Xbox Live is an extremely popular service, featuring a bunch of users with credit cards oh-so-conveniently attached to their accounts, so it’s an obvious target for scammers. Getting emails from users who’ve had their accounts compromised is nothing new; it happens every single day. Tide goes in, tide goes out.
There was something different about the stream of emails from the past week, with a bunch of users mentioning FIFA. The first confusing tip-off these users had was finding FIFA 11 in their game library, despite never having played it.
“12th october 2011, i get a phone call while i am at work off my brother,” wrote one user. “he asks me what on earth am i doing at home and why the hell am i playing Fifa 12 ( he knows i hate football) i explain i am at work and i would not play fifa 12 even if i was being forced by a knife point held at my groin with the imminent threat of genital removal.”
“I had my account hacked back at the beginning of August,” said another. “First time that had happened on any system. I had my account suspended the day it happened but it took over a month to get my account restored. The crazy part was they didn't buy anything with my points. When I got my account back the only activity was they played some FIFA '12.”
Similar stories can be found inside my inbox from dozens of different readers. Something was up. A few noticed achievements for FIFA 11 or FIFA 12 had been unlocked, others found hundreds of dollars missing from their bank accounts thanks to a series of point purchases, and many noticed the people accessing their account were interested in purchasing tons and tons of cards for FIFA Ultimate Team.
The common thread, however, was FIFA. But why? How? FIFA? A Google search brings up exponentially more stories of digital soccer woes from users of Xbox Live. To Microsoft’s credit, many appear quickly resolved.
“With the popularity of FIFA globally, and the sheer number of players playing the game online, FIFA is an obvious target for phishers and frauds,” said an Electronic Arts representative to me. “This is why we try to educate FIFA players to take measures to keep their accounts safe.”
EA outlines steps to protect your account in a message board post, which is comprehensive and worth reading, but its sheer existence suggests account exploitation has been an issue EA has been forced to pay attention to.
“We haven’t seen a spike or increase in reports of FIFA 12 players having their accounts hacked,” said the rep. “With the launch of FIFA 12 it likely has just shifted renewed focus onto this particular game.”
Microsoft, however, seemed to acknowledge there had been a spike in activity lately.
“We do not have any evidence the Xbox Live service has been compromised,” said a representative. “We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts.”
The company did outright reject any theories--of which I’ve heard many at this point--running around the Internet about a major security glitch exploitable in the FIFA games.
“It’s not a title-specific issue and is coincidental that FIFA has been tied to a number of compromised accounts,” said the rep.
The largest issue facing Xbox Live and similar services is social engineering, in which outsiders attempt to trick customer service systems into unlocking accounts. I filed a story with MTV News back in 2008 about Xbox Live’s problems with social engineering, where even Bungie Studios employees were not safe. At the time, users were being targeted because their accounts had gained access to Halo 3’s elusive multiplayer “Recon” armor, which could not be unlocked in the game. It was special.
Think about how much information about you is on the Internet. Can you imagine it being terribly difficult for someone to fill in the blanks? How many different security codes are linked to your mother’s maiden name, which is probably featured on her not-properly-secured Facebook page?
Then, remember the PlayStation Network information implosion. And the Gawker Media incident. The list goes on.
"People don't hack accounts by using programs and any other bullsh-- that you hear around [Xbox Live]," said a user who publicly admitted to compromising Microsoft’s systems back in 2008. "It's as simple as picking up the phone."
It's more complicated than that, of course, but the underlying point remains the same.
Microsoft has made reforms to its system, but no system is perfect, and social engineering remains a threat. As we become more comfortable with more information available, there will be more ammunition for those hoping to take advantage of us.
Halo 3 spurred these issues three years ago; today it’s FIFA 12. Different day, different game, same issues.
In the meantime, maybe change your password and alter your mom's Facebook privacy settings.

Coincidence!?
Top Men
Sure, EA, suuuure.
It's ultimate team. Websites that sell accounts for cheap with a lot of points stored on them have started going out of their way to steal people's gamertags to sell on to other people, mainly to buy things in FIFA 11 and 12. It's been going on a lot for the last few years, but this year there's been a lot of gamertag hacking.
So if I were to put a gun and a copy of Fifa 12 on a table and told him to use one... He'd off himself?
The secret answer to my secret question is just another password, not actually my hometown. :p
Where there are a ton of people spending time/money, nasty people will find a way to steal their money.
This actually happened to me 2 weeks ago while I was at work. Saw a bunch of emails from Xbox Live about buying points. Whoever got my account bought 300 bucks worth of points. I called Microsoft and my account got put on hold. I asked the Microsoft person if this has been happening a lot. She told me not at all. Then I called Visa and the manager told me he saw this very thing happen 8 times that day. As a customer of Microsoft and EA, they should warn people about this. And I have to wait 30 days to get money back. Not cool.
Actually this happened to me too. My XBL account got hacked and when I got it back FIFA was suddenly there on my achievements list. FUCK FEEFAAA.
The Nigerian Prince gives FIFA 12 5 stars. In stores now.
You know... I once turned on my PS2 and my memory card suddenly had a save for FIFA 2008. I didn't play a FIFA game since FIFA 97. The save is still there to this day. True story.
I was hoping for more from this article but.... well there really isn't anything else to say.
I hope Microsoft doesn't try to play this down like it's no big thing.
On NeoGAF there were literally dozens and dozens of victims in a single thread, and not just people having access to your identity, but actual theft, hundreds of dollars being charged from their bank accounts.
@Poki3: I put that there. Thought you'd like it.
My Live account was hacked in the beginning of September. The hijackers charged my account for about $70 in points. I immediately suspended the account with Microsoft and I am still waiting to get it reactivated. 6 weeks of call center hell so far.
Same thing happened to me, I noticed when I saw the fraudulent charges show up on my credit card statement. But since I haven't and now can't log into my account, I couldn't see exactly what the points were spent on. Now I just logged onto my account via the Xbox website and lo and behold, the most recently played game was Fifa 2012. #FIFAconspiracy
People that play Fifa are terrible people confirmed?
Really though, there are people that think credit card theft is worth it to get some stupid fucking virtual cards for a fucking soccer game?
What makes this all even worse is that Microsoft has made it a huge pain in the ass to protect yourself against this kind of stuff. You cannot remove any credit or debit cards tied to your account because of their auto-renew bullshit. You have to call them to convince them to remove it.
Ring up. Say you want it NOW or you'll take further action. They'll fix it asap. They did after 3 weeks of hell when I had to call for another reason. After threatening that they fixed it 40 minutes later.