What Alleged Xbox Live Hacks Should Teach Microsoft
Technology is one line of security defense, but alleged Xbox account intrusions show the risk people pose, including Microsoft's own staffers.
This afternoon, my colleague Lisa Vaas reported one verified incident where a Microsoft staffer gave out an Xbox Live gamertag based on false information. The person seeking the gamertag picked a random name and location; the gamertag was not his own.
Her story follows numerous reports on online forums about stolen or subverted Xbox Live accounts. In a statement provided by Microsoft last night, the company claimed: "To our knowledge, there has been no compromise of the Xbox Live network," and "to our knowledge, no credit card or other personal information was exposed."
The statement isn't a denial of intrusion or account pilfering, just a statement that Microsoft knows nothing about them. Based on the recorded phone call Lisa heard today, at the least, one gamer's personal information was indeed exposed by Microsoft.
In fairness, Microsoft isn't the only one at risk. The same kind of social engineering tactics could be used to obtain account information from other companies. For example, name, zip code and last four digits of a credit or debit card would be enough to gain access to some accounts for resetting the password. I tried this method on some of my online accounts a few years ago, with some success. Of course, I knew the last four digits of the credit card number. But the information wouldn't be tough to get, as many credit card receipts include those four numbers.
However, Microsoft's response is the issue. Denial.
Xbox Live account access isn't the only area of denial. Windows Genuine Advantage is another. Many Microsoft Watch readers complain of receiving false positives, of software they claim is legitimate being identified as counterfeit. Microsoft's stated position is that the real number of false positives is way less than 1 percent. It's minuscule.
Back in November, my mom's PC, which I set up and sent to her, started displaying a counterfeit pop-up. Her Windows XP Professional failed to validate. That sure sounded like a false positive to me. In December, a Microsoft support technician troubleshot mom's computer and