Editorial: How FIFA 12 is at the heart of an Xbox Live money laundering scam, part one
On December 20, my Xbox Live account was hacked. The breach was sophisticated, more so than Microsoft wants to acknowledge, but at the heart of it is EA's popular sports franchise FIFA.
I got hacked on Xbox Live and all I got were some achievement points and a headache.
An email I received, thanking me for playing FIFA 12... insult to injury!
Some of the charges linked to my account during this scam, bleeding my MS Points dry.
-
Xav de Matos posted a new article, Editorial: How FIFA 12 is at the heart of an Xbox Live money laundering scam.
They're so full of fucking shit. Reading what Stephen Toulouse (who in all respects sounds like a nice guy) spouts in typical PR crap makes me really fucking pissed off. They, through veiled PR speak, essentially blame the victim. They say it's not affecting that many people, but they said that about the whole Red Ring Hardware fiasco.
-
I still fail to see how it is not the victim's fault. Yeah, Microsoft could and should have additional account security options to make it more difficult for scammers to use an account that does not belong to them, but ultimately the user has to take some responsibility for allowing their information to be compromised. It's not like they're hacking into a Microsoft database and stealing user info; users are being individually targeted by scammers.
-
The veiled language I'm pointing at is the fact that they skirt the fact that their customer service is awful. Should customers be more responsible? Yes. But the implication is always kind of just "Hey man, they probably got phished so they're noobs anyways." *IT PROFESSIONAL VOICE*
But if you've read much about these issues it doesn't take 25 days to recover an account. I'm seeing lots of people over 70 or 80 days to get an account back. That isn't acceptable. The fact is your Gamertag is tied up with too much that when you're locked out it really makes using your Xbox nigh impossible. YEAH I SAID NIGH!
One of the first rules of PR is "never publicly admit defeat". Sony followed this rule to its very end, after their bluff was called, where it was revealed that they botched an encryption algorithm by not changing the value of a number that said "make this a changing random number" in the encryption algorithm spec. It took a long time, but they finally released a firmware version that fixed that.
Much like Toulouse isn't going to disclose what steps make it harder to recover accounts, he's also not going to reveal weaknesses in the XBox Live support process. This is why the users need to tell their stories, and tell them in an honest fashion, even if Microsoft wants to squelch them, or if news outlets want to do the squelching for Microsoft.
These are first-generation online console network platforms that are being stretched to their limits. EA aggressively monetized XBox Live, and it's proving to be a lucrative target for thieves to go steal accounts, drain the MS points balance, and cash out.
I know the game they and what Toulouse says makes sense. He works for the goddamn company. But that doesn't make me less angry. And their lying is getting more transparent. OH HEY WEIRD XAV GOT HIS ACCOUNT HACKED AND YEAH IT'S FIXED IN A DAY. WEIRD! IT JUST HAPPENS SOMETIMES! LOL.
I'M AN ANGRY VICTIM WHO IS TURNING ACTIVIST. OCCUPY TOULOUSE'S HOUSE.
-
-
No, you are wrong here. The thing is that with Live, if you attach your debit/credit card to your account (which is not only common, almost mandatory, as they made you run through barbed wire and feces to remove it once you used it on Live), there was absolutely no additional security when using it on Live, none.
Not even a small PIN code (as, let's say, the App Store). If anyone could have access to your account for any reason, no matter the strength of the password, they would also have access to your credit card without any hindrance whatsoever.
This is where they have it wrong: nowhere else is it accepted that the store (or whatever) keeps your credit card details and never ever lets you verify when you use it, nowhere. It's just bafflingly stupid and mindbogglingly idiotic.
Add to this the system of 'recovering' your profile to any other Xbox and the possibility of *one-way* migration to another country without verification. Hello?
You can perhaps fault people for having a less secure password for an online gaming service, yes, they should know better, but the magnitude of the damage is completely up to Microsoft. There is absolutely no way that the amount of suffering you have to go through is correlated to the only fault the user *maybe* has done, which is to use the same password on another site and/or a too-simple password.
Once you are a customer of a company you have a two-way trust. In this specific issue I think Microsoft is completely dropping the ball and letting the user take *all* of the downfall.
-
-
-
I would not be surprised if, in a few weeks, Microsoft had to disclose that they were hacked. Lots of companies got hacked this year; even Valve got hacked, as well as Sony and a bunch of other companies:
Trion Worlds (Rift): http://www.shacknews.com/article/71706/rift-hacked-user-information-stolen
Square Enix: http://www.shacknews.com/article/71561/square-enix-members-hacked-personal-information-potentially-compromised
Bethesda: http://www.shacknews.com/article/68887/bethesda-servers-hacked-accounts-may
BioWare: http://www.shacknews.com/article/69044/bioware-hacked-ea-information-compromised
EA (Battlefield Heroes): http://www.shacknews.com/article/69065/battlefield-heroes-hacked-lulzsec-disbands
Sega (Sega Pass): http://www.shacknews.com/article/68953/sega-pass-hacked-users-warned
Seriously, if the account wasn't compromised by social engineering, phishing, malware, or password sharing with weaker services, hacking still remains a possibility. It hasn't been announced that it happened yet, but Valve's Steam database got hacked through their forum database server.
-
-
And yep, they did the FIFA 12 thing. The best part is I've changed my account password and did the 'Profile Protection' thing that supposedly requires the profile to be redownloaded and the password reentered before you can log on again, but neither of those things have happened.
It's a bunch of hairy bullshit.
-
-
Thank you for not taking special treatment friend. That's fucking horse shit and in my eyes a hush hush tactic. You get special treatment so you don't hit the 50+ day mark that so many others have made it to. I'm 1 week down since I opened the ticket and I'm in control of my account. I've seen people up to 60 days now in control of their account but the investigation is still on-going just for a refund. So I guess I'll just wait and see how long this takes. But it's pathetic that they offer a quick process to you video game article writers...wonder why /sarcasm
-
An earlier version of this article was published accidentally. EA has responded prior to this article going live and is looking into the situation. A detailed conversation with EA and Microsoft will be published tomorrow regarding the investigation into FIFA 12 and potential security issues on Xbox Live.
-
-
-
If the reports of people with ridiculously complex passwords only used for one purpose getting hacked are true, then that's a real possibility.
I had a complex one-time password (generated by and stored in KeePass) for my Windows Live account, yet my email was hacked. You shouldn't be able to brute force a web service, so what is going on?
Also there needs to be two-factor authentication.
-
I'm concerned about whether EA will acknowledge the situation with the FIFA Ultimate Team trading card feature. EA has been making a push to become a more online-centric publisher, and their means to that end have been a bit abrasive to consumers (Online Pass, mandatory EA.com logins, heavy DLC promotions), but the biggest problem with FIFA Ultimate Team is that it effectively monetized the theft of Live accounts with an MS Points balance, which is something you don't want to ever do.
Let's see what they say in their statement today.
-
-
-
They say that if you recover the account yourself so it's "only a refund claim" it only takes a few days, which is bullshit. I reclaimed my account within hours of it happening and called support, and it still took almost two months to get refunded (as in, getting the confirmation they were going to refund me, then another week or two before the funds were back in my account).
-
Sorry, "StepTo" is full of shit.
My account never left my control, and it took 30 days to get it back. The retards on the phone made it clear there had to be an investigation because the hackers spent money and bought points. Instead of investigating while I could use my account, they gave me a 30 day gold card and told me to make a new account to use in the interim. Yeah, thanks a bunch for that assholes, that works really well with the system you've set up for saved games and DLC.
-