Microsoft says “okay, errm, maybe it was our problem” – Xbox Live fraud

Mike Bantick
Tuesday, 27 March 2007 07:36

Your IT - Entertainment

It was only last week when Microsoft stated that the possible Xbox Live fraud was due to customers being duped into giving over their details.  Well to their credit, Microsoft has dug deeper.

It now seems that the ones that were duped were Microsoft themselves.  Originally revealed as a customer phishing scam, it now emerges that the Microsoft support centre itself may have been compromised by a “pretexting” scam.

Pretexting relies on the ability of a caller to convince the listener that they are somebody else, and in return getting sensitive information about that identity. 

Late on Friday, the Major Nelson Xbox blog had this to say about the incident; "Earlier this week when I first heard about the "Xbox Live network hacked" story, I checked with the people on our end, and then posted about it. As originally posted, Xbox Live has not been hacked. That is still true. A security researcher, Kevin Finisterre, discovered not a hack, but the fact that some accounts may have been compromised as a result of 'social engineering', also known as 'pre-texting', through our support center. Kevin gave me a call directly and once I realized what he was talking about (he sent me some painful-to-listen-to audio files) I confirmed that the team is fully aware of this issue. They are examining the policies, and have already begun re-training the support staff and partners to help make sure we reduce this type of social engineering attack.
There's no other way to say it; this situation shouldn't have happened. Our customers deserve better."

Kudos to Microsoft for not letting this situation rest, and as a continuous improvement program, incidents like these should not be swept under the carpet.