I published a story Wednesday about how Xbox Live users with compromised accounts are waiting at least 25 days, and in excess of 90 days, until regaining access. It ran without a response from Microsoft.

I’d run my questions by Microsoft twice, but in both cases, the company failed to respond, and did not even even issue a simple no comment. Given the nature of the article, however, I wasn’t surprised.

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

Better late than never, right?

Toulouse is no stranger to getting hacked, either: it happened to him earlier this year.

What follows is a complete transcript of our conversation yesterday, in which we discuss how Toulouse’s team handles compromised accounts, the ways users can protect themselves, why FIFA 12 became a popular target for attackers, and how a 90 day response is unacceptable.

***

Giant Bomb: To be totally honest, I figured that [fraud] was not under your purview. Maybe that’s more my interpretation of your more public persona of talking more along users who have been banned and piracy.

Stephen Toulouse: It falls under a couple of people’s purview, to be honest. It’s a little bit of product support--that’s the recovery process. My team actually goes through and investigates what the bad guys are trying to do, and how we can implement new things to stop them. I say time and again that security in our industry is a journey, it’s not a destination. With every change, the attackers will pivot and come up with something new. It’s not fully under my purview, but I’m probably the person most versed in the questions that you’re asking.

GB: I know you can’t explicitly explain what you’re trying to push back against. The common techniques I hear are related to phishing scams, which are altered web pages or emails, and social engineering, which happens on the customer service side. Are those still accurate? Are those terms still relevant? How does your team address that?

Toulouse: There’s several pieces of overall advice that we have, and we’ve collected them all, by the way, on xbox.com/security. But just briefly, the attacker is going after the underlying Windows Live ID, and I think a lot of people don’t quite realize their gamertag, being tied to that Windows Live ID, there’s some things that they can do, there are some tools that are provided to help secure that, [which] help make it more difficult for attackers. For instance, we have the ability on Live.com, which is the Windows Live ID site, you can add secondary proofs to your account, secondary notifications when people are trying to take control of the account, for instance you can set up SMS, or you can set one of your PCs to be a trusted PC. There’s a whole series of steps that we’ve outlined on that website, xbox.com/security, that are proactive things that you can help do.

The most common stuff we run into fall into just generally three categories.

The first you just mentioned is phishing. Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured. Another thing is that sometimes people will get notifications on their Xbox or in an email saying "Hey, I can get you into the brand-new, super top secret Halo 4 beta and all you’ve gotta do is give me your password and I’ll put you on the list, and when you log in, it’ll download." Not realizing that they’re giving away their password to their Windows Live ID, and that could compromise their account. Phishing takes a number of [forms].

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, [like] trying to be careful about your personal information and when you give that out.

The last thing that we’re finding that’s becoming a bit of a problem is people sharing passwords, like using one password for all their gaming sites. If just one of them gets compromised, then suddenly that password list will get handed around to some pretty sophisticated rings of people, who will then try and start attacks of this nature. I think you covered an awful lot of this, I just wanted to confirm that, yeah, that’s the three things that we see that are the big threats.

GB:When they discover an unauthorized purchase or a change of their Avatar or something where they suspect their account has been compromised in some fashion, what is the immediate step they should take to start the process to take their account back to where it was before?

Toulouse: The first thing that they should do is to go to Live.com and try to login and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

GB: When I put out a call for people to share their stories, 99 out of 100 times, I’m going to get stories of people that aren’t happy with the process or how their particular story played out. That’s the nature of the Internet--they’re going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?

Toulouse: I think we run a bit into the law of large numbers starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There’s a couple of things going on.

When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attack has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that’s not the issue. The question is how many things the attacker has done to try and make it harder for us.

One of the interesting tidbits of information that most people don’t realize is the attackers will call into us, claiming they’ve been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.

GB: They’re basically testing you so they can learn from the next time they try with another account. To filter out your process so their process can be more efficient.

Toulouse: Exactly, and we try to make our process better at the same time. It points back to that “security is a journey, not a destination” point. We’re like any system. I mean, this is not a problem that banks have solved, but we’re laser focused. We understand that when people has been out of their account for 45 days, that’s really a terrible experience. We certainly want to get better at that, we want to improve our process for those customers, and we’re definitely going to make sure that they’re credited that time and when we give them back their account, that they’re not on the hook for any of that stuff. There’s outliers that need to be done more quickly, absolutely.

GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?

Toulouse: If they saved their games in the cloud, with the new cloud saving feature, they would not be able to access them, but their local saved games would be fine. They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.

GB: Even though the account has been locked down from accessing Xbox Live specifically, they can still log into that local profile and so long as all their saves aren’t in cloud, they can access those, earn achievements, and unless some crazy outlier occurs, that will all just sync together once the account has been recovered.

