs and dig more diligently.

Posted by BraveToaster

And Microsoft attempts to down-play the entire situation. A few complaints is too many complaints.

Posted by Hairydutchman

"i would not play fifa 12 even if i was being forced by a knife point held at my groin with the imminent threat of genital removal"

This guy deserves it

Posted by The_Tolman

I knew nothing good would come from football/ soccer/ whatever the kids call it these days.

Online
Posted by Dark_Lord_Spam

Isn't it great when companies use the mention of a brand name in a hacking scandal to promote how awesomely popular that brand is and how youshouldreallygobuyitrightnow?

Posted by Hameyadea

So in a nutshell: S.S.D.D.

Posted by sw0rdfish

I think there's more to it than this.

Social engineering can get your password reset. They cannot give the user your password. When I was hacked, my password was not changed, so this isn't a customer service issue, it's deeper than that. I don't know how, or why, but they got access to my account another way.

I spend a lot of time protecting my passwords and keeping things as random as possible, and while no password is un-hackable, I'd like to think if Microsoft saw someone trying to login with the same account some 50,000 times, they would do something to stop the brute force attack from happening.

Not to mention, the first thing you do when you access an account, is change the password, unless you don't want them to know you've been there. That goes out the window when you're buying MS points to transfer them. You'd change the password first, to stop people from logging in and stopping you, and then you'd go ahead with the transfer to give you as much time as possible.

I'm still convinced there's something more here.

Posted by Bam_D_Leprechaun

@Hairydutchman: Soccer sucks, this man is my hero

Posted by Darkstar_KoP

@sw0rdfish

Bro I feel you I really really do but, and this is a big fucking BUT. There are too many stupid motherfuckers out there that have "password" or other silly stupid bullshit as their pass and me and you are getting grouped right along side with them. Cross your fingers and wait for the real story to hit (if it ever does). I hope it does cause there is some deeper shit going on with this Fifa 12 breakout. Also check out my profile and I think you will see a creepy coincidence we share o_O

Posted by M3rlin

Always love your investigative articles, Patrick!

Posted by MoveTheBongos

@Metal_Mills: As a former Xbox support employee I can tell you that the first thing we do after a customer threatens "further actions" is laugh out loud and tell our colleagues of the idiot who thinks he could cause a ruckus with Microsoft's lawyers in the other ring corner. After hearing all these 15 year olds, who watched one too many court drama shows, tell you they are gonna sue it's almost akin to just saying "derpa-derp".

Trust me. Be friendly and reasonable is the best way to get the best service.

Posted by SerHulse

@Darkstar_KoP: Just so you know my password is silverfreude, so I'm not one of these "stupid motherfuckers" you refer to!

Posted by lumberingjackal

Dude... grammer...

Thanks for the read though!

Edited by RazeEverything

Like I've suggested on Microsoft's boards, I would love it if they implemented 2 stage verification even if it was just for when you try to login from an Xbox or location you don't normally log in from. Google does it with their mobile phone app or by sending a text message to you. Blizzard does it with their key generator dongles or Mobile App. You would think someone signing into my Xbox from another country might toss up a red flag.

My account was compromised last month and I called and gave them my serial number, then waited 30 days and called again to see what was up and they said I never called in with my serial number... Went round with the tech support people before they finally unlocked my account.

My bank gave me a temporary refund and I've had to fill out 2 sets of paperwork and be issued a new bank card so far.

Edit: They bought a 6000 point card and a 4000 point card then spent it on Fifa. The Microsoft rep on the phone said it was a common problem lately and the points are used to buy Fifa items that are then in turn sold on Ebay and other Auction sites.

Posted by Rirse

Wonder if this is related to why I can't use my 360/GFWL Profile anymore. No matter what I do, I can't recover or login into it.

Posted by afahy

My account was hacked about two months ago. There was no FIFA connection, but there was a large amount of points purchased. MS reps at the time informed me that due to the large volume of account hacking investigations they were experiencing, the time to resolution would approximately triple (meaning it's only been recently--within the last two weeks--that my account had been restored to me). Other than the enormous amount of time without access to my account, I had no issues with the MS / Live customer service reps in getting everything restored.

Posted by Meowshi

So, this is what Jeff's phone message was about!

Posted by daggon55

Could it be that people in America are placing too much emphasis on the whole FIFA thing because it's not as popular.

For example if people got hacked and the hackers played Madden or Call of Duty, it probably wouldn't seem as "weird" because those are popular games in people's minds. Also people might not notice the hack as readily if the game that was played was one they already had.

Maybe this really is a weird intersection of hackers from another region hacking American accounts but getting more noticed because the game they want to play is one that is not very popular in America.

Can anyone speak to how popular FIFA is internationally, is it on the level of Madden in the US?

Posted by evanomeara

That's some messed up stuff, but I suppose with all the info we give out about ourselves it really ought to be considered that accounts can be easily accessed.

Edited by BlatantNinja23

@Hulsey90 said:

@Darkstar_KoP: Just so you know my password is silverfreude, so I'm not one of these "stupid motherfuckers" you refer to!

I see what you did there....

Posted by Darkstar_KoP

@Hulsey90

Aww man I can't wait to play me some Fifa ass Fifa on your account.