Security Watch

Keeping Track of patches and hacks in the IT security world.

Microsoft 'Fesses Up to Pretexting Goofs by Xbox Agents

After listening to audiotapes that executives found "painful," Microsoft has owned up to the fact that some of its Xbox Live support center agents have fallen for pretexting and have given away personal information that could have enabled pretexters to hijack accounts.

"The [Xbox Live] network isn't being hacked—[but] through working with [security researcher] Kevin Finisterre, we found out that people were socially engineering or pretexting our support center agents," said Larry Hryb, director of programming for Xbox Live, in an interview with eWEEK.

Finisterre "sent us audio files" of a conversation wherein Finisterre managed to get personal information out of a call center agent, in violation of Microsoft's Privacy Policy, Hryb said. "They were pretty painful to listen to."

Hryb said Microsoft has been "running around trying to make sure" that it addresses the ease with which its agents fall for pretexting, including investigating a number of reports of hijacked Xbox Live accounts and addressing the issue with support agents. "We've taken it down to the agent level, making sure we have the right processes in place," he said. "Clearly folks haven't followed the right processes. We're also doing some training with everybody on the front lines of the phone centers. This has affected everybody deep in the organization."

Microsoft Security Program Manager Stephen Toulouse told eWEEK in the same interview that the information given up by a support agent in the recorded conversation, including a gamer's address and gamer tag, represents a deviation from Microsoft's privacy policy and that Microsoft intends to "Make sure we re-center those individuals and make sure everybody adheres to" the policy.

Hryb told eWEEK he plans to post a message in his popular "Major Nelson" blog later today, thanking Finisterre for bringing the matter to Microsoft's attention and directing gamers on how to report any apparent misuse of their accounts as Microsoft continues its investigation into the pretexting and account hijackings.

Finisterre wasn't the first to attempt to bring this to Microsoft's attention. Gamers have been trying to get Microsoft to address the matter since at least September by posting to Xbox Live forums and alerting the support center.

When asked why Microsoft didn't take the matter seriously until Finisterre shared taped pretexting against Xbox agents, Toulouse said the complaints hadn't gotten the company's attention. "In looking at forum material, there's a certain amount that bubbles up to our attention," he said. "And there's a certain amount that can stay under the radar. When Kevin pointed out the audio files, we said OK, we want to make sure people are being careful. And then it became clear people were volunteering information."

At any rate, a true security breach can easily get lost in the haze of hubris on the gaming forums, where "There's a lot of misinformation floating around," Hryb said.

A more serious security concern than hijacked gaming accounts is the illicit access to other Live services that hijackers have boasted of attaining—a security breach that, if it exists, could affect Windows users who've never touched an online game. Such Live services contain credit card numbers, for example. Some gamers posting to Xbox Live forums have complained that their credit card balances for use in the Xbox Live market—for buying points, which are in turn used to buy games or game modifications—have been maxed out.

But Toulouse said there's no way that pretexters can get in and steal credit card numbers or other financially exploitable information, regardless of what gamers say.

"I think there's been some bragging beyond reality," he said. "They say they've gotten credit card numbers, well, no, they [haven't], because they're obfuscated. You get asterisks. You get the last four digits, and that's all you get. It is true you can try to get an address. We view that as very serious, and we're not trying to downplay that. We're just trying to make people understand what's possible and what isn't."
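The two controls described above, agents verifying the caller before disclosing anything and card numbers being stored and shown only as asterisks plus the last four digits, can be enforced in the support console rather than left to agent judgement. The following is an added example written for this article, not code from Microsoft or from the Xbox Live support system; the account fields, the verification question, the attempt limit and the sample record are all constructed for illustration.

```python
"""Added example (not the article's or Microsoft's code): a support-console view
that refuses to disclose account details until the caller has passed identity
verification, masks the stored card number to its last four digits, and records
every disclosure decision for later review. All names and values are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # constructed lockout threshold for failed verification answers


@dataclass
class Account:
    gamertag: str
    email: str
    address: str
    card_number: str      # full PAN as stored; agent_view never returns it unmasked
    secret_salt: bytes    # per-account salt for the verification answer
    secret_hash: bytes    # salted hash of the verification answer
    failed_attempts: int = 0


def hash_secret(salt: bytes, answer: str) -> bytes:
    """Normalise and hash a verification answer so the plaintext is never stored."""
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 50_000)


def make_account(gamertag, email, address, card_number, secret_answer) -> Account:
    salt = secrets.token_bytes(16)
    return Account(gamertag, email, address, card_number, salt, hash_secret(salt, secret_answer))


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*' (as the article describes)."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def verify_caller(account: Account, answer: str) -> bool:
    """Constant-time check of the caller's answer, with lockout after MAX_ATTEMPTS failures."""
    if account.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked: even a correct answer is refused until the lock is cleared
    ok = hmac.compare_digest(account.secret_hash, hash_secret(account.secret_salt, answer))
    if ok:
        account.failed_attempts = 0
    else:
        account.failed_attempts += 1
    return ok


def agent_view(account: Account, verified: bool, audit: list) -> dict:
    """What the agent's screen shows. Unverified callers get nothing but the lookup key."""
    if not verified:
        audit.append(f"{account.gamertag}: detail request refused, caller not verified")
        return {"gamertag": account.gamertag, "status": "verification required"}
    audit.append(f"{account.gamertag}: email, address and masked card shown to verified caller")
    return {
        "gamertag": account.gamertag,
        "email": account.email,
        "address": account.address,
        "card_number": mask_pan(account.card_number),  # never the full PAN
    }


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test PAN, not a real card.
    acct = make_account("ExampleTag", "player@example.com", "1 Example Street",
                        "4111 1111 1111 1111", "blue")
    log = []
    print(agent_view(acct, verify_caller(acct, "red"), log))    # refused
    print(agent_view(acct, verify_caller(acct, " Blue "), log))  # masked view
    for line in log:
        print("audit:", line)
```

The point of the design is that the agent cannot volunteer an address or a card number by mistake: the console simply does not render them until `verify_caller` has succeeded, the PAN is masked before it reaches the screen, and the audit list gives the investigation trail the article says Microsoft is now having to reconstruct from recordings.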

In the meantime, gamers have been shut out of playing games that they've paid for. Will Microsoft compensate them?

Toulouse said Microsoft is in fact looking into "what we'll do to make it better for them."

"We're still investigating," he said. "That's why it's very, very important that a customer follow steps we'll post later on [to determine] that the account is as it's expected to be, and if it's not they can call and we can register that. That's absolutely something we're looking into."