Xbox live accounts being hacked?



And you all were claiming it was a major hassle to get your money back. That's not true for the overwhelming majority of users. This is why I believe the PSN hack was worse as everyone faced having their data stolen.

I think we will have to just agree to disagree on this one.

Link to comment

Yeah several million vs a handful, obviously the handful is far worse. Especially since that most likely wasn't even a hack, but rather simple social engineering or exceptionally weak passwords.

Link to comment

Sure did. Also read the posts from users who have had their accounts hijacked who had it taken care of in minutes. You should have called your credit card company instead of repeatedly calling Microsoft.

I can't as I use a Visa Debit card from my bank. I've phoned them only to be told they can't look for incoming payments on the card. Incidentally I use a combination of passwords any of which that are linked to an account where my Debit card is also linked have 3-4 unique characters to them, along with at least one symbol.

When my live account was hacked it had one such password on it. Needless to say I now have a completely new and unique one that has the full range in it again, tho this time about twice the length.

Oh and it's now the 5th, still nothing in my account from MS.

Hassle thus far, equates to 3-4 phone calls to MS, out of pocket for ooh 30+ days. Plus however long it now takes me to get my actual money back.

Link to comment

No. I haven't played fifa at all. Last night I played Rocksmith, and Alan Wake. Today, this. When I logged on it said I had played Battlefield 3, which I don't even own.

You should get it tho ... it's bloody great :)

Link to comment

Phoned MS today. Guess what?

Yip, another 10 days at least I'm told, as they're re-submitting my case to the fraud department so the payment can be made. Other than that there's nothing they can do. I asked if I could lodge a complaint and they said this was all noted in the file, which is fair enough, but no offers to keep me happy etc and when I mentioned I was going to cancel my Live account they seemed to not give a hoot.

So yeh boo MS.

2 months on and I'm still -?50

Link to comment

You should get it tho ... it's bloody great :)

Playing an FPS on a console is like riding a Harley with training wheels. It's only for the people who can't ride without being babysat.

Link to comment

So, more than 1 month later... I still do not have complete access to my account. I have gotten the runaround from XBox Live support several times now. They gave me 500xbl points... big deal. My unauthorized access case was written off and considered 'closed'. They reactivated my account... In... ****ing... RUSSIAN. So, I had to call them up to tell them that I AM NOT RUSSIAN and have no ****ing clue what the console says anymore. Well, literally after 3 hours on the phone with them they agreed to 'reopen the investigation'. They did refund me my money in full that was stolen from me. I have access to the account however everything including the website is in Russian. I can honestly say that this is the worst customer service I have ever seen. I spoke to them on Thursday and the supervisor I spoke with told me that they would be calling me within 3 business days. I'm convinced that it was a simple tactic to get me off the phone.

I honestly wish I could return the console. Sucks. I do like it, and enjoy the games... but the main reason I got it was to play the games I can't play on PC with friends. It was actually humorous. When talking with one supervisor on Thursday I was livid and mentioned taking them to court. The supervisor said 'Well, due to the new terms of service'... My response '**** you. I haven't hit that ****ing 'agree' button yet.' He was all cool until I said 'What number should I have my lawyer call?'. Then... Click. He hung up on me. I called back, and sure enough when I got a person on the phone I asked why I had been hung up on. I gave a quick rundown of what was said right as it happened. She stated 'I'm sorry sir, however we are required to disconnect from the call at any mention of a lawyer so I am going to have to let you go now. Thank you have a good day' and she hung up on me.

So, quite honestly this is the worst customer service I can even imagine. However I'm probably going to suck a big fat one and deal with it because I want to play with my friends. ****.

Link to comment

If the network was breached, MS points would be the least of the worries, as was the case with PSN. I guess people who have nothing to spend on xlive have nothing to worry about.

I highly doubt the network has been compromised.

But MS should give users tools to prevent illegal access. Like an authenticator. 3 digits code to buy things on the market place. Etc ...

Right now it's way too easy to buy things on xbox live if you are not the owner of the account.

Link to comment

I highly doubt the network has been compromised.

But MS should give users tools to prevent illegal access. Like an authenticator. 3 digits code to buy things on the market place. Etc ...

Right now it's way too easy to buy things on xbox live if you are not the owner of the account.

Microsoft could care less. They are screwing people bad. Banning accounts left and right. Forcing people to either buy new consoles or new tags with new subscriptions so in the long run they're making a fortune off of their bad security. Hell, every other game has an authenticator. They just have no interest in increasing the security. They gave me 500 points. FOR AN ACCOUNT THAT IS USELESS. ultimately that move didn't cost them a penny.

Link to comment

I highly doubt the network has been compromised.

But MS should give users tools to prevent illegal access. Like an authenticator. 3 digits code to buy things on the market place. Etc ...

Right now it's way too easy to buy things on xbox live if you are not the owner of the account.

Would that even help? If they have the account password, could they not just change this code? And if the code is unchangeable, what about the people that forget theirs?

I see no easy solution, as the problem at hand is they gain FULL access to the account, with this information they could even call MS and claim to be the account holder and be able to fully answer any questions about the account.

What I think Microsoft should have in place is more aimed towards support personnel

1: A faster live escalation path for claims of fraud

2: And they need to have easy access to an account history which contains the Xbox ID, IP and what purchases those two combinations made so they can easily determine if it is a valid claim

3: A way to revoke licenses issued on XBL so they can quickly refund the customer

....and obviously stop allowing EA to sell in-game gold/currency in games on the XBL interface, since these can be transferred as a way to make money, if EA wants to do this let them use their own systems it's just an incentive for fraud which is more trouble than it's worth, and if EA had to deal with it themselves they probably wouldn't do it either.

Link to comment

Would that even help?

I'm talking about the 3 digits code on the back of the CC. You know the code most serious online stores ask for. It would make things a little bit harder for "hacker" as the stored CC would not be readily usable like it is right now.

Of course there's no perfect and un-breakable solution. But the more layers you have the better the user is protected. And right now xbox live has one layer only. If you get the username and password of the account then you are free to go. It's not really secure imo. In fact it's extremely not secure for an online store.

Let's say my CC is stored in an online store X server. Then a hacker gets my account info without hacking the server. If this store asks for the 3 digits CC security code when I'm buying things then the stored CC is not readily available. I don't say it's impossible for the hacker to get this code but let's say it makes things less trivial. Since this code is supposedly not stored anywhere (but the bank) the only way for the hacker to get it is from my end and my own mistakes.

I know a lot of people think that it's all the users' fault and there's absolutely no way the breach could come from somewhere else. But as someone who got his WoW account hacked and did nothing wrong from his own side (I'm a computer eng and I took one complete day to investigate my end for a potential breach) I can tell you that illegal accesses are not always the users' fault. At least in the case of the 3 digits CC security code since it's not stored with the CC and account info the users are responsible for it more than the account information. It's not perfect but it's a 2nd layer that needs to be broken.

I like the battle.net iOS authenticator too. Again it's not perfect as the code is asked for once a week only or when you log in from a different IP and machine but it's another layer. So far I don't know anybody who got hacked and was using the authenticator. Don't say it doesn't happen but it certainly happens far less.

And don't be fooled and believe people who tell you 1049138138918293812 digits password will protect you (especially the people who tell you to make this long password with random words found in a dictionary to remember it). My WoW account password was a really secure password and got hacked. Took a lot of time as the account was 5 years old but hackers eventually got it. How? I really don't know but a secure and unique password (entered only in wow log in screen from a work machine never used to browse the web outside of sites like msdn and neowin) did not protect me at all. Also such passwords take you 3 hours to enter :p

Link to comment

The irony in what most people say when comparing Live to PSN of 'You get what you pay for' in this case, you most certainly aren't getting what you are paying for :rofl:

Link to comment

Well let's put it this way. My password was completely unique. I had, and still have never used it before or any other site. My password when the incident happened was

?2&4is$ix!

I'm not afraid to post it here because it was so unique. However you can see there was a method for me to remember my password since in a way it's logical. However, I'd be willing to bet a year's salary that no one 'guessed' that password. Now if any one of you could 'guess' that password you are a god. Even a brute force password cracker would take years to guess that password. Trust me. I've tried.

Link to comment

Well let's put it this way. My password was completely unique. I had, and still have never used it before or any other site. My password when the incident happened was

?2&4is$ix!

I'm not afraid to post it here because it was so unique. However you can see there was a method for me to remember my password since in a way it's logical. However, I'd be willing to bet a year's salary that no one 'guessed' that password. Now if any one of you could 'guess' that password you are a god. Even a brute force password cracker would take years to guess that password. Trust me. I've tried.

It doesn't matter how much time brute force would take as NO service should allow an account to be brute forced unless the password is 12345678 or password.

An account should be frozen WAY before enough wrong passwords have been entered to brute force the account.

It makes me laugh to see those stupid comic strips telling you how much your 10 digits (random numbers, letters, 1 upper case and 1 symbol) password is not secure because it takes less time to brute force than a 30 digits password made of random words found in a dictionary. It doesn't matter. Both take FAR too many tries if the service is not dumb and freezes the account for suspicious activities. And the 10 digits password made of random letters, numbers, 1 upper case and 1 symbol is not easier to guess even if it has 3 times less digits. And more importantly once you memorized the password it takes a lot less time to enter it ;). 20+ digits using a virtual kb and a controller is a pain in the ...

Link to comment
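The lockout argument in the post above, as an added sketch that is not part of the original thread and does not describe Xbox Live's actual policy: a per-account throttle with capped exponential backoff, and a simulation of how many wrong guesses it lets through in a given time. The thresholds (5 free attempts, 30 s base delay, 1 h cap) are assumed values chosen for illustration; the keyspace is 94 printable ASCII characters over the 10-character length of the password quoted in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account failed-login throttle with capped exponential backoff."""
    free_attempts: int = 5      # failures tolerated before any delay (assumed)
    base_delay: float = 30.0    # seconds; doubles with each further failure
    max_delay: float = 3600.0   # cap, so the real owner is never locked out for good
    _state: dict = field(default_factory=dict)  # account -> (failures, locked_until)

    def allowed(self, account, now):
        """True if a login attempt may be evaluated at time `now`."""
        return now >= self._state.get(account, (0, 0.0))[1]

    def record_failure(self, account, now):
        """Register a wrong password; return the delay imposed in seconds."""
        failures = self._state.get(account, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        delay = 0.0
        if over > 0:
            # Exponent is clamped so the power never overflows a float.
            delay = min(self.base_delay * 2 ** min(over - 1, 32), self.max_delay)
        self._state[account] = (failures, now + delay)
        return delay

    def record_success(self, account):
        """A correct login clears the failure counter."""
        self._state.pop(account, None)


def guesses_in_window(window_seconds, throttle=None):
    """Wrong guesses one account accepts in the window when every guess is
    submitted the instant the throttle permits it."""
    throttle = throttle or LoginThrottle()
    now, guesses = 0.0, 0
    while now < window_seconds and throttle.allowed("victim", now):
        guesses += 1
        now += throttle.record_failure("victim", now)
    return guesses


def keyspace_fraction(guesses, alphabet, length):
    """Share of all `length`-character passwords covered by `guesses` tries."""
    return guesses / alphabet ** length


if __name__ == "__main__":
    per_day = guesses_in_window(24 * 3600)
    per_year = guesses_in_window(365 * 24 * 3600)
    print("guesses per day:", per_day)
    print("guesses per year:", per_year)
    print("fraction of 94^10 covered in a year:", keyspace_fraction(per_year, 94, 10))
```

A throttle like this bounds online guessing only; it does nothing against a phished or reused password, which is where the authenticator and card-code layers discussed in the thread come in.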

It doesn't matter how much time brute force would take as NO service should allow an account to be brute forced unless the password is 12345678 or password.

An account should be frozen WAY before enough wrong passwords have been entered to brute force the account.

I agree entirely. However the xbox live reps told me that was a way for people to get into my account. I still wholeheartedly believe that their system was hacked to an extent. That is literally a password that has never been anywhere except for on my xbox until on the day I was hacked I had to enter it on my pc to change it however that was AFTER the incident.

One Microsoft rep claimed that if there was a breach in their system that they would legally have to publicly announce there was a breach. That makes sense, however I have seen a number of articles where Microsoft said it was a phishing attempt that people are falling for. Unless someone phished the PW from me through logging into my console, they are full of ****. It is just very discouraging knowing that they are covering this up instead of simply implementing a few very simple security techniques that other sites have been using without fail for a dozen years.

Link to comment

would legally have to publicly announce there was a breach

Not sure about it but I don't think so.

Took a lot of time for MS to admit the RRoD problem was widespread enough to be beyond the borders of normal defect rate and that something needed to be done. They admitted and extended the warranty something like close to 2 years after the launch I think.

But honestly I don't know about the laws, maybe there's a law in USA obliging companies to report any breach to frivolous service like xbox live.

I don't think their servers were hacked though. Doesn't mean there was no security breach from their side though. There are so many ways to get access to account information without the need to scam the users.

When I closed my xbox live account (sold my xbox) I did not remember the answer to my secret question (or something like that, anyway I had to provide information I could not remember). The rep was not supposed to let me make any change to my account but he still closed it. Only thing I needed to give was my account name, my name and street address I think (information someone can easily find online). Maybe my birthday, not sure though. If all reps are so liberal it's something that could very well be used to get illegal access to an account.

Link to comment

I removed my CC from Xbox and also cancelled the payment agreement with Paypal ... so even if someone hacked my account they wouldn't be able to do anything.

This is pretty scary though ... maybe from now on I will just buy pre-paid cards.

Link to comment

I removed my CC from Xbox and also cancelled the payment agreement with Paypal ... so even if someone hacked my account they wouldn't be able to do anything.

This is pretty scary though ... maybe from now on I will just buy pre-paid cards.

While that is a good thing to do... my account was migrated to Russia. So it's been a nightmare as I've lost the account for over a month now. They did refund me the money however I had to close my account and get a new card. The problem is how easy it is to steal an account and make it a nightmare for users to get back. Took what.. 1 night for someone to ruin my account for at least a month. Some people are saying it was 6 months before their account was migrated back.... 6 months. Know what the worst part is? You can migrate it every 3 months. So if you never reported it stolen you'd get it back faster than when reporting it.

I'd say simply buy the prepaid cards however don't even put THEM on your xbox until you intend to use points. All it takes is for them to migrate it and steal your points 1 way or the other.

Link to comment

What most likely happened is that your secret question on hotmail or some other service using the live passport was bypassed. That or they somehow intercepted the password reset mails, or it's related to the recent security certificate hacks in Netherlands, but most hacks from that were in a single country so...

Link to comment

I'm talking about the 3 digits code on the back of the CC. You know the code most serious online stores ask for. It would make things a little bit harder for "hacker" as the stored CC would not be readily usable like it is right now.

That code would work to stop the purchase of new Microsoft Points, they'd still lose any existing MS Points on the account

But I'll agree with that, they should add that. I still think they need a better support path for these claims though.

Link to comment

This "hacking" has to be related with a certain service offered by MS. If it was just EA, we would have accounts on PSN being hacked just the same. But we haven't heard anything about that yet. We have only been hearing that those with 360's are being hacked. So this leads me to lean more on Microsoft's fault than any other party.

Link to comment

That really sucks that this is happening to legitimate customers. I hope that the OP (and everyone else) gets compensated.

The irony in what most people say when comparing Live to PSN of 'You get what you pay for' in this case, you most certainly aren't getting what you are paying for :rofl:

Despite what PSN's been through, I still haven't heard of any PS3 players who got scammed out of money.

Link to comment

That really sucks that this is happening to legitimate customers. I hope that the OP (and everyone else) gets compensated.

Despite what PSN's been through, I still haven't heard of any PS3 players who got scammed out of money.

The only inconvenience that the PSN members faced was cancelling cards if they so wished. They then went on to offer fraud protection for a year on cards free of charge.

Link to comment

I haven't touched my xbox since I've been deployed, and on the 13th I see that there are 3 charges on my PayPal, awesome. Microsoft shows $299 charges from the 13-15th.

I'd highly advise calling ASAP to have them look into it. It could be months to get it taken care of. Also change your Xbox info ASAP.

Link to comment

This topic is now closed to further replies.