Tuesday, 25 March 2008

Xbox Live Security Q&A

Online gaming is booming at the moment, and judging by the type and number of security-related questions I am asked by online gamers, there are issues worth raising and addressing. Gamers’ accounts hold personal information and often payment details, such as bank or credit card details. Then there are the virtual in-game objects, which can have real value in the real world, so the stakes are high enough for concern.

In this post I’ll focus on Microsoft’s Xbox Live service; I’ll deal with World of Warcraft security issues another time, and believe me, that could be an even longer post than this one. I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service: typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and, one of the most common concerns, how payment card details are managed, especially when users try to remove the payment card details held within their Xbox Live account.

Before I go into answering some of the questions posed, let me make it clear that I do not work for Microsoft, nor do I have any inside knowledge about Xbox Live.

Q. “Are my credit card details stored on the Xbox 360 console?” - The answer is no. Credit card details aren’t held on the Xbox 360 hard disk or on the memory card; they are held on the backend Microsoft Xbox Live servers. The evidence for this is that you cannot even reach your Xbox Live account management screen without your console being signed in to the Xbox Live service, let alone manage your payment card options.

Q. “I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account?” – You cannot remove any credit card details associated with your Xbox Live account through the console account management, or by signing in to your XBL account management on http://www.xbox.com/, and in my view this is an utter disgrace, but more on that later. The only way to remove your payment card details is to phone Microsoft support, prove who you are (ironically, probably by reading out your payment card details), and then wait up to 30 days!

Q. “What can happen if someone were to take over my Xbox Live account?”, “I’ve had my Xbox 360 stolen, and I had set up my credit card details to pay for my monthly subscription, so can they steal my card details as well?” - First let me provide some assurance on the credit card theft question, should your XBL account or Xbox 360 itself be stolen. Within the Xbox Live account management, your credit cards are displayed in a Payment Card Industry (PCI DSS) compliant manner: only the last four digits of the card number (the PAN) are ever displayed, and there is no way to retrieve the full number from the system, so your saved payment card details cannot be lifted from the account and used elsewhere. However, anyone holding your account can still spend against your credit card by purchasing Microsoft Points (the XBL currency) and subscriptions to the Xbox Live service, so this is certainly something to be aware of, and I recommend you have your payment card details removed should your circumstances dictate. Remember, the only way to remove those card details is to phone Microsoft Xbox 360 Support, prove who you are, and then wait.
Up to 30 Days to Remove Your Credit Card Details from Xbox Live!
On that point, you can add full credit card details, in fact as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards by the same route. I have used many e-commerce websites which retained my payment card details within an online account, and every one of those account management systems allowed me, the end user, to remove my payment card details at will, directly, without having to phone support.
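The masking described above is a standard PCI DSS display rule: a system that shows a card on file reveals at most the first six and last four digits of the PAN, and the record used for display should not carry the full number at all. The following is an added example, not code from the original post or from Microsoft, showing how such a "card on file" record is built: the PAN is Luhn-checked, masked, and then only the masked form and the last four digits are kept. The function names and the record layout are my own assumptions.

```python
import re

# Luhn checksum: the standard mod-10 check that every real card number passes.
# Used here only to reject obviously mistyped input before masking.
def luhn_valid(pan: str) -> bool:
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for index, char in enumerate(reversed(pan)):
        digit = int(char)
        if index % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Return the PAN masked for display.

    PCI DSS permits showing at most the first six and last four digits;
    the default (last four only) matches what the post describes for Xbox Live.
    """
    clean = re.sub(r"[ -]", "", pan)   # tolerate "4111 1111 ..." style input
    if not luhn_valid(clean):
        raise ValueError("not a plausible card number")
    if keep_first > 6 or keep_last > 4 or keep_first + keep_last >= len(clean):
        raise ValueError("masking must hide all but at most first 6 / last 4 digits")
    hidden = len(clean) - keep_first - keep_last
    tail = clean[-keep_last:] if keep_last else ""
    return clean[:keep_first] + "*" * hidden + tail


def card_on_file(pan: str, expiry_month: int, expiry_year: int, holder: str) -> dict:
    """Build the record an account page would hold for a saved card.

    Hypothetical record layout (assumption): the full PAN is deliberately
    never stored in this record, only the masked display form and last four.
    """
    masked = mask_pan(pan)
    return {
        "holder": holder,
        "last4": masked[-4:],
        "display": masked,
        "expiry": f"{expiry_month:02d}/{expiry_year}",
    }


if __name__ == "__main__":
    # Constructed sample input: a well-known test PAN, not a real card.
    record = card_on_file("4111 1111 1111 1111", 3, 2010, "A N Other")
    print(record)
```

Note that masking only limits what a reader of the account page can see; as the post says, whoever controls the account can still spend against the card, so the masked record is no substitute for being able to delete it.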

Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threatened with being hacked a couple of times while playing online; can my account be hacked?” - I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.

I think "hacked" is probably the wrong term, as it appears the attackers are simply social engineering the Xbox Live support staff, perhaps using a bit of "Google hacking" to build up a profile of the original account holder in order to impersonate them and have the target XBL account password reset. Unfortunately, if you are famous your address, date of birth and so on are fairly easy to obtain; in fact there have been many cases of famous people being victims of identity theft. However, I’m sure (or hope) Microsoft will have tightened up their helpdesk security procedures, specifically the checks an account holder must pass to prove their identity over the phone. Tightening of security processes tends to follow high-profile data breaches in similar circumstances, apart from within government departments of course.

The bad guys could also target the Xbox account holder directly and social engineer the password and account details out of them. One such method would be a phishing email, “This is Xbox Live Security, please confirm your XBL password…”, or perhaps a lure built around the Microsoft Passport (Windows Live ID) credentials, since most 360 users link their Windows Live Messenger account to their XBL ID and the same ID and password open both.

Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of the word; however, if anyone knows different, I’d be very interested to hear about it.

Q. “Is it true I can get banned from Xbox Live if I "chip" my Xbox 360 to play “backed up” copies of games?” - Yes, it’s true. Chip your 360 and go online and you can expect to see the following message...

Q. "Is there a security reason why Xbox Live doesn't have a web browser?" - Yes, I believe security is the reason Xbox Live doesn't have any web browsing capability, as Xbox Live is a fairly closed network from the Internet. Having a web browser opens the possibility of malware being installed on the Xbox 360 (which is basically a PC!), account details being phished or stolen, even Xbox viruses, and so on. Having said that, I wouldn't be overly surprised to see a web browser released in the future, as competing game consoles seem to be offering them.
Microsoft are making moves to open the service up more, as I think there is an agenda to make Xbox Live more like the social networking sites. At the end of the day, most gamers don't care much where the service is going or about web browsing, as long as the extra interface software and other extras don't slow down their overall online gaming experience. As an online gaming platform, Xbox Live is second to none at the moment, and that is now its main advantage in its marketplace, so let's hope they steer well clear of messing it up too much; you know what I always say, if it works, don't try to fix it!

Q. “How come everyone can see my friends list? That’s an invasion of my privacy” – You are right: following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this and address other XBL privacy issues by editing the privacy settings, either through the console or on the Xbox website. For instance, you can set it so that only your friends can see your friends list, or no one at all.

It really bugs me that Microsoft are employing the same old social networking website tactic of leaving privacy switched off by default, which is concerning as Xbox Live is going further down the social networking road. In my view privacy settings must always be fully enabled by default, so that the user takes ownership of relaxing them, acknowledges the change, and is ultimately responsible for any consequences that follow.


Anonymous said...

Someone has threatened to hack my account. I've changed the email address linked to my Xbox and my password and even added a pass code. Does this mean my account will be safe?

Dave Whitelegg CISSP said...

Every Xbox Live account incident I have come across which is said to have been "hacked", has always been down to the actual account holder being social engineered or phished into giving away the account details.

So what I am basically saying is, pretty much the only way anyone can gain access to your Live account is if you supply your account password.

Such threats are usually trash talk. I mean, if I was serious about stealing your Xbox Live account, the last thing I would do is tell you beforehand; trust me, professional hackers aren't that stupid!

You did the correct thing in changing your password and email address if you are particularly concerned, but also report the threat/abuse to Microsoft, block the user, give bad feedback, etc.

Just a word on your PC: ensure you keep your anti-virus up to date and your firewall enabled, as it is possible for keylogger or MSN Messenger password-stealing malware to be installed, which could steal passwords from your system without you knowing.

I hope I've not scared you too much, as to be honest Xbox Live accounts aren't targeted so much, as they offer little value to an attacker, unlike World of Warcraft accounts, which are heavily targeted; again, it's usually down to the player's system rather than the company's being compromised.

If you need any further specific info about what's gone on, email me; plus I'm on Xbox Live as well!

Anonymous said...

I think the best way to protect your credit card details is to not give them away in the first place. To set up an XBL account you do not have to enter your credit card details unless you are under 13. To buy a Gold membership there are prepaid cards; these are also available for the Marketplace. So I think the best way to protect your credit card is to go prepaid.

Jake said...

I just bought a 360 today, brought it home, realized it didn't include a free trial (as I had been told by 3 different people; you can get one if you create a new account, but I have an account from my roommate having a 360), figured the easiest thing to do was just buy a month of Live (I'd also like to add that when buying a month, it says onscreen that you can change the auto-billing online, which you can't, and remove a card, which you can't), and now I'm in this absurd hell to get my information off of there. This is why I always use prepaid cards; I just didn't wanna wait, lol.

Anonymous said...

Is my internet safe from hackers while playing on Xbox Live?

Jeremy said...

My Xbox Live account was hacked by some guy. I have no idea how, but he took my account, changed the gamertag and deleted all the friends on the account. I called Xbox; they locked the account and said they'll investigate, and they never got back to me. Ya know, the thing I hate about Xbox Live is that you have to give them too much sensitive information just so you can play your game online. It's bull; they should just make it free and simple.
The gamertag that got hacked is still open too. It was SGT JAY95 but he changed it to H3 Overdosed. It's still active, but he changed all the info so I can't get it back.

Anonymous said...

My Live account was tampered with: changed name, added 5000 MS points, charged my credit card hundreds. I am the only one who has ever touched my console and I never gave my details to anyone. They CAN access your account (they being hackers) and they CAN see your personal information, i.e. address, name, phone number. They CANNOT see your credit card numbers. If you do see this happening to you, be aware that Xbox Live support WILL NOT help you, they WILL NOT issue you a redeem code NOR will they refund your money lost. TRUE STORY. I advise everyone who wants a subscription to buy prepaid cards at your local Best Buy and do not enter your personal details in your account. Accounts can be tampered with and can cost you hundreds.

Anonymous said...

The best way to get your money back is to do it as a separate issue, not with Microsoft but with your bank. My mate had his account hacked; the hacker purchased 20,000 MP and 2 years of Gold subscription. He went to the bank and explained the situation and the bank refunded all money lost, all in all about $300. They then contacted Microsoft, who got his account back, so he got his account back and got all the MP and subscription for free.

Anonymous said...

I had my Live account stolen about a month ago. Ever since that happened I've been contacting Xbox customer support for that whole month. They are giving me the runaround. They receive all my information, then tell me they can't help me with my stolen account. So they put me on hold for about 15 to 20 minutes. Then the last agent's supervisor, who I just got connected to, has me tell them the same information as the last person. I still can't get over that I was scammed. The hacker got my email address and password. After he got that information, he changed the password, secret question and the secret answer. The hacker also changed the country region and postal code on my email address. I have a MySpace, and that hadn't been touched until a couple of days ago. He went on to MySpace and changed some information and my picture. He was telling my friends that I was gay and that I have a boyfriend; he also made those friends that he was talking to mad at me. So me and my friend went on his MySpace and told those people that it wasn't me and my account was hacked. He also threatened to take over my sister's MySpace account. Word for word he told my sister "I can F*** up your life like I have done to your brother's. Look at his Live account". Yesterday I called Xbox Live support and had them cancel my account, but the hacker is still getting game time on my account because my brother saw him on tonight.

rockchick said...

Oh man, I am freaking out... last week I just paid for a 12 month Gold membership for my boyfriend and last night someone hacked into his account and cancelled it. He can't get any information about it from Xbox support either until I am with him when he calls up, as I am the credit card holder. I didn't realise there were so many security threats with using a credit card, as I always use it on the net when buying things. I'm feeling rather worried :( The fact that it was 'cancelled' rather than taken over, is that a good sign that we will be able to fix it? Xbox really needs to increase their security measures! It costs enough to buy the damn Xbox console, games and membership that ultimate security measures should already be firmly set in place!
And FYI, this happened for no good reason to my bf! This guy was just a total wanker, probably a fat nerd with no friends in the real world.

Anonymous said...

Is there any way of restarting my Call of Duty account without having to restart my Xbox account? I would hate to redo my gamerpoints and recover all my friends.

Anonymous said...

My son had just put 13 months of Xbox Live Gold subscription on his account; after 2 days it was cancelled. When we phoned we were told someone had told them to lock the account and that they were the ones who had paid for the subscription, not us. I told them we have the proof of payment but they did not want to know. Their support is a joke. We had to phone 4 times and hang on for 1 hour each time, and only spoke to the supervisor after the fourth time. Even then they will not refund money or replace the subscription. Rip-off merchants or what?

Anonymous said...

My credit card has been charged 42.50 for 5,000 points that have apparently been purchased and spent on downloaded games.
The downloaded games are on the Xbox hard drive, but how can they be played by 'the hacker' if we have been hacked?
I don't understand how it all works; it's my son's.
I do believe he has not downloaded these games, for the reasons that they are not the kind of games he plays and also, in the 'recently played' menu, they've never actually been played at all.

Anonymous said...

I read this post, which is very informative; wish I had seen it before. I had my Xbox Live account hacked several days ago, and no, I was not social engineered or phished. I was not even warned about this. After it was stolen they had the nerve to pull my friends into an Xbox Live party to brag about what they had done. They got hold of all my personal information and were able to gain control of my email account and Facebook account (which I cancelled). I had to cancel all credit cards and bank debit cards. I am still waiting to regain use of my Xbox Live account, which will happen after Xbox is done investigating the incident. My advice to anyone reading this is to give a fictitious email account and do not give your real address etc. I learned the hard way that you're not safe playing a game either.

Anonymous said...

Download, move or delete your Xbox LIVE profile
Control access to your Xbox LIVE account
Troubleshoot Xbox LIVE sign in problems
Xbox LIVE account security
Password protect your Xbox LIVE profile

Anonymous said...

Concerned that my son and his online gaming friend are sharing his account, meaning his friend has added his bank details etc. so that "they can share games". My son says they don't know each other's passwords so they can't use each other's bank account. Should I be worried?