This is the last picture of my avatar, before I called Microsoft on November 21, 2011. He was wearing an Assassin’s Creed Desmond Hoodie and holding a Windows Phone 7. Have you seen him? I miss him. He’s needed in my man cave – to assist in killing time, hook-blading over roof tops, piloting tanks, tracking criminals as the Dark Knight and playing games of yester-year (NBA Jams). While he is no longer in the clutches of an evil hacker, he is being detained by Microsoft pending a security review.
On November 21, 2011, he was avnapped. Avnapped you say? Think avatar and kidnapping… I define avnapped as what happens when your virtual online identity is taken against your will and held for an indeterminate amount of time. It can encompass both the time where nefarious acts are done and also the time where the virtual online identity is restored. This isn’t identity theft – that is something much different, stealing credit card numbers and opening bank accounts versus the spending of virtual currency and posting undesired things on your Facebook wall.
As for avnapped, feel free to use it in a sentence with your friends. You’ll sound very cool. Watch it catch on on Twitter by using the #avnapped tag. You’re welcome, have a good day.
For those of you who came along for the FIFA XBox hack account, please read on or just take my simple advice: change your password to your bank accounts and other important accounts (like XBox) often, DO NOT use those same passwords on other sites, and use another equally complex password for your secret question. I’m a software engineer by trade so I consider myself to be quite diligent with my online security practices. This experience taught me a lot more about password management.
Update – 1/10/12
Another call to Microsoft delivered some disconcerting news. Since November, my entire case was never escalated to the Unauthorized Access team. I respectfully delivered my malcontent to the customer service agent. I had a choice – either forfeit the MS Point losses or start the whole process over again. I said screw it and took the loss. Within the time it took to turn my XBox on, my account was unlocked and my avatar was back. I am still jaded. Microsoft – you failed this customer. Your whole resolution process failed. At least six customer service representatives touched my account through this process and no one figured this out?!?! Shame on you!
Update – 2/13/12
About a week or two after the last encounter, I was at work and got a text message that my login details had changed. Immediately I log back onto the site and set my credentials, changing my password but not my secret question. I get a text message informing me that my login details had changed, but then shortly later, I get another one saying they had changed again. I went to login and my account was locked. Thinking it was an auto-lock (from changing too many times), I went home and logged onto the XBox and recovered my gamertag. I pored over all the areas where I could have gotten hacked and came down to one option, either it was indeed a true compromise at Microsoft or it was one of my friends. I removed a bunch of friends that I didn’t know that well or hadn’t played with in months. About a half hour later, I get an email from the Microsoft security team saying they had completed their investigation and refunded my MS Points. While I’m glad everything got resolved, the whole thing was a horrible experience.
I listened to Major Nelson’s podcast this past weekend and heard Alex Garden talk about XBox Live security. I swear he read my website because he covered almost every point and piece of advice that I offered. If you haven’t heard the podcast, check it out and also read the open letter.
My Story
I was fortunate to have caught the hacker just as he added two achievements for FIFA12 and spent about 1200 MS Points on FIFA Ultimate Team packs. It’s been multiple calls back to customer support, each time they extended the estimate. For some reason, they didn’t get an alternate email address so it had to be re-inserted into the queue in mid-December. Obviously I won’t share my password, but I will tell you that it was similar to yummers67, a fairly secure password. I used it for my XBox Live account…and for a bunch of other accounts across the internet (my biggest mistake). There’s no way to track it back to one site as a particular culprit. From what I’ve been reading on the internet, others have been more secure and still gotten hacked. Phishing and viruses are quite plausible, but I run a Symantec-driven virus protection provided through my company. I doubt these could be the culprit. A third party attack or a compromised database would be more likely in my opinion.
Plausible Theory: If I was a crook with access to a database of usernames and passwords, I would be smart about using them. Utilize a few here, a few there and you can chalk it up to things like phishing and viruses because it’s an EASY excuse. Do you know anyone that has never gotten a virus on a computer that was connected to the internet? I think that over time, the spikes would increase as greed would set in. If the passwords get changed and the stolen credentials don’t work anymore, who cares? On to the next database entry.
Outlandish Theory: A while ago, it was discovered that internet traffic was being redirected to China for a period of time. Even if it was encrypted, given enough time, one could grab the plaintext passwords or even crack the encryption for simpl-ish passwords/hashes. Once you’ve built a database, refer back to plausible theory.
I did some digging on Google Trends. I don’t have the graphics but around the time my account was hacked, the graphics stated that “fifa xbox hack” trended upwards in late September and spiked in October. Most of the searches (when I did my search) originated from the UK. What was popular around this time? Battlefield 3 beta, Assassin’s Creed Revelations UK game, and anything related to Batman: Arkham City. Is there a coincidence with the AC:R UK game? Not sure. Did I play it – sure did. Did I use the same username and password as my XBL account? Sure did. It could be another coincidence.
What I’m trying to say is that I believe that with the number of people that are talking about this on the internet, it’s more than just phishing or viruses. There’s an intelligent pattern behind it and there are tons of clues out there. Microsoft can’t interview every person to discover the common element. I tried offering information to the security team through my official service request at XBox Customer Support. They have yet to call me. Perhaps one day, we’ll see crowd sourced computer security. That would be a neat project – surveys that go out, interviews. Someone could make a lot of money doing that (don’t forget to send some my way). I bet there are more people out there that want to know the answer to the question,
“Where did I screw up and why did they do it?”
I want to know that answer. We all have some ideas of where we screwed up which is why it will be harder the next time. Hackers want data – because with data, they can make money. Your data is safe until it has value. No one cares about what I posted in TakingBetterPictures forum 5 years ago. It probably isn’t very valuable. Facebook? – potentially valuable. If I could impersonate your spouse, I could get passwords from you. Bank accounts – instant cha ching, however there is high risk to end up in jail for a very long time. Hacking a few XBoxLive accounts a year or handing out that information to other people who actually do the hacking – much less likely to be caught and put in jail.
So why don’t they cut off all FIFA ultimate team transactions? The hackers will just move on to some other method of spending our MS Points. They might even stoop to levels of just doing it to cause us problems or stick it to Bill Gates and his dastardly corporation. The last point – I believe this is here to stay. These hacks will continue to occur.
Microsoft Read Here –>
Microsoft needs to figure out three things:
If it’s not your fault Microsoft, then stop acting so secretive about things. Take #3 to heart. Everyone knows online security is fragile but no one wants to be hacked. I would have gladly changed my password if I had seen a video that said, “Hey guys, we’re seeing a higher than normal increase in unauthorized access cases. We suggest you change your password or check out these awesome security tips we’ve typed up for you.”
If you see my avatar, tell him I miss him.