Editor’s Note: This story is reprinted from Computerworld.
Microsoft Wednesday acknowledged reports of hackers stealing player accounts on the company’s Xbox Live gaming service and said it is launching an investigation.
Reports of account theft on Xbox Live have been making the rounds of the network’s user forums since at least December, but complaints amped up this week when security researcher Kevin Finisterre — of “Month of Apple Bugs” fame — announced that he had been hacked.
In an e-mail interview, Finisterre said he was victimized last Thursday. “We were playing with some folks that were cheating by a known method called ‘standbying’ or ‘bridging,’ and during the game, we were told ‘I am going to steal your account,’” said Finisterre. “Sure enough, the next day, my Xbox said, ‘We are sorry, but someone else has signed on as your gamertag, and we have to log you off.’”
Gamertag is Xbox Live’s term for a player’s username.
“Immediately after that, I was banned from Xbox Live until 3/18/2007,” said Finisterre. He called support, but got what he called “the runaround.” Several days later, when Finisterre was supposed to be able to access his account again, he logged in to Xbox Live. “Boom, now we are banned until the 24th,” he wrote. “When I call in, they still cannot tell me anything. My account is still under investigation and that’s all I know.”
Other Xbox gamers have related similar stories. One, identified as “St00mPPP33yYyYY,” wrote on Dec. 31 that “sumone [sic] just hacked my account over xbox live…he called bungie and gave thenm [sic] the ip and my account name.” Bungie Studios is the Microsoft-owned game developer responsible for the popular Halo series.
Another player, pegged as “Y The Red Bar,” relayed a more recent tale. “My Xbox Live account was hacked and all credit card info was stolen and used to run up points, etc. Microsoft says, ‘Oh, well, better call your credit card companies; nothing we can do,’” Y wrote a month ago.
On Xbox Live, gamers can use a credit card to buy Microsoft Points, in-network currency that can be used to download movies and TV shows, games and interface modifications.
Finisterre went public after being frustrated by Xbox Live’s outsourced support and being stymied in his attempts to reach someone at Bungie who would give him a straight answer. As part of his campaign, Finisterre even posted an audio excerpt of a 36-minute-long conversation with Xbox Live support. “It is obvious that they are outsourcing Xbox Live support to … somewhere with a high population of folks that speak broken English,” Finisterre said.
He blamed a group of hackers who go by “Infam0uS” as responsible for at least some of the account hijacking. The group’s Web site makes no bones about stealing Xbox Live identities; it currently lists seven, stolen for reasons that include “Talked s*** to JustCallMeFRESH” and “Stole from clan.”
Microsoft did not respond directly to questions about whether Xbox Live and/or Bungie.net had been hacked — accounts stolen by virtue of a data breach, in other words — or whether other tactics were used, such as phishing e-mails or even a form of “pretexting.”
Finisterre seemed to lean toward the latter, a low-tech form of identity theft where a criminal calls technical support, poses as a legitimate customer, and somehow convinces the representative to issue a new password or hand over the existing one.
“Some of the forums where the Clan Infamous is talking, they state that they are basically taking advantage of dumb Xbox Live customer support. So there may not actually be some [zero-day] exploit [but] rather stupidity of the staff on hand,” Finisterre said.
Microsoft’s only official response was to say that it is looking into the matter. “There have been reports of fraudulent activity and account theft taking place on the Xbox Live network,” a company spokesman said Wednesday. “Security is a top priority for Xbox Live, and we are actively investigating all reports of fraudulent behavior and theft.
“Any customer with a question about the security of their Xbox Live account should contact 1-800-4-MY-Xbox, and an Xbox customer service representative will help them understand our security policies and procedures,” the spokesman added.
If Finisterre’s experience is any guide, that recommendation may just waste customers’ time. “I’ve stooped to calling random Bungie employees until I get someone to hold accountable,” he said. “It’s kinda pathetic that I had to go to the media to get this investigated. It’s also sad that so many other people on Xbox forums are getting blown off, too.
“Neither Bungie or Xbox Live support has owned up to anything really, so … here I sit waiting for my callback still,” Finisterre said.