Toulouse: Yeah. It depends on a couple of things, though, to be crystal clear. If it’s just a matter of giving them back the password, then that’s usually not going to be an issue. If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question. I can look into all the full scenarios if you like, but to be clear, they would still have access to their saved games and all their local stuff.

GB: As long as it’s on a memory card or your hard drive, you’re going to be able to keep playing your Skyrim save until everything gets worked out on Microsoft’s side.

Toulouse: Right.

GB: FIFA 12 seemed to be a really large target lately. It wasn’t really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had made it convenient for these phishinmg attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing “Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs.”

Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That’s one of the things my team does. “Hey, we’re suddenly seeing a Modern Warfare scam, let’s go contact Infinity Ward or Treyarch or Activision.” That’s a key piece of what my team does--it notifies them.

We’ve definitely been working with EA, working to understand it, and what we’ve discovered, basically, is that it’s a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven’t seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it’s just one more way for attackers to create value to turn around and resell a stolen account in another market. I can’t imagine there’s too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.

GB: So you’re not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.

Toulouse: The thing that’s unique about FIFA is that is has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

GB: When your Xbox Live account becomes compromised, which is then tied to a Windows Live ID, which could also be tied to a Hotmail account, and if it is the primary email account of the user, what sort of complications does that involve, given that account has now been compromised?

Toulouse: If the underlying Windows Live ID of the gamertag is the primary email, then, yes, the attacker has control of the email with all of the associated things that [entails]. They can send mail, they can delete mail, and that’s one of the reasons we lock everything. That way, these attackers can’t take further action on the account.

GB: What is the additional step for the user in that scenario? It’s not like you’re calling customer service every day to get an update. Often times, you’re getting an emailed update that says “hey, the account’s been recovered, here are the steps that you need to take to reset your password, etc, etc.” In the situation where someone is completely involved in the Microsoft ecosystem, are they able to authorize a secondary email so those things can occur? Or does that all happen over the phone at that point?

Toulouse: It does have to happen on the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened.

GB: I have to imagine you and your team must find yourselves in scenarios where during the phone conversations, you figure out this person isn’t who they say they are. What happens in that scenario, where you have the evidence to determine that someone is attempting to trick the system?

Toulouse: We politely end the call, and then that gets noted in the case notes.

GB: One situation I’d heard from users--and this isn’t unique to Microsoft or any company--is that if your account recovery is taking longer than the estimated time, the best thing that you can do is be persistent to make sure companies are aware of your account and you’re getting bumped up in the queue. You mentioned that you could dispute the charges and several users had talked to me about filing something with the Better Business Bureau, and then suddenly would find their accounts magically bumped up the queue. Is that part of the process, where if an outside vendor becomes involved, that it becomes moved up in terms of how it’s addressed?

Toulouse: No, that would be coincidental.

I mean, from our perspective, we can’t go down that route pretty much. We have to make sure that we are doing the cases on a case-by-case basis. Some cases are more complex than others. Many get solved far before the 25 day estimate, and, at that point, we certainly, if customers have not heard from us, we certainly encourage them to contact us. If you’ve hit the 25 day [window] and you haven’t heard from us, please call back in.

GB: A couple of users reported being told by customer service, as their account was being recovered or perhaps transferred to a new one, that certain licenses were more difficult to transfer than others. My theory from that was that there were certain games or services that were no longer available for purchase on Xbox Live, but you can still access if you purchased them in the past. Are some of the license issues related to that, or are they more extraneous circumstances?

Toulouse: They’re super-complex, and the reason that they’re complex is because the Xbox Live service has just evolved so much in the past six or seven years to encompass so many new types of data and licenses and things that customers can do that there’s all sorts of associated complexities when the attacker grabs the account and region migrates it to Russia. Now, there’s a whole bunch of license stuff that has to be repaired, in effect, to bring it back from that region. That’s just an example of some of the complexity. It’s both a function of the amount of different types of licenses, regional issues, whether or not those licenses are still owned or not. They’re just a ton of complexity.

GB: I know you probably can’t dole out the nuance of what your team does to recover an account, but if I had to try and express the frustration of users between what your team has to do in order to bring an account back, is that it should be more a matter of just flipping a switch. It’s in Russia, now change it to America. Can you illuminate a bit more of what’s involved there?

Toulouse: I don’t think people realize, because they’re only in one region, that the reality is that if you live in the UK, you see a much different--a dramatically different--set of content on Xbox Live than you do in the United States. Likewise, [in] Canada, you see a completely different set of content than you’d see in the United States. And that has a lot to do with just the fact that licensing in a worldwide service is really complex, and there’s different studios and different content delivery entities don’t want their stuff necessarily available in certain ways in certain markets and everybody, by the way, has to deal with these challenges. It’s not just Xbox. That’s just one facet of the complexity that people don’t realize.

