Xbox Live is an extremely popular service, featuring a bunch of users with credit cards oh-so-conveniently attached to their accounts, so it’s an obvious target for scammers. Getting emails from users who’ve had their accounts compromised is nothing new; it happens every single day. Tide goes in, tide goes out.
There was something different about the stream of emails from the past week, with a bunch of users mentioning FIFA. The first confusing tip-off these users had was finding FIFA 11 in their game library, despite never having played it.
“12th october 2011, i get a phone call while i am at work off my brother,” wrote one user. “he asks me what on earth am i doing at home and why the hell am i playing Fifa 12 ( he knows i hate football) i explain i am at work and i would not play fifa 12 even if i was being forced by a knife point held at my groin with the imminent threat of genital removal.”
“I had my account hacked back at the beginning of August,” said another. “First time that had happened on any system. I had my account suspended the day it happened but it took over a month to get my account restored. The crazy part was they didn't buy anything with my points. When I got my account back the only activity was they played some FIFA '12.”
Similar stories can be found inside my inbox from dozens of different readers. Something was up. A few noticed achievements for FIFA 11 or FIFA 12 had been unlocked, others found hundreds of dollars missing from their bank accounts thanks to a series of point purchases, and many noticed the people accessing their account were interested in purchasing tons and tons of cards for FIFA Ultimate Team.
The common thread, however, was FIFA. But why? How? FIFA? A Google search brings up exponentially more stories of digital soccer woes from users of Xbox Live. To Microsoft’s credit, many appear quickly resolved.
“With the popularity of FIFA globally, and the sheer number of players playing the game online, FIFA is an obvious target for phishers and frauds,” said an Electronic Arts representative to me. “This is why we try to educate FIFA players to take measures to keep their accounts safe.”
EA outlines steps to protect your account in a message board post, which is comprehensive and worth reading, but its very existence suggests account exploitation has been an issue EA has been forced to pay attention to.
“We haven’t seen a spike or increase in reports of FIFA 12 players having their accounts hacked,” said the rep. “With the launch of FIFA 12 it likely has just shifted renewed focus onto this particular game.”
Microsoft, however, seemed to acknowledge there had been a spike in activity lately.
“We do not have any evidence the Xbox Live service has been compromised,” said a representative. “We take the security of our service seriously and work on an ongoing basis to improve it against evolving threats. However, a limited number of members have contacted us regarding unauthorized access to their accounts by outside individuals. We are working with our impacted members directly to resolve any unauthorized changes to their accounts.”
The company did outright reject the theories--of which I’ve heard many at this point--running around the Internet about a major security glitch exploitable in the FIFA games.
“It’s not a title-specific issue and is coincidental that FIFA has been tied to a number of compromised accounts,” said the rep.
The largest issue facing Xbox Live and similar services is social engineering, in which outsiders attempt to trick customer service systems into unlocking accounts. I filed a story with MTV News back in 2008 about Xbox Live’s problems with social engineering, where even Bungie Studios employees were not safe. At the time, users were being targeted because their accounts had gained access to Halo 3’s elusive multiplayer “Recon” armor, which could not be unlocked in the game. It was special.
Think about how much information about you is on the Internet. Can you imagine it being terribly difficult for someone to fill in the blanks? How many different security codes are linked to your mother’s maiden name, which is probably featured on her not-properly-secured Facebook page?
Then, remember the PlayStation Network information implosion. And the Gawker Media incident. The list goes on.
"People don't hack accounts by using programs and any other bullsh-- that you hear around [Xbox Live]," said a user who publicly admitted to compromising Microsoft’s systems back in 2008. "It's as simple as picking up the phone."
It's more complicated than that, of course, but the underlying point remains the same.
Microsoft has made reforms to its system, but no system is perfect, and social engineering remains a threat. As we become more comfortable with more information available, there will be more ammunition for those hoping to take advantage of us.
Halo 3 spurred these issues three years ago; today it’s FIFA 12. Different day, different game, same issues.
In the meantime, maybe change your password and alter your mom's Facebook privacy settings.