Xbox Live Security Q&A

Online gaming is booming at the moment, and judging by the types and number of security related questions I am asked by online gamers, I think there may well be some issues to be raised and addressed. On the face of it, gamers’ accounts hold personal information, and often their payment details, such as bank or credit card details. And then there’s the odd mythical online object, which actually can have a real value in the real world, so the stakes are high enough for concern.

In this post I’ll focus on Microsoft’s Xbox Live service, I’ll deal with World of Warcraft security issues another time, believe me that could be an even longer post than this one. So I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service. Typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and one of the most common concerns involves the management of payment card details, especially when it comes to users trying to remove their payment card details held within their Xbox Live account.

Before I go into this answering some of the questions posed, let me make it clear, I do not work for Microsoft nor do I have any inside knowledge about Xbox Live.

Q. “Are my credit card details stored on the Xbox 360 console?” - The answer is no, credit card details aren’t held on the Xbox 360 hard disk nor on the memory card, they are actually held on the backend Microsoft Xbox Live Servers. The proof of this is you simply cannot access your Xbox Live account management screen without your console being signed into the Xbox Live Service, let alone manage your account payment card options.

Q. “I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account” – You cannot remove any credit card details associated with your Xbox Live account through using the console account management, or by signing into your XBL account management on http://www.xbox.com/, and in my view this is an utter disgrace, but more on than later. The only method where you can remove your payment card details is to phone Microsoft support, prove who you are, ironically probably by reading out your payment card details, and then waiting up to 30 days!!!

Q “What can happen if someone were to takeover my Xbox Live account?” “I’ve had my Xbox 360 stolen, and I had setup my credit card details to pay for my monthly subscription, so can they steal my card details as well?” - First let me provide an assurance over the credit card theft question, should your XBL account or Xbox 360 itself be stolen. Within the Xbox Live account management, your credit cards are displayed in a “Payment Card Industry” compliant manner, in that only the last four digits of the card number (aka the PAN) are ever displayed, there is no way of accessing the full number from the system, therefore your saved payment cards information cannot be stolen and used elsewhere. However it is possible to spend against your credit card, by purchasing Microsoft Points (XBL currency) and purchasing subscriptions to the Xbox Live service, so it is certainly an important aspect to be aware of, and I certainly recommend you ensure your payment card details removed should your circumstance dictate. Remember the only way to remove those card details is to phone Microsoft Xbox 360 Support, prove who you are and then wait.

Up to 30 Days to Remove Your Credit Card Details from Xbox Live!
On that, you can add full credit card details, in fact you can add as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards using the same method. I have used many e-commerce websites which had retained my payment card details within an online account; every one of those online account management systems allowed me, the end user, to the remove my payment card details at will, directly, without the need to phone support up.

Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threaten to be hacked a couple of times while playing online, can my account be hacked?” I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.

I think "hacked" is probably the wrong term, as it would appear the attackers are probably just social engineering the Xbox Live Support staff, perhaps using a bit of "Google hacking" to build up a profile in order to impersonate the original account holder, in order to have the target XBL account password reset. Unfortunately if you are famous your address and date of birth etc are fairly easy to obtain, in fact there has been many cases of famous people being victims of identity theft. However I’m sure (hope) Microsoft would have tightened up their helpdesk security procedures, specifically where account holders need to prove their identity over the phone. Tightening of security processes tend to occur following high profile data breaches in similar circumstances, a part from within government departments of course.

The bad guys could also target the Xbox account holder directly and social engineer their password and account details. One such method would be to use a phishing Email, “This Xbox Live Security - please confirm your XBL password…”, or perhaps even using the Microsoft Passport to lure that id and password out of the target, as most 360 users link their Windows Live Messenger account to their XBL id.

Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of word, however if anyone knows different; I’d be very interested to hear it about.

Q. “Is it true I can get banned from Xbox Live if I "chip" my Xbox 360 to play “backed up” copies of games?” - Yes it’s true, chip your 360 and go online and you can expect to see the following message...

Q. "Is there a Security reason why Xbox Live doesn't have a web browser?" - Yes, I believe security is the reason Xbox Live doesn't have any web browsing capabilities, as Xbox Live is a fairly closed network from the Internet. Having a web browser leads to the possibility of malware being installed on Xbox 360 (which is basically a PC!), account detail being phished/stolen, even Xbox viruses, etc. Having said that I wouldn't be over surpised to see a web browser being released in the future, as competitor game consoles seem to be offering them.

Microsoft are making moves to open the service up more, as I think there is an agenda to make Xbox Live more like the social networking sites. At the end of day, most gamers don't care too much about where the service is going and web browsing capability, as long as all the extra interface software and other extras doesn't slow down their overal online gaming experience. As an online gaming platform, Xbox Live is second to none at the moment, and this is now it's main advantage in it's marketplace, so lets hope they steer well clear of messing it up too much, you what I always say, if it works, don't try to fix it!