Having said that, there is no denying that we can’t to get better at this or we want to get faster at this, and get customers’ accounts in their hands as quickly as possible. There’s both a complexity, which, yeah, I certainly want to communicate and have people understand that it’s not as simple as flipping a switch, but at the same time, we hear their feedback that we need to get better and faster at this.

GB: You mentioned the 25 day average. I did hear from a number of users that had it wrapped up in 10 days or less, depending on the complexity of their account and what had occurred. Does that number change through the year, based on how many people use the service? I have to imagine during the holidays, having sold 1.7 million machines, that there’s a lot of people going online, and there’s a lot more people that can be exposed to the worst parts of the Internet.

Toulouse: I think it’s both seasonal, as well as targets of opportunity. By that, I mean when a big title that has something that’s very lucrative and attractive. While, yes, there are ebbs and flows to what the attackers try to do, our goal is to always get that 25 days lower, regardless of how many users, regardless of the attacks--we want to continually try and lower that number.

I published a story Wednesday about how Xbox Live users with compromised accounts are waiting at least 25 days, and in excess of 90 days, until regaining access. It ran without a response from Microsoft.

I’d run my questions by Microsoft twice, but in both cases, the company failed to respond, and did not even even issue a simple no comment. Given the nature of the article, however, I wasn’t surprised.

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

Better late than never, right?

Toulouse is no stranger to getting hacked, either: it happened to him earlier this year.

What follows is a complete transcript of our conversation yesterday, in which we discuss how Toulouse’s team handles compromised accounts, the ways users can protect themselves, why FIFA 12 became a popular target for attackers, and how a 90 day response is unacceptable.

***

Giant Bomb: To be totally honest, I figured that [fraud] was not under your purview. Maybe that’s more my interpretation of your more public persona of talking more along users who have been banned and piracy.

Stephen Toulouse: It falls under a couple of people’s purview, to be honest. It’s a little bit of product support--that’s the recovery process. My team actually goes through and investigates what the bad guys are trying to do, and how we can implement new things to stop them. I say time and again that security in our industry is a journey, it’s not a destination. With every change, the attackers will pivot and come up with something new. It’s not fully under my purview, but I’m probably the person most versed in the questions that you’re asking.

GB: I know you can’t explicitly explain what you’re trying to push back against. The common techniques I hear are related to phishing scams, which are altered web pages or emails, and social engineering, which happens on the customer service side. Are those still accurate? Are those terms still relevant? How does your team address that?

Toulouse: There’s several pieces of overall advice that we have, and we’ve collected them all, by the way, on xbox.com/security. But just briefly, the attacker is going after the underlying Windows Live ID, and I think a lot of people don’t quite realize their gamertag, being tied to that Windows Live ID, there’s some things that they can do, there are some tools that are provided to help secure that, [which] help make it more difficult for attackers. For instance, we have the ability on Live.com, which is the Windows Live ID site, you can add secondary proofs to your account, secondary notifications when people are trying to take control of the account, for instance you can set up SMS, or you can set one of your PCs to be a trusted PC. There’s a whole series of steps that we’ve outlined on that website, xbox.com/security, that are proactive things that you can help do.

The most common stuff we run into fall into just generally three categories.

The first you just mentioned is phishing. Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured. Another thing is that sometimes people will get notifications on their Xbox or in an email saying "Hey, I can get you into the brand-new, super top secret Halo 4 beta and all you’ve gotta do is give me your password and I’ll put you on the list, and when you log in, it’ll download." Not realizing that they’re giving away their password to their Windows Live ID, and that could compromise their account. Phishing takes a number of [forms].

The second is really about social engineering. I think that’s a fairly well understood space, even though there’s not a whole lot, in general, that can be done from a product standpoint, as much as there is from a user education standpoint, [like] trying to be careful about your personal information and when you give that out.

The last thing that we’re finding that’s becoming a bit of a problem is people sharing passwords, like using one password for all their gaming sites. If just one of them gets compromised, then suddenly that password list will get handed around to some pretty sophisticated rings of people, who will then try and start attacks of this nature. I think you covered an awful lot of this, I just wanted to confirm that, yeah, that’s the three things that we see that are the big threats.

GB:When they discover an unauthorized purchase or a change of their Avatar or something where they suspect their account has been compromised in some fashion, what is the immediate step they should take to start the process to take their account back to where it was before?

Toulouse: The first thing that they should do is to go to Live.com and try to login and try to change the password on the account. Sometimes the attacker won’t change the password. Once that’s done, they’ve re-assumed control of the account, and they should recover their gamertag to their console--or attempt to. Then, they can dispute the charge with their bank or they can give us a call and we can start the process to refund the points. If they cannot log into Live.com or recover the account, they should immediately call us.

GB: When I put out a call for people to share their stories, 99 out of 100 times, I’m going to get stories of people that aren’t happy with the process or how their particular story played out. That’s the nature of the Internet--they’re going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?

