How I was hacked – a tale of hijack, XBox Live and FIFA trading cards

This week, my Xbox Live account was hacked. This is the story of what happened, my response to it, and the questions about security that it has raised.

The hijack

At twelve minutes past midnight on Tuesday night, just as I was finishing up some work, I received an email to say that I had purchased 6,000 Microsoft Points. My first thought was to laugh it off as spam, as I hadn’t bought any points for months, but I thought I should check my console anyway. On switching on my Xbox, I found that I could no longer access my account.

A quick Google search revealed that other Xbox users had been experiencing similar problems, and I realized that my account had been compromised. I tried to contact Xbox Live support, but its helpline was unhelpfully shut for the night.

AI Weekly

The must-read newsletter for AI and Big Data industry written by Khari Johnson, Kyle Wiggers, and Seth Colaner.

Included with VentureBeat Insider and VentureBeat VIP memberships.

Trying to think clearly, despite my somewhat bleary late-night state of mind, I logged into my Microsoft account on my PC, and changed the password. I then went through the process of recovering my Xbox Live account on my console dashboard, which involved entering my Windows Live ID and the new password. On seeing my account again, I was relieved, but also surprised to note that it had been used to play FIFA 12, the popular Electronic Arts soccer game.

The loot

My next move was to contact my credit card provider. The customer service adviser at the bank revealed that there had indeed been a transaction to Xbox Live that night, for £51 (about $80), and they immediately cancelled my card. I was told to phone again once the transaction went through, as it would then be reversed, and dealt with as fraud. Thankfully I use a decent bank and the issue was dealt with quickly and efficiently from that end. I am not sure that every victim of such an attack will be so lucky with their card issuer.

The response

The next morning, I successfully contacted Xbox Live support, explaining in detail what had happened. The adviser confirmed that my account had been used to purchase 6000 Microsoft Points, and intimated that these points had been spent on FIFA 12 Ultimate Team packs. To add insult to injury, it seemed that the hacker had also used up my own, admittedly rather paltry, supply of MS Points during their spending spree.

Confirmation of these Ultimate Team card purchases was found when I checked my console, to find these three new achievements staring back at me:

New Club in Town – 5G – Create your FIFA 12 Ultimate Team club
I’ll Have That One – 10G – Open your first pack in FIFA 12 Ultimate Team
How Great is That? – 20G – Find a team of the week player in an Ultimate Team pack

Quite a kick in the teeth, but hey, at least someone got some pleasure out of those 35G.

The Ultimate Team packs of football cards that were purchased, containing various players that can be used in the game, are apparently transferable between Xbox Live accounts. This allows a hacker to buy them with a hijacked account and then send them to their own account, for their own purposes. Scouring the internet, it appears that the rarer cards are being traded for cash, through forums and online auction sites, with some fetching as much as $280 .

I was told by Microsoft Customer Support that my account would be suspended, pending an investigation, which could take between 21 and 30 days to complete. My existing points would apparently be restored once the investigation was complete, and the £51 that had been fraudulently spent would also be refunded (I said this was not necessary, due to the actions being taken by my bank). In the meantime, I would be unable to access my Xbox Live account, and would only be able to play my console offline.

A widespread problem?

Such hacking of Xbox Live accounts, particularly for the purchase of FIFA items, has been widely reported in the past few weeks, both in the specialist and mainstream press. There have also been multiple occurrences of such hacking reported on a variety of websites, including the official Xbox forum and Twitter.

Questions have been asked of Microsoft, as to whether its security is up to scratch, and the response has been that this is not a wider security breach, but rather individual cases of malicious activity.

I approached Microsoft with some questions on this hacking issue, and a spokesman responded with the following statement:

“It is important for us to reconfirm that the Xbox Live service has not been hacked. Some of our customers have been the victims of internet fraud on their accounts. This is a frequent issue that all internet and e-commerce sites and services experience every day. These threats include phishing, brute force attacks, malware, third-party security breaches and in-game scamming / social engineering.

Customers who use the same identity and log-in details across multiple online sites and services are more vulnerable against these everyday internet threats. As ever, we advise customers to be vigilant, and provide further advice on account security across Xbox 360, internet websites and email at www.xbox.com/security.

Of the tens of millions of Xbox Live customers (there are 35 million active members) using the service daily, these issues are affecting a very small percentage of users globally.

Security in the technology industry is an ever-evolving challenge. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time, account security features have been added to help protect our customers’ accounts, and we will continue to add features and processes.

As always, Xbox Live customers who have any queries or concerns should contact Xbox Live Customer Service on 0800 587 1102 [in the UK] or visit www.xbox.com/security.”

So, according to Microsoft, this issue is only affecting a small percentage of global users, but that does not stop it being an issue that raises some pretty big questions, and it is deserving of further investigation.

How is this happening?

The Microsoft statement suggests that these breaches are caused by account details being obtained, via a variety of malicious methods. The nature of Xbox Live is such that an account can be ‘recovered’ on a second console, as long as you have access to the Windows Live ID and password of that user. That results in the account being locked on the original console, as I experienced. With card details being stored on the Microsoft servers, anyone hijacking an account in this way is then able to make purchases on Xbox Live, using the payment card linked to that account.

Why me?

While I cannot dispute that I may have been hacked through some third-party breach, I would be surprised if that was actually the case. I am pretty careful with my passwords, having four or five that I tend to use for different websites, which I regularly change. I have never responded to a fake ‘phishing’ email and I keep my PC clean, using anti-virus and anti-spyware software.

Looking at other reports of Xbox Live hacking, it is clear that I am not the only one asking this question – a question that remains unanswered.

1 2 View All