Q “How come everyone can see my friends list, that’s an invasion of my privacy” – You are right, following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this functionality and other XBL privacy issues by editing privacy settings either through the console or on the Xbox website. For instance you can set it so only your friends to see your friends list or no one at all.

It really bugs me the Microsoft are employing the same old social networking website tactic, in leaving privacy switched off by default, which is concerning as Xbox Live is going down the road of social networking more and more. In my view privacy settings must always be set to be fully enabled by default, so the user takes full ownership for disabling privacy settings and therefore acknowledges the settings and is ultimately responsible for any consequences that follow.

It’s just bad, Phorm

Internet privacy controversy in the air at the moment, as adverting company Phorm are engaged on a PR campaign to gain acceptance of their new method of Internet advising, which they plan to roll out at the ISP level with BT, Virgin Media and TalkTalk. In fact today I will be speaking on BBC Radio Coventry and Warwickshire about this very subject.

Who are Phorm? Well they are an “adware” company formally know as 121Media. They were responsible for the “PeopleOnPage” desktop adware application, which gathered information about the host PC and recorded which web sites were visited by the user, before passing this information on to a third party server, in order to direct specific pop-up advertisements. In fact security company F-Secure regarded their app as Spyware, whether it is labeled officially as Adware or Spyware does really matter to me, as I believe such software is an unnecessary nuisance and any company behind duping users into installing it on their PCs should be viewed with utter scorn.

Enough of the history of Phorm and back to the present, although what Phorm are proposing is really the same sort of thing as their “PeopleOnPage” adware, but at an ISP level. Everything you do on the Internet passes through your ISP, website visits, Email and even the search text you submit on search engines. The Phorm plan to collect all individual http traffic within the ISP, including those search engine searches, profile the information based on keywords, then use the profile to direct specific web adverts within websites signed up to Phorm adverting. So let’s say I search for “fast cars” and visited several car based websites, the Phorm software running at the ISP would recognize me, or I should say technically my computer via a Phorm cookie, as being interested in “cars” and direct car advertising within any websites I browsed which used the Phorm advertising.
What could be interesting if lets say I were to let my misses browse the Internet on my shared PC account, when I came to use it I’d probably get bombarded with adverts for shoes and handbags!
Why are Phorm and ISPs eager to get this advertising introduced? The answer is clearly money, Phorm can charge higher for click through rates on their adverts because of higher chance that someone will click through and buy the end product, and the ISPs are interested as they will also take a cut of the cash, unlike traditional internet advertising, which have made millions for web site provides, like Google and MySpace.

So the big controversy is this, this is occurring within the ISP, and specifically whether our ISPs should be exploiting our “private” Internet usage for profit. Some consider this practice a direct violation of our privacy rights. While Phorm and the ISPs signing up say users will be able to opt out, but they don’t say whether everyone will be opted out or in automatically by default, I strongly suspect everyone will be opted in as a matter of course, here’s why. If you were to ask the users to opt in with this form advertising, I’m pretty sure just about everyone would say no thank you! Which for me answers the question to whether this is a good idea or not, in fact I’ve seen one Virgin forum (cableforum.co.uk) poll that stated 95% of users would want to opt out. I’ve also heard that if Phorm don’t have millions of users signing up, the whole system would not be viable, so we can be pretty sure everyone will be signed up by default.

It’s worth reminding that search engines track what we search for, just about all web sites track our visits, through cookies and even by our IP address and what we do on the website. Websites like Amazon use profiling within the scope of their website to direct items of interest to us. And most of us use supermarket club cards and Store Cards, which also track our shopping habits. But for me there is a clear difference, all of these are in the form of an “in house” profiling, rather than tracking everything we might do on the open Internet. I think this form of advertising is a step too far, and at the end of the day we pay for an ISP provided service, our searches and website visits is information created by us and ISPs should not be exploiting this information for extra profit by helping to direct advertising at us. The only way I see the Phorm proposal to be an acceptable practice, would be if an ISP were to offer free ADSL in conjunction with the Phorm ISP advertisement profiling.
Finally I have to ask whether this form of advertising is really needed anyway, what’s wrong with sticking advertisements for Cars, on Car themed websites and the latest Computer Game advertised on Gaming websites, do we really need to profile people’s internet usage in order to target the advertising at them?

A Hard Disk Shredding Story

These days most people think nothing of donating their old unwanted PCs to noble and worthy causes such as their local School, charities, or they do the “green thing” by sending their PCs to be recycled at their local rubbish tip or at the supermarket. This is all great and dandy, however I find more often than not personal data security is completely overlooked. So I’m going to explain these pitfalls in the form of a story…

Once upon a time there were three blokes, John, Colin and James who won a regional pub quiz championship sponsored by a major computer manufacturer, each of them won a powerful super quick Windows Vista PCs. The next day all three transferred their personal data from their old dilapidated PCs to their spanking new computers and then decided to do the “green thing” and drop off their old PCs at the local supermarket for recycling or charity donation if suitable.

