Offering the company's first detailed and dare I say it human response to a recent flood of hijacked Xbox Live accounts, Microsoft's Alex Garden, General Manager of Xbox LIVE, has issued the following statement:
(I've bolded what I think are the important bits!)
Your Security is Important to Me
Since today is Safer Internet Day, I thought it'd be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.
As all of us know, account hijacking across the Internet continues to grow. It's a thriving – albeit illegal – industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.
It's in this vein I'm reminded how important it is to listen to you, our members – to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.
Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.
That's why I believe it's more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.
What you'll see here is the most common sources of attack continue to involve:
· social engineering to gather information about the user to guess the password;
· phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
· malicious software on the computer that has captured the password; or
· using the same password from another online service that has been breached.
I share these realities in hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you login to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you're signing in from a PC that isn't your own. Working together we can prevail over the criminals.
I realize it may fall flat when we don't share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, pin sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.
Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and bot nets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.
Recovering compromised accounts – in a timely manner – is also a priority and an area where we've made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we're making great strides. We hope our customers are experiencing the improvements firsthand.
We do not take lightly the frustrations we've heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers' individual and collective concerns. For now, if you have a problem we haven't yet resolved, please email me. Also tune into Major Nelson's podcast this week to hear more about our work in the war on fraud.
With my sincere commitment to listen and take action,
Email: Alex dot Garden at Microsoft dot com
General Manager, Xbox LIVE
It's great hearing Microsoft respond to the attacks by improving the turnaround time for hijacked accounts. It's also nice to hear some kind of summary of the company's defences, even if they're expressed in the vaguest terms.
But the bulk of this still places the "blame", so to speak, at the foot of the user, implying that the loss of their accounts is due to phishing, or scamming, or someone using a tired old password. Something I find, given the sheer scale of the incidents (both in terms of readers contacting us and Microsoft's investment in turning them around), the targeted nature of them and the recent timeframe involved, a little hard to believe.