Editorial: EA's response to FIFA 12 'money laundering' on Xbox Live, part two
Part two of our investigation on Xbox Live's FIFA 12 'money laundering' scam problems, with response from EA regarding its franchise being used as a profit tool for attackers.
My account shows I've played FIFA 12, but it's all part of the scam.
-
Xav de Matos posted a new article, Editorial: EA's response to FIFA 12 'money laundering' on Xbox Live, part two.
-
I'll repost what I wrote as a response in the other thread as it relates to putting the blame on not only the hackers but also in particular Microsoft:
No, you are wrong here; the thing is that with Live, if you attach your debit/credit card to your account (which is not only common, but almost mandatory, as they made you run through barbed wire and feces to remove it once you used it on Live), there was absolutely no additional security when using it on Live, none.
Not even a small PIN code (as in, let's say, the App Store). If anyone could have access to your account for any reason, no matter the strength of the password, they would also have access to your credit card without any hindrance whatsoever.
This is where they have it wrong: nowhere else is it accepted that the store (or whatever) keeps your credit card details and never ever lets you verify when you use it, nowhere. It's just bafflingly stupid and mind-bogglingly idiotic.
Add to this the system of 'recovering' your profile to any other Xbox and the possibility of *one-way* migration to another country without verification. Hello?
You can perhaps fault people for having a less secure password for an online gaming service, yes they should know better, but the magnitude of the damage is completely up to Microsoft; there is absolutely no way that the amount of suffering you have to go through is correlated to the only fault the user *maybe* has committed, which is to use the same password on another site and/or a too-simple password.
Once you are a customer of a company you have a two-way trust; in this specific issue I think Microsoft is completely dropping the ball and letting the user take *all* of the downfall.
-
I have to say I think you hit the nail on the head with all but one point. Steam is another provider that keeps your card on file without any extra steps to make purchases, however they do have that VAC guard which does help.
The reason why I think most customers of Microsoft are so upset about this is because so much of this damage could have been prevented so easily. Account transfers between regions shouldn't be so easy to do. I get that in Europe and the North Americas that consoles do migrate but I doubt it happens at such a volume that would justify no security checks.
Second, Microsoft's inability (and still ongoing) to allow the user to remove their credit card from their accounts is the height of absurdity. I get companies want to mine data about their users, but working in a profession where highly confidential information comes to me on a daily basis and how I can lose my ability to practice my craft with one screw up, it just irks me to no end that such large companies are allowed to store and retain against their users' will such information, never mind any expectation of security.
I, along with many other users, I feel, are just sitting here scratching our heads at how badly Sony, and now Microsoft, have handled these security issues.
-
-
What I find absurd is that while it takes over 3 months for MS to recover an Xbox account, Valve can recover a Steam account in 1-2 business days.
Steam is similar in size to Xbox Live (last official info from both services is that they have over 35 million active users) and Valve has much less resources than MS and still they are able to resolve such situations much, much faster.
It might also help if MS used something similar to SteamGuard, so that a hijacker would need more than a username and password to hijack someone's account.
-
I don't think diversity of content has anything to do with it. It's a matter of how their system stores and manages profiles or accounts.
If the only way to track or call up an account is the gamer tag, then with a name change (no unique, unchangeable ID number) it can be exceptionally difficult to track an account that has undergone multiple name changes, let alone region changes which might move it from one database to another.
-
-
You are startled people place blame at MS and EA? What planet do you live on? You call them gamers but what you forget is that they really are customers. Not only did they buy the Xbox and the game but they pay monthly for a service. A service. Customers don't really care about the details, they buy something and they expect it to work right. If it doesn't work right then the company who made the product fixes it or if the customer is paying monthly the business is even more obligated to fix it and fast, because otherwise, wtf is the customer paying for. Of course MS and EA get blamed, they need to avoid allowing situations like this, get better security, and fix things in a timely manner.
Customers, not gamers.
-
Agreed, Microsoft and EA are hosting the service, so it's their duty to protect that service, and go after the hackers themselves. If you want an environment where end users are responsible for all account security, then what's the point of a closed online service?! We should just go back to open customer-hosted dedicated servers and master servers at that point.
I feel that EA just doesn't want to have to shut down a marquee service for them, the FIFA Ultimate Team, since it's probably earning lots for an "add-on" service, perhaps on the order of some free-to-play games.
-
-
-
I heard rumours that it might be possible to bypass the login somehow, as in a hacked Xbox can spoof some kind of hash/token to take over another account once it has itself logged in as a 'correct' account.
