In association with heise online

22 March 2007, 14:15

Complaints about stolen Xbox Live accounts on the rise

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

On Internet forms, game players are increasingly complaining that their accounts at the Xbox live online service that Microsoft operates for its Xbox 360 game console are being stolen by other players; they later find that some hefty purchases of other Xbox arcade games have been charged to their credit card account. Apparently, players of Clan who regularly take part in the online tournaments are particularly affected. According to individual reports, hackers have managed to use a sniffer to get players' IP numbers, with which they then log into the Xbox Live under someone else's name by using gamer tags.

Microsoft reassures everyone that no such attack as possible. "The rumours that Xbox Live has been hacked are unfounded," Felix Petzel, spokesperson for Microsoft Germany, told heise online. He said that the system remains secure. Three features are used to protect these accounts: the gamer tag, Windows Live ID, and the Windows Live Passport. In other words, attackers would have to get hold of all of these data to take over an account. "The Xbox identifies itself using an internal GUID via encrypted transmission. Only one GUID can be logged in under a gamer tag at any time. Furthermore, the gamer tag can only be stored on a single medium (either the hard drive or a memory unit) because it is linked to the medium's ID. It is therefore not possible to make a direct copy. In other words, the scenario that some people are talking about is not even possible," Petzel explained. The GUID is protected on the Xbox 360 by a four-digit PIN, which is entered with the game pad.

However, Petzel did say that some questionable offers were being made on the internet; for instance, in exchange for a fee some players are offering to step in for less talented gamers who cannot reach the next round. To do so, the player making that purchase would have to hand over his gamer tag, Windows Live ID, and Windows Live Passport. Once someone else has your Windows Live Passport, they can use the "Account Recovery" function to play under your identity on another console. "Doing so is about as careless as giving someone the PIN for your bankcard," Petzel explained. As soon as a third party has control of an account, they also have access to any credit card information already stored on that account. They can then purchase any games they want from the Xbox Live Arcade in return for "Microsoft Points", with the other person paying.

Unfortunately, Microsoft does not exactly make it easy to delete credit card information already stored on account. The only thing you can do is call the Microsoft Hotline to have them block the credit card, or you can enter a nonexistent account at the web site Users of the account would then not be able to make any purchases until a working account has been set up. Last week, Microsoft announced that the new "Games for Windows -- Live" is to be launched on May 18 starting with "Halo 2" for PCs. PC gamers would then be able to play against Xbox 360 players via Games for Windows Live. PC players would be using the same Xbox Live account as console players, but PC players would still be able to play against each other for free, which owners of consoles cannot. You would only have to pay the 60 euros per year for a Gold Account if you want to play against Xbox 360 gamers.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit