In this post I’ll focus on Microsoft’s Xbox Live service, I’ll deal with World of Warcraft security issues another time, believe me that could be an even longer post than this one. So I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service. Typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and one of the most common concerns involves the management of payment card details, especially when it comes to users trying to remove their payment card details held within their Xbox Live account.
Before I go into this answering some of the questions posed, let me make it clear, I do not work for Microsoft nor do I have any inside knowledge about Xbox Live.
Q. “Are my credit card details stored on the Xbox 360 console?” - The answer is no, credit card details aren’t held on the Xbox 360 hard disk nor on the memory card, they are actually held on the backend Microsoft Xbox Live Servers. The proof of this is you simply cannot access your Xbox Live account management screen without your console being signed into the Xbox Live Service, let alone manage your account payment card options.Q. “I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account” – You cannot remove any credit card details associated with your Xbox Live account through using the console account management, or by signing into your XBL account management on http://www.xbox.com/, and in my view this is an utter disgrace, but more on than later. The only method where you can remove your payment card details is to phone Microsoft support, prove who you are, ironically probably by reading out your payment card details, and then waiting up to 30 days!!!
Q “What can happen if someone were to takeover my Xbox Live account?” “I’ve had my Xbox 360 stolen, and I had setup my credit card details to pay for my monthly subscription, so can they steal my card details as well?” - First let me provide an assurance over the credit card theft question, should your XBL account or Xbox 360 itself be stolen. Within the Xbox Live account management, your credit cards are displayed in a “Payment Card Industry” compliant manner, in that only the last four digits of the card number (aka the PAN) are ever displayed, there is no way of accessing the full number from the system, therefore your saved payment cards information cannot be stolen and used elsewhere. However it is possible to spend against your credit card, by purchasing Microsoft Points (XBL currency) and purchasing subscriptions to the Xbox Live service, so it is certainly an important aspect to be aware of, and I certainly recommend you ensure your payment card details removed should your circumstance dictate. Remember the only way to remove those card details is to phone Microsoft Xbox 360 Support, prove who you are and then wait.
Up to 30 Days to Remove Your Credit Card Details from Xbox Live!
On that, you can add full credit card details, in fact you can add as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards using the same method. I have used many e-commerce websites which had retained my payment card details within an online account; every one of those online account management systems allowed me, the end user, to the remove my payment card details at will, directly, without the need to phone support up.
Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threaten to be hacked a couple of times while playing online, can my account be hacked?” I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.
I think "hacked" is probably the wrong term, as it would appear the attackers are probably just social engineering the Xbox Live Support staff, perhaps using a bit of "Google hacking" to build up a profile in order to impersonate the original account holder, in order to have the target XBL account password reset. Unfortunately if you are famous your address and date of birth etc are fairly easy to obtain, in fact there has been many cases of famous people being victims of identity theft. However I’m sure (hope) Microsoft would have tightened up their helpdesk security procedures, specifically where account holders need to prove their identity over the phone. Tightening of security processes tend to occur following high profile data breaches in similar circumstances, a part from within government departments of course.
The bad guys could also target the Xbox account holder directly and social engineer their password and account details. One such method would be to use a phishing Email, “This Xbox Live Security - please confirm your XBL password…”, or perhaps even using the Microsoft Passport to lure that id and password out of the target, as most 360 users link their Windows Live Messenger account to their XBL id.
Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of word, however if anyone knows different; I’d be very interested to hear it about.
On that, you can add full credit card details, in fact you can add as many credit cards as you like, either via the 360 console or through xbox.com, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards using the same method. I have used many e-commerce websites which had retained my payment card details within an online account; every one of those online account management systems allowed me, the end user, to the remove my payment card details at will, directly, without the need to phone support up.
Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threaten to be hacked a couple of times while playing online, can my account be hacked?” I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.
I think "hacked" is probably the wrong term, as it would appear the attackers are probably just social engineering the Xbox Live Support staff, perhaps using a bit of "Google hacking" to build up a profile in order to impersonate the original account holder, in order to have the target XBL account password reset. Unfortunately if you are famous your address and date of birth etc are fairly easy to obtain, in fact there has been many cases of famous people being victims of identity theft. However I’m sure (hope) Microsoft would have tightened up their helpdesk security procedures, specifically where account holders need to prove their identity over the phone. Tightening of security processes tend to occur following high profile data breaches in similar circumstances, a part from within government departments of course.
The bad guys could also target the Xbox account holder directly and social engineer their password and account details. One such method would be to use a phishing Email, “This Xbox Live Security - please confirm your XBL password…”, or perhaps even using the Microsoft Passport to lure that id and password out of the target, as most 360 users link their Windows Live Messenger account to their XBL id.
Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of word, however if anyone knows different; I’d be very interested to hear it about.
Q. “Is it true I can get banned from Xbox Live if I "chip" my Xbox 360 to play “backed up” copies of games?” - Yes it’s true, chip your 360 and go online and you can expect to see the following message...
Q. "Is there a Security reason why Xbox Live doesn't have a web browser?" - Yes, I believe security is the reason Xbox Live doesn't have any web browsing capabilities, as Xbox Live is a fairly closed network from the Internet. Having a web browser leads to the possibility of malware being installed on Xbox 360 (which is basically a PC!), account detail being phished/stolen, even Xbox viruses, etc. Having said that I wouldn't be over surpised to see a web browser being released in the future, as competitor game consoles seem to be offering them.
Microsoft are making moves to open the service up more, as I think there is an agenda to make Xbox Live more like the social networking sites. At the end of day, most gamers don't care too much about where the service is going and web browsing capability, as long as all the extra interface software and other extras doesn't slow down their overal online gaming experience. As an online gaming platform, Xbox Live is second to none at the moment, and this is now it's main advantage in it's marketplace, so lets hope they steer well clear of messing it up too much, you what I always say, if it works, don't try to fix it!
Q “How come everyone can see my friends list, that’s an invasion of my privacy” – You are right, following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this functionality and other XBL privacy issues by editing privacy settings either through the console or on the Xbox website. For instance you can set it so only your friends to see your friends list or no one at all.
It really bugs me the Microsoft are employing the same old social networking website tactic, in leaving privacy switched off by default, which is concerning as Xbox Live is going down the road of social networking more and more. In my view privacy settings must always be set to be fully enabled by default, so the user takes full ownership for disabling privacy settings and therefore acknowledges the settings and is ultimately responsible for any consequences that follow.
