As someone who works in the security industry and has a lot of contact to customers that handle different fraud scenarios (mostly in Europe), I'd like to point something out. Fraud is defined by almost all of them as an act where a 3rd party abuses the given service infrastructure and harms the service provider financially or creates a denial of service condition.

Interestingly enough, if one of their customers is the victim, it is not considered as fraud damage, but as a support case.

At least until it becomes public in some manner and gets a higher priority due to the PR damage inflicted.

I am not familiar with the way that Microsoft (or Sony/Nintendo) defines that particular issue, but I just wanted to put that out as food for thought.

I can't help but feel suspect when I see how much of this is passed off as the users' faults: claiming they fell for social engineering, really basic and transparent phishing methods like his example provided, and malware. I think its being vastly overplayed in a way that completely undermines what is important here; it isn't ever alright to blame your customers for being exposed to having their personal information and finances compromised through the services you as a company are responsible for and provided. It is your responsibility as the company to protect your customers from these threats, if customers are able to have their accounts and information compromised through using your services that represents a flaw in your services, not your customer's usage. This isn't complicated, Microsoft, you're a company act like a successful company: do not blame your customers, recognize that there is a problem in your system which is exposing your customers to risk and allowing attackers to exploit the system to an obviously high degree of success, change the system. Providing additional links and steps for some to take is not how you do it, either require those steps outright if that's your security solution, or increase security within your system some other way. There's an obvious right way into handle situations and it isn't by enforcing a combative relationship with your stakeholders when there's a problem.

Nicely done Patrick! Hope all you bitches out there critizing this fine supple man can see his greatness shines through. Really well done, hard questions, great way to approach someone with respect. Unlike that goofball some of you retards defend. Yeah, Alex would never be able to do some serious shit like this. Hope you guys can stop suckin his balls and see this is what real journalism is about.

@Foggen said:

@MordeaniisChaos: Jesus Christ. Rant a bit more, will you? If you read the article you'd know that some of these peoples' accounts were compromised due to vulnerabilities in what are almost certainly Microsoft web browsers. And that's without getting into vulnerabilities that probably exist on EA's side.

Yeah I was just going to ignore Mordeaniis post. It was a little surprising to see, the logic is well..haha *shrug* I don't think hes really thought about this critically. But hey since you acknowledged, I'm in.

@MordeaniisChaos:

This probably will come off as a pretty mean insult. But sit on your comments, read them out loud. Maybe tell them to some one in person. Perhaps you will not come off as a ranting asshole next time. Yeah, yeah, I'm being a snarky dick about it right now. Just wanted to point it out.

I had to skim this due to time, but is the same FIFA DLC not on PSN? If it is, that seems like you can't pass it off as "hey, this thing is popular so it's a target" if we haven't seen evidence of other services being able to sell it without issues.

@PresidentOfJellybeans: try deleting your cookies if you've not tried it. Sometimes I get the same thing and deleting xbox.com related cookies always solves my issue. This never used to happen to me, it's a fairly recent thing that happens sporadically.

Great article Patrick. I had my account jacked and all my points spent on Fifa12 items, so the article was a somewhat relieving. Though most of Toulouse's answers boiled down to; we want to be faster, we gotta do what we gotta do, and shits complex. Basically answers I was expecting, no chance a security guy would get into the nitty-gritty.

@PresidentOfJellybeans: I had that same issue happen when xbox.com changed some of its systems a few months back. Try deleting any Microsoft-related cookies (xbox.com, live.com) and restart your browser. That cleared it up for me.

Great interview, Patrick! Nice to hear a more detailed response to this issue.

Edit: Hah, looks like I was beaten to it by a few minutes. :)

Cool, I'll read through this when I get the time. I saw most of the panel they had at PAX East 2011 and it was pretty interesting.

