Friday, February 3, 2012

Beware, Xbox owner! You could be hacked!

The morning after our last video games club - December 30th, 2011 - my husband turned on our Xbox to download some games for the next video game club. We purchased some awesomely on sale points over Christmas, and we thought it was time for a shopping spree. He couldn't get into our account. He called me, "What's your favourite childhood movie?" He knows the answer, but he wanted to make sure. It had been changed! He called Xbox to find out that someone had hacked into our account, then changed our e-mail address, password, and security question. They had spent most of our points as well. (About $80 worth or so...)

Over the next few days - I want to say a week or so - we watched this hacker play Guitar Hero: Aerosmith, Mega Man 9, Gears of War 3, and other games under our name. We watched him spend our points, even though we had reported to Microsoft that he was not us! Microsoft eventually restricted the account so no one - including us - could use that name, but five weeks later, nothing has been resolved.

How did this happen? We have no idea! We're careful - very careful - about security. Raymond's a computer programmer by trade, so he knows all the things we need to do to be safe. There's no way anyone could know my password - I forget it half the time! - and we don't keep a credit card on the file for this very reason. We don't use Xbox Live - other than the things like seeing if our friends are on-line or seeing the leaderboards for Rock Band - mainly because Raymond doesn't like being called horrible names by little kids...

This could have been easily prevented by having Microsoft send out an e-mail that said, "Hey! It looks like you're trying to change your e-mail address, password, and security question. Are you sure you want to do that?" (And God knows, Microsoft products love to ask "Are you sure?" "Are you really sure?" "Are you ultra-mega-double-dog-serious sure?" when you want to do something as simple as exit Microsoft Word!) I would have clicked "no" and life would have gone on as normal. Instead, we've waited 5 weeks with one e-mail as communication.

I wanted to share this with you to remind you to stay on guard, and to let Microsoft know that I'm not going quietly on this matter. They haven't been in communication with us. They wrote us an e-mail on January 11th and told us to quote the reference number and use that address if we had questions, but it's an unmanned alias, and the bounced back e-mail told us to visit their site to find out how to make a complaint. I called them last week, and was told by a very nice operator that he couldn't give me a time for when this might be resolved, but it won't be more than a month because it is a very hard case because our region was changed. It won't be more than a month? Eight weeks to solve this problem? This is blatant theft of our property (our Xbox points) that they allowed to continue, even after my husband reported it! I guess I'm just grateful that we didn't have a credit card attached to the account...

If it weren't for the fact that we've invested so much money into the Rock Band equipment for the Xbox, I'd move to the Wii permanently. The kids love it for Super Smash Bros and Mario Kart. Plus we can use Game Cube games in it. 

Another week has gone by and I'm posting this to the blog in the hope that this doesn't happen to you, and, if it does, that you will do what I'm doing now, which is annoying them and making them public.

If you need to get in touch with Microsoft call 1-800-469-9269 (North America). I put this here because it's really hard to find! 

Update: After a phone call to Microsoft, I am no further ahead. Last week, I was told the reason it was taking so long was because the hacker had changed regions. This week, I'm being told that my region wasn't changed. (So why is it taking so long?) Luckily, our file has been transferred to the case wellness manager, who will forward it on to the unauthorized access team, who will read it....and what? They won't return our call unless we need more information, but it's hoped they will be able to speed up reinstating our file. I'm not holding out much hope...

Towards the end of the call, Travis (the manager of the front line) told me that he had updated our file with the information that I wanted someone to call me. This doesn't mean that someone will call me, just that they know I want to be called. "They could be finishing up the case today...", but he acknowledged that we would know what was going on before his team did and that there was no basis for this statement. He did point out that the unauthorized access team wrote to us on January 11th (to tell us they had started the investigation and so sorry that it had taken so long to get around to it) and they had 30 days to get in touch again. But they wouldn't be in touch unless they needed more information from us.

Oh, and they implied it was our fault that we were hacked by saying, "They get into it through your e-mail address..." Hmm. I need to know more about that! Are they implying that I shouldn't be giving out my e-mail address? That's kind of the point of an e-mail address! I give it to you, so you can find me!

An aside...I'm getting really tired of big companies where no one takes any responsibility for the company's actions. I'm tired of not getting an apology, when it really is very easy to offer one. I'm tired of "statements of empathy" (I understand how you feel...no, you don't because no one can know how I feel because no one knows how anyone feels!) and wouldn't mind a little real empathy. I'm tired of hearing about the company's policies. (They're policies, not the law!) I'm tired of dealing with front line staff whose only goal is to not be yelled at for a few minutes. I'm just plain sick and tired of dealing with companies where nobody is authorized to do anything but try to get you off the phone, regardless of whether they've solved your problems or not.

I am trying to make 2012 the year of supporting my local by shopping in owner operated type stores (click here for a post on this topic) and I really suggest that you do, too. More about this tomorrow. 

2 comments:

kimbo said...

Susan, you have raised a really important issue- lack of corporate responsibility. I am very concerned because my son is constantly on XBOX live and I know how easy it is today for an account to be hacked. Don't give up and don't let them brush you aside, keep calling back and each time ask for an upper level manager or supervisor. Good luck, rooting for you!
Kimbo

Anonymous said...

http://www.eurogamer.net/articles/2012-01-13-is-this-the-hack-used-to-exploit-xbox-live-accounts

Also, there are a lot of people playing EA FIFA who have been hacked.