“Your report of unauthorized access to your Xbox LIVE account has been received by our fraud investigations team.”
That’s the line that begins the process of recovering your Xbox Live account. 25 days is the average time it’s taking for users who wake up to compromised Xbox Live accounts to have them returned, based on the users I’ve been talking to.
Sometimes the fix is shorter, perhaps a turnaround of 10 days, and sometimes it’s far longer, as has been the case for player James DeKay, who has been waiting more than 90 days to access his account.
“My account was jacked on September 3rd,” said DeKay to me recently. “I heard several different numbers from different customer service reps. 21 days. 21 business days. 25 days. 27 days. They still have not fixed my account and will not give me an ETA. It's been [over] 90 days and no end in sight.”
The consequence of being a popular device is becoming a target for the Internet’s worst, who use social engineering tricks to get customer service representatives to unlock accounts. It’s not an issue exclusive to Xbox 360, but many game players are social creatures, and this exposes them to Internet jerks looking for victims.
The platform's been hit with ugly FIFA 12 phishing scams lately, in which users find their accounts used to purchase cards for Electronic Arts’ FIFA Ultimate Team service. When I talked to both EA and Microsoft about the problem in October, neither company said the other was at fault.
“With the popularity of FIFA globally, and the sheer number of players playing the game online, FIFA is an obvious target for phishers and frauds,” said an EA representative to me at the time. “This is why we try to educate FIFA players to take measures to keep their accounts safe.”
Those measures are outlined on EA’s message boards, but users have told me it’s still happening.
Granted, when asking Xbox 360 owners to share stories about customer support, you’re more likely to hear from someone with a bad experience than the opposite. I asked Microsoft about how it’s approaching customer service during the holiday season, one in which Microsoft recently sold more than 1.7 million Xbox 360s during the month of November, and didn’t hear back.
Specifically, I asked them the following questions:
- When a user believes their account has been compromised, what is the first course of action they should take?
- What is the average wait time between an account being "investigated" and it being available to use again?
- I've received conflicting reports where customer service can make their "investigated" account usable offline by making it Silver, which would allow them to keep playing offline games, à la Skyrim. What is the standard policy?
- The average "wait" time I've heard is 25 days. If that period passes, what action should a customer take?
- Is Microsoft experiencing a larger-than-average influx of accounts that need to be "investigated"?
Microsoft did not even issue a “no comment.”
The stories I hear suggest the customer service representatives for Xbox Live are nice, helpful, and seem to be trying their best, but have their hands tied and often cannot offer users much in the way of helpful advice. Customer service does not actually investigate accounts, and all customer service can do is flag the account again and ask the customer to call back.
“My account was hacked about two weeks ago thanks to the whole FIFA debacle,” said Xbox 360 owner Anthony Matarese. “I was told by the MS rep my only option was to suspend my account for at least 25 days and open a new ‘temp to use’ account if I wanted to ‘satisfy my gaming fix.’”
This is the most common response by customer service, according to the users I’ve spoken to. When you ask Microsoft to investigate your account, the gamertag is disconnected from the consoles it’s registered at, and the account is put on lockdown. This means you cannot log into that profile until the investigation team gives the thumbs up, which also means you cannot access downloaded games or saved games. Not being able to jump in and play online-only Battlefield 3 is one thing; it’s quite another to be told your 100-hour journey into The Elder Scrolls V: Skyrim is suddenly on hold due to bad luck.
Before the account is fixed, users are typically offered a free month of Xbox Live, which can either be applied to a brand-new account or saved until the compromised account is recovered. Randall Bennett was one such user.
“I'm hesitant to start the stack of games I bought for my Xbox on my wife’s account in case I get my account back,” said Bennett, whose account was affected way back on August 13, and who has since filed a complaint with the Better Business Bureau. “Skyrim and Gears of War 3 will just be collecting dust in the meantime.”
One user told me customer service promised to temporarily convert his account to Silver, giving him access to his precious saves, but it never happened, and no one else was able to relay a similar tale.
Greg Dobson, for example, hasn’t been able to use Xbox Live since October 16, after discovering someone had used his account to buy $70 worth of FIFA 12 Ultimate Team Cards. He called Microsoft the day after, and was told his account would be “locked down” for 25 days. Nothing has changed, so he called Microsoft yesterday, and was told by a representative that his account would be flagged for review again, and to check back in 10 business days if his account remains unchanged.
“He said I should keep an eye on my account,” said Dobson, “and if I don't see the money in 10 business days call back and have someone resubmit my claim, and then wait another 10 business days to see if the money gets deposited. So now it seems like I'm in some vicious cycle of incompetence. I don't think my next phone call to 1-800-4-MY-XBOX is going to be a pleasant one.”
