The statement was prompted by growing concern among users as more and more reports of Xbox Live fraud and account hijacking surface. “I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats,” says Garden. “Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end.”
The full statement reads (it’s quite lengthy):
Your Security is Important to Me
Since today is Safer Internet Day, I thought it’d be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.
As all of us know, account hijacking across the Internet continues to grow. It’s a thriving – albeit illegal – industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.
It’s in this vein I’m reminded how important it is to listen to you, our members – to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.
Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.
That’s why I believe it’s more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account.
What you’ll see there is that the most common sources of attack continue to involve:
social engineering to gather information about the user to guess the password;
phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
malicious software on the computer that has captured the password; or
using the same password from another online service that has been breached.
I share these realities in hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you log in to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you’re signing in from a PC that isn’t your own. Working together we can prevail over the criminals.
I realize it may fall flat when we don’t share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, PIN sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.
Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and botnets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.
Recovering compromised accounts – in a timely manner – is also a priority and an area where we’ve made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we’re making great strides. We hope our customers are experiencing the improvements firsthand.
We do not take lightly the frustrations we’ve heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers’ individual and collective concerns. For now, if you have a problem we haven’t yet resolved, please email me. Also tune into Major Nelson’s podcast this week to hear more about our work in the war on fraud.
With my sincere commitment to listen and take action,
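The password-attempt throttling, account lockout and abusive-source blocking that Garden lists are standard login-abuse controls, and the credential-reuse attack he names (a password leaked from another breached service being tried against Xbox LIVE) is exactly what they are meant to slow down. The following is an added example written for this article, not Microsoft's code and not taken from the statement, of how such a guard fits together. Every threshold, the backoff schedule, the PBKDF2 parameters, and the sample account, passwords and addresses are assumptions chosen for illustration.

```python
"""Login guard: per-account throttling and lockout, per-source-IP blocking.

Illustrative example only. Thresholds and parameters below are assumed
values for the demonstration, not those of any real service.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

THROTTLE_AFTER = 3      # failures before a per-account delay is imposed (assumed)
LOCK_AFTER = 10         # failures before the account is locked pending recovery (assumed)
IP_BLOCK_AFTER = 50     # failures from one source address before it is refused (assumed)
WINDOW_SECONDS = 900    # an account's failure counter resets after 15 idle minutes (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an example value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: float = 0.0
    next_allowed_at: float = 0.0
    locked: bool = False


class LoginGuard:
    """Checks a password while throttling, locking and blocking abusive sources."""

    def __init__(self, credentials: dict, clock):
        # credentials maps username -> (salt, pbkdf2 hash). clock() returns epoch
        # seconds and is injected so the example runs deterministically offline.
        self._creds = credentials
        self._clock = clock
        self._accounts = {}
        self._ip_failures = {}
        # Dummy credential so an unknown username costs the same hash work as a
        # real one; otherwise response time leaks which accounts exist.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        now = self._clock()
        if self._ip_failures.get(source_ip, 0) >= IP_BLOCK_AFTER:
            return "ip_blocked"
        st = self._accounts.setdefault(username, AccountState())
        if st.locked:
            return "locked"
        if st.failures and now - st.last_failure_at > WINDOW_SECONDS:
            st.failures, st.next_allowed_at = 0, 0.0
        if now < st.next_allowed_at:
            return "throttled"      # refused before the password is even examined

        salt, expected = self._creds.get(username, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if ok and username in self._creds:
            st.failures, st.next_allowed_at = 0, 0.0
            return "ok"

        # Failure: count it against both the account and the source address.
        self._ip_failures[source_ip] = self._ip_failures.get(source_ip, 0) + 1
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= LOCK_AFTER:
            st.locked = True        # only account recovery can clear this
            return "locked"
        if st.failures >= THROTTLE_AFTER:
            # exponential backoff: 2, 4, 8 ... seconds from the third failure on
            st.next_allowed_at = now + 2 ** (st.failures - THROTTLE_AFTER + 1)
        return "bad_credentials"

    def unlock(self, username: str) -> None:
        """Called by the recovery process once ownership has been re-proven."""
        self._accounts[username] = AccountState()


def demo() -> list:
    """Constructed scenario: a credential-stuffing run against one account,
    followed by the real owner signing in during and after the throttle window."""
    t = [1_000_000.0]
    clock = lambda: t[0]
    salt = b"constructed-salt"
    guard = LoginGuard({"player1": (salt, hash_password("correct horse", salt))}, clock)
    results = []
    for i in range(4):
        results.append(guard.attempt("player1", f"leaked-pw-{i}", "203.0.113.7"))
        t[0] += 0.5                 # attacker fires every half second
    results.append(guard.attempt("player1", "correct horse", "203.0.113.7"))  # right password, still throttled
    t[0] += 60
    results.append(guard.attempt("player1", "correct horse", "203.0.113.7"))  # delay elapsed
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the throttle decision is made before the password is hashed, so a throttled request costs the service almost nothing, and a correct password submitted during the backoff window is still refused, which is the trade-off between blocking the attacker and inconveniencing the owner that Garden's "strong proofs" (a code sent to a phone, a trusted PC) are meant to ease.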
EGM’s TAKE: While we have no reason to believe that Xbox Live itself has been hacked, it is apparent that fraud and phishing scams are hitting Xbox Live users hard, and this is difficult for Microsoft to counteract. Beyond the account-side measures Garden describes, much of what Microsoft can do is warn people about the dangers of these scams; the rest boils down to players’ common sense when opening and replying to emails of a suspicious nature. Microsoft could perhaps do more about websites that sell stolen Xbox Live profiles, but we have no idea whether they have tried, or whether they could do anything about it at all. If you want to avoid losing your account, use your common sense: if something looks too good to be true, it usually is, and never give out your username and password to anyone, since no legitimate company will ever ask you for them.
Could Microsoft be doing more to boost security? Leave your thoughts below.