The Xbox Live Security Crisis

The so called “FIFA hacks” plaguing Xbox Live are a story that has spanned months with so many twists and turns it’s even difficult for journalists to keep it all straight. I have endeavored to create a detailed overview of the problem, including a look at all its varied aspects, theoretical causes and potential fixes.

We live in trying times. As Sony discovered last Spring, the security of customer information has become a matter of grave trust. Unfortunately, when hackers are determined and sufficiently motivated, no system is entirely secure. In the case of the PSN hack, that attack was motivated by ideological opposition to business decisions made by the Sony corporation. It was unfortunate that Sony’s customers found themselves in the crossfire, but the outcome was not nearly as bad as it could have been. In the months since then, attention has shifted to ever increasing reports of fraud on Xbox Live.

These account intrusions have come to be known as “FIFA Hacks”, although that is something of a misnomer. Typically, an Xbox Live user will be surprised to receive emails informing them of a large purchase of MS Live points. They will then discover that any balance of points they already had on their GamerTag have been spent. If they are lucky, their password hasn’t been changed and they will be able to log in to their Windows Live account online, change their password and regain control of their profile. The less fortunate will discover their password has been changed, their security questions altered, and in some cases, their account transferred to a different country.

In most cases a call to Xbox Live customer support will be required to have any stolen points refunded, the charges to their credit card or PayPal account reversed and any other alterations restored. In cases of reported fraud, the customer service representative will inform the customer that the Xbox Live account will need to be “locked” for up to 28 days while the claim is investigated. During that time no further charges are supposed to be possible, but neither will the user be able to go online with their GamerTag. You can still play games offline and earn Achievements, but they will not be reflected online, nor will you be able to play any multi-player for nearly a month. Microsoft may even offer a free month of Gold membership to make up for the lost time.

At least, that’s what is supposed to happen. There are many reports of frustrating, multi-month ordeals faced by Xbox users whose accounts were not properly locked, whose stolen points were never fully refunded, who were forced to dispute the unauthorized charges through their bank when Microsoft support appeared unwilling, or unable to rectify the situation, or who lost their accounts for multiple months, if not permanently because MS claimed to be unable to reverse a region change initiated by the account thief.

Although it’s difficult to forgive the failures in customer service, the seeming surge of account compromises that began last fall appears to have placed considerable stress on Microsoft’s support structure. One common through-line appeared to be activity and DLC purchases related to the EA Sports FIFA games. This lead many to speculate that there may be some kind of security breach or fault in Electronic Art’s online profile system that was to blame for the rash of hijackings. In truth, FIFA does not act as the vector for an attack, but rather the motivation behind them.

Unlike the PSN intrusion, these Xbox Live hackers are not motivated by a desire to publicly shame Microsoft. Instead, they are purely driven by profit. Prior to last year there was little money to be made off stolen Xbox Live accounts. A compromised account does not actually reveal enough payment details to be used outside the service and purchased MS points could not be easily transferred to other GamerTags. That changed when EA introduced a new micro-transaction inspired player trading system and DLC to the FIFA franchise.

In the game EA has created a marketplace for players as part of their “Ultimate Team” system. FIFA gamers can spend in game currency to buy their favorite soccer player to add to their collection, or earn coins by selling their own. Serious gamers will spend a lot for the best players available. This would be fine if it was a closed, in game system, but EA also sells a DLC item that can be purchased over and over again like a pack of baseball cards giving the buyer a random chance at a high value soccer star and other potentially lucrative bonuses. This, coupled with a gray market that has cropped up outside the game where FIFA enthusiasts arrange to buy high value player cards for real world money, is where the real trouble begins.

The implication of this type of micro-transaction may not be obvious at first, but what the hackers have realized, and what the thousands of “FIFA hack” victims have discovered, is that EA has created a way to launder stolen MS points for real world cash. Suddenly there is a significant profit motive to hacking random Live accounts that just was not there before. For every account a hacker breaks into they can buy as many MS points as possible using the payment method already attached to the account, spend as many points as they can on this particular FIFA DLC, trade all the cards of any value they get to a dummy GamerTag where they can be held until they are sold through an online auction site. Repeat until the account’s owner notices what is happening, or the point purchases will no longer go through, and move on to the next hacked account.

But how are these accounts being compromised in the first place? It’s important to recognize a few facts before we can speculate on the vector of infiltration. First, the hackers are gaining access to accounts without changing the password. They may decide to change the existing password once they are in to prolong their access to an account, but they always seem to have the original password, which is what they use to access the account in the first place.

Given that fact we should be able to rule out one class of attack, the “social hack”. Typically, social attacks involve targeting specific individuals, gathering personal information through Google and various social networks and using those details either over the phone with a customer service rep while masquerading as the target, or through a website’s password reset mechanism to answer any discoverable challenge questions.

The end goal is to reset an unknown password, set by the rightful owner of an account, to a temporary or new password known only by the hacker. Since the Xbox Live intrusions are occurring without the password being reset, we can discount social attacks as a possible cause. In addition, social hacking is far more time consuming than other types of attacks and usually employed when a hacker has a very specific target. There are prominent examples of celebrities, politicians and other public figures having their email and cellphone accounts invaded and their dirty laundry aired publicly. However, it’s not a particularly efficient method for a profit-minded hacker who doesn’t care whose account they access, and are more interested in turning over as many accounts as they can as quickly as possible.

Another fact we must remember is enough victims have reported their compromised accounts had unique passwords to cast doubt on another popular theory on how these intrusions are being accomplished. Given the number of other services and sites like PSN, Gawker or Valve that have had their own systems hacked into and customer information stolen, it is not unreasonable to suspect hackers are using the email addresses and passwords pilfered elsewhere hoping Xbox Live users use the same login credentials on multiple sites. In fact, a few months ago Sony’s new czar of network security disclosed that they had detected and blocked just such a mass log in attempt against PSN. Their network technicians detected this activity as irregular, possibly harmful to PSN users and immediately took measures to protect and inform their customers of the danger.

Unfortunately, it’s a difficult hypothesis to prove, but we have reason to doubt it is a comprehensive explanation. As mentioned above, some victims at least claim to have been using passwords unique to their Live account. From personal experience I can tell you that my information used to gain unauthorized access to my account in August did not come from PSN, as I did not sign up for PSN until a few months after their intrusion. I can also verify that my information was not contained in the database stolen from Gawker, and the Valve intrusion occurred after my Live account had been hijacked. I know of no other publicized hacks, within the gaming industry or otherwise, that could have exposed my password for Xbox Live.

For many months Microsoft refrained from commenting officially on the apparent epidemic of account thefts. It was not until a few months ago when a number of prominent gaming journalists found themselves victim to the same fraud and started writing about it for their respective sites did MS release a statement. Officially, Microsoft denies suggestions that the Xbox Live service itself has been hacked and blames “phishing scams” for the so called “FIFA hacks”

Phishing scams essentially involve tricking a user into entering their user names and passwords for a service into a fake version of the real site. Typically someone will receive an email suggesting there is a problem with their account, or promising some kind of freebie and include a link to a site that looks very official, but is actually hosted and controlled by hackers. World of Warcraft is a frequent target for this kind of scam as in game gold continues to be an asset with real world value.

It’s not hard to see why Microsoft would blame phishing for incidents of Xbox Live fraud. It’s a known and ongoing problem in the industry, it jives with the fact that the intruders seem to know user passwords and it conveniently absolves their own security infrastructure of any responsibility. And in truth, phishing is likely responsible for some level fraud on the service, but it is a leap to suggest it explains all of the increase. To many, it appears very much to be a case of Microsoft blaming the victims with a plausible, but unverifiable excuse while deflecting attention from a very real, ongoing problem.

And there are many reasons to be skeptical of the official explanation. For one, many people with a high degree of technical knowledge and understanding of good security practices have fallen victim. I can tell you that I personally, emphatically, did not fall for a phishing scam. I have never even seen a phishing scam that targets Xbox Live, although there tend to be one or two WoW scams in my spam folder each week. It’s also difficult to believe Geoff Keighley or Michael Pachter were tricked into signing up for free MS points. Worse than that, if this was a widespread and incredibly effective phishing scam, where is the evidence? Microsoft offers no proof to support the claim and we are being asked to believe that not a single person in the gaming press, at NeoGAF, 4chan or SomethingAwful has been wily enough to recognize and document the scam site so many are supposedly victims of? It’s a poor phishing scam that is apparently impossible to find.

All the circumstances suggest something else is going on. If these can’t be social attacks, don’t appear to be related to third party compromises or entirely caused by phishing sites or emails then there must be an undisclosed or perhaps undiscovered security flaw allowing hackers to discover user passwords without being noticed. As it just so happens, last week just such a problem was discovered on Xbox.com.