Toulouse: I think we run a bit into the law of large numbers starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There’s a couple of things going on.

When we say 25 days, just to be clear, that’s kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there’s some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attack has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that’s not the issue. The question is how many things the attacker has done to try and make it harder for us.

One of the interesting tidbits of information that most people don’t realize is the attackers will call into us, claiming they’ve been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.

GB: They’re basically testing you so they can learn from the next time they try with another account. To filter out your process so their process can be more efficient.

Toulouse: Exactly, and we try to make our process better at the same time. It points back to that “security is a journey, not a destination” point. We’re like any system. I mean, this is not a problem that banks have solved, but we’re laser focused. We understand that when people has been out of their account for 45 days, that’s really a terrible experience. We certainly want to get better at that, we want to improve our process for those customers, and we’re definitely going to make sure that they’re credited that time and when we give them back their account, that they’re not on the hook for any of that stuff. There’s outliers that need to be done more quickly, absolutely.

GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?

Toulouse: If they saved their games in the cloud, with the new cloud saving feature, they would not be able to access them, but their local saved games would be fine. They would be able to continue to play on a local profile, earning achievements and doing everything else and then when they finally get to Xbox Live, once we recover the account for them, and give them the account back, then they should synchronize.

GB: Even though the account has been locked down from accessing Xbox Live specifically, they can still log into that local profile and so long as all their saves aren’t in cloud, they can access those, earn achievements, and unless some crazy outlier occurs, that will all just sync together once the account has been recovered.

Toulouse: Yeah. It depends on a couple of things, though, to be crystal clear. If it’s just a matter of giving them back the password, then that’s usually not going to be an issue. If they have to recover the account again to their Xbox, that’s a case where it will overwrite the profile that’s local. There are some circumstances where they might lose achievements that they’ve earned. I don’t know all the edge cases, by the way, that’s more of a support question. I can look into all the full scenarios if you like, but to be clear, they would still have access to their saved games and all their local stuff.

GB: As long as it’s on a memory card or your hard drive, you’re going to be able to keep playing your Skyrim save until everything gets worked out on Microsoft’s side.

Toulouse: Right.

GB: FIFA 12 seemed to be a really large target lately. It wasn’t really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had made it convenient for these phishinmg attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing “Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs.”

Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That’s one of the things my team does. “Hey, we’re suddenly seeing a Modern Warfare scam, let’s go contact Infinity Ward or Treyarch or Activision.” That’s a key piece of what my team does--it notifies them.

We’ve definitely been working with EA, working to understand it, and what we’ve discovered, basically, is that it’s a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven’t seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it’s just one more way for attackers to create value to turn around and resell a stolen account in another market. I can’t imagine there’s too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.

GB: So you’re not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.

Toulouse: The thing that’s unique about FIFA is that is has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That’s one of the things we’re working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?

GB: When your Xbox Live account becomes compromised, which is then tied to a Windows Live ID, which could also be tied to a Hotmail account, and if it is the primary email account of the user, what sort of complications does that involve, given that account has now been compromised?

Toulouse: If the underlying Windows Live ID of the gamertag is the primary email, then, yes, the attacker has control of the email with all of the associated things that [entails]. They can send mail, they can delete mail, and that’s one of the reasons we lock everything. That way, these attackers can’t take further action on the account.

GB: What is the additional step for the user in that scenario? It’s not like you’re calling customer service every day to get an update. Often times, you’re getting an emailed update that says “hey, the account’s been recovered, here are the steps that you need to take to reset your password, etc, etc.” In the situation where someone is completely involved in the Microsoft ecosystem, are they able to authorize a secondary email so those things can occur? Or does that all happen over the phone at that point?

Toulouse: It does have to happen on the background because we can’t, again, as I mentioned, the attackers call us all the time. We also don’t want to get into a situation where if I don’t like you, I just call up and say I’m you and get your account locked. “Hey, I’m Patrick and my account’s been stolen, I need you to lock it--quick, quick!” We have to do a whole set of who is really who in this case, and this involves taking a step back and looking at a lot of data to understand not just what we’re being told, but what really happened.

GB: I have to imagine you and your team must find yourselves in scenarios where during the phone conversations, you figure out this person isn’t who they say they are. What happens in that scenario, where you have the evidence to determine that someone is attempting to trick the system?

Toulouse: We politely end the call, and then that gets noted in the case notes.

GB: One situation I’d heard from users--and this isn’t unique to Microsoft or any company--is that if your account recovery is taking longer than the estimated time, the best thing that you can do is be persistent to make sure companies are aware of your account and you’re getting bumped up in the queue. You mentioned that you could dispute the charges and several users had talked to me about filing something with the Better Business Bureau, and then suddenly would find their accounts magically bumped up the queue. Is that part of the process, where if an outside vendor becomes involved, that it becomes moved up in terms of how it’s addressed?