One user passed along the final email they received from Microsoft, and allowed me to share it with you. The email details the many steps users must take in order to find themselves back on the right path.
“We have completed our investigation of the unauthorized access to your Xbox LIVE account,” reads the standardized email. “As part of our investigation, we took temporary control of your Xbox LIVE account and the associated Windows Live ID. This was done to protect your account until you could take back control of it. Use the following steps to take control of your Xbox LIVE account.”
Read the email below:
You can’t do much to protect yourself from social engineering, but if you think your standard Internet password was compromised in one of the many leaks over the past few years, you might want to get on that really soon.
One avenue that some users have had success with, however, is the @XboxSupport account on Twitter, which is known for being extremely fast to respond. Some users reported finding themselves suddenly bumped up in waiting queues.
The best advice from those already affected is to remain persistent. If your account becomes compromised, get in touch with Microsoft immediately, and continue to ask them about its status when the estimated time customer service provided arrives.
It’s the holidays, which means even more Xbox 360s are being sold every day, and more and more of them will hop online over the next few weeks, as gifts are unwrapped and plugged into a nearby TV. Make sure you’re keeping a close eye on your account.

Oh, that sucks.
I had to wait over a month. It sucked.
Yeah, that situation's annoying as hell... :(
I gave them 25 days, they failed to return control of my account to me or issue my refund. I have now given them a second 25 days and still counting... still unable to access my account and still no refund.
Bummer.
Guess I'm lucky. I've never had any issues with my X360, be it hardware or XBL.
I too am stuck in an incompetence loop.
They 'completed' my investigation but totally botched it and didn't refund me. I called back to try and sort it out and they wanted to start over from scratch, which would take another 30 days.
I am currently waiting on someone from their fraud department (ie not a first level support person) to call me back which they said would take 6 or 7 business days. They have 1 day left before I just call Visa and issue a charge back.
Doesn't Xbox make it abundantly clear that they would never ask for your password?
I still haven't really heard exactly how this stuff happens. And I know it's hard because people forget and they're really sensitive about turning over their info and admitting a mistake on their part.
Modern consoles are really terrible. There's no excuse for the way paying customers are being treated. I don't own a 360 because I'm not willing to pay a monthly fee for something that's completely free on other platforms, not to mention having to deal with godawful customer support and shenanigans like this. It's really a shame. I hope the next generation of consoles does a little better.
I'm praying no one gets into my account. I'd be lost!!!
It took over 60 days for me.
I'm amazed to see any negative news based around the services of Microsoft's Xbox 360.
All the same, this stuff is pretty tame, apart from the locking you out of single player content.
This article has a much more apologetic tone than the many that surrounded the PS3 downtime, which is probably a lesson learned from those attacks and, of course, the many attacks that strike online services every day.
Shit happens, and it takes a while to fix. Same as anything, I suppose.
Could someone fill me in on how the accounts were compromised again? I thought it was just a phishing scandal, and I thought only idiots fell for that stuff.
My account was hacked a couple of months ago and I had an extremely quick turnaround. Instead of contacting Xbox Live immediately, I got in touch with my bank (since I use a debit card on my Live account) and disputed the charges. Within a few days my money was back in my account and my Live account was active the whole time. After I was hacked though, I changed my password to be a lot tougher and I haven't been compromised since then. Also, in October my Xbox Live Gold Subscription ended so when I renewed I removed the debit card from my account and used a prepaid 1-year Gold Subscription code from Amazon to keep my subscription going.
I recommend anyone who has been hacked follow these same steps, as it worked well for me.
1. Contact your bank/credit card company and dispute the FIFA-related charges.
2. Change your Xbox Live password to something more secure.
3. Remove the credit/debit card from your account ASAP and redeem codes from Amazon or other outlets instead of using your card.
So how many of these cases are actual social-engineering against Microsoft employees instead of just people choosing shitty passwords for the e-mail address associated with the LIVE account?
I got hit once, I was on top of it since MS froze someone else's account (the rep didn't type my account correctly)
I just quickly went to forgot password and changed it while I was talking to the rep from MS. She said "well, your secret password or another piece was incorrect." I said... "yes, I know as they changed my secret to something in Chinese that I can't understand but I am fixing my own account as we speak."
Was great doing the legwork myself.....
Don't know if it's just me, but I haven't been able to visit xbox.com for like a week. Results in a redirect loop on both Chrome and Firefox.
Going three months without your Xbox profile must suck something awful. Especially since it's not even your fault that the account was compromised in the first place. Thanks for another informative piece, Patrick.
I also don't use a weak-ass password so that's bullshit too.
@Doctorchimp said:
He means social engineering like:
Hacker calls Xbox and tricks minimum wage CSR into thinking they are you, and resetting your password.