Microsoft probes alleged Xbox Live fraud

Stephen Withers
Thursday, 22 March 2007 03:50

Your IT - Entertainment

Microsoft is investigating claims of "fraudulent behaviour and theft" involving Xbox Live accounts being hijacked and associated credit card numbers used fraudulently to buy extra points, following months of complaints from users.

Various versions of the story are circulating, and it is possible that all are true. One main theme is 'social engineering' whereby the culprits simply call the support line with a sufficiently convincing story to get account details changed. This behaviour has become widely known as 'pretexting' since the publicity given to a private investigator that used it while investigating an information leak from Hewlett-Packard.

Variations on this theme refer to the culprits obtaining account information through traditional phishing techniques, or by engaging their opponents in conversation in order to get them to reveal information that will help the impersonation.

An alternative explanation points to technological attacks, whether that involves compromising some part of the Xbox Live infrastructure or simply 'sniffing' other players' account details as they travel across a LAN at an Xbox party.

One victim is Kevin Finisterre, well known to iTWire readers for his involvement in the Month of Apple Bugs project. Apparently Finnisterre's Halo opponents threatened to steal his account, and the next day that account was being used by someone else.

Finisterre's web site contains a catalogue of complaints and related postings dating back as far as 2006.

"Recently, there have been reports of fraudulent activity and account theft taking place on the Xbox Live network," a Microsoft representative said. "Security is a top priority for Xbox Live, and we are actively investigating all reports of fraudulent behaviour and theft."

Those fond of conspiracy theories might be inclined to note that this story has broken just as the PAL version of the PlayStation 3 goes on sale, but we think it's just a coincidence.