Toulouse: No, that would be coincidental.

I mean, from our perspective, we can’t go down that route pretty much. We have to make sure that we are doing the cases on a case-by-case basis. Some cases are more complex than others. Many get solved far before the 25 day estimate, and, at that point, we certainly, if customers have not heard from us, we certainly encourage them to contact us. If you’ve hit the 25 day [window] and you haven’t heard from us, please call back in.

GB: A couple of users reported being told by customer service, as their account was being recovered or perhaps transferred to a new one, that certain licenses were more difficult to transfer than others. My theory from that was that there were certain games or services that were no longer available for purchase on Xbox Live, but you can still access if you purchased them in the past. Are some of the license issues related to that, or are they more extraneous circumstances?

Toulouse: They’re super-complex, and the reason that they’re complex is because the Xbox Live service has just evolved so much in the past six or seven years to encompass so many new types of data and licenses and things that customers can do that there’s all sorts of associated complexities when the attacker grabs the account and region migrates it to Russia. Now, there’s a whole bunch of license stuff that has to be repaired, in effect, to bring it back from that region. That’s just an example of some of the complexity. It’s both a function of the amount of different types of licenses, regional issues, whether or not those licenses are still owned or not. They’re just a ton of complexity.

GB: I know you probably can’t dole out the nuance of what your team does to recover an account, but if I had to try and express the frustration of users between what your team has to do in order to bring an account back, is that it should be more a matter of just flipping a switch. It’s in Russia, now change it to America. Can you illuminate a bit more of what’s involved there?

Toulouse: I don’t think people realize, because they’re only in one region, that the reality is that if you live in the UK, you see a much different--a dramatically different--set of content on Xbox Live than you do in the United States. Likewise, [in] Canada, you see a completely different set of content than you’d see in the United States. And that has a lot to do with just the fact that licensing in a worldwide service is really complex, and there’s different studios and different content delivery entities don’t want their stuff necessarily available in certain ways in certain markets and everybody, by the way, has to deal with these challenges. It’s not just Xbox. That’s just one facet of the complexity that people don’t realize.

Having said that, there is no denying that we can’t to get better at this or we want to get faster at this, and get customers’ accounts in their hands as quickly as possible. There’s both a complexity, which, yeah, I certainly want to communicate and have people understand that it’s not as simple as flipping a switch, but at the same time, we hear their feedback that we need to get better and faster at this.

GB: You mentioned the 25 day average. I did hear from a number of users that had it wrapped up in 10 days or less, depending on the complexity of their account and what had occurred. Does that number change through the year, based on how many people use the service? I have to imagine during the holidays, having sold 1.7 million machines, that there’s a lot of people going online, and there’s a lot more people that can be exposed to the worst parts of the Internet.

Toulouse: I think it’s both seasonal, as well as targets of opportunity. By that, I mean when a big title that has something that’s very lucrative and attractive. While, yes, there are ebbs and flows to what the attackers try to do, our goal is to always get that 25 days lower, regardless of how many users, regardless of the attacks--we want to continually try and lower that number.

I was thinking about Stepto and the issue with his account being hacked a couple months ago just yesterday. Weird.

@JoeyRavn said:

I was thinking about Stepto and the issue with his account being hacked a couple months ago just yesterday. Weird.

I forgot about that! Added a note about it. Thanks.

I don't think he mentioned it, but all that stuff's either on the official site and/or Live.com.

@patrickklepek:

In fairness, that wasn't really MS's fault

Dat exclusiveness.

Nice interview Patrick!

But you're not playing Skyrim Patrick. ;)
 
Anyway cool interview dude. It's nice to occasionally read about behind the scenes stuff with this overly secretive industry. This sheds some light on how crazy things can get for MS when accounts get hacked. It sounds like a not fun process for both the consumer and company.

Great interview. I like how Giant Bomb has been getting a lot of exclusive stories since Patrick joined the team.

TL,DR

I'll just assume Mircosoft is still evil.

(Only kidding!)

I didn't know about the Xbox security page, it has some pretty helpful info there. Added a mobile number and set a trusted PC from that page. Excellent article Patrick, and thanks to Stepto for taking the time to shed some info.

@patrickklepek said:

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

They don't give a shit until you call them out.

Well that didn't take long.

Patrick Klepek dropping bombs on this issue.

My account was hacked August 12. The person didn't change the password, but the account was transferred to Poland and STILL hasn't been transferred back, over 4 months later. My money's been refunded, but the account is still pretty useless. I've basically just resigned myself to starting a new Live account and being done with it.

The piece about there not being a "switch" seems pretty disingenuous. There was a "switch" that got flipped to have my account transferred to Poland, right? It happened in less than an hour. If the switch doesn't exist to flip someone back to an earlier state, then that switch should be created. Talking about licensing seems like it's just a smoke screen because everyone always say "oh, yeah, well licensing CAN be tough."

