An Open Letter from Xbox Live's General Manager

February 8, 2012 -

Xbox Live general manager Alex Garden has issued a statement addressing ongoing concerns about Xbox Live account security. In the letter he says that many of the security issues have very little to do with the Xbox Live service itself, which has not had its security breached. The letter responds to numerous user complaints about accounts being hijacked or stolen and the points on them being spent. He acknowledges that there is little comfort in knowing that Xbox Live is secure when a user's own account has been compromised.

He attributes most of the security problems users encounter to phishing sites, email scams, and weak user passwords.

Garden says that the company is working to improve its security and to reduce wait times for recovering accounts and issuing refunds for unauthorized charges. He added that in most new fraud cases users regain control of their accounts within three days of a complaint being made to Microsoft.

You can read the entire letter below:

"Since today is Safer Internet Day, I thought it’d be a good opportunity to share a few things that have been on my mind these last several months. Here at Microsoft we view this day through many lenses from online safety to privacy to account and data security and more, and we take your security and online safety very seriously.

As all of us know, account hijacking across the Internet continues to grow. It’s a thriving – albeit illegal – industry affecting online services the globe over. Last year, there was a surge of personal information being compromised and sold, and this undoubtedly has had an impact on all of us. While we here at Xbox have no evidence of a security breach in the Xbox LIVE service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks.

It’s in this vein I’m reminded how important it is to listen to you, our members – to really listen, to really hear and to really do something with what you say. I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox LIVE and your trust in us.

Security is an ongoing battle. No matter how well we work to improve security – and we are working every day to bring new forms of protection to Xbox LIVE – our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.

That’s why I believe it’s more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at detailing all the steps you can take today to help protect your account.

What you’ll see here is that the most common sources of attack continue to involve:
• social engineering to gather information about the user to guess the password;
• phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else;
• malicious software on the computer that has captured the password; or
• using the same password from another online service that has been breached.

I share these realities in hope that our members will work with us to reduce the ease of access for hackers. Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows LIVE ID Account Management site, and reducing the amount of personal information shared online or through social networks. More and more, being mindful of where you login to online services, even when not using Xbox LIVE, and using single-use codes, provides added protection, especially when you’re signing in from a PC that isn’t your own. Working together we can prevail over the criminals.

I realize it may fall flat when we don’t share specific details of our security architecture. However, some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, PIN sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner.

Getting ahead of potential threats of harm is an important area of focus. At a broader level, Microsoft continues to investigate cyber-criminals and botnets, and help shut them down. And although this is an industry-wide challenge, we are an industry-leading company that believes in our responsibility to actively address online fraud and identity theft. As part of this commitment, we continue to put in place security features and process improvements to help secure Xbox LIVE.

Recovering compromised accounts – in a timely manner – is also a priority and an area where we’ve made, and will continue to make, improvements. We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days. For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we’re making great strides. We hope our customers are experiencing the improvements firsthand.

We do not take lightly the frustrations we’ve heard from our loyal Xbox LIVE members and remain committed to addressing and persistently resolving our customers’ individual and collective concerns. For now, if you have a problem we haven’t yet resolved, please email me. Also tune into Major Nelson’s podcast this week to hear more about our work in the war on fraud.

With my sincere commitment to listen and take action,

Alex Garden
Email: Alex dot Garden at Microsoft dot com
General Manager, Xbox LIVE

Re: An Open Letter from Xbox Live's General Manager

Sometimes, I wonder if a lot of quote-unquote hacking stems from the fact that we've been engineered by the internet to use really insecure passwords. "Use mixed case and numbers, it totally makes your password more secure!"

Re: An Open Letter from Xbox Live's General Manager

Incorrect-password policy easily defeats brute-force attempts; as far as I know, XBL doesn't allow infinite attempts. This makes complexity almost a nonissue: even a low-complexity password that can be guessed in milliseconds will overwhelmingly lock out the account before being found. The real issue is password capturing.

Take the big hacking mess of WoW. It all comes down to keyloggers and phishing, not hacking. A 730-character password using upper and lower case, numbers, special characters and Alt-key combination characters may as well be aaaaa when you've got a keylogger.

And most people are far more cavalier about clicking links, downloading every borderline interesting program, using out of date and insecure browsers, and having their only protection be a trial copy of Norton that came with their computer and stopped actually doing anything in 2006.

Re: An Open Letter from Xbox Live's General Manager

I don't really think that's the biggest concern. Password reuse is arguably a much bigger issue than password complexity -- if you use the same hyper-complex password everywhere, then all you need is for one of those sites to do something incredibly stupid with their security (such as storing passwords in plaintext) for your accounts on all of them to be at risk.
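The letter lists password-attempt throttling and account lockout among its defences and names password reuse across breached services as an attack source; the two comments above argue about which matters more. The following is an added example, not Microsoft's or Xbox LIVE's code, that models both in a small login guard: an online guesser working through a wordlist is locked out after a handful of tries, while a credential-stuffing attacker who already holds a password leaked from another service needs only one try per account, so lockout never engages and only a unique password helps. The failure threshold, lockout window, user names, passwords and wordlist are all constructed for the demo and are not the service's real policy.

```python
"""Per-account attempt throttling and lockout, versus credential stuffing.

Added example; not Microsoft's or Xbox LIVE's code. Thresholds, users,
passwords and the wordlist below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy: lock after this many wrong guesses
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window
PBKDF2_ROUNDS = 20_000      # kept low so the demo runs quickly; use more in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database does not hand out passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive wrong guesses since last success/lockout
    locked_until: float = 0.0  # clock time at which the lockout expires


class LoginGuard:
    """Login front end with a per-account failure counter and timed lockout."""

    def __init__(self, clock=time.monotonic):
        self.accounts: dict[str, Account] = {}
        self.clock = clock

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'fail' or 'locked'. Unknown users look like a bad password."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, b"\0" * 16)  # burn the same time; hide user existence
            return "fail"
        if now < acct.locked_until:
            return "locked"                      # refused without checking the password
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "fail"


class FakeClock:
    """Controllable clock so the lockout window can be advanced deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def online_guess(guard: LoginGuard, user: str, wordlist: list[str]) -> tuple[str, int]:
    """Attacker feeding a wordlist through the login form, one guess at a time.

    Returns the first non-'fail' outcome and the attempt number it happened on.
    """
    for n, guess in enumerate(wordlist, 1):
        result = guard.login(user, guess)
        if result != "fail":
            return result, n
    return "exhausted", len(wordlist)


def credential_stuffing(guard: LoginGuard, leaked: dict[str, str]) -> dict[str, str]:
    """Attacker replaying user/password pairs leaked from another service: one try each."""
    return {user: guard.login(user, pw) for user, pw in leaked.items()}


# Constructed wordlist of common passwords for the online guesser.
WORDLIST = ["123456", "password", "qwerty", "abc123", "letmein", "monkey", "dragon", "111111"]


def demo() -> tuple[tuple[str, int], dict[str, str], str, str]:
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.register("gamer1", "correct horse battery staple")  # not in any wordlist
    guard.register("reuser", "Summer2011!")    # same password as on a breached site
    guard.register("careful", "x7!kq2Lp9#")    # different password on every service

    # Attempts 1-5 fail and trip the lockout; attempt 6 is refused outright.
    guessing = online_guess(guard, "gamer1", WORDLIST)        # ('locked', 6)

    # One try per account with the password leaked elsewhere: lockout never engages.
    leaked = {"reuser": "Summer2011!", "careful": "Summer2011!"}
    stuffing = credential_stuffing(guard, leaked)             # reuser 'ok', careful 'fail'

    # While locked, even the rightful owner with the right password is refused ...
    still_locked = guard.login("gamer1", "correct horse battery staple")  # 'locked'
    # ... until the window passes.
    clock.now += LOCKOUT_SECONDS + 1
    recovered = guard.login("gamer1", "correct horse battery staple")     # 'ok'
    return guessing, stuffing, still_locked, recovered


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the lockout check happens before the hash is computed, so an attacker cannot keep burning server CPU or harvesting timing against a locked account, and the unknown-user path still runs one hash so that response time does not reveal which user names exist. A lockout that the owner cannot lift is itself a denial-of-service lever (an attacker who knows your user name can keep you locked out), which is one reason services pair it with the "strong proofs" the letter mentions rather than relying on lockout alone.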