I published a story Wednesday about how Xbox Live users with compromised accounts are waiting at least 25 days, and in excess of 90 days, until regaining access. It ran without a response from Microsoft.
I’d run my questions by Microsoft twice, but in both cases, the company failed to respond, and did not even issue a simple no comment. Given the nature of the article, however, I wasn’t surprised.
After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.
Better late than never, right?
Toulouse is no stranger to getting hacked, either: it happened to him earlier this year.
What follows is a complete transcript of our conversation yesterday, in which we discuss how Toulouse’s team handles compromised accounts, the ways users can protect themselves, why FIFA 12 became a popular target for attackers, and how a 90-day response is unacceptable.
Giant Bomb: To be totally honest, I figured that [fraud] was not under your purview. Maybe that’s more my interpretation of your more public persona of talking more along users who have been banned and piracy.
Stephen Toulouse: It falls under a couple of people’s purview, to be honest. It’s a little bit of product support--that’s the recovery process. My team actually goes through and investigates what the bad guys are trying to do, and how we can implement new things to stop them. I say time and again that security in our industry is a journey, it’s not a destination. With every change, the attackers will pivot and come up with something new. It’s not fully under my purview, but I’m probably the person most versed in the questions that you’re asking.
GB: I know you can’t explicitly explain what you’re trying to push back against. The common techniques I hear are related to phishing scams, which are altered web pages or emails, and social engineering, which happens on the customer service side. Are those still accurate? Are those terms still relevant? How does your team address that?
Toulouse: There’s several pieces of overall advice that we have, and we’ve collected them all, by the way, on xbox.com/security. But just briefly, the attacker is going after the underlying Windows Live ID, and I think a lot of people don’t quite realize their gamertag, being tied to that Windows Live ID, there’s some things that they can do, there are some tools that are provided to help secure that, [which] help make it more difficult for attackers. For instance, we have the ability on Live.com, which is the Windows Live ID site, you can add secondary proofs to your account, secondary notifications when people are trying to take control of the account, for instance you can set up SMS, or you can set one of your PCs to be a trusted PC. There’s a whole series of steps that we’ve outlined on that website, xbox.com/security, that are proactive things that you can help do.
The most common stuff we run into falls into just generally three categories.
The first you just mentioned is phishing. Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured. Another thing is that sometimes people will get notifications on their Xbox or in an email saying "Hey, I can get you into the brand-new, super top secret Halo 4 beta and all you’ve gotta do is give me your password and I’ll put you on the list, and when you log in, it’ll download." Not realizing that they’re giving away their password to their Windows Live ID, and that could compromise their account. Phishing takes a number of [forms].
The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, [like] trying to be careful about your personal information and when you give that out.
The last thing that we’re finding that’s becoming a bit of a problem is people sharing passwords, like using one password for all their gaming sites. If just one of them gets compromised, then suddenly that password list will get handed around to some pretty sophisticated rings of people, who will then try and start attacks of this nature. I think you covered an awful lot of this, I just wanted to confirm that, yeah, that’s the three things that we see that are the big threats.
GB: When they discover an unauthorized purchase or a change of their Avatar or something where they suspect their account has been compromised in some fashion, what is the immediate step they should take to start the process to take their account back to where it was before?
Toulouse: The first thing that they should do is to go to Live.com and try to login and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.
GB: When I put out a call for people to share their stories, 99 out of 100 times, I’m going to get stories of people that aren’t happy with the process or how their particular story played out. That’s the nature of the Internet--they’re going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number of users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?
Toulouse: I think we run a bit into the law of large numbers starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There’s a couple of things going on.
When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attack has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that’s not the issue. The question is how many things the attacker has done to try and make it harder for us.
One of the interesting tidbits of information that most people don’t realize is the attackers will call into us, claiming they’ve been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.
GB: They’re basically testing you so they can learn from the next time they try with another account. To filter out your process so their process can be more efficient.
Toulouse: Exactly, and we try to make our process better at the same time. It points back to that “security is a journey, not a destination” point. We’re like any system. I mean, this is not a problem that banks have solved, but we’re laser focused. We understand that when people have been out of their account for 45 days, that’s really a terrible experience. We certainly want to get better at that, we want to improve our process for those customers, and we’re definitely going to make sure that they’re credited that time and when we give them back their account, that they’re not on the hook for any of that stuff. There’s outliers that need to be done more quickly, absolutely.
GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?
Toulouse: If they saved their games in the cloud, with the new cloud saving feature, they would not be able to access them, but their local saved games would be fine. They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.
GB: Even though the account has been locked down from accessing Xbox Live specifically, they can still log into that local profile and so long as all their saves aren’t in cloud, they can access those, earn achievements, and unless some crazy outlier occurs, that will all just sync together once the account has been recovered.
Toulouse: Yeah. It depends on a couple of things, though, to be crystal clear. If it’s just a matter of giving them back the password, then that’s usually not going to be an issue. If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question. I can look into all the full scenarios if you like, but to be clear, they would still have access to their saved games and all their local stuff.
GB: As long as it’s on a memory card or your hard drive, you’re going to be able to keep playing your Skyrim save until everything gets worked out on Microsoft’s side.
GB: FIFA 12 seemed to be a really large target lately. It wasn’t really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had made it convenient for these phishing attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing “Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs.”
Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That’s one of the things my team does. “Hey, we’re suddenly seeing a Modern Warfare scam, let’s go contact Infinity Ward or Treyarch or Activision.” That’s a key piece of what my team does--it notifies them.
We’ve definitely been working with EA, working to understand it, and what we’ve discovered, basically, is that it’s a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven’t seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it’s just one more way for attackers to create value to turn around and resell a stolen account in another market. I can’t imagine there’s too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.
GB: So you’re not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.
Toulouse: The thing that’s unique about FIFA is that it has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?
GB: When your Xbox Live account becomes compromised, which is then tied to a Windows Live ID, which could also be tied to a Hotmail account, and if it is the primary email account of the user, what sort of complications does that involve, given that account has now been compromised?
Toulouse: If the underlying Windows Live ID of the gamertag is the primary email, then, yes, the attacker has control of the email with all of the associated things that [entails]. They can send mail, they can delete mail, and that’s one of the reasons we lock everything. That way, these attackers can’t take further action on the account.
GB: What is the additional step for the user in that scenario? It’s not like you’re calling customer service every day to get an update. Often times, you’re getting an emailed update that says “hey, the account’s been recovered, here are the steps that you need to take to reset your password, etc, etc.” In the situation where someone is completely involved in the Microsoft ecosystem, are they able to authorize a secondary email so those things can occur? Or does that all happen over the phone at that point?
Toulouse: It does have to happen on the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened.
GB: I have to imagine you and your team must find yourselves in scenarios where during the phone conversations, you figure out this person isn’t who they say they are. What happens in that scenario, where you have the evidence to determine that someone is attempting to trick the system?
Toulouse: We politely end the call, and then that gets noted in the case notes.
GB: One situation I’d heard from users--and this isn’t unique to Microsoft or any company--is that if your account recovery is taking longer than the estimated time, the best thing that you can do is be persistent to make sure companies are aware of your account and you’re getting bumped up in the queue. You mentioned that you could dispute the charges and several users had talked to me about filing something with the Better Business Bureau, and then suddenly would find their accounts magically bumped up the queue. Is that part of the process, where if an outside vendor becomes involved, that it becomes moved up in terms of how it’s addressed?
Toulouse: No, that would be coincidental.
I mean, from our perspective, we can’t go down that route pretty much. We have to make sure that we are doing the cases on a case-by-case basis. Some cases are more complex than others. Many get solved far before the 25 day estimate, and, at that point, we certainly, if customers have not heard from us, we certainly encourage them to contact us. If you’ve hit the 25 day [window] and you haven’t heard from us, please call back in.
GB: A couple of users reported being told by customer service, as their account was being recovered or perhaps transferred to a new one, that certain licenses were more difficult to transfer than others. My theory from that was that there were certain games or services that were no longer available for purchase on Xbox Live, but you can still access if you purchased them in the past. Are some of the license issues related to that, or are they more extraneous circumstances?
Toulouse: They’re super-complex, and the reason that they’re complex is because the Xbox Live service has just evolved so much in the past six or seven years to encompass so many new types of data and licenses and things that customers can do that there’s all sorts of associated complexities when the attacker grabs the account and region migrates it to Russia. Now, there’s a whole bunch of license stuff that has to be repaired, in effect, to bring it back from that region. That’s just an example of some of the complexity. It’s both a function of the amount of different types of licenses, regional issues, whether or not those licenses are still owned or not. There’s just a ton of complexity.
GB: I know you probably can’t dole out the nuance of what your team does to recover an account, but if I had to try and express the frustration of users between what your team has to do in order to bring an account back, is that it should be more a matter of just flipping a switch. It’s in Russia, now change it to America. Can you illuminate a bit more of what’s involved there?
Toulouse: I don’t think people realize, because they’re only in one region, that the reality is that if you live in the UK, you see a much different--a dramatically different--set of content on Xbox Live than you do in the United States. Likewise, [in] Canada, you see a completely different set of content than you’d see in the United States. And that has a lot to do with just the fact that licensing in a worldwide service is really complex, and there’s different studios and different content delivery entities don’t want their stuff necessarily available in certain ways in certain markets and everybody, by the way, has to deal with these challenges. It’s not just Xbox. That’s just one facet of the complexity that people don’t realize.
Having said that, there is no denying that we can’t to get better at this or we want to get faster at this, and get customers’ accounts in their hands as quickly as possible. There’s both a complexity, which, yeah, I certainly want to communicate and have people understand that it’s not as simple as flipping a switch, but at the same time, we hear their feedback that we need to get better and faster at this.
GB: You mentioned the 25 day average. I did hear from a number of users that had it wrapped up in 10 days or less, depending on the complexity of their account and what had occurred. Does that number change through the year, based on how many people use the service? I have to imagine during the holidays, having sold 1.7 million machines, that there’s a lot of people going online, and there’s a lot more people that can be exposed to the worst parts of the Internet.
Toulouse: I think it’s both seasonal, as well as targets of opportunity. By that, I mean when a big title that has something that’s very lucrative and attractive. While, yes, there are ebbs and flows to what the attackers try to do, our goal is to always get that 25 days lower, regardless of how many users, regardless of the attacks--we want to continually try and lower that number.