Now, we need the entire internet to link to this, and talk about it.
 
And even though it doesn't cover all cases, people need to use unique passwords for places ¨<

Oh, hey, sure, you can keep playing your games, no problem. What? Yeah, when you recover your profile it'll overwrite your achievements but that's no big deal, right?

ಠ_ಠ

TOP SECRET HALO 4 BETA?!?!

Great article, Patrick. Stepto didn't exactly reveal any new information. A lot of it just seems by the numbers.

He mentions going to xbox.com to fix many of the problems. I haven't been able to get xbox.com to work on either firefox or chrome for like a month. Results in a redirect loop. I've tried using internet explorer and am able to get to the homepage, but anything else results in a page that says something along the line of "oops, that shouldn't have happened. you've found a bug in our system".

I'm on day 7 of the 25 day process. I'll tell you this much though - I was NOT phished in anyway. I'm a 32 year old IT professional with 10 years experience in this field. I know a phish when I see one, I'm not the kind of guy to try and get free points or early access to anything (hell, even if I did get early access it would be useless with my daughter around - toddlers are real time consuming). Also I did a search with Malware Bytes and SuperAntiSpyware immediately after I noticed the intrusion and there was nothing found at all.

But yet 1920 MSP that I had on my account had been spent on FIFA booster card packs. I'm just grateful they didn't use my card to buy more or do anything else. But I would like to put it to Mr Toulouse that we're not seeing social engineering at work - at least not on my side.

Anyway, I'm recording the entire process - expect to see it on Eurogamer soon if all goes well.

P.S. Patrick - you rock for this Interview, it was a great read.

Pretty much reads like a support FAQ from their website, but okay.

Used to follow Stepto on Twitter. Guy comes across generally as a douche bag. I guess you kind of have to be in his role as Master of the XBL Hammer, but still.

He could have saved some time and just boiled it down into one sentence: "Yeah, we're going to try and be better about this...but not really."

SCOOPZ MAN AT IT AGAIN!

@Rincewind: Dropping giant bombs on it?

Microsoft is evil because Stepto misused the phrase "law of large numbers."

Patrick, I need to know right now brother. Do you like Skyrim? Also, nice interview, but I do agree that the whole licensing synopsis is way too vague.

"To be clear, to be clear, to be clear..."

As someone who is absolutely entrenched in the Microsoft ecosystem, everything hinges on my Windows Live ID. My gaming console, my email, my cloud storage, even my (Windows) phone, all of these devices and services I use have the point of commonality that is Windows Live ID.

While using a different email account and password combo for everything would make me more secure, that would be extremely inconvenient. I could use one of the various password services out there that create super complicated stuff, but that would be painful for the times I need to put my password in on my Xbox or my phone.

I consider myself a smart internet user. I don't give my password out, and I feel my top tier password is fairly secure with lower and upper case letters, numbers, and symbols. But I still wish I could know how these XBL/WL ID accounts are being compromised. I doubt it would happen to me, and I understand why Toulouse didn't want to talk specifics, but knowing would definitely make me feel more secure.

Great interview, but I wish you had asked him about a recent story (sorry can't find the link) about a journalist whose 360 got hacked. He said the reason this is so prevalent on Xbox vs PS3 is that when using a new console, Sony asks for your extra three numbers on the back of your credit card, while MS doesn't--making it far easier to hack. If this really is just phishing, that seems like a really simple fix on their end to make it a whole lot harder to get access.

Great interview, very interesting.  
 
Good job, Patrick!

Good job, Patrick. On both articles.

Great interview, although he didn't reveal that much. But in cases like this, when people have to wait for a long time and quite some things are not that clear, it's always nice to get some information.

Great article. Good that you don't skirt around the harder questions. Well done.

I must have been an exception. It was 21 days for me. My particular compromise was not a FIFA "hack." I can also say, after working in IT for ten years, I would think I can spot a phishing attempt via email from miles away.

I think the weakness came from the live.com side of things. I had not used my new 360 in almost two months and someone had added funds to the account and then bought a PC MMO (that they couldn't even play). I still have a hard time figuring out "how" the system was compromised because since the Sony fiasco I've changed all my passwords EVERYWHERE to be something unique. That is a major chore, I have an app that helps me keep track. I also don't use public wifi or open wifi at my home.

Did Microsoft do right by me? Sure, 20+ days later with a locked account during AAA title season. I couldn't play PC games that had GFWL either. I'm glad they worked with me and helped me through the process. They were even forthcoming with updated info when I called two weeks into the process for an update. It's just unfortunate that everything had to be locked down, but I understand.