First being reported by AnalogHype and Eurogamer, the news comes from an Xbox Live user named Jason Coutee who also recently had his account broken into and had 8000 MS points purchased fraudulently. After contacting Microsoft support he declined the offer to have his account locked for 30 days so the intrusion could be investigated. Coutee is employed as a network infrastructure manager and instead decided to conduct his own investigation into the possible cause.

What Coutee discovered was a rather severe flaw in the Xbox.com website log in system. For hackers, it’s not difficult to compile a large list of email addresses potentially connected to an Xbox Live gamertag, and based on the way the site handles errors for non existent accounts versus real accounts with incorrect passwords those can be easily sorted for further scrutiny. But the big problem is the site’s security measures intended to kick in after eight failed password attempts, invoking a CAPTCHA, can be easily circumvented. The whole process can be easily automated by a hacker, allowing them effectively infinite log in attempts to to any Live account.

This allows for what are called “brute force” hacks. Essentially, if there is nothing to stop a hacker from trying to log in to a single account as many times as they want they can simply create a script to run through a list of common, stolen, or randomly generated passwords until they find one that works. Given enough time hitting the right password for some accounts is inevitable. For this reason most sites and services will lock an account after a handful of failed attempts. Many also analyze access patterns for such requests in real time to detect and block possibly malicious activity. Unfortunately for the manner hacking victims, Microsoft failed on both accounts.

Now, some will tell you that remotely brute forcing any password that is not a short dictionary word is not feasible, but belies an antiquated understanding of password security. In order to maximize the possibility of success, hackers have many sophisticated and powerful tools at their disposal. Low latency fiber Internet connections, botnets, GPU accelerated password cracking software, databases of known passwords from other hacks and a little human psychology take the hackers a lot further than most suspect. They do not have to test every single possible combination for an eight character alphanumeric password. They can look at the kind of passwords people actually construct and generate a list accordingly.

For a long time we’ve been told to combine letters and numbers and avoid words to create something secure. Back in 2002 a password like “ronco123” seemed really secure, but computational increases and hacker sophistication have increased exponentially in the last decade and now it has to be looked at as fairly weak. Not as weak as “password” or “1234”, but far below current security standards. Further, “ronco123” is constructed in a very obvious manner. The vast majority of people who think they are using good security practices with their passwords will have a password that looks very similar, if only because it feels natural to put the letters on the left and the numbers on the right. Frequently the numbers will just be padding, thus a lot of “123”s or “11”’s appended to a word or acronym. Otherwise you’d expect lots of dates in two or 4 digits, and given the expected age of your target you could narrow that further to 01-12, 60-99 and 1960-2012, frequently paired with names of cities, places or events.

Additionally, there is no reason for a hacker to limit themselves to brute forcing a single account at a time. Let’s assume at a base level you can’t check more than 100 passwords on a single account per second (although that is incredibly conservative, it is likely 10x that). Unless the password in use is exceptionally poor, it will still take some time to succeed. The solution is to scale up the scope of the attack by brute forcing many accounts at the same time. Since it can all be automated there is no reason not to be testing hundreds if not thousands of accounts at the same time, 24 hours a day. Every time a successful password is discovered it is recorded in a text file for late exploitation. For the hacker the result is a constant stream of vulnerable accounts that could each pay out hundreds of dollars.

In an official statement given to 1up when the site reported on the flaw, Microsoft disputed that article’s characterization of this as a “loophole” in their security. According to a Microsoft rep, “the hacking technique outlined is an example of brute force attacks and is an industry-wide issue.” This is true, brute forcing is a known technique, but most organizations have working security measures to prevent it from being an effective attack vector. They also go on to reiterate their earlier statements that the service itself has not been hacked, another technical truth. In both cases Microsoft is playing a semantic game to obfuscate the truth, while tacitly acknowledging the critical flaw in their authorization system did exist.

According to a follow up report from Jason Coutee, shortly after the news of this flaw broke Microsoft implemented a silent fix on the back end of Xbox.com. Hopefully their solution will be effective in blocking a majority of future attempts to hijack accounts, but their negligence and evasiveness over the FIFA hacks to date are not encouraging. Unless the executives at Microsoft decide to completely change course and come clean with concrete details about what has been going on, something they were eventually forced to do previously with the hardware flaws that led to the Red Ring of Death, we may never have a clear picture of the full extent of the problem.