But I agree, yet the magnitude makes me suspicious; my brother and his kids have been hacked twice now, and he promises me that no one knows his login and it's never used anywhere else. To make matters worse, he has a parent account for his three sons, who have separate accounts; when his is compromised, all the others go to the shitter too.
-
-
Xav, didn't you have a problem with not being able to transfer your Canadian Xbox Live Gold account to the US after you moved? Did you ask Toulouse about that, and why it's so easy for region transfers from the US to Russia to happen at the frequency they're happening? I'd personally think that there would be a few legitimate transfers from US to Russia (somebody moving, or on an extended business trip), but not at the rate we're seeing people say their accounts got flipped over to the Russia region.
-
That's not a security issue. I talked to customer service about that. The issue there is about licenses for certain content... mostly media content. Since the Eastern Bloc (at least at the time) didn't have things like Netflix available that differed from the US version (which Canada does) it isn't an issue to switch the profile to that region.
The real reason it exists, also, is because Xbox Live wasn't available in some regions and people who imported their system would select neighbouring regions in order to access the service. As Live expanded, the tool was created to get those people in the right areas.
-
-
From part 1: http://www.shacknews.com/article/71700/editorial-fifa-12-xbox-live-money-laundering
"When I first discovered an issue with my account, I took it to Twitter. It was Shacknews editorial director Garnett Lee who first tipped me to the FIFA 12 hack. "Check your Xbox Live account, see if FIFA is in your recent played games." Not only does FIFA 12 appear on my list--a game I have never played--I have two achievements in the game. Both achievements are associated with FIFA's 'Ultimate Team' feature, which the digital card packs are linked to."
I'd like to highlight this part, "a game I have never played"
There has got to be some blame put on the companies for this. Some, not all; (for the hackers are the main culprits) but man, you never played the game before!
The easiest solution, it seems to me, is to keep some contact information on file. If a region change or a transfer of money/content that is known to be associated with a scam is initiated, then call or e-mail the owner of the account, and ask for verification. If the individual says no, then you know something is going on.
-
Hahahaha, oh all of a sudden a great many things make sense. Apparently someone bought 4000 points on my account using that stupid hack, and I didn't think anything of it for a bunch of reasons, not the least of which was that the day it happened was the day I checked out of the military and gave zero fucks.
*slaps head*
I'll probably just eat the cost if the alternative is losing one of my most used items for 3 months. Fuck that.
-
I know you said in your previous post that you didn't want special treatment, but there is no way in hell you got your points back so quickly without it. At minimum your account should have been locked for an investigation and that takes two weeks if you're lucky. Hell, you had the head of security explicitly tell you what seemed to happen to your account. I'm lucky if the tech support person I talk to will acknowledge that I am who I say I am.
Most of us are not fortunate enough to be able to speak with anyone with any power at Microsoft. The anger and frustration vented at Microsoft and EA is I think in part because the recovery process is so shrouded in mystery. When a person who isn't a journalist calls, they get to speak with a tech support person. The only thing this person can do is give you a service request number and add notes to your account. They don't (or claim they cannot) speak with the escalation team or the security team, and so you can only hope that the notes are being read.
The second time I was hacked I regained control of my account myself before calling Microsoft. I was fortunate enough to get various emails telling me that security options were being removed and managed to reset my password before losing my profile.
They did, however, add points to my account and change my gamertag. After calling support they locked my account and took a month to do nothing. They really did nothing. They gave me 800 points to change my gamertag back but never freed up my original gamertag. I have been waiting 2 more weeks so far for them to just give me my gamertag back. It's insane.
TLDR: If Microsoft added an opt-in authentication service similar to Google's two-step verification or Blizzard's authenticator, 98 percent of these cases would cease to exist.
-
Oh, and if crime gets too high in an area, it is perfectly logical and justified to get upset at an ineffective police force (as well as the criminals).
Similarly, if I pay for a service that demands my credit card I expect a competent level of security and that they hold themselves accountable for any mistakes. "...shouldn't the blame be squarely put on the shoulders of the hackers?" No, not squarely. They should take responsibility, and Microsoft should attempt to prosecute them; but Microsoft and EA are displaying Gross Negligence, and as such some blame should be applied to them as well.
-
-
-
Mine was hacked similar to Scott's on Sept 24th of this year. I was on vacation at the time, but I saw it on the 26th, changed my password, and "reclaimed" my account. I got back from vacay on the 1st of October, and reported it on the 2nd. I STILL have yet to get it back, but then again, I'll "only" be at 3 months as of January 2nd. Sadly, I'm in the same boat as Scott: my region was changed from Canada (EN) to Czech, 6000 MSP x3 billed to my CC (which was on file, but will never again be).
All I can really do is wait. :(