Even though "35 million" accounts go through there, there HAS been an increase in problems somewhere. Just google it. I do have a hard time accepting that social engineering and phishing just got lucky and stepped up it's game. Still, it's like SPAM ratios. 1% of 35 million is an incredibly high number.

Since, the Sony ordeal, I've removed my credit card from every online account I've had, or so I thought. I still need to do it with the 360, but I'm finding that to be complex. It's my own fault for not being proactive enough. The big companies want to make it easy for me to purchase things through their console (and rightfully so for them), but there has got to be more assertivness, transparency, and protection in place.

I just don't trust the system in it's current state anymore.

I like this stuff, keep it up Patrick!

I think microsoft is doing the best they can with this issue. it sucks that it happens.

Sony did a good move with their privacy leak, but at the same time they didn't actually have hacked accounts they had to investigate as far as I know.

I guarantee Sony wouldn't be as fast or reliable in retrieving and recovering online accounts that had been compromised as XBL support is.

The problem is the average joe can complain about times, but because it was someone from GB complaining, they were answered immediately.

Patrick is on the case, one question at a time.

Just sayin' good questions!

Great Interview Patrick, but you forgot to call him an asshole at the end.

You cant really blame Microsoft. Its like the same problem Blizzard has with World of Warcraft. Its all down to users being stupid with their account information.

I am in the same boat as Mr Tom. My account is/was secured, yet it still became compromised - FIFA Cards Bought - and I was locked down for 27 days. Unless they are really good, they did not guess this password as it is the only place it is used - it is unique and complex. So I wish you had pushed him on the issue perhaps being on the Microsoft side - these are not the users fault in many cases.

@Axxol said:

@patrickklepek said:

After the story ran, Microsoft reached out, apologized for not responding faster, and quickly set up an interview time with Stephen “Stepto” Toulouse, the director of policy and enforcement for Xbox Live.

They don't give a shit until you call them out.

At first, when I read the article, I thought it was cool of Steven to respond, but then I read your comment and realized the truth.

Stephen Toulouse has always come off as an extremely self-important douchebag. It still holds true.

@barberforce said:

You cant really blame Microsoft. Its like the same problem Blizzard has with World of Warcraft. Its all down to users being stupid with their account information.

Pretty sure most of the affected were not stupid with their information. Thanks for the assumption though.

Is the additional security thing of adding a mobile phone and trusted PC a US-only perk? Can't seem to find anything on live.com or the xbox.com/security pages regarding it.
 
edit - found the link. "Go to the Windows Live Account overview webpage, and then sign in with your Windows Live ID." Then click on the Manage link.

Good, Patrick's first article kinda ticked me off because I was pretty sure most of the whining about saves was totally bullshit and if you care so much about achievements you should've thought about that before you were stupid enough to believe in something along the lines of a Halo 4 beta.

If people were being fucked over because MICROSOFT'S service was being compromised, then yeah, the wait would be understandable. But the USER is ultimately responsible for the trouble they are in when they click some stupid Pishing thing. I've NEVER seen one that I didn't recognize immediately. Even when I was 8 years old getting emails from Nigerien princes I knew it was fuckin' bullshit. Just don't click shit if you don't know what it is. Don't give your goddamn password to ANYTHING but the password entry dialogue that connects to the service that uses the password. YOU did the thing that got you in the shit, and Microsoft is taking care of that problem. It can't be perfect. YOU CLICKED ON THE LINK ASKING FOR YOUR GODDAMN PASSWORD. DON'T DO THAT. THAT IS LITTERED EVERYWHERE. IF YOU DON'T KNOW THAT YOU SHOULDN'T DO THAT YOU SHOULD NOT BE USING THE INTERNET. PERIOD. I'M SERIOUS. I cannot stress enough how much you should NEVER do such a thing. Especially with how obvious these things always are. Oh hey, that World of Warcraft account I've NEVER had connected to this email account because I've never had my own WoW account period needs my password because Blizzard detected suspicious activity? I should probably go right to buttle.nat and get that taken care of. Look at links, don't ever give your password to anyone, and make sure your passwords are as secure as possible.

Yeah, it could be better probably. But most of these issues would still exist to an extent. It will still take time to investigate your account, and the achievement thing happens for a reason. Is it a bummer? Sure. But if you care that much about achievements you've got some major priority issues. You can still play any of your games as long as you don't want to play online (which yes, is a major part of many games and there are people out there that ONLY play online, but you get a free month which on average extend your time rather than just replace lost time, even in the worse cases even). All of this talk of not being able to use your xbox at all is just bullshit and I knew something was up and reading this reminds me why: none of it is true. If it were, anyone without an internet connection would be screwed

.@wolf_blitzer85 said:

But you're not playing Skyrim Patrick. ;) Anyway cool interview dude. It's nice to occasionally read about behind the scenes stuff with this overly secretive industry. This sheds some light on how crazy things can get for MS when accounts get hacked. It sounds like a not fun process for both the consumer and company.

