For months now, Xbox 360 owners have been complaining of a surge in account thefts, incidents in which people wake up one day to find they no longer have access to (or even possession of) their own Xbox Live accounts.
At first believed to be the result of hacks in relation to EA's FIFA series, it's now looking more likely to be the result of a widespread scam run by shady types out to either make money or score cheap games.
One of the more high profile victims of these "jackings" (not "hacks," we'll get to that in a minute) was Susan Taylor, who wrote an account of her experiences, which we covered back in January. Having stood up and identified herself as an unhappy victim, Susan soon got something she was probably never expecting: members of the jacking community reaching out to her.
UPDATE - See bottom of post for update from Microsoft.
Three such types contacted Susan and tipped her off to sites and forums where jackers congregate and trade. They were also, as members, able to access the sites (most are obviously restricted from public viewing) and pass along some of the information contained within, including techniques on how to obtain someone else's Xbox Live account information.
You can see one such site, which is publicly accessible, here. On its "black market" forum, you'll see members both selling stolen Xbox Live accounts and making requests, one person looking for an account with good Modern Warfare 3 stats, another selling an account with the presumably desirable name of "One V One".
The key distinction between "jacking" and "hacking" is that these guys aren't forcefully circumventing any software protection measures. What they're doing is, in a nutshell, contacting Microsoft, pretending to be the legitimate account holder, and through poor security and a whole lot of bluffing (usually making excuses as to why information was incorrect or why passwords could not be remembered), getting hold of the necessary reference numbers and information they need to then go on and access a stranger's Xbox Live account.
Here's an excerpt Susan was able to obtain, outlining one such strategy:
1. First you go to Xbox.com and click support at the top left of the website.
2. Then go to the bottom of the page and click Contact Us.
3. Once on that page click the Email Us link. Then click Xbox Live.
4. Now this is where it gets SERIOUS. For the name put a name. I personally use an actual agent's name ([Name redacted by Kotaku]) then put their employee ID (I put a fake ID). For the reason put Technical Support.
Then for the email put XXXX@microsoft.com or something to do with the agent's name but Microsoft. For the reason put something like this "Customer (put their name if you have it on the account you want) verified the 16 Credit Card digit number. He has made an inquiry about how he has forgotten his accounts information, since I am a Tier 1 agent I am unable to view the customers GT. He has requested to have the answer changed to (put something realistic for the answer). The Xbox Live Gamertag is (put GT). – [Name redacted by Kotaku]"
5. Now you should see something like this
6. Call up Xbox 30 minutes later. After they answer say that you were disconnected from a Tier 2 agent and ask to be transferred back.
7. After they transfer you to the Tier 2 agent give them the number (remember you're the customer so you have to act like you have pretty much no idea what's on it). Once they pull it up they will take a little while and change it. DO NOT ASK FOR THE EMAIL so that you can know where to reset it.
8. Then call back and say you forgot your email but know your Secret question answer. They will ask for the GT and answer; tell them and they will give you the email.
Congrats, now you get the OG. This won't work every time so don't get discouraged.
That sounds depressingly simple. Here's another one.
IT HAS NOTHING TO DO WITH PHISHING clearly as you know all too well but MS tries to hide this very well. This is called by the hackers "Jacking an account" and what I talk about below has probably not even entered your head as how your account was taken.
The main thing is that reference number you get, see how they helped you with just a reference number and no other proof you were who you said???
Basically they ring other small companies associated with MS after getting a reference number associated with your gamertag/zune account.
To get the reference number they ring either xbox or zune support and when asked about security info such as name they give fake info and then say "Oh if that's not right my brother must have changed it, he's not in so can I have a reference number to call you back when he is home?"
These smaller companies release your name and more and literally all I or the hacker would have to say after giving them the reference number is "Could you help me verify the information on my account please". Being a smaller, clueless company they give info out like your name or address. They then call back repeatedly getting different info (this is a lengthy process as not every agent is stupid but these people spend days/weeks targeting accounts).
Bear in mind they will get your email address from this process and that pretty much seals the account's fate into being hacked. Most people use the same email and their real/same info for everything so if they see on xbox.com you have netflix or something similar like that they will call netflix and they have all the right name and address etc.
So one example of something I would do and what these people do is to say to netflix "I purchased a new subscription but it's not showing up can you check you have the right payment option on file" because the hacker can give all the correct info to netflix or whoever else's service it is and they will cluelessly give out the last 4 digits of the Credit Card. Now with the last 4 digits of a credit card a password reset form is almost certain to be successful when the hacker submits one through the windows live page when you click forgot password. But there are also hotlines where agents will reset the password over the phone when the hacker provides all this info because they are bound to believe someone with the last four of a CC right? So they help the hacker get your account.
There are literally TONS of different little tactics here and there that these people or I used to use to get different bits of information and I only skim over it briefly above obviously because it would be too lengthy to try and explain it with written words in one email.
As you can see, if this stuff is indeed the kind of methodology used by jackers, it's a far more serious problem than a flaw in Xbox Live's code or immediate security. That sort of thing can be patched, the holes plugged. What Susan's sources are describing though, that's something else. That's a failure of bureaucracy. Something broken at a systemic and fundamental level of Microsoft's customer service system, a result of under-trained and outsourced staff not knowing the finer details of the service's security framework. Which is a lot harder, and slower to fix.
It would also explain why it's been so hard for Microsoft to track down the problem. It's been looking for a problem, something obvious, a chink in Xbox Live's armour. What's being described here, acts of deception carried out on a personal level with customer service staff, wouldn't even come up on their radar.
The raft of thefts reveals that Xbox Live accounts are big business. Definitely worth the trouble of getting hold of. But why? It appears there's a market for all kinds of accounts and the things related to them. The most obvious, and lucrative for the more criminally-minded, are accounts with credit card or PayPal info linked to them. Once loaded up with "free" Microsoft Points, they're then sold off to buyers who get thousands of points for a lot less than they'd normally have paid for them.
Another money-saving motivation is free games. If an account has purchased any Games on Demand titles, for example, those games are linked to the account, meaning the new owner can jump onto Xbox Live and download the games "again" for free. Surprise surprise, the most valuable accounts are ones with Call of Duty titles attached.
Two other reasons, though, are a little more vain. Some black market buyers want access to "OG" usernames. They don't want, for example, "b08". They want "Bob", or names related to pop culture figures, or movie stars, or dumb shit like "Killer". The more interesting OG handles are thus targets for jackers, and can be sold for hundreds of dollars.
The other cosmetic lure is a user's tenure. In the corner of your Xbox Live avatar there's a number. The higher the number, the longer you've been a member. Long-time members—we're talking 5-6+ years—are of course the most valuable, and are a target for jackers who can sell them to people who want to look more seasoned on Xbox Live than they actually are.
If these reports are accurate, then what can you do to protect your account? It would appear you can't do anything at all. Unlike a phishing scam, which you can head off by changing passwords, these jackers are bypassing the user entirely and going straight to Microsoft support. If they see a gamertag they think can make them money, then they'll pull their support scam, and if they can pull it off (as stated above, often they're unsuccessful) there's not a thing you'd be able to do about it.
About the only recommendations would be to do what you should be doing anyway: keep your passwords separate, don't link credit card information to an account and use a dedicated email account for just your Xbox Live, nothing else. At least then you're minimising the damage, cutting down on the possibilities that by stealing your account details these scammers also get access to other online services of yours.
Bear in mind that while these reports may seem convincing, given their origin and the fact nobody but Microsoft knows the full extent of how its own support network operates, the means of account "jacking" should be treated as rumour until we're able to confirm them. As such, we've contacted Microsoft, and will update if we hear back.
Asked for comment, Microsoft has responded to Kotaku with the following:
There are several different methods malicious users employ to gain unauthorized access to accounts; social engineering is one of them. We are aware of the vulnerabilities that social engineering poses, and continue to address these through tools and training to help keep our members safe and secure.
The security of Xbox LIVE member accounts is a top priority and we continue to take aggressive steps to protect our members against ever-changing threats. This includes continually evolving our security practices and staff training to help prevent these scenarios from occurring.
On the specific examples highlighted:
We really appreciate that these issues have been raised; however, the specific examples in this article contain information that is invalid and out-of-date. We would welcome the opportunity to work directly with Ms. Taylor and the members who have contacted her with unresolved cases. We have done a considerable amount of work to resolve cases for our customers in the last several months and will be reaching out to her to provide further assistance.
And finally, advice from Microsoft on protecting your account:
Finally, many of our security enhancements and recovery processes, should an account become stolen, are dependent upon our members being able to verify their identities using additional proofs, such as secondary email addresses, phone numbers, security questions and answers, or trusted devices. Adding strong identity proofs to an account provides multiple layers of identity verification, which can drastically reduce the incidence of identity theft and other online fraud.
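As an added illustration (not Microsoft's actual process, and not code from the article or its sources), here is a toy account-recovery policy that applies the advice above to the failure modes Susan's sources describe: a reference number or a single knowledge-based answer never unlocks an account, possession proofs (phone code, secondary email code, trusted device) outweigh facts that leak through third parties, and repeated under-verified contacts about the same gamertag within two weeks are escalated to fraud review instead of answered. All proof names, weights and thresholds are assumptions.

```python
"""Toy support-desk recovery policy (assumed model, not a real vendor process).
Each Contact records which identity proofs an agent actually verified; the
decision never depends on a reference number alone."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed weights: things the caller must POSSESS (codes sent to a registered
# phone/email, a trusted console) count more than things they merely KNOW, since
# name, address, card digits and security answers can be gathered from partners.
PROOF_WEIGHT = {"phone_code": 2, "secondary_email_code": 2, "trusted_device": 2,
                "security_answer": 1, "card_last4": 1,
                "name_address": 0, "reference_number": 0}
REQUIRED_SCORE = 3            # e.g. one possession proof plus one knowledge proof
WINDOW = timedelta(days=14)   # look-back for the "call back repeatedly" pattern
MAX_PARTIAL_ATTEMPTS = 3      # under-verified contacts tolerated in the window

@dataclass
class Contact:
    gamertag: str
    when: datetime
    proofs: frozenset         # proof kinds the agent verified on this contact
    channel: str              # "phone", "email" or "partner"

def recovery_score(proofs):
    """Sum of weights; unknown proof kinds contribute nothing."""
    return sum(PROOF_WEIGHT.get(p, 0) for p in proofs)

def decide(history, contact):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'escalate'.
    history is the list of earlier Contacts for all gamertags."""
    recent = [c for c in history
              if c.gamertag == contact.gamertag and c.when <= contact.when
              and contact.when - c.when <= WINDOW]
    # Many low-proof calls in a short period is the accumulation pattern:
    # each call extracts one more fact, so a later "complete" call is suspect.
    partial = [c for c in recent if recovery_score(c.proofs) < REQUIRED_SCORE]
    if len(partial) >= MAX_PARTIAL_ATTEMPTS:
        return "escalate", (f"{len(partial)} under-verified contacts within "
                            f"{WINDOW.days} days; route to fraud review")
    score = recovery_score(contact.proofs)
    if score >= REQUIRED_SCORE:
        return "allow", f"score {score} from {sorted(contact.proofs)}"
    # Deny without disclosing anything (not even which proof was wrong) and log it.
    return "deny", f"score {score} below {REQUIRED_SCORE}; disclose nothing, log attempt"
```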
How (And Why) Your Xbox Live Accounts Are Hacked [HackedonXbox]