Tragically, the account hacking itself is only part of the scandal. Even if Microsoft is completely justified in their “blame the user” attitude, they are nonetheless failing quite spectacularly in their duty to safeguard customers against fraudulent transactions. FIFA hacking does not exist on the PS3 for a very specific reason having to do with how each platform handles payment authorizations. Account hacks will always be a problem, whether the platform holder is letting the rabble through the front gate or a single user is kidnapped and tortured into giving up their password. For this reason both PSN and Valve’s Steam store have additional layers of protection against unauthorized purchases.

When a FIFA hacker logs in to an account on Xbox Live the first thing they will do is try to initiate a purchase of MS points. No matter where they are, or what time it is, as long as there is a payment method attached to the account with an available balance, the charge will go through, no questions asked. Both Steam and PSN handle this potential scenario very differently. If you connect to your PSN account from a new PS3, PSP or Vita you will not be able to make any purchases through the PlayStation Store unless you reauthorize the saved payment method. This requires again supplying the expiration date and three digit security code for the credit card on record. Valve uses their SteamGuard security which requires you to enter a code sent to your default email address any time you log in to your account from an unrecognized browser or device.

Both methods are extremely effective at discouraging hackers from targeting those platforms. Even if a password is discoverable, there is no way to easily convert that knowledge to cash without additional information, and if they have access to a random user’s credit card details or control over their primary email address, there are far more direct and efficient forms of fraud to indulge in. The most baffling part of the FIFA hack epidemic is Microsoft’s obstinate refusal to implement these kind of simple, prudent protections to the Xbox Live Marketplace.

Above and beyond how these accounts are accessed or the questionable nature of Microsoft’s customer support for hacked users, that is the biggest question in the whole debacle. Why has Microsoft allowed this rampant fraud to continue for nearly a year without implementing any additional payment protections? They have all the power in this situation. They can even see when a user logs off in California and five minutes later the same account is being used on a 360 in Russia or China to make an unusually large purchase. Ironically, if a credit card company could see that the transaction was coming from overseas and not Redmond, Washington the transaction would be flagged immediately as possibly fraudulent and the card frozen. They can not plead poverty when Gold membership fees bring in more than a billion dollars of profit each year. To claim it would be too complicated to implement in their legacy system is simply unacceptable.

Continuing as if nothing is wrong, or there is nothing to be done, is literally inexcusable. For months Microsoft has ignored the problem, blamed the victims, denied any responsibility and refused to make the basic improvements their competitors already employ that would solve the problem completely. Sony is a popular whipping Internet whipping boy thanks to the PSN hack last Spring, but despite the sensationalistic reporting and the 77 million accounts exposed, there hasn’t been a single case of fraud connected to the intrusion. In contrast, thousands of paying Xbox Live users every month are losing money to thieves thanks to the lax security and short-sighted policies of Xbox Live.

Please do not take this observation as an attempt to, for lack of a better word, politicize the situation. Too often already complex and charged events in the industry become even more confused when they become proxy battles in the great fanboy wars. We are talking about very different situations, but also very different corporate responses. Despite the persistent perception to the contrary, Sony was incredibly forthcoming about the attack they suffered. It took only a few days to go from initial detection to a very thorough public disclosure, taking full responsibility.

And while their security was actually up to industry standards, (despite rumors to the contrary), they made the hard choice to bring the entire network down long enough to thoroughly investigate the attack and overhaul their internal procedures. This was at great expense to themselves and their partners, especially those who depended on revenue from digital sales through PSN. For every customer of the free service they offered identity protection on the chance it would be necessary and as many as four free games.

Sony’s humility and contrition is in stark contrast to the arrogant dismissals, manipulative statements and attempts evade responsibility. This should not be a Sony versus Microsoft issue mired under the din of ill-informed partisans repeating ignorance as fact in a misguided attempt to glorify their preferred platform at a competitor’s expense. Sony did the best they could in a difficult situation to do right by their customers. We should expect no less from Microsoft, and if they will not make the same effort, holding their feet to the fire is the appropriate response.

Sadly, if Microsoft will do nothing, it falls to the users to protect themselves. Xbox.com has a list of recommended security guidelines for users to follow, others recommend removing any payment options associated with your account, but the most important thing now is to make sure your Live password is unique, and very long. Eight or nine character passwords are no longer sufficient. As a recent XKCD comic points out, a 20 character password you can remember is far more secure than an eight character password that uses a random combination of letters, numbers, cases and special symbols. Tell your friends, tell your family. After all, we live in trying times.

[EDIT: Originally published on BitMob.com, reposted here for posterity.]