John went through his old PC and very carefully deleted all his personal data files, and Email accounts, thinking it would be really useful to leave the Operating System intact so the PC could be instantly usable should it end up being picked up by a charity. Colin prided himself on being a bit of a techie, so decided to play it safe and formatted the hard drive. Meanwhile James not being so technically minded removed the hard drive from his old PC and smashed it into pieces with a sledgehammer, before dropping off the his PC at the supermarket computer recylcing container.

Several months had passed and all three had met up for their usual drink and quiz at their local pub. Colin asked how the other two were getting on with their new PCs. John always chocked on his pint and went to explain that he recently had fraud committed against his credit card, and was now really worried he could become an identity theft victim, all thanks to the new PC. It had transpired when he carefully removed his personal data files, he failed to remove his internet cache and history, so when his old PC ended up being used in a inner city youth hostel, the little angels were able to automatically log into several of his online accounts, and they attempted to purchase items and completely messed up his social networking site profiles. Colin smugly told John, “I told you should of formatted your hard drive”, before going on to laugh at James for being over the top with his hard disk smashing up.

Another month went by and all three met up at their local pub once again. But Colin wasn’t so smug this time, as he was in dispute with his bank after large sums of money had been removed from his account without his knowledge. It transpired his old PC was picked up by a charity and was sent to West Africa. While in West Africa fraudsters ran a data recovery tool against the formatted hard drive was able to recover 90% of Colin’s personal data files, which including his password document, which detailed the login details to Colin’s online banking. Needless to say James “the sledgehammer” got the rounds in and had the last laugh.

Taking a sledgehammer to a hard disk does do the job, but there is a less dramatic alternative to protecting your personal information before disposing of your old computer, which is to use a hard disk shredding tool. A hard disk shredding tool is a software application which can overwrite the entire hard disk with either 0s, 1s, or random characters. The number of times it overwrites the hard disk is know as a pass, the more passes it does, the less likely the original data can be recovered. The standard minimum is three passes, but most professional organisations will go with 7 passes which is the Department of Defence standard and in my view sufficient. But if you are really paranoid you can do as many passes as you like, or you could always breakout the sledgehammer like James.

There are many free hard disk shredding tools available, simply Googling “Free Hard Disk Shredding” should return plenty, such as http://www.fileshredder.org/. I also have a list of my own recommended free hard disk shredders on my main website.

So whatever method you plan to dispose of your old PC, just make sure you either run a hard disk shredding tool, or remove the hard disk, as there are people out there, especially in places like West Africa who make a living out of recovering personal information from donated computers from the West.

The Cyber Warfare Risk to Business

Businesses are relying on the Internet more than ever, whether it’s sales through an e-Commerce website, or low cost “site to site” communications by way of Internet VPNs, Email communications or general web information gathering/distribution, there are many businesses which just can’t “do” without the Internet for a sustained period of time. In my view businesses are very complacent with their reliance on the Internet, and don't have plan B, should worst happen.

Sure the Internet was originally developed to withstand a World War III nuclear attack, but businesses which heavily rely on the Internet to conduct business, should be wary of a new wave of Cyber Warfare threats as we progress into the 21st Century. The fact is there are individuals, criminal gangs and even governments and terrorist organisations which have the ability to take down websites, and effect geographic parts of the Internet, even a slow down of Internet traffic in a specific region can have a financial impact on a business, consider a VPN to an offshore call centre for example.

Recently Pakistan ISPs by the way of the Pakistani government killed the YouTube website to the entire world for two hours on political grounds, which is extremely alarming, considering Google owned YouTube is one of the world’s most visited websites, and has extensive resilient networking infrastructure supporting it, designed to take the heaviest volumes of Internet traffic. This incident was caused by simply messing with the Internet Routers (which direct Internet traffic), namely their dynamic routing tables, which can be achieved due to the security weakness of the BGP routing protocol.

Interestingly in recent weeks we seen several ocean comms cables “going down” in the Middle East region, which is putting a strain on Internet Traffic in that part of world. Some say it's too much of co-incidence and considering the political issues of that region of the world, it wouldn’t be surprising if a government or some sort of foul play was behind it.

Last year we saw the almost state sponsored Cyber Attack on Estonia by Russia which had a dramatic negative effect on Estonia e-Commerce websites amongst things. We also saw the US accusing China of state sponsored hacking on several ocassions, one of these alleged attacks forced the US government to take offline several Internet based systems. Then there are the criminal gangs which have built up huge bot-networks in recent times, these botnets can be used to take down business e-Commerce websites with a Distributed Denial of Service (DDoS) attack.

I’m not going to try to quantify these risks to business, but I can definitely see a trend here, whether such attacks are Politically motivated, Fraud Financial motivated, or an Electronic Jihad, I don’t think it will be too long before there are more examples of these sorts of attacks making the headlines and effecting Internet reliant businesses. In the meantime I think it is a valid and interesting question to pose to any business, what would the impact and financial cost be, should their Internet access be cut for even a few hours.