A Letter from Alex Garden: Your Security

The following is a letter from Alex Garden, General Manager of Xbox LIVE, that he wanted me to share directly with the Xbox LIVE community:

Your Security is Important to Me

Since today is Safer Internet Day, I thought it’d be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.

As all of us know, account hijacking across the Internet continues to grow. It’s a thriving – albeit illegal – industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.

It’s in this vein I’m reminded how important it is to listen to you, our members – to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.

Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.

That’s why I believe it’s more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.

What you’ll see here is that the most common sources of attack continue to involve:

  • social engineering to gather information about the user to guess the password;
  • phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
  • malicious software on the computer that has captured the password; or
  • using the same password from another online service that has been breached.

I share these realities in the hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you log in to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you’re signing in from a PC that isn’t your own. Working together we can prevail over the criminals.

I realize it may fall flat when we don’t share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, pin sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.

Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and bot nets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.

Recovering compromised accounts – in a timely manner – is also a priority and an area where we’ve made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we’re making great strides. We hope our customers are experiencing the improvements firsthand.

We do not take lightly the frustrations we’ve heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers’ individual and collective concerns. For now, if you have a problem we haven’t yet resolved, please email me. Also tune into Major Nelson’s podcast this week to hear more about our work in the war on fraud.

With my sincere commitment to listen and take action,

Alex Garden
Email: Alex dot Garden at Microsoft dot com
General Manager, Xbox LIVE

Comments

  • Anonymous

    Hmm…my comment about my account just recently being hacked was removed. Nice.

    • mama mambo

      Agreed, that seemed heavy handed.

  • mama mambo

    MS should have an app for security for android, windows phone and IOS devices that works as a secure ID. I would love to have that.


  • Anonymous

    Not to be too harsh but when MS/ Xbox staff have their account taken by another person the account is sorted out immediately.

    However when it comes to customers (non MS/ Xbox staff) it’s a totally different story.


    • http://www.killerrin.com killer rin

      That actually makes sense though… if you’re actually there in person to verify you can’t get in, and you have direct access to the servers, why not reset your account right away? You know that you’re the owner.

      When dealing with everybody else though, that’s the problem. When you’re over the phone or the internet, anyone can pretend to be anyone. If it was in person it would be much faster.

  • Anonymous

    You should have FaceBook-like protection. If someone signs onto an account over a great distance, the account is locked.

    • Anonymous

      Or at the very least, if an account changes to another Xbox, a password is changed, and then DLC is purchased, at least throw a warning out…

      Hell, we all see the pattern here on what they do… MS should be able to stop or see the pattern at least.

  • Kumar Rishabh

    My account was hacked twice, Microsoft security sucks. They used all my points.

    • Anonymous

      They raped my sister with her own weiner.


  • http://twitter.com/Carl1412 Carl Jennings

    No evidence.. except all the people who were hacked


    • http://twitter.com/Sleaka_J Sleaka J

      It’s far more likely users are just careless/stupid.

  • http://twitter.com/SMG_823 Steve

    There’s a YouTube page dedicated to videos of accounts being hacked. Microsoft is such BS.

  • Anonymous

    Two Step Verification is a really cool thing that exists and companies interested in their customers’ security often implement. Just letting you know, Alex.

  • Anonymous

    The Android app “Xbox Live Statistics”, both free and pro, is used by its developer to harvest account details for use in FIFA Ultimate Team fraud. Despite numerous users reporting this app it is still being used by thousands of Xbox users. Microsoft should ask Google to remove this app. Maybe Google might listen then. My account password was being reset for months until I stopped using this app. Within 5 mins of reinstalling it I was being signed in on other consoles and a FIFA 12 Ultimate Team achievement had been added to my gamertag. I don’t even own any FIFA games. So as an Xbox Live Community Ambassador I would like to take this opportunity to warn all Xbox Live users against this app. Please look at Spark360 or any other alternatives. I’ve been using Spark360 for a long time with no issues to my account security. Also, if you have been a victim of Xbox fraud and used the Xbox Live Statistics app, please can you report the app to Google using their complaints form.

    • http://www.facebook.com/tony.ortale Tony Ortale

      Just for the record, I’ve been using Xbox Live Statistics (by Nicolas Ortiz) for well over a year now and I’ve never had any issues… I’ve had my account linked to there since I got my Droid X on launch day, and I frequently use the app. Is this the same one you’re referring to? I’ve never gotten a single password reset attempt nor have my points disappeared, and I still don’t have any record of FIFA on my account.


  • Anonymous

    Give us 2 step verification of logins already! This would certainly put my mind at ease about my account.
    I have never logged into a console other than the one I own, except in the case of my launch console dying in 2010. I am extremely concerned that there *is* something wrong with Microsoft’s security based on the reports I have been hearing from people getting hacked out of the blue.

    Also, close the loopholes allowing people to resell points codes purchased through accounts (this should not be allowed, period) and EA’s FIFA third party sales nonsense.

    • Anonymous

      100% agree that MS should outlaw loopholes such as the in-game roster trading in the FIFA games. It is these situations that encourage the stealing of Live accounts to gain access to MSP, and credit card/PayPal accounts.

  • Anonymous

    Live/Xbox needs two step authentication at the very least.


  • Anonymous

    I’ll join in with the two step authentication crowd. That is long overdue from an industry leading company.

    There are a lot of other simple fixes that will prevent or at least slow down fraud. For example, having a feature similar to Facebook’s device identifier. In Facebook, you can have it set so that every time you log in to your account on a different device (computer/phone/tablet/whatever), you have to name that device and then an email is sent to your email account. While this wouldn’t necessarily stop fraud, it would alert the user quickly that their account has been compromised.

    • http://twitter.com/cerisier Megan

      I cannot reiterate this point enough; it makes perfect sense. We should be able to authorize only certain consoles to access our gamertag/account.
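
The password-attempt throttling and lockout Mr. Garden lists, together with the new-device alert and the "new console, then password change, then purchase" pattern that commenters above ask for, can be expressed as one small event monitor. This is an added illustration written for this page, not code from Microsoft or from any commenter; the thresholds, the event kinds (login_fail, login_ok, password_change, purchase), the device identifiers and the sample timeline are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5          # consecutive failed sign-ins before lockout (assumed value)
LOCKOUT_SECONDS = 15 * 60      # how long the account stays locked (assumed value)
RISK_WINDOW_SECONDS = 60 * 60  # window for the new-device, password-change, purchase chain (assumed)

@dataclass
class AccountState:
    failures: int = 0                                     # consecutive failed sign-ins
    locked_until: int = 0                                 # lockout expiry timestamp
    known_devices: set[str] = field(default_factory=set)  # consoles/PCs already seen
    new_device_at: int | None = None                      # last first-time device sign-in
    password_changed_at: int | None = None

def evaluate(events: list[tuple[int, str, str, str | None]]) -> list[str]:
    """Events are (ts, account, kind, device); returns one decision string per event."""
    state: dict[str, AccountState] = {}
    decisions = []
    for ts, account, kind, device in events:
        s = state.setdefault(account, AccountState())
        if ts < s.locked_until:                           # everything is refused while locked
            decisions.append("rejected:locked")
        elif kind == "login_fail":                        # throttling: lock on the Nth consecutive failure
            s.failures += 1
            if s.failures >= LOCKOUT_THRESHOLD:
                s.locked_until, s.failures = ts + LOCKOUT_SECONDS, 0
                decisions.append("lockout")
            else:
                decisions.append("fail")
        elif kind == "login_ok":
            s.failures = 0
            if device in s.known_devices:
                decisions.append("ok")
            else:                                         # first sign-in from this console/PC: notify the owner
                s.known_devices.add(device)
                s.new_device_at = ts
                decisions.append("alert:new_device")
        elif kind == "password_change":
            s.password_changed_at = ts
            decisions.append("ok")
        else:                                             # purchase: hold when it follows a new device AND a password change
            marks = [t for t in (s.new_device_at, s.password_changed_at)
                     if t is not None and ts - t <= RISK_WINDOW_SECONDS]
            decisions.append("hold:review" if len(marks) == 2 else "ok")
    return decisions

# Constructed sample: five bad guesses, a sign-in attempt during the lockout, then the takeover chain.
SAMPLE = [(t, "gamer1", "login_fail", None) for t in range(5)] + [(10, "gamer1", "login_ok", "console-A"),
    (1000, "gamer1", "login_ok", "console-A"), (1300, "gamer1", "password_change", None), (1600, "gamer1", "purchase", None)]
```

Running `evaluate(SAMPLE)` yields four `fail` decisions, a `lockout`, a `rejected:locked` sign-in, an `alert:new_device`, an `ok` for the password change and a `hold:review` for the purchase.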

  • http://twitter.com/Anaris82 Patrick Copeland

    We definitely need a Steam Guard like system for XBL.


    • Anonymous

      Please no, or at least make it optional. I hate Steam’s system.

      • http://www.toothball.co.uk Toothball

        Having to check your email once a month is a lot less inconvenient than having your account stolen and then losing access to it for several weeks while Microsoft investigate. If you’re lucky you might get your time back and refunds for any erroneous charges, although that doesn’t appear to be guaranteed from some of the reports.


      • Anonymous

        I would rather they come up with something better than the crappy system Steam uses. I like a lot of things about Steam but that is not one of them.

  • http://twitter.com/erichsouza Erich Souza

    Really hope that the security improves heavily and quickly because my account just got hacked last Sunday and the SOB made just about USD600 in purchases on my PayPal account linked to my Live account. Already spoke with customer service and hopefully they’ll try to solve it. And the strangest thing is that it seems it wasn’t related to that FIFA issue everyone else is speaking about.

    • http://twitter.com/seekul Luke Es | sE ekuL

      They linked PayPal to LIVE now? What an awful idea.


      • http://www.killerrin.com killer rin

        It’s an option if you want to… just another method for people who don’t trust credit card info online.

  • http://twitter.com/sockatume AW

    Doesn’t the Live ID password-recovery CAPTCHA have a known vulnerability where it’s possible to make an unlimited number of attempts to enter a password, allowing an attacker to make a simplistic “brute force” attack?


    • TomeOne

      Microsoft altered that.


      • Anonymous

        No, they didn’t. They said they did but it is not fixed. Google it.


  • SD

    I was the victim of an unauthorized access incident several weeks ago. The criminals that accessed my account drained my existing MSP for FIFA content. Fortunately, they didn’t run up additional charges with the CC that is attached to my account and I was able to regain control of my account within a few hours of the breach, before the account was migrated and more damage was done.

    My overall interaction with Xbox Customer Support was pretty painful. Several conversations with several people over many days to completely restore my account and refund the MSP, not to mention getting my credit card information removed from my account.

    I understand that no online security is flawless, but MS could change their policies to remove many of the lucrative incentives that exist within the system today for people to steal Live accounts in order to gain access to the MSP and linked payment options. This includes outlawing in-game content trading such as the team rosters in the FIFA games and distributing points within bogus Family Accounts.

    There was an interesting article on Joystiq this week with EA celebrating the huge gains that they have made in the past year with FIFA in-game microtransactions… oblivious to the on-going criminal activities that are supporting their record profits.

  • TomeOne

    I sure hope you’re giving EA hell for their stupid FIFA premium junk that is becoming a huge impetus for account hijacks.


  • Billy O'Keefe

    Translation: “Now that the games media has shamed us into admitting we have a security problem, I guess your security is important to me.”


  • http://twitter.com/seekul Luke Es | sE ekuL

    If Mr. Garden is going to go to the trouble of explaining what CAPTCHAs are, I’ll go to the trouble of saying just Bing PWNtcha to see why “industry-standard” doesn’t count for much.


  • http://twitter.com/locolukah Rocket Slime

    Welcome to the internet Microsoft! The year is 2012.


  • http://twitter.com/pcedfeldt Paul Cedfeldt

    Get on top of that FIFA hack stuff. The perception is that this is happening quite often, and it scares the sh** out of me.

  • Anonymous

    Just wondering, but has anyone at Microsoft looked at non-official apps that claim to connect users to Xbox Live for friends’ statuses and such? I can imagine with all the apps out there, it’s “easy” to create one that doesn’t work as promised yet sends the login info somewhere… I know it was very tempting to try a few Xbox Live apps when I still used android, though I never did as I didn’t trust them.

    Also, were the compromised accounts “protected” with a passcode that must be entered before it’ll let the user log on to the account? Mine is, though I can’t remember for the life of me how I turned it on.


  • http://twitter.com/HTLoneWolf HTLoneWolf

    Too long, did not read.


  • http://twitter.com/rogXue Justin Forsythe

    Look at it this way, at least we all get 15 free achievement points if we’ve been hacked…. I have that “badge” on my account unfortunately…


  • Wayne Drury

    The point being missed is Xbox Live’s ability to allow points to be bought on an account without the need to re-enter the credit card CVC code from the back of the registered card. That is a FAILING of Xbox and Microsoft. What other online purchase system allows an item to be bought without using your CVC code to validate the card?

    If this STANDARD security measure had been in place on my Xbox Live accounts then the hackers couldn’t have made any MS point purchases in the first place!

    • MosquitoControl

      This seems very reasonable to me. Forcing that to be re-entered would add a very nice added step.

      I’d prefer to have to enter the entire CC#, but Microsoft makes it difficult to not keep a CC stored. Not only is it nearly impossible to remove, but after mine expired I tried buying a card with a code. Unfortunately my Gold account had also expired and I couldn’t redeem my code without entering a CC# and buying Gold… I needed to buy Gold to redeem Gold and I needed to store a CC#… was all a bit unpolished.

