Microsoft acknowledges Xbox Live hijacks


This was published 12 years ago


Microsoft has denied there is any evidence of a security breach in the Xbox Live service but has acknowledged users are having their accounts hijacked by cyber criminals.

Xbox Live users whose accounts have been compromised and used to make unauthorised transactions have been complaining over the past few months that Microsoft has been slow to assist customers and restore access to their accounts.

The security of online consoles was thrust into the spotlight last year when a PlayStation Network security breach compromised millions of customer accounts and resulted in the network being shut down for a month.

Microsoft has only recently begun to publicly address the issues of hijacked Xbox Live accounts.

Last month the software giant revealed it had improved security on its Xbox.com website, which seems to have been how hackers got access to user account information, and this week the general manager of Xbox Live Alex Garden penned an open letter about security on Xbox Live that acknowledged "account hijacking across the internet continues to grow".

Mr Garden did not specifically mention the issue that has seen many people suffer unauthorised purchases on their Xbox Live accounts, such as Xbox Live subscriptions and Microsoft Points. However, he did acknowledge that security "has been on my mind these last several months".

"Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us," Mr Garden says.

"While we here at Xbox have no evidence of a security breach in the Xbox Live service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks."

Mr Garden says he can assure Xbox Live users that "we are listening and continue to take aggressive steps to help protect you against ever-changing threats".

"Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox Live – our work will never end.


"With every measure we put in place, ill-intentioned people will create new ways to attack online services. That’s why I believe it’s more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud."

Screen Play reader Damian Cavanagh is an Australian victim of Xbox Live account hijacking. He was alerted to a problem with his account when he received an email receipt for a purchase of Microsoft Points that he did not make.

"I jumped straight onto my Xbox 360 and found that my GamerTag was no longer there and I now had the GamerTag of 'DemetedLemur12' or something to that effect," Damian says.

"Apparently the last game I played was FIFA 12 and I had also earned achievements. I don't and haven't owned a FIFA game since the SNES. I even went and checked my EA Sports account online and the achievements appeared on there too."

Fortunately, there was only one $99 transaction made, and "it was refunded by the bank with minimal fuss". "$99 wasn't as bad as some that I heard about," Damian adds.

Damian says the worst part was having no access to Xbox Live for three weeks while Microsoft investigated the issue.

"I originally spoke with Microsoft on the phone, who suspended my account and I wasn't able to go in and reset my password until they had completed an investigation. I was also advised to use an alternate email address, which I did.

"The waiting period was probably the worst part of the situation. I think I was without Xbox Live for a little over three weeks. Once I was given the all clear it was easy to retrieve my original GamerTag. All of my achievements were there (plus the FIFA stuff)."

Damian says he was not given an explanation by Microsoft for the hijacked account but was given 400 Microsoft Points and a month's free Xbox Live Gold access as compensation.

"I never chased Microsoft for a reason," Damian says. "I guess I was just happy to be online again."

Damian says the incident has changed his online behaviour.

"I no longer keep my credit card details on my Xbox 360 and if I was to use a credit card for Xbox Live subscriptions or Microsoft Points I would probably use a pre-paid card. I think lots of people would be more wary now after the troubles Sony went through and this incident that Microsoft suffered."

Microsoft says the most common sources of security attack are:

  • Social engineering to gather information about the user to guess the password
  • Phishing, where the user types the account password into an illegitimate website that is pretending to be something else
  • Malicious software on the computer that has captured the password
  • Using the same password from another online service that has been breached.

Xbox Live chief Alex Garden says Microsoft is determined to continue to investigate cyber-criminals and "bot nets", and will "continue to put in place security features and process improvements to help secure Xbox Live".

Microsoft is also working to improve its process for recovering compromised accounts in "a timely manner".

"We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days," Mr Garden says.

"For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we're making great strides.

"We do not take lightly the frustrations we've heard from our loyal Xbox Live members and remain committed to addressing and persistently resolving our customers' individual and collective concerns."

Screen Play is on Twitter: @screenplayblog