So basically the company line is that it's 100% the user's fault for their accounts being compromised, and we're all lying about how long the recovery process takes? I've never heard of a single person having this resolved in less than 25 days, but somehow anyone who takes longer than 25 days to have their account unlocked is an "outlier".
 
He doesn't even allow for the possibility of Microsoft being partly responsible for stolen accounts. He should read up on how people used to steal account by repeatedly calling up MS customer support with tiny bits of personal information.

@ValiantGoat @Swimm That worked, thanks much!

Patick delivers.

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it. It's just really weird that they do not prioritize preemptive measures. Suppose it's good that they've introduced a couple of things that makes it easier for them/you to recover your account after it has gotten hijacked, but what the shit?

And Stepto says a lot about wanting to improve things. Well, what steps are you taking in order to make that happen, and is there a timeframe for when we should start seeing results?

Since investigations can be resolved relatively quickly (ask Geoff Keighley how long his took) it seems to me like the length of investigations is an issue of manpower more than it being technically difficult, which it really shouldn't be. After you've established who's the perp and who's the vic, what else is there to investigate? Recover the account to its rightful owner and unlock it. This process should not be complicated for accounts that have not gotten region migrated.

Microsoft appears negligent. They didn't (and seemingly still don't care to) implement measures to prevent this problem from happening, they are incapable of dealing with affected users in a timely fashion, and they're non-committal about introducing any potential improvements.

Although this is good.

@Stepto said:

The thing that’s unique about FIFA is that is has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

Putting some pressure on EA to change their easily exploitable system that's attracting these criminal elements. Which needs to happen. Maybe it will next year, because EA's certainly not gonna shut down and redesign the thing when it means cutting off an active revenue stream.

@Stepto said:

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, trying to be careful about your personal information and when you give that out.

Think he misunderstood this one. The concern is about customer support being tricked into giving out information, not the user.

He should know about stuff like that since if customer support doesn't ask the user to verify with this secondary proof, then it's useless in this context.

Didn't bother asking why Geoff Keighley gets a personal message about his hacked account? lame

Glad to finally get something out of MS on this. Great job on following this incident up, Patrick, thanks for keeping us informed.

Toulouse: The first thing that they should do is to go to Live.com and try to login and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

So, basically, don't call them up and get your account locked out unless you really, really need to.

@tightestjeans said:

Great Interview Patrick, but you forgot to call him an asshole at the end.

Thanks for my daily laugh. All the serious comments then I ran into this one. :)

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it.

The answer is usability.

Consoles are entertainment devices and that makes things even more difficult than on the PC.

People would complain - a lot - for every additional time they have to enter a password, even to the extend that they go with another product. No vendor would risk that and rather takes the hit for a couple of compromises instead.

Steam just gets away with that because their audience does generally understand much better the risk and issues attached to an online service and are also much more familiar with these security procedures.

That is simply something that a vendor does not expect from the average family that bought the "gaming box" for the living room.

"Toulouse: It does have to happen on the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened."

This answer really grinds my gears. I was able to lock my account but when they called me to un-suspend it, the name I gave was apparently not the name the account was created under (which is bs) and I'm still stuck with sinking money into a new account.

the giantbomb E3 podcast day 0 already has enough of stepto's microsoft damage control. I'm not buying it. A company known for refreshing its staff as often as they refresh their old tired policies, they don't deserve any respect. XboxLive is the only service with actual phishing scams, and theres still a debate over which system is better? Anyone else see this glitch in the matrix?

I noticed once that the original Gears of War was showing up on my recent activity list even though I hadn't touched it in months. Figuring that my account must have been compromised, I quickly went to change my password and contact support. Nothing seemed to have been altered or abused, but the guy on the phone apologized a lot and gave me a free 12 month subscription for Live. That was several years ago so I can't speak for the state of things now, but at least my experience was fairly painless.

My best friends account has been locked for 36 days (as of today) and he has had little to no response from Microsoft. I really appreciate this article, and the responses from Toulouse. However, I think that his positive attitude needs to be communicated better to Customer Service and a better system for updating the user needs to be in place. My friend (who cares very little for achievements, arcade games, or saved progress) finally got so frustrated that he just started a new gamertag and has no intention of ever using his old one again. Personally I would have a real hard time doing that. I am just kind of rambling here, but I appreciate the work Patrick put in and the response from Microsoft.

@SpudBug said:

I guarantee Sony wouldn't be as fast or reliable in retrieving and recovering online accounts that had been compromised as XBL support is.

That guarantee is just you making an assumption that fits with your fanboy beliefs. The fact is that PSN accounts are not getting hacked left and right and then being used to buy Fifa 12 DLC. That's happening on the 360.

Microsoft's attitude to the whole issue of XBL security is wrong-headed - they are absolutely convinced the system is 'secure' but all the evidence suggests otherwise. They claims it's only the behaviour of users which is causing a problem but the sheer scale of the problem suggests otherwise (and even if it was, it's upto them to make it more secure anyway surely?)

My account was hacked and I can categorically say that I wasn't phished, I have never shared my password and my 'secret question' was neither a dictionary word nor a logical answer to the question. I know people who've had dormant accounts hacked - that absolutely rules-out password sharing or phishing and points right back to a glaring security hole in the system somewhere.

Worse still, hackers have found a way to make money from breaching people's accounts - by using saved payment details (mandatory for Gold/Developer accounts) to buy FIFA cards which they then transfer to other accounts/turn into coins/points and ultimately sell via eBay (check it or other sites - there's always plenty of stuff for sale).

This has been going on for at least a year - my account was hacked in September and they came back after just under 60 days to say "there was no evidence of fraud" (yeah, I gave away £54's worth of DLC for a game I don't even own!!) My bank had already refunded the money by this time - something MS actually suggested I do anyway "if I wasn't happy with their findings" (does that scream "we know we're wrong but fuck you buddy" or what?)

I have zero desire to be their customer any longer and so the XBOX is boxed and ready for sale (it's that or hack it - I'm not giving them a brass cent any other way) - and I'd STRONGLY remind people that keeping payment details up-to-date on XBL is a bad idea (pay with PayPal and then scrap the account!!) :)

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra their doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

Why is no one asking about that? Microsoft keeps reiterating that they're very concerned with the online security of their customers etc. PR speak blablah, yet they haven't once mentioned this obvious solution in the form of a security measure designed specifically to protect against account hijacks.

And they literally have everything in place for it too. I don't understand why they haven't done it already, or said anything about doing it.

The answer is usability.

Consoles are entertainment devices and that makes things even more difficult than on the PC.

People would complain - a lot - for every additional time they have to enter a password, even to the extend that they go with another product. No vendor would risk that and rather takes the hit for a couple of compromises instead.

Steam just gets away with that because their audience does generally understand much better the risk and issues attached to an online service and are also much more familiar with these security procedures.

That is simply something that a vendor does not expect from the average family that bought the "gaming box" for the living room.

An unverified system only needs to be verified once. Using this security feature is optional.

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra their doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

Aw, does GB not allow animated gifs?

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra their doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

Read the post below yours instead of just drinking the Microsoft kool-aid and blithely accepting that everyone who has been hacked was phished.

I noticed that he didn't say much about how they deal with people who call up pretending to be you. I've worked in the phone support business for many years now, and in doing so have traveled around to many different business locations. Giving out personal information to callers is a HUGE deal. I really hope Microsoft is taking that seriously, because that's how my account was stolen many years ago. Someone called impersonating me almost 10 times.

@VibratingDonkey said:

@kingschiebi said:

@VibratingDonkey said:

I see a lot of words but none of them are about two-step authentication.

...

The answer is usability.

...

An unverified system only needs to be verified once. Using this security feature is optional.

