Unauthorized Access to my XBL Account

I know there are a ton of other posts on this subject, but I thought a new thread made sense because I wanted to ask a few questions that hadn't been asked (at least I don't think they have been asked) here already.  I'm not complaining either, just telling a story and asking some questions...

So, I found late last night that my XBL Account had been compromised.  I redeemed a few pre-paid cards from the holidays for MSP on Monday (5600 total), and didn't do anything with them at that time.

I signed into XBL yesterday afternoon and got a message that my GamerTag had last been used on another console.  I have 2 XBoxes at home, and even though I really only use 1 of them for my gaming, I didn't really think anything of it at the time.  Anyway, later that night (or early this morning since it was 2AM Eastern) after a few hours of BF3 I decided to jump on the Marketplace for some stuff to buy, found something I wanted, and tried to buy it - only to find that I had only 10 MSP available.  I was like "WTF?!?!  I just got over 5000 points!"

I went to the XBox billing page to see which one of my kids I was going to beat to death in the morning, only to find that I had apparently bought a TON of "PREMIUM GOLD JUMBO" and "GOLD PLAYERS PREMIUM" Game Consumables.  I had no idea what those things were.  I checked all of the accounts on my Gold Family pack, and nobody else had downloaded anything - which makes sense since I hadn't allocated any of the MSP to any of them.  I started looking to see what these things were, only to be greeted with error pages and a lack of any real information.  After checking these forums, and Bing/Google, I found out they were related to content for FIFA 12 from EA, a game I don't have and have never 'actually' played.  By that time it was almost 3AM, so I decided to just change some passwords and then call it a night since XBox Support wasn't open anyway.

I called support today, and was told this was becoming fairly common.  The representative verified my information, and got the process started to investigate the issue and return my XBL account and points to me as quickly as possible.  No issue there.  My account is currently disabled, but should be up soon (the message says tomorrow), so with nothing else to do I decided to look into things a little more.

I found a bunch of articles on this issue dating back to October 2011, all for this same issue.  I also found people blaming XBL users for also being EA users and having the same or similar account information on both.  I admit, I was also guilty of this.  When faced with a plethora of online accounts, some of them just get in sync so we don't have 30 email addresses and passwords to remember, and that happened in my case.  I know how dumb this is and take full responsibility for that dumbness.

I also found that there are a lot of questions regarding whether this was an issue with things on the EA side or the MS side, so I looked a little deeper.  I found I had 35 Gamerscore for FIFA 12 that all hit yesterday.  Apparently just downloading the content gets you points...  Anyway, as I was looking over things and changing my account info, I found that one of my children had also received some gamerscore for FIFA 12.  This is REALLY odd, since I know for a fact that this person has not played this game, does not have an EA account of any type, and had no MSP to spend.

This tells me that the issue is on the MS side of the house, at least as far as the account access is concerned, but that's really a small part.

In most of the articles and posts, the issue is related back to phishing, social engineering, and brute force attacks to get access to the accounts.  This makes sense to me - ask for the key first, then ask again a different way and maybe a different person, then break the lock.  None of this is hard or really technical.  I haven't ever responded to a phishing email or request, so that didn't get me.  Someone may have gotten my account info from someone else through SE, but I never gave it to anyone.  Brute Force is the most likely culprit in my case, and I think this is Microsoft's fault entirely.

Here are my comments and questions:

1.  This has been reported as long ago as October of last year.  That is almost 4 MONTHS!  Question - Why has nothing been sent out on XBL to warn people?  A simple daily message, featured video, something!  Hell, Major Nelson and the rest of the vid crew is on XBL all the time telling us to buy crap and try crap and even fry crap, why not do a service in this case and just warn us that this is a threat?

2.  Brute Force attacks on individual accounts aren't really the fault of MS.  In this case however, MS allowed these Brute Force attacks because they didn't lock the account or put any type of limit on the number of tries allowed during a logon attempt.  Question - Why the hell not?!?!  The industry at large, and MS specifically, recommends a 3 failure lockout rule for Active Directory and computer networks, so why not have something similar for XBL when it has the chance of compromising the Credit Card information of their customers?  This has been recently changed, very quietly, but shouldn't have happened in the first place.  With no limit on attempts, and given enough time, there isn't a password that any real person would use that isn't breakable using Brute Force programs.

3.  EA made FIFA with what are essentially trading cards.  Anyone who breathes oxygen knows that when you set up any kind of economy in a game, people will try to profit from it in the real world.  This isn't exclusive to EA, either.  Question - Why do companies do this?  Doing this, in FIFA or in Forza, or in WOW, or in any game world, incentivises the worst of society to prey on the rest of society.  What's worse is that there are way too many people willing to pay for this ill-gotten fare.  There has got to be a way to allow an in-game economy to remain separate from the real-world economy.  All too often good people are victims of ebayers and lazy gamers...

4.  It seems way too easy to 'recover' an XBL account, or download a gamertag from the cloud on XBL.  If you can get an email and password, you've got all you need to take an account and download it to any other system on the planet.  In this case, even doing some of the preventative stuff that is recommended won't work.  Require a password to download and sign in - done, the bad guys already have it from doing the stuff in #3 above.  Question - Since there can be CC info attached to XBL accounts, why doesn't MS either LOCK the account to a specific console without verifying the full CC info or something like that?  Or, at least allow XBL users to lock it to a specific console.  PSN does something like this - the only thing they do that I actually like.  This is my guess (and others guess as well from various articles out there) as to why this issue is almost exclusive to XBL and FIFA and doesn't show up related to PSN.


Well, that was longer than I had planned.  Don't get me wrong, I LOVE XBox and XBL.  I just think that MS and EA failed all of us in this case.  Anyway, comments are welcomed...

Last updated July 5, 2018

1. There's been many, many news stories about this, heck it made the front page of a best selling tabloid over here. The advice as noted in those stories has always been the same, is freely viewable on the site and much of it is common sense. If people want to ignore that or not go looking for it then there's not a lot that can be done. 

2. Correct there isn't a password that isn't breakable with brute force programs. However a hacker is not going to tie up his entire computer farm for several centuries just so he can decipher a password like "i';slgv[pw-02kg)". He's just going to quit after several hours and go back to deciphering passwords that are made from dictionary words or names with the odd number added in. 

3. Here's a better idea how about you get up off your high horse and stop telling people how to spend their hard earned money? If people want to spend their hard earned on virtual tat then more fool them but I'm not going to judge or stop them. They're big boys & girls and don't need big brother watching over them. 

4. Or you could just create a password that isn't ridiculously easy to crack but then that would involve taking responsibility and you can't blame anyone else if it goes pear shaped then.  


Nobody has been forthcoming in regards to what is actually happening, has happened, or may happen. Until someone who actually knows how these accounts were compromised explains, it is all speculation what happened, and what needs to be done to prevent it.

Assuming brute force attacks are the cause... iTunes disables your account after three failed attempts... Why not MS?
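Point 2 of the original post and the reply above both argue for locking an account after three failed sign-in attempts. The following is an added example, not code from this thread or from Xbox Live, of a minimal per-account lockout gate placed in front of credential checking; the 15-minute window, the account name and the secret are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 3        # the "3 failure lockout rule" argued for in the thread
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout before attempts are evaluated again


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGate:
    """Per-account lockout in front of credential verification.

    `secrets` maps account -> expected secret (constructed sample data; a real
    service stores password hashes). `now` is injectable so the window is testable.
    """

    def __init__(self, secrets, now=time.time):
        self._secrets = secrets
        self._state = {}
        self._now = now

    def attempt(self, account: str, secret: str) -> str:
        st = self._state.setdefault(account, _AccountState())
        now = self._now()
        if now < st.locked_until:
            # Locked: the guess is not evaluated at all, so even the correct
            # password is refused. This is what bounds an online brute force to
            # MAX_FAILURES evaluated guesses per window instead of unlimited tries.
            return "locked"
        expected = self._secrets.get(account, "")
        # constant-time comparison; an unknown account still costs the caller a guess
        if account in self._secrets and hmac.compare_digest(expected.encode(), secret.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "fail"


def max_guesses_per_day() -> int:
    """Upper bound on guesses the gate will evaluate per account per day."""
    return MAX_FAILURES * (86400 // LOCKOUT_SECONDS)
```

With these settings at most 288 guesses per account are evaluated in a day, which is the contrast with the unlimited attempts the thread complains about.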


So, what Vernier is basically saying is...

1.  It's my fault I got my account compromised because I didn't look everywhere for information on an issue I wasn't even aware existed. I don't know where "over here" is, but I didn't see anything.   Granted, I wasn't really looking.  Oh, and I also have no common sense because I was hacked and, apparently, it's all my fault.

2.  It's my fault for not making a password that is so complicated that I would have to write it down somewhere and then probably mistype it several times before gaining access to my account...  Oh, and he also seemed to miss the part about a password that any real person would use.  Got it.  (Though, with money to be made I would disagree that said 'hacker' would give up that easily)  I don't recall ever stating anything about my password, or how simple it may or may not have been when it was cracked.

3.  I am on a 'high horse' for pointing out the flaw in video game economies that cause crime in real world economies, and for voicing an opinion (something he seems to be able to do at will without any guilt whatsoever).  Got it.

4.  It is my fault that Accounts are too easy to transfer to any console in the world and that they cannot be locked to a specific console by the user.  Also, it's still my fault for making my password far too easy to crack.  Funny, again I don't recall mentioning anything about my password, or how simple it may or may not have been.

Seems to be a theme with you, to blame the victim, from reading your posts on this subject.  Do you blame victims of other crimes for being a victim as well? The robbery victim for not being safe enough, the assault victim for not being tough enough, the murder victim for being too easy to kill, etc... ?

Some 'Ambassador' for XBL.


Just switch to the PlayStation 3 and problem solved.


Hey Sir, thank you for your feedback--I'll definitely be sure to pass this information along. Since you already have an unauthorized access investigation on your case, I'm going to lock down this thread, if only to prevent an impending flame war. I am very sorry to hear about your account, however, and if you run into any issues with your investigation, or if you have any questions, please feel free to message me personally by using the envelope icon below my post.
