I know there are a ton of other posts on this subject, but I thought a new thread made sense because I wanted to ask a few questions that hadn't been asked (at least I don't think they have been asked) here already. I'm not complaining either, just telling a story and asking some questions...
So, I found late last night that my XBL Account had been compromised. I redeemed a few pre-paid cards from the holidays for MSP on Monday (5600 total), and didn't do anything with them at that time.
I signed into XBL yesterday afternoon and got a message that my GamerTag had last been used on another console. I have 2 XBoxes at home, and even though I really only use 1 of them for my gaming I didn't really think anything of it at the time. Anyway, later that night (or early this morning since it was 2AM Eastern) after a few hours of BF3 I decided to jump on the Marketplace for some stuff to buy, found something I wanted, and tried to buy it - only to find that I had only 10 MSP available. I was like "WTF?!?! I just got over 5000 points!"
I went to the XBox billing page to see which one of my kids I was going to beat to death in the morning, only to find that I had apparently bought a TON of "PREMIUM GOLD JUMBO" and "GOLD PLAYERS PREMIUM" Game Consumables. I had no idea what those things were. I checked all of the accounts on my Gold Family pack, and nobody else had downloaded anything - which makes sense since I hadn't allocated any of the MSP to any of them. I started looking to see what these things were, only to be greeted with error pages and a lack of any real information. After checking these forums, and Bing/Google, I found out they were related to content for FIFA 12 from EA, a game I don't have and have never 'actually' played. By that time it was almost 3AM, so I decided to just change some passwords and then call it a night since XBox Support wasn't open anyway.
I called support today, and was told this was becoming fairly common. The representative verified my information, and got the process started to investigate the issue and return my XBL account and points to me as quickly as possible. No issue there. My account is currently disabled, but should be up soon (the message says tomorrow), so with nothing else to do I decided to look into things a little more.
I found a bunch of articles on this issue dating back to October 2011, all for this same issue. I also found people blaming XBL users for also being EA users and having the same or similar account information on both. I admit, I was also guilty of this. When faced with a plethora of online accounts, some of them just get in sync so we don't have 30 email addresses and passwords to remember, and that happened in my case. I know how dumb this is and take full responsibility for that dumbness.
I also found that there are a lot of questions regarding whether this was an issue with things on the EA side or the MS side, so I looked a little deeper. I found I had 35 Gamerscore for FIFA 12 that all hit yesterday. Apparently just downloading the content gets you points... Anyway, as I was looking over things and changing my account info, I found that one of my children had also received some gamerscore for FIFA 12. This is REALLY odd, since I know for a fact that this person has not played this game, does not have an EA account of any type, and had no MSP to spend.
This tells me that the issue is on the MS side of the house, at least as far as the account access is concerned, but that's really a small part.
In most of the articles and posts, the issue is related back to phishing, social engineering, and brute force attacks to get access to the accounts. This makes sense to me - ask for the key first, then ask again a different way and maybe a different person, then break the lock. None of this is hard or really technical. I haven't ever responded to a phishing email or request, so that didn't get me. Someone may have gotten my account info from someone else through SE, but I never gave it to anyone. Brute force is the most likely culprit in my case, and I think this is Microsoft's fault entirely.
Here are my comments and questions:
1. This has been reported as long ago as October of last year. That is almost 4 MONTHS! Question - Why has nothing been sent out on XBL to warn people? A simple daily message, featured video, something! Hell, Major Nelson and the rest of the vid crew are on XBL all the time telling us to buy crap and try crap and even fry crap, why not do a service in this case and just warn us that this is a threat?
2. Brute Force attacks on individual accounts aren't really the fault of MS. In this case however, MS allowed these Brute Force attacks because they didn't lock the account or put any type of limit on the number of tries allowed during a logon attempt. Question - Why the hell not?!?! The industry at large, and MS specifically, recommends a 3-failure lockout rule for Active Directory and computer networks, so why not have something similar for XBL when it has the chance of compromising the Credit Card information of their customers? This has been recently changed, very quietly, but shouldn't have happened in the first place. With no limit on attempts, and given enough time, there isn't a password that any real person would use that isn't breakable using Brute Force programs.
3. EA made FIFA with what are essentially trading cards. Anyone who breathes oxygen knows that when you set up any kind of economy in a game, people will try to profit from it in the real world. This isn't exclusive to EA, either. Question - Why do companies do this? Doing this, in FIFA or in Forza, or in WOW, or in any game world, incentivises the worst of society to prey on the rest of society. What's worse is that there are way too many people willing to pay for this ill-gotten fare. There has got to be a way to allow an in-game economy to remain separate from the real-world economy. All too often good people are victims of ebayers and lazy gamers...
4. It seems way too easy to 'recover' an XBL account, or download a gamertag from the cloud on XBL. If you can get an email and password, you've got all you need to take an account and download it to any other system on the planet. In this case, even doing some of the preventative stuff that is recommended won't work. Require a password to download and sign in - done, the bad guys already have it from doing the stuff in #3 above. Question - Since there can be CC info attached to XBL accounts, why doesn't MS either LOCK the account to a specific console without verifying the full CC info or something like that? Or, at least allow XBL users to lock it to a specific console. PSN does something like this - the only thing they do that I actually like. This is my guess (and others guess as well from various articles out there) as to why this issue is almost exclusive to XBL and FIFA and doesn't show up related to PSN.
Well, that was longer than I had planned. Don't get me wrong, I LOVE XBox and XBL. I just think that MS and EA failed all of us in this case. Anyway, comments are welcomed...
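Editor's added example (not part of the post above, and not Microsoft's or EA's code): point #2 asks why a sign-in service would not lock an account after a handful of failed attempts. The Python below shows what such a guard looks like on the service side, and pairs it with a small detector that flags the same pattern in authentication logs after the fact. Everything here is assumed for illustration: the 3-failure threshold, the 15-minute window and lockout period, the toy credential table, and the log-line format of the constructed sample.

```python
"""Account lockout guard plus a log-based brute-force detector.

Added example; the policy numbers, the credential table and the log format
are assumptions made for this illustration, not any real service's settings.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3          # failed sign-ins before the account locks (assumed)
FAILURE_WINDOW_SEC = 15 * 60   # failures older than this stop counting (assumed)
LOCKOUT_SEC = 15 * 60          # how long a locked account stays locked (assumed)


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # epoch seconds; 0 = not locked


class LoginGuard:
    """Counts failed sign-ins per account and refuses attempts while locked."""

    def __init__(self, valid_credentials):
        # username -> password; a demo table only, never store plaintext for real
        self._creds = dict(valid_credentials)
        self._state = defaultdict(AccountState)

    def is_locked(self, user, now):
        return now < self._state[user].locked_until

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked' for one sign-in attempt at time `now`.

        Failures for unknown users are tracked the same way as for real ones,
        so the lockout response does not reveal which accounts exist.
        """
        st = self._state[user]
        if now < st.locked_until:
            return "locked"                      # refuse without checking the password
        # forget failures that have aged out of the window
        while st.failures and now - st.failures[0] > FAILURE_WINDOW_SEC:
            st.failures.popleft()
        expected = self._creds.get(user)
        if expected is not None and expected == password:
            st.failures.clear()                  # a good sign-in resets the counter
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SEC
            st.failures.clear()
            return "locked"
        return "denied"


# Constructed sample auth log (made up for this example). Assumed line format:
# "<epoch-seconds> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
1000 FAIL user=alice src=203.0.113.5
1010 FAIL user=alice src=203.0.113.5
1020 FAIL user=alice src=203.0.113.5
1030 FAIL user=alice src=203.0.113.5
1040 OK   user=alice src=203.0.113.5
2000 FAIL user=bob   src=198.51.100.7
2100 OK   user=bob   src=192.0.2.9
"""


def flag_brute_force(log_text, threshold=LOCKOUT_THRESHOLD, window=FAILURE_WINDOW_SEC):
    """Return {user: peak_failures} for users with >= threshold failures in one window.

    A burst of failures followed by a success (alice above) is the pattern the
    post describes: the guessing finally worked. Bob's single failure is noise.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        ts, result, user_kv, _src = line.split()
        ts = int(ts)
        user = user_kv.split("=", 1)[1]
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct-horse"})
    for t, pw in ((0, "wrong1"), (10, "wrong2"), (20, "wrong3"), (30, "correct-horse")):
        print(t, guard.attempt("alice", pw, t))
    print(flag_brute_force(SAMPLE_LOG))
```

Two design points worth noting: the guard refuses a locked account before it looks at the password, so a lockout also stops an attacker from confirming a guess during the lock period, and the window-based counter means a legitimate user who mistypes twice on Monday and once on Tuesday is not locked out, while a rapid burst is. The log detector is the after-the-fact counterpart: even where lockout was missing when an incident happened, this pattern in the sign-in records is what an investigation would look for.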