Friday, July 16, 2010

XBox Live and the lack of security

I received a frantic call from a parent friend of mine last night. His credit card had been charged with some XBox Live purchases. His son denied all knowledge of this and he was worried that someone had hacked the account.

The outcome was that the son had done it "by accident", but working this out threw up some concerns about the XBox Live service.

Firstly, you log in with your Gamertag. Now here's the quote from Microsoft on account creation:

Once you've created your account, you can sign in at any time and set up additional controls for Xbox LIVE access:
  • Set a secret pass code for sign-in.

So you don't have to set up a pass-code? You can just sign in with your Gamertag, the one that's publicly displayed every time you play online?

So what is your pass-code? Note that for my PSN account you sign in with an email address, not your publicly displayed name, plus an alphanumeric password. How secure is that? Well, it can use the full 26 letters plus 10 numbers, has to use both, and has to be over six characters long. The XBox Live password uses the controller keys, so that's the face and shoulder buttons, and is only four 'characters' long. Wow!
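A quick back-of-envelope comparison of the two keyspaces described in that paragraph. This is an added example, not code from the original post; it assumes the console pass code is four presses drawn from eight controller buttons (four face buttons plus four shoulder buttons/triggers, as the post describes them, the count is an assumption) and reads the PSN rule "over six characters" as a minimum length of seven.

```python
"""Keyspace comparison for the two sign-in secrets described above.
Added example, not from the original post."""
import math


def keyspace(alphabet_size, length, require_letter_and_digit=False, letters=26, digits=10):
    """Number of distinct codes of exactly `length` symbols.

    With require_letter_and_digit=True the alphabet is the `letters` + `digits`
    symbols and codes made only of letters or only of digits are excluded
    (inclusion-exclusion: total - letters-only - digits-only).
    """
    if require_letter_and_digit:
        if alphabet_size != letters + digits:
            raise ValueError("alphabet must be exactly letters + digits")
        return alphabet_size ** length - letters ** length - digits ** length
    return alphabet_size ** length


def entropy_bits(space):
    """Equivalent bits of entropy for a code chosen uniformly from `space` codes."""
    return math.log2(space)


# Assumptions (the post gives descriptions, not numbers): the console pass code
# is four presses drawn from eight controller buttons (four face buttons plus
# four shoulder buttons/triggers); the PSN rule "over six characters" is read
# as a minimum of seven.
CONTROLLER_BUTTONS = 8
PASSCODE_LENGTH = 4
PSN_ALPHABET = 26 + 10
PSN_MIN_LENGTH = 7


def compare():
    """Return the size and entropy of each keyspace and how many times larger the
    shortest valid PSN password space is than the controller pass code space."""
    passcode = keyspace(CONTROLLER_BUTTONS, PASSCODE_LENGTH)
    psn_unconstrained = keyspace(PSN_ALPHABET, PSN_MIN_LENGTH)
    psn = keyspace(PSN_ALPHABET, PSN_MIN_LENGTH, require_letter_and_digit=True)
    return {
        "passcode_space": passcode,
        "passcode_bits": entropy_bits(passcode),
        "psn_space": psn,
        "psn_bits": entropy_bits(psn),
        # The "must contain both" rule removes letter-only and digit-only codes,
        # so it shrinks the space slightly rather than growing it.
        "psn_space_without_both_rule": psn_unconstrained,
        "ratio": psn / passcode,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value:,}")
```

Under those assumptions the four-button code has 4,096 possibilities (12 bits), while the shortest valid PSN password has roughly 70 billion (about 36 bits), some 17 million times more. Note also that a composition rule such as "must contain both letters and digits" removes codes from the space rather than adding to it; it only helps against guessers who would otherwise try letter-only or digit-only candidates first.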

[Update 19/7 - After asking on p.o.t., Darren tells me there's a passcode to prevent unauthorised access to the console and a password to access the online parts. The latter you are prompted for at creation. Therefore the account should be safe despite knowledge of the Gamertag]

It also states here that you can modify your billing profile, including updating your credit card details. This is true, except that you can't delete a credit card; no wait, sorry, not quite true: you can delete your credit card provided you've given them another valid credit card's details.

Again, I'll just put that in bold to emphasise the stupidity:
Once you give XBox Live a credit card's details they must always have some credit card's details.
My friend had already noted this stupidity and tried to invalidate the card by changing it so the expiry date had... well, expired. No change; turns out they don't care so long as the long number is correct, that's it, despite the note
If your credit card or debit card expires, you'll need to modify your billing information for your account
Seems not.

[Update 19/7 - again from p.o.t.: You can't delete a credit card linked to an active subscription, despite the fact that payment has already been taken]

Anyway, just running back to the start of the problem, I advised him to access the Marketplace and check for any contact/refund/dispute information there. Turns out there isn't any. All sales are final, end of story.

The child in question claimed he was trying to access demos, hit the wrong button, and it happily proclaimed "Thanks for buying this". Not having an Xbox or having witnessed a purchase on one, I don't know how valid this is; I'll have to check in with others (hmm, I'll also ask on p.o.t.)

[Update 19/7 - p.o.t.: If it's possible to buy something then it is easy to do so: "The choice is the same screen as the demo downloads (which they "sell" you for $0, basically)"]

Okay, I'm guessing that my friend didn't set the account up properly: they should have created their own profile with credit card info etc. and then created a child account that wouldn't have said info. Except how does that work? If the child wants to buy something, is it still attached to the parent account, or do they have to call their parent in to authorise it? Does the parent just transfer over money in the form of points that the child can spend how they like? I don't know.

However it goes, given the fact that this particular friend is tech-savvy and I assume most parents aren't, I wonder how many XBox accounts are set up to allow the child to download what they want, charging the non-removable credit card using an unprotected account?

4 comments:

Orphi said...

Hey, as long as MS get paid, why would they care? :-)

FlipC said...

Well, at least Darren's set my mind at rest about the account and I'll pass the details on to my friend.

But he did acknowledge that buying stuff is easy when the account is set up to allow it. So the son's "I was trying to download a demo" has some credibility if you consider that you are presented with the same screens for Free items as well as Pay-For items.

Add in "all sales are final" and yeah money, money, money.

Anonymous said...

The son knew exactly what he was doing. Heard this story several times and the kids always play the fool!

Xbox Live is as safe as you like. Tell the parent to go and buy a Microsoft Points card and redeem it on the Xbox; then he can remove his credit card details and he knows the son only has a maximum of ...... points.

Also, Microsoft will take money at the blink of an eye; there are no confirm screens or "press next to continue". As soon as you press download you have paid for it.

Hope this helps

FlipC said...

From what I gather they've turned off the auto-renewal of the subscription; let it run out, and then been 'allowed' to remove the credit card details. They'll be using the points cards from now on.

As he said after all this fuss "If I'd known how easy it was to buy things and how difficult it was to not allow it [i.e. remove the credit card] I'd have been using the points cards from the beginning"