It's not really that it's overly secretive, it's just that no one really wants to read this kind of stuff unless their pissed off because they feel their getting screwed, so it's not a priority compared to getting the latest and greatest scoop about -insert big studio here- or what have you. Which is sad, because I think this stuff should be more accessible and I'd like to get more content like this. And that last bit is the thing that no one seems to want to admit, that the company isn't really having a great time with it either. Their probably pissy that everyone keeps clicking on dangerous links and overloading their ability to deal with this stuff as well as they normally would. They can't rapidly change the rules to suddenly fit the environment, it takes time they have to keep balancing everything while doing stuff like that. But everyone on the outside just thinks "Oh but there's just a button they can press that lets them do whatever, right?" But the actual answer is no, there isn't. That button is actually a ton of rejiggering of already complex systems to work better in a fairly unusual circumstance.

@Foggen said:

Oh, hey, sure, you can keep playing your games, no problem. What? Yeah, when you recover your profile it'll overwrite your achievements but that's no big deal, right?

ಠ_ಠ

Alright, just keep your compromised account that was most likely hacked because you clicked something stupid, or someone you trusted more than you should have did it for you.

@MrTom: You've never used public internet to access your email, never left your shit open, never could have possibly opened up yourself to be more vulnerable? Do you have a particularly secure set of passwords? Even security experts get hacked sometimes. Even a clear cut case like yours seems to be (I'm not doubting you at all, by the way) doesn't really seem like enough to make much of an argument. You need a number of people who can give that kind of proof that the same thing is happening with them before any of it becomes meaningful. Every rule has it's exception, etc etc.

@patrickklepek: "GB: I know you’re playing Skyrim, like all of us are. There were conflicting reports I heard about when an account becomes locked down, when it becomes compromised, are they still able to access their saved games?" You should really know the answer to this. Much like if you recover your Xbox Live profile to a new Xbox, if you have save files that remain on the original system you can still use that local profile, if not it's access to Xbox Live, to play those games and use those saves. Obviously cloud saves are different, but cloud saves bring with them the risk of not being accessed, and it's not really difficult to find space for a save game on your hard drive, even if you only have the old 512MB arcade model. Anything local is just that, local. Saves are local and will always be local and will not be affected by recovery, even if cloud saves, because those cannot be affected while offline.

@MordeaniisChaos: Jesus Christ. Rant a bit more, will you? If you read the article you'd know that some of these peoples' accounts were compromised due to vulnerabilities in what are almost certainly Microsoft web browsers. And that's without getting into vulnerabilities that probably exist on EA's side.

@darichardson said:

The piece about there not being a "switch" seems pretty disingenuous. There was a "switch" that got flipped to have my account transferred to Poland, right? It happened in less than an hour. If the switch doesn't exist to flip someone back to an earlier state, then that switch should be created. Talking about licensing seems like it's just a smoke screen because everyone always say "oh, yeah, well licensing CAN be tough."

No. Some hacker did not just "flip a switch". He/she did NOT just only spend 2 seconds flipping that switch and BAM! magically had your account. Don't be fooled, hackers put in the work. I work for an ISP and occasionally have to deal with hacked customer machines/accounts. Some people make it easier on the hackers than others, but still, it takes some work to compromise a machine or account. Personally I think hackers are misguided, but they are not stupid, and they are not lazy.

Also remember the hacker was just taking from you with no regard for your account. MS has to find out what was taken, how it was taken, get it back, figure out the regions and license, and give everything back to you in the least disruptive way it can all the time while trying to find a way to stop this hacker idiot from messing up another one of their customers. OR they find he has hacked multiple other customers and it's going to take longer because their investigation just got more difficult.

I don't think that a magic "put it back the way it was" switch can be created just for the simple fact that every account is different. I seriously doubt any two accounts on XBL are identical. That said, you would think, with all the experience they have putting things back to the way they were, they could find a way to expedite the process.

I'm sorry you got hacked. Hope you get your account back to working order soon.

Patrick is like the best journalist ever. He is my hero.

Also nice job Microsoft

@darichardson That's actually a good point about the switch. My account was compromised September 11th and I was on the phone less than an hour later as I happened to check my e-mail right after it happened and got the "As per your request your region has been changed to Russia" e-mail. And I was also not the victim of a phishing scam so I'm not sure how they cracked my account. I'm not even sure what they bought just that they bought $270 worth of points and used them.

But great point...Mr. Russian Hacker flipped it half-way across the world without issue, why can't they flip it back? And when I was on the phone right after the attack the CS agent mentioned MS flagging suspicious activity and locking accounts...I asked what wasn't suspicious about an account being transferred from Canada to Russia and immediately spending $270 after maybe spending $50 in the past year...she didn't have an answer for that one...