A black eye for Xbox customer service

The company does acknowledge that some of its staffers who answer 1-800-4MY-XBOX, the Xbox Live customer service line, reset passwords on accounts for people who did not actually own the so-called gamer tags.

The matter received wide attention last week after a frustrated user who had been locked out of the Xbox Live service, posted recordings of his calls with the help line. Microsoft initially said there was no security breach and blamed its users. But the company subsequently said it would review its customer service processes, including the retraining of its staff.

Larry Hryb, director of the Xbox Live team, and Stephen Toulouse, senior product manager in Microsoft's Security Technology Unit, talked to CNET News.com about what happened and what the company is doing to help prevent future account hijacks.

(Xbox Live is offline for maintenance on Tuesday. The outage was planned many months ago for an upgrade and has nothing to do with the security issues, the company said.)

Q: What happened?
Hryb: Early last week, we first heard about the Xbox Live network being hacked, which obviously raised a lot of concern in our team. Our network engineers looked right into it and it turned out that wasn't the case.

If the security of your system wasn't compromised, how did accounts get hijacked?
Hryb: It turns out that some accounts may have been compromised as a result of pretexting through our support center.

What does "pretexting" mean?
Hryb: That means social engineering. Basically, the bad guys were calling up and claiming to be people that they were not. They had obtained personal information or some type information and then were able to social engineer our support department into revealing some information that should not have been revealed.

What happened to Xbox Live users as a result of that?
Hryb: A small number of accounts were compromised. This allowed the bad guys to recover that gamer tag and go online and play as that person. Consequently, that person obviously doesn't have access to the account anymore. And they need to contact us and we need to get them back into control of that account.

There were some people who claimed charges were run up on their credit card to buy "points," the virtual currency on Xbox Live. How does that happen?
Hryb: Xbox Live Marketplace is a vibrant online space. In North America, we're selling high-definition movies and television and gaming content. If there is a credit card attached to the account, you can purchase points, but only up to a certain amount. Also, you can only redeem those points on the Xbox Live Marketplace; you can't go over to Amazon.com and start ringing up charges. It is a very tight system; all you can really do is download content. Points are also tied to an account. You can't move points to another account.

What's the maximum amount of charges people could incur?
Toulouse: There's a cap to the number of points you can have at any given time: 10,000. The attacker would have to buy two 5,000-point packs, which is about $59 apiece. They'd be maxed out at that point. They'd have to spend those points in order to buy more. We don't know each individual case--that's what we're investigating--but the attackers are limited to what they can do and what they can download.

Are there games on Xbox Live where a player could be robbed of items collected in a game after their account gets stolen?
Hryb: On one or two of the titles, you can send a character, but there is no in-game monetary value to that. It is not like World of Warcraft where you can get cleaned out of your loot and you're going to miss all your 50,000 gold pieces. That doesn't happen; we don't have that ability on our service.

What is being done to avoid the abuse of the Xbox help desk by account hijackers?
Hryb: (Security researcher) Kevin Finisterre contacted me directly and forwarded some audio files which, frankly, were a little painful. We have mobilized the right teams and we're doing a top-to-bottom look at what the process is. We're straightening things out, we're retraining staff, we're making sure that we're doing everything we can to reduce this kind of social-engineering attack. The changes are in place and they are continuing to go into place.

Do you have any idea how many people did have their accounts compromised?
Toulouse: We're still looking at it. I can't give you a hard number, but I don't think it is that large. When someone's password gets reset, we know that. The problem is that there are people that had their password resets because they really needed that done and there are people that had their password reset because of pretexting.

How long do you think this has been going on?
Toulouse: There are a couple of things that go on. There is someone who communicates with somebody else and grabs enough personally identifiable information to then try and pretext the account through the support center. We are looking as far back as we can to understand in what types of situations this has occurred. It doesn't matter how long it has been going on, it has to stop.

Are you planning any action against the folks who did this, if you can find out who they are?
Toulouse: If the results of the investigation give us details that could be relevant to law enforcement, then absolutely we're going to pursue that angle.

Has there ever been an actually break-in on Xbox Live or has the security of the service held up so far?
Hryb: The absolute security has held up so far. The information that users log on with, we take that very carefully and we're very proud of the fact that it has got military-grade security for the Xbox Live network. The console itself is very secure. We're happy with the fact that the console and the network have not been compromised.

What do you hope to do when it comes to your help desk and users?
Hryb: We want to continue to make sure that our users feel comfortable with the Xbox Live service. It is the largest online console service in the world. We want to make sure that they are comfortable with their transactions. We also want people to understand that if they feel like they have a problem with their account, we're going to be putting steps up on Xbox.com/support on how to make sure that their account is secured and OK.