Microsoft is taking "aggressive steps" to combat the recent surge in Xbox Live account hijackings but also needs gamers' help to stamp out cyber-theft, according to the service's general manager.
An open letter from Alex Garden published on Major Nelson's blog today didn't explicitly reference the storied FIFA Ultimate Team exploit but did acknowledge that "account hijacking across the internet continues to grow".
"While we here at Xbox have no evidence of a security breach in the Xbox Live service, that is of little comfort to our members whose accounts have been compromised by malicious and illegal attacks," he wrote.
"It's in this vein I'm reminded how important it is to listen to you, our members - to really listen, to really hear and to really do something with what you say.
"I can assure you we are listening and continue to take aggressive steps to help protect you against ever-changing threats. We also care deeply about how this ongoing issue affects your experience with Xbox Live and your trust in us."
Garden went on to list a few of the systems Microsoft currently employs in an effort to make life harder for cyber-thieves.
"Some of the security measures we have in place to help protect our members include password-attempt throttling, CAPTCHA (an industry-standard anti-scripting measure designed so that an actual human needs to answer the challenge), strong proofs (trusted PC, pin sent to cell phone, secondary e-mail and security questions), and account lockout for multiple failed attempts and compromised accounts, which we investigate and recover to the rightful owner."
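The password-attempt throttling and failed-attempt lockout Garden describes can be sketched as a small per-account guard; the code below is an added illustration, not Xbox Live's implementation, and its thresholds, window and backoff schedule are assumptions chosen for the example.

```python
from collections import deque


class LoginGuard:
    """Per-account password-attempt throttling and lockout (hypothetical thresholds)."""

    def __init__(self, throttle_after=3, lockout_after=10,
                 window=900.0, lockout_seconds=3600.0):
        self.throttle_after = throttle_after      # failures before delays start
        self.lockout_after = lockout_after        # failures before the account locks
        self.window = window                      # seconds a failure stays counted
        self.lockout_seconds = lockout_seconds
        self.failures = {}                        # account -> deque of failure times
        self.locked_until = {}                    # account -> lockout expiry time

    def _recent(self, account, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, account, now):
        """Return (allowed, delay_seconds) to apply before checking a password."""
        if self.locked_until.get(account, 0.0) > now:
            return False, self.locked_until[account] - now
        n = len(self._recent(account, now))
        if n < self.throttle_after:
            return True, 0.0
        # Exponential backoff once throttling starts: 1s, 2s, 4s ... capped at 60s.
        return True, float(min(2 ** (n - self.throttle_after), 60))

    def record(self, account, success, now):
        """Record the outcome of a password check; returns the account's new state."""
        q = self._recent(account, now)
        if success:
            q.clear()
            self.locked_until.pop(account, None)
            return "ok"
        q.append(now)
        if len(q) >= self.lockout_after:
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "throttled" if len(q) >= self.throttle_after else "failed"
```

A per-account lockout on its own lets anyone who knows a gamertag lock its owner out by deliberately failing, which is why the measures quoted above pair it with CAPTCHA, strong proofs and a recovery process rather than relying on lockout alone.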
However, he also reminded gamers that they must take some responsibility for the security of their own accounts.
"Security is an ongoing battle. No matter how well we work to improve security - and we are working every day to bring new forms of protection to Xbox Live - our work will never end. With every measure we put in place, ill-intentioned people will create new ways to attack online services.
"That's why I believe it's more important than ever that our members are armed with information and security tools to actively partner with us in this war on fraud. We have a dedicated web page at http://xbox.com/security detailing all the steps you can take today to help protect your account."
That site lists a few of the most common methods used by thieves to illegally gain access to accounts:
- Social engineering to gather information about the user to guess the password
- Phishing, whereby the user types the account password into an illegitimate website that is pretending to be something else
- Malicious software on the computer that has captured the password
- Using the same password from another online service that has been breached
"I share these realities in hope that our members will work with us to reduce the ease of access for hackers," continued Garden.
"Personal account security starts with setting strong passwords and routinely changing them, using a valid email and a unique password for each online service, adding a phone number, alternate email address, and a unique and private security question via the Windows Live ID Account Management site, and reducing the amount of personal information shared online or through social networks.
"More and more, being mindful of where you log in to online services, even when not using Xbox Live, and using single-use codes, provides added protection, especially when you're signing in from a PC that isn't your own. Working together we can prevail over the criminals."
Garden added that Microsoft is committed to investigating cyber-criminals and botnets, and continues to put in place "security features and process improvements to help secure Xbox Live".
He also stressed that the company is working to improve its process for recovering compromised accounts.
"We have invested more resources in our account recovery process and as a result, for most new fraud cases we are now able to investigate and return accounts within three days," he wrote.
"For users who have added strong proofs to their accounts, this may be as fast as 24 hours. We still have a few cases that are taking longer to fully recover and some refunds are still being processed, but we're making great strides.
"We do not take lightly the frustrations we've heard from our loyal Xbox Live members and remain committed to addressing and persistently resolving our customers' individual and collective concerns," he concluded.