Xbox Live fraud: Xbox.com security secretly tightened - report

Brute-force entry no longer as easy.

Microsoft may have already tightened security on Xbox.com - the website blamed for allowing brute-force entry to Xbox Live accounts.

Jason Coutee, the IT consultant who revealed the weak underbelly of Xbox.com, informed Eurogamer yesterday that something had changed.

"Shortly after IGN posted the Microsoft response (on Friday), the server over at Xbox.com started handling the brute force script differently," Coutee told us.

"Good news is that at least they lengthened the time it would take to brute-force Live IDs."

Jason Coutee, IT consultant that uncovered Xbox.com weakness

"Before, it would just let you try over and over. But now it seems that, even though I'm still able to use the link to get past the CAPTCHA, they handle the sign-in request on the server in a way that it will stop replying after about 20 attempts.

"To me, this seems like they tightened security but didn't make any noticeable changes on the front-end so they could discredit me.

"Good news," he added, "is that at least they lengthened the time it would take to brute-force Live IDs."

Microsoft shared the statement - issued at the weekend - with Eurogamer this morning.

"The online safety of Xbox Live members remains of the utmost importance, which is why we consistently take measures to protect Xbox Live against ever-changing threats," the company declared.

"Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it.

"We continue to evolve our security features and processes to ensure Xbox Live customers' information is secure.

"Online fraud and identity theft are industry-wide problems and, as such, people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable."

"This is not a loophole in Xbox.com. The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."

Microsoft

Microsoft pointed to the "Xbox Live Account Security" article as a helpful resource.

Microsoft also reiterated its stance on this break-in being an isolated exploit of an Xbox.com loophole.

"This is not a loophole in Xbox.com," Microsoft rejected. "The hacking technique outlined is an example of brute force attacks and is an industry-wide issue."

Last week, Eurogamer helped expose the brute-force method being used to access - and subsequently fraudulently use - Xbox Live accounts. It boiled down to being able to infinitely try Windows Live ID passwords on Xbox.com. A script to automate this procedure is apparently simple to produce and readily available online.

The issue of Xbox Live accounts being fraudulently used stretches back to last autumn and to FIFA 12 - the game fraudsters were buying and reselling FIFA Ultimate Team content for.

How widespread the issue is, is hard to gauge; each time we publish a story, another half-a-dozen victims get in touch and share their story (please keep doing so, incidentally).

Comments (59)

Comments for this article are now closed, but please feel free to continue chatting on the forum!