In this post I’ll focus on Microsoft’s Xbox Live service; I’ll deal with World of Warcraft security issues another time (believe me, that could be an even longer post than this one). I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service: typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and, one of the most common concerns, how payment card details are managed, especially by users trying to remove the payment card details held within their Xbox Live account.
Before I go on to answer some of the questions posed, let me make it clear that I do not work for Microsoft, nor do I have any inside knowledge about Xbox Live.
Q. “I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account?” – You cannot remove any credit card details associated with your Xbox Live account through the console’s account management, or by signing into XBL account management on http://www.xbox.com/, and in my view this is an utter disgrace, but more on that later. The only way to remove your payment card details is to phone Microsoft support, prove who you are (ironically, probably by reading out your payment card details), and then wait up to 30 days!
On that point, you can add full credit card details, in fact as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards by the same method. I have used many e-commerce websites that retained my payment card details within an online account; every one of those account management systems allowed me, the end user, to remove my payment card details at will, directly, without needing to phone support.
Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threatened with being hacked a couple of times while playing online; can my account be hacked?” I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.
I think "hacked" is probably the wrong term, as it would appear the attackers are simply social engineering the Xbox Live support staff, perhaps using a bit of "Google hacking" to build up a profile of the target in order to impersonate the original account holder and have the target XBL account password reset. Unfortunately, if you are famous your address, date of birth and so on are fairly easy to obtain; in fact there have been many cases of famous people being victims of identity theft. However, I’m sure (I hope) Microsoft will have tightened up its helpdesk security procedures, specifically around how account holders prove their identity over the phone. Tightening of security processes tends to occur following high-profile data breaches in similar circumstances, apart from within government departments, of course.
The bad guys could also target the Xbox account holder directly and social engineer their password and account details out of them. One such method would be a phishing email (“This is Xbox Live Security - please confirm your XBL password…”), or perhaps a fake Microsoft Passport sign-in page to lure that ID and password out of the target; since most 360 users link their Windows Live Messenger account to their XBL ID, a phished Passport credential hands the attacker the Xbox Live account as well.
Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of the word; however, if anyone knows differently, I’d be very interested to hear about it.
Q. “How come everyone can see my friends list? That’s an invasion of my privacy” – You are right: following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this, and address other XBL privacy issues, by editing the privacy settings either through the console or on the Xbox website. For instance, you can set it so that only your friends can see your friends list, or no one at all.
It really bugs me that Microsoft is employing the same old social networking website tactic of leaving privacy switched off by default, which is concerning as Xbox Live is going further down the road of social networking. In my view, privacy settings must always be fully enabled (the most restrictive setting) by default, so that the user has to take a deliberate action to relax them, and in doing so acknowledges the change and is ultimately responsible for any consequences that follow.