Even if it is just one step more, it is one step too much. Same reason why online shops try to do their best in making the actual shopping as painless as somehow possible. (i.e. Amazon 1-Click) and still there are people who are put off by that. It is getting less and "we" (for simplicity sake, I assume that people here are somewhat proficient with computers and the internet) is not the problem. It's the average person on the street that is having problems with that.

It is the same reason why Apple is tremendously successful with their IOS devices and why Microsoft is working hard on making Metro as accessible as possible.

People tend to avoid everything that is even just slightly more complicated if they are not forced to use it in a more secure way and unless every vendor does adopt the same usage regulations, customers will simply go the way of least resistance. It simply comes down to being a business risk, especially if you would be the first in a specific segment to do something like that.

Mr. Klepek has really been doin' it up lately. Nice work!

@insanejedi said:

Phishing and social engineering is your responsibility to prevent, not MS or EA. The fact that they are helping you at all to get back your stuff is something extra their doing, not their obligation. You'd be lucky if they helped you at all as Valve won't lift a finger when it comes to the fact that your account was scammed on steam. Don't be a dumbass and give away your personal information and always check your emails if they sound too good to be true or giving you something free. Most companies will never email you about ANYTHING on your password, so don't expect it to start now.

You're a dumbass. My account was not hacked due to phishing because I never give anyone my password, nor do I ever respond to BS emails trying to trick me into giving my password away. I honestly think there is a weakness in EAs system which allowed peoples accounts to get hacked because the passwords were the same.

As far as the interview goes, Fuck Microsoft. Im one of those people who's account was locked out for almost 90 days. Not due to "complexity of the situation" but because Microsoft screwed up MULTIPLE TIMES during the recovery process and they have a horrible notification process to let people know something went wrong or they need additional information. The ONLY way you can get something processed is if you take it upon yourself to continually call them for updates. They WILL NOT contact you.

Ive spent hours on the phone with their CSRs in regards to my account and like I told them, they are really lucky that the alternative options SUCK (PSN is no better). All it will take is one company to offer a service that does it right and I and many others will jump ship. The way they handle this stuff is horrible. Im not even a PC gamer but I might become one just because Steam is so much better.

I fall on the side of liking Stepto. Great job Patrick.

One thing I should add - when you report that you've been hacked, one of the things they ask for is your console serial number.

In my case, they came back after about 35 days and said I'd given them "the wrong console serial number". Now I only have 1 console - I've only EVER had one - I've never logged-in to another console and when I confirmed the serial number, the guy on the phone said it was "the same as they already had and he couldn't understand what the problem was".

Later, when they concluded that "no fraud had taken place" they said that the transaction had "taken place on my console". If that's the case - why did they initially conclude that I'd given them "the wrong console serial number"?! There's almost no way someone could know my console serial number (nor could I know the hacker's serial number and if I were trying to defraud them - I'd have made one up!?)

I'm pretty convinced that there's a security hole somewhere - one of the things hackers do is buy Zune Points (not MS Points) and I'm wondering why that is?? It suggests that they're not operating the hack from a console directly - or even that the hack exploits a specific security hole which only permits Zune and not normal MS points to be bought!?

I'm 101% sure I've not been phished (I can't even remember receiving an XBL-related scam email) - MS confirmed I've never called to access my account (so no social engineering) and my account has only even been Silver (so I've never played online). They said that "it appeared my account was reset using my secret question' and I know that wasn't me because I made that some random shit and even I couldn't remember what it was (which means I cannot possibly have told anyone it!!

Thanks Patrick! Appreciate all you've done for those of us are still in limbo. It's nice to get some answers.

I am convinced Ill never access my Live account again. Those calls to customer service make sense though, now that I realize they simply believed I was trying to scam them and wasn't who I said I am. 25 days? Try 4 months.

Keep up the good work, Patrick.

The best way to get real action from MS on this issue is for people who have been hacked to bombard them with complaints and requests for help on Twitter, Facebook, etc. Only when the issue gets really embarrassing for Microsoft will they take action; see RROD.

