February 7th 2012 9:00 am PT

A Letter from Alex Garden: Your Security

The following is a letter from Alex Garden, General Manager of Xbox LIVE, that he wanted me to share directly with the Xbox LIVE community:

Your Security is Important to Me

Since today is Safer Internet Day, I thought it’d be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.

As all of us know, account hijacking across the Internet continues to grow. It’s a thriving – albeit illegal – industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.

It’s in this vein I’m reminded how important it is to listen to you, our members – to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.

Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.

That’s why I believe it’s more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.

What you’ll see here is the most common sources of attack continue to involve:

  • social engineering to gather information about the user to guess the password;
  • phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
  • malicious software on the computer that has captured the password; or
  • using the same password from another online service that has been breached.

I share these realities in hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you login to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you’re signing in from a PC that isn’t your own. Working together we can prevail over the criminals.

I realize it may fall flat when we don’t share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, pin sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.

Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and bot nets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.

Recovering compromised accounts – in a timely manner – is also a priority and an area where we’ve made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we’re making great strides. We hope our customers are experiencing the improvements firsthand.

We do not take lightly the frustrations we’ve heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers’ individual and collective concerns. For now, if you have a problem we haven’t yet resolved, please email me. Also tune into Major Nelson’s podcast this week to hear more about our work in the war on fraud.

With my sincere commitment to listen and take action,

Alex Garden
Email: Alex dot Garden at Microsoft dot com
General Manager, Xbox LIVE

Xbox Live By Larry Hryb, Xbox LIVE's Major Nelson
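The letter names password-attempt throttling and account lockout after repeated failures among the measures in place. The following is an added example written for this page, not Xbox LIVE's code, showing how those two controls fit together around a password check: each failure lengthens the wait before the next attempt is accepted, a success clears the history, and a run of failures inside a window locks the account for a period. The thresholds, the account name `player1`, its password and the salt are constructed values for the example; the clock is injected so the sequence can be replayed without waiting.

```python
"""Password-attempt throttling and account lockout (illustrative, not a real service's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
import hashlib
import hmac

# Policy values are assumptions chosen for this example, not real service settings.
WINDOW_SECONDS = 15 * 60     # failures older than this are forgotten
LOCKOUT_THRESHOLD = 5        # failures inside the window that lock the account
LOCKOUT_SECONDS = 30 * 60    # how long a lockout lasts
BASE_DELAY_SECONDS = 1.0     # first throttle delay; doubles with each further failure


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Wraps a password check with per-account throttling and lockout.

    `clock` returns the current time in seconds; it is injected so tests need not sleep.
    """

    def __init__(self, verify_password: Callable[[str, str], bool], clock: Callable[[], float]):
        self._verify = verify_password
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def attempt(self, account: str, password: str) -> Tuple[str, float]:
        """Return (outcome, retry_after_seconds); outcome is ok, bad_password, throttled or locked."""
        now = self._clock()
        st = self._state.setdefault(account, AccountState())
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]

        if now < st.locked_until:
            return "locked", st.locked_until - now

        if st.failures:
            # Exponential backoff measured from the most recent failure: 1s, 2s, 4s, ...
            delay = BASE_DELAY_SECONDS * (2 ** (len(st.failures) - 1))
            elapsed = now - st.failures[-1]
            if elapsed < delay:
                return "throttled", delay - elapsed   # not counted as a failure

        if self._verify(account, password):
            st.failures.clear()                      # success resets the failure history
            return "ok", 0.0

        st.failures.append(now)
        if len(st.failures) >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return "locked", LOCKOUT_SECONDS
        return "bad_password", 0.0


# Constructed credential store: one account, password stored as a PBKDF2 hash.
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000
_USERS = {"player1": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}
# Hash compared against when the account does not exist, so unknown and known
# accounts take the same time to reject (avoids an enumeration timing hint).
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITERATIONS)


def verify_password(account: str, password: str) -> bool:
    expected = _USERS.get(account, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, expected) and account in _USERS


def simulate(attempts: List[Tuple[float, str, str]]) -> List[str]:
    """Replay (seconds, account, password) attempts through one guard; return the outcomes."""
    now = [0.0]
    guard = LoginGuard(verify_password, lambda: now[0])
    outcomes = []
    for at, account, password in attempts:
        now[0] = at
        outcomes.append(guard.attempt(account, password)[0])
    return outcomes


# Constructed scenario: six rapid guesses, then the right password while still locked.
DEMO_SCRIPT = [(0, "player1", "guess1"), (0.5, "player1", "guess2"), (2, "player1", "guess3"),
               (10, "player1", "guess4"), (30, "player1", "guess5"), (60, "player1", "guess6"),
               (120, "player1", "correct horse")]


def demo() -> List[str]:
    return simulate(DEMO_SCRIPT)


if __name__ == "__main__":
    for (at, _, pw), out in zip(DEMO_SCRIPT, demo()):
        print(f"t={at:>5}s {pw!r:16} -> {out}")
```

The second guess is rejected as throttled rather than counted, so an attacker who ignores the delay gains nothing, while the fifth counted failure locks the account and even the correct password is refused until the lockout expires. The dummy hash keeps the rejection time for a non-existent account the same as for a real one.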

  • Anonymous

    Hmm…my comment about my account just recently being hacked was removed.  Nice.

    • mama mambo

       Agreed, that seemed heavy handed.

  • mama mambo

    MS should have an app for security for android, windows phone and IOS devices that works as a secure ID. I would love to have that.

  • Anonymous

    Not to be too harsh but when MS/ Xbox staff have their account taken by another person the account is sorted out immediately.

    However when it comes to customers (non MS/ Xbox staff) it’s a totally different story.

    • http://www.killerrin.com killer rin

      That actually makes sense though… if you're actually there in person to verify you can't get in, and you have direct access to the servers, why not reset your account right away? You know that you're the owner.

      When dealing with everybody else, though, that's the problem. When you're over the phone or the internet, anyone can pretend to be anyone. If it was in person it would be much faster.

  • Anonymous

    You should have FaceBook like protection. If someone signs onto a account over a great distance. The account is locked.

    • Anonymous

       Or at the very least if an account changes to another xbox, a password is changed, and then DLC is purchased, at least throw a warning out…

      Hell, we all see the pattern here on what they do…  MS should be able to stop or see the pattern at least.

  • Kumar Rishabh

    My account was hacked twice, Microsoft security sucks. They used all my points.

    • Anonymous

      They raped my sister with her own weiner.

  • http://twitter.com/Carl1412 Carl Jennings

    No evidence.. except all the people who were hacked

    • http://twitter.com/Sleaka_J Sleaka J

       It’s far more likely users are just careless/stupid.

  • http://twitter.com/SMG_823 Steve

    there’s a youtube page dedicated to videos of accounts being hacked. microsoft is such bs 

  • Anonymous

    Two Step Verification is a really cool thing that exists and companies interested in their customers' security often implement. Just letting you know, Alex.

  • Anonymous

    The android app "Xbox Live Statistics", both free and pro, is used by its developer to harvest account details for use in FIFA Ultimate Team fraud. Despite numerous users reporting this app it is still being used by thousands of Xbox users. Microsoft should ask Google to remove this app. Maybe Google might listen then. My account password was being reset for months until I stopped using this app. Within 5 mins of reinstalling it I was being signed in on other consoles and a FIFA 12 Ultimate Team achievement had been added to my gamertag. I don't even own any FIFA games. So as an Xbox Live Community Ambassador I would like to take this opportunity to warn all Xbox Live users against this app. Please look at Spark360 or any other alternatives. I've been using Spark360 for a long time with no issues to my account security. Also, if you have been a victim of Xbox fraud and used the Xbox Live Statistics app, please report the app to Google using their complaints form.

    • http://www.facebook.com/tony.ortale Tony Ortale

      Just for the record, I’ve been using Xbox Live Statistics (by Nicolas Ortiz) for well over a year now and I’ve never had any issues… I’ve had my account linked to there since I got my Droid X on launch day, and I frequently use the app. Is this the same one you’re referring to? I’ve never gotten a single password reset attempt nor have my points disappeared, and I still don’t have any record of FIFA on my account.

  • Anonymous

    Give us 2 step verification of logins already!  This would certainly put my mind at ease about my account
    I have never logged into a console other than the one I own, except in the case of my launch console dying in 2010.  I am extremely concerned that there *is* something wrong with Microsoft’s security based on the reports I have been hearing from people getting hacked out of the blue.

    Also, close the loopholes allowing people to resell points codes purchased through accounts(this should not be allowed, period) and EA’s FIFA third party sales nonsense.

    • Anonymous

      100% agree that MS should outlaw loopholes such as the in-game roster trading in the FIFA games.  It is these situations that encourage the stealing of Live accounts to gain access to MSP, and credit card/ Paypal accounts.

  • Anonymous

    Live/Xbox needs two step authentication at the very least.

  • Anonymous

    I’ll join in with the two step authentication crowd. That is long overdue from an industry leading company.

    There are a lot of other simple fixes that will prevent or at least slow down fraud. For example, having a feature similar to Facebook's device identifier. In Facebook, you can have it set so that every time you login to your account on a different device (computer/phone/tablet/whatever), you have to name that device and then an email is sent to your email account. While this wouldn't necessarily stop fraud, it would alert the user quickly that their account has been compromised.


    • http://twitter.com/cerisier Megan

      I cannot reiterate this point enough, it makes perfect sense. We should be able to authorize only certain consoles to access our gamertag/account.
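Two suggestions in this thread describe the same kind of check on the service side: locking or alerting when a sign-in comes from far away from the previous one (the Facebook-style distance lock suggested earlier), and recording the devices an account is used from so that a sign-in from an unrecognised one triggers an email (the device identifier suggested just above). The block below is an added example written for this page, not Xbox LIVE's or Facebook's code, that implements both checks over a constructed login history. The `LoginMonitor` class, the device identifiers, coordinates and the 900 km/h plausibility limit are all assumptions made for the illustration.

```python
"""Login-anomaly checks: unrecognised device and implausible travel (illustrative only)."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

MAX_PLAUSIBLE_KMH = 900.0    # assumption: a faster move between sign-ins is suspicious
EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    time_s: float      # seconds since some epoch
    device_id: str     # identifier the client presents (console serial, app install id, ...)
    lat: float
    lon: float


@dataclass
class AccountHistory:
    known_devices: Set[str] = field(default_factory=set)
    last: Optional[Login] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


class LoginMonitor:
    """Tracks per-account sign-in history and raises flags on anomalies."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountHistory] = {}
        self.notifications: List[Tuple[str, str]] = []   # (account, message) to email

    def record(self, account: str, login: Login) -> List[str]:
        """Record a successful sign-in and return the flags it raised."""
        hist = self._accounts.setdefault(account, AccountHistory())
        flags: List[str] = []
        prev = hist.last

        if prev is None:
            # First sign-in we have seen for this account: enrol the device silently.
            hist.known_devices.add(login.device_id)
        elif login.device_id not in hist.known_devices:
            flags.append("new_device")
            hist.known_devices.add(login.device_id)
            self.notifications.append((account, f"New device signed in: {login.device_id}"))

        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = max((login.time_s - prev.time_s) / 3600.0, 1e-9)
            if dist / hours > MAX_PLAUSIBLE_KMH:
                flags.append("impossible_travel")
                self.notifications.append(
                    (account, f"Sign-in {dist:.0f} km from the previous one within {hours:.1f} h"))

        hist.last = login
        return flags


def demo() -> List[List[str]]:
    """Constructed sequence: home console twice, then a different device far away an hour later."""
    monitor = LoginMonitor()
    sequence = [
        Login(0, "console-A", 47.6, -122.3),                 # enrolment
        Login(3600, "console-A", 47.6, -122.3),              # same device, same place
        Login(7200, "console-B", 51.5, -0.1),                # new device, ~7700 km away in 1 h
        Login(7200 + 48 * 3600, "console-B", 51.5, -0.1),    # now a known device, no travel
    ]
    return [monitor.record("player1", login) for login in sequence]


if __name__ == "__main__":
    for flags in demo():
        print(flags or "no flags")
```

The third sign-in raises both flags at once, which is the pattern the reply above describes (a different console, then activity the owner did not initiate). Whether the service locks the account or only emails a warning is a policy decision layered on top of these flags.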

  • http://twitter.com/Anaris82 Patrick Copeland

    We definitely need a Steam Guard like system for XBL.

    • Anonymous

       Please no, or at least make it optional. I hate Steam’s system.

      • http://www.toothball.co.uk Toothball

        Having to check your email once a month is a lot less inconvenient than having your account stolen and then losing access to it for several weeks while Microsoft investigate. If you’re lucky you might get your time back and refunds for any erroneous charges, although that doesn’t appear to be guaranteed from some of the reports.

        • Anonymous

           I would rather they come up with something better than the crappy system Steam uses. I like a lot of things about Steam but that is not one of them.

  • http://twitter.com/erichsouza Erich Souza

    Really hope that the security improves heavily and quickly because my account just got hacked last Sunday and the SOB made just about USD600 in purchases on my PayPal account linked to my Live account. Already spoke with customer service and hopefully they'll try to solve it. And the strangest thing is that it seems it wasn't related to that FIFA issue everyone else is speaking about.

    • http://twitter.com/seekul Luke Es | sE ekuL

      They linked PayPal to LIVE now? What an awful idea.

      • http://www.killerrin.com killer rin

        It's an option if you want to… just another method for people who don't trust credit card info online.

  • http://twitter.com/sockatume AW

    Doesn’t the Live ID password-recovery CAPTCHA have a known vulnerability where it’s possible to make an unlimited number of attempts to enter a password, allowing an attacker to make a simplistic “brute force” attack?

    • TomeOne

      Microsoft altered that.

      • Anonymous

        No, they didn’t. They said they did but it is not fixed. Google it.

  • SD

    I was the victim of an unauthorized access incident several weeks ago. The criminals that accessed my account drained my existing MSP for FIFA content. Fortunately, they didn't run up additional charges with the CC that is attached to my account and I was able to regain control of my account within a few hours of the breach before the account was migrated and more damage was done.

    My overall interaction with Xbox Customer Support was pretty painful.  Several conversations with several people over many days to completely restore my account and refund the MSP, not to mention getting my credit card information removed from my account.

    I understand that no online security is flawless, but MS could change their policies to remove many of the lucrative incentives that exist within the system today for people to steal Live accounts in order to gain access to the MSP and linked payment options.  This includes outlawing in-game content trading such as the team rosters in the FIFA games and distributing points within bogus Family Accounts.

    There was an interesting article on joystiq this week with EA celebrating the huge gains that they have made in the past year with FIFA in-game microtransactions… oblivious to the on-going criminal activities that are supporting their record profits.

  • TomeOne

    I sure hope you’re giving EA hell for their stupid FIFA premium junk that is becoming a huge impetus for account hijacks.

  • Billy O’Keefe

    Translation: “Now that the games media has shamed us into admitting we have a security problem, I guess your security is important to me.”

  • http://twitter.com/seekul Luke Es | sE ekuL

    If Mr. Garden is going to go to the trouble of explaining what CAPTCHAs are, I’ll go to the trouble of saying just Bing PWNtcha to see why “industry-standard” doesn’t count for much.

  • http://twitter.com/locolukah Rocket Slime

    Welcome to the internet Microsoft! The year is 2012.

  • http://twitter.com/pcedfeldt Paul Cedfeldt

    Get on top of that FIFA hack stuff. The perception is that this is happening quite often, and it scares the sh** out of me.

  • Anonymous

    Just wondering, but has anyone at Microsoft looked at non-official apps that claim to connect users to Xbox Live for friends’ statuses and such? I can imagine with all the apps out there, it’s “easy” to create one that doesn’t work as promised yet sends the login info somewhere… I know it was very tempting to try a few Xbox Live apps when I still used android, though I never did as I didn’t trust them.

    Also, were the compromised accounts “protected” with a passcode that must be entered before it’ll let the user log on to the account? Mine is, though I can’t remember for the life of me how I turned it on.

  • http://twitter.com/HTLoneWolf HTLoneWolf

    Too long, did not read.

  • http://twitter.com/rogXue Justin Forsythe

    Look at it this way, at least we all get 15 free achievement points if we’ve been hacked…. I have that “badge” on my account unfortunately…

  • Wayne Drury

    The point being missed is Xbox Live's ability to allow points to be bought on an account without the need to re-enter the Credit Card CVC code from the back of the registered card. That is a FAILING of Xbox and Microsoft. What other online purchase system allows an item to be bought without using your CVC code to validate the card?

    If this STANDARD security measure had been in place on my Xbox Live accounts then the hackers couldn't have made any MS point purchases in the first place!

    • MosquitoControl

       This seems very reasonable to me. Forcing that to be re-entered would add a very nice added step.

      I’d prefer to have to enter the entire CC#, but Microsoft makes it difficult to not keep a CC stored. Not only is it nearly impossible to remove, but after mine expired I tried buying a card with a code. Unfortunately my Gold account had also expired and I couldn’t redeem my code without entering a CC# and buying Gold… I needed to buy Gold to redeem Gold and I needed to store a CC#… was all a bit unpolished.

  • Anonymous

    OK help me out here! Accounts are getting hacked through Fifa (not official but most likely). So that makes it an EA issue (heard it linked to Fifa 11 and Madden also).
    Why is this not an issue with PS3 then? Clearly PSN/SEN isn’t hack-proof so is this just a feature on XBOX LIVE or what?

    • http://twitter.com/WickedWaffles93 Dixie Normous

      It’s not happening on ps3 because there is no hidden exploit to hack accounts as opposed to xbox live, hackers have found a loophole , not certain but it could be somewhere between xbox live and the game itself.

      • Anonymous

        Cool, thanks!

  • http://www.facebook.com/people/Joe-Adanac/100001237455741 Joe Adanac

    On one hand the article says to provide a phone number, then the next moment, in the same sentence, it says to reduce the amount of personal information shared online! Consistency in logic, please!

    A phone number is one of the worst things to put on the internet because it opens you up to personal harassment and can reveal your real life identity and home address. Giving your phone number to Microsoft so hackers can break into their database and steal it, is not a very bright idea.

  • Anonymous

    How about we don’t have to fight you with a pitchfork to not keep our credit card info on tab.

  • Gonzalo Fernández Moya

    Good but… what about increasing the password's length?

  • Carl Brien

    Those suggestions are well and good, but how about allowing us to remove our credit card info from the account? I used my credit card to start my Gold account but now I use prepaid codes. Why won't MS let me remove my info unless I let my Gold account expire first? I tried calling the 800 number and spent almost 10 minutes getting a hard sell to keep my CC attached to my account. I finally went out, bought a prepaid credit card and swapped it out with my real credit card.
    Tip for using a prepaid card: Make sure you go to the card's website and register it with your Zip code. The card needs to be attached to your Zip code to work.

    • Anonymous

      I had to do the exact same thing and know others that did as well.

  • http://www.facebook.com/profile.php?id=100001663150901 Josh Pitchford

    I had my account stolen and was treated like the scum of the earth for worrying about my $159 that was taken from my account, let alone the month I was without my account…

  • http://www.facebook.com/profile.php?id=574106260 Timothy Comben

    I have to say that when I contacted Xbox about a report in a German newspaper, the answer I got from Xbox was to treat me as a joke! If Xbox takes security and their customers seriously, maybe the first place they should start is internal… and if someone takes the time and trouble to contact the support service, a reasonable response should be given, not a "you are mistaken, Xbox is perfect" attitude. Sorry, you're not perfect… maybe Alex Garden should take time sending this message to their own support staff.

  • http://www.facebook.com/profile.php?id=1187973417 Todd Moreau

    FIFA 2011/12 seems to be a common denominator, Microsoft.  Dig!

  • http://twitter.com/speil6 Jochen

    Oh please – my Gamertag was hacked for FIFA 12 Ultimate Team transfers.

    I never "answered" any phishing mails and use a – for me – secure password.

    Also I wait about 3 weeks now for the reactivation of my account – not the described 3 days …

    I’m pissed of

    • William Heymann

      That is what happened to my friend's account just a few days ago. I found him online playing FIFA and so I joined his party and it was a bunch of giggling kids. When I asked him about it later that day he said it was not him and he did not even have that game.

      It turned out his account had been compromised and he contacted Microsoft for help on that. I wonder why FIFA seems to be so common in this. His computer was also checked for malware and nothing showed up (he uses MSE), and he does not hand his password out to anyone.

  • http://www.toothball.co.uk Toothball

    The option to recover a Windows ID with a PIN sent to your phone is a good feature, but it’s not available via Xbox. I’ve seen friends have their accounts stolen and lose years worth of work from it. There need to be improvements.

  • http://profile.yahoo.com/JETTYUBTF722CVA76HY2PM53WM mark

    Alex was kind enough to email me and hopefully helped in getting my account back online last night.  I have been under investigation since the end of October.

    • http://twitter.com/speil6 Jochen

      Had he emailed you after you posted here or anywhere else?

      And … Bear Down :)

  • Peter Sebastian

    I enjoy my Xbox Live service and appreciate the fact that MS has reached out to reinform everyone about how to keep our accounts secure.

    Here is the problem: the FIFA hack has been going on since FIFA 11. They have spent all this effort on bringing FiOS and other services over, costing MS hundreds of millions, but they can't spend a few hours to change the purchasing process to require a CVC code? If there is an exploit and FIFA 11/12 keep being the cause of all these MS support calls, why hasn't Microsoft disabled that game from Xbox Live and forced EA to fix / resolve the problem? Clearly the issue is with EA, as the FIFA 12 hack happened to me less than 2 weeks after I first played BF3 and was required to make an EA account that linked to my Xbox Live account. The issue was resolved promptly and I got 35 achievement points from the FIFA 12 game, but it should have been stopped so long ago. Fix your existing systems before you add all these extra services.

  • http://twitter.com/MadmanFF1 Neil Pleasance

    I am another victim of the FIFA 12 hack, nearly £90 on my credit card in one day. Luckily I spotted the achievements appear on the same day (I don't have FIFA 12) and this made me check my e-mail; guess what, I had purchased over 8000 MS points and then spent them all with "my" original 4000+. To be honest though, I could not praise the service from MS enough: one phone call and the next day I had my money re-credited to the credit card. The only issue was that the e-mail informing me that the issue had been resolved and giving me my codes to reclaim my original MS points was sent to the wrong e-mail address, although this was partly my fault for not checking on the original call that they had it right. Not happy that you can use FIFA to make money out of this. Like some other posters, I also had to set up an EA account for BF3 on PC very recently and what do you know, I then get hacked a few days later…

  • Anonymous

    “Take lightly” ha ha.

  • Anonymous

    EA are at fault for this. EA don't even want to admit that this is all their fault. Even their forums have been hacked. What have you got to say about this, Peter Moore?

  • http://www.facebook.com/timothy.hames Timothy Hames

    Great Interview, This would be beating a dead horse but removing the Credit Card information from an account would be good or at least having to enter your pin (without saving the information) for purchases would make all of us happier.

  • Rob adams

    Lots of people pointing blame at MS, yet there has been no security breach or data leak at Microsoft. If you bought a car, left the keys in the lock only to discover it had been stolen, would you blame the car dealer??? That is what people are doing when they sign up to a site promising free MS points or extended Xbox Live features. It is not up to Microsoft to hold your hands and make sure you choose a strong password and keep it safe!!

    The whole Fifa saga is caused by Microsoft letting outsiders in.  EA make great games but don’t understand security like MS.  Whilst these social hubs and interactions outside of the game are good it does mean your personal data is then moved from the safety of your MS account to someone else.

    Most profile hacks will also stem from poor password choice, "password" or even "0p1a2s3s4w5o6r7d8" as they are commonly used by everyone the world over. Choose a very long random string and store it somewhere safe in your house. A lot of my clients use the serial number of their monitor/laptop so it is always available.

    The best advice is to use a good password manager (RoboForm) to generate random string passwords. You only need to enter the password once into your Xbox; then for all other account management you can use the official Xbox Live account website.

    The social engineering hacks are user error.  If you are asked to enter any more info than your gamertag then you are looking for trouble.  If someone has partnered with Microsoft you will have to sign in through the windows live log in page. Make sure the padlock icon is displayed in your browser and ensure that the site starts with https.  Sounds pretty basic but there are so many people not following these rules.

    Rob Adams

    IT Consultant

    The views expressed in this post are those of the above named person and not the views of the company whose network was used to access this site.