Patrick is such a nuisance, even Microsoft can't ignore him? Jeez laweez.

It's just Xbox Live. It's not like a social security check being late. The world won't end, and you won't die, if you can't play online for a fucking month.

Seriously, this was a fascinating interview start to finish. Fucking amazing job, Patrick.

I've been waiting 74 days and counting to have access to my account restored. Fortunately - I think - the hacker didn't buy any new points or start any new games, they only made one purchase with points I already had on the account.

I would have thought that this would be a reasonably easy fix. But I just spent a half-hour on the phone only to be told that they haven't bothered to look at the case yet, much less do anything to it, and the only thing they can do would kick the case back to the end of the queue.

I call bullshit on 25 days being worst-case if they take three times that long to start looking at cases, much less complete them.

Thanks to the podcast he frequents, I can only read his last name as toll house...... Good work on this topic Patrick, there's some simple tips in there everyone should follow.

@mrsmiley: They do note when people fail to verify themselves and reps are more informed about giving up info now so that shouldn't happen anymore. Even if you give up some wrong info they should just move onto something else to verify you instead of letting you know what info is wrong so a crook wouldn't know what to correct.

It's a bummer Sony never gave you this much PR time. Microsoft is at least (somewhat) on it. If you can't run a service well, at least get the nice face to come out and give you the full rundown. Sometimes that's all you can do.

This was a great interview Patrick, and I really like how you very directly addressed very specific concerns. My only complaint is that there is not a video so that I can watch it all go down in action.

I find the people who work at Xbox support to be incredibly nice and competent. The problem is there is something wrong with the infastructure of the support organization itself that limits how effective these guys can be. It's just simply unacceptable and uncessary when you realize there are several other services around the internet that deal with higher traffic, have much more-slammed support ques and are even more frequent outlets of scams and abuse, that are able to solve these sorts of problems in minutes.

My account was hacked back in September. I had it back by Halloween. It was close to 25 days it was shutdown.

They took me for 95$ of points, and spent it all on FIFA product. This interview actually lines up with my experiences very very closely.

As far as them claiming it was a phishing scam... I don't really believe that. I use separate passwords for major websites (anything I have to put my credit card into), and my Windows Live ID was no different. I have no idea how they got a hold of my information, but I think there might be a bigger problem at hand here.

Best way to keep this from happening? Delete your card information from your account and console. If the information isn't stored on the XBox live server, it can't be used for fraudulent purchases. Annoying that you have to re-input the card for each purchase, but in this case, it's better safe than sorry.

-my two cents

I've been listening to the Major Nelson Podcast for years and it creeped me out to se what Major Nelson himself looked like and now Stepto looks nothing like I imagined. It's like when you read a book and create the characters in your mind and then they make a movie and they are very different.

This reminds me ... I need to get Stephen's book on Kindle.

All I can think from this guys nickname is Steptoe & Son. You dirty dirty old man! He grew up next door to my mum, so he did.

When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer.

I find this bit hard to believe, to be honest.

-Guy who hasn't had access to XBL since October 21

microsoft told me after the hacker did some crazy shit to my account he is now "still able to play" with my account but he can't buy anything, witch after reading this interview sounds completely random or a total lie. i assume i'm going to have to recover my gamertag which means i get to watch as all my rage and skyrim achievements go to shit. i don't have the fucking time to do all that again. BAH... sucks being deployed for all this to.

EDIT: oh and after checking xbox.com he has changed the account my email is attached to to "uranousdevotee9" and is just loving it right now with all my accounts purchases...

and yes i know i commented on another story with the same shit but i just found the rest of that out lol

The whole reason these things take forever is because they have to cover their asses so hard. Or at least they did. Maybe now that you can't sue them for every little thing it can speed up a bit haha

Seems like they should almost always disallow these region transfers, unless they have something signed in triplicate in blood or something. How many US Xbox users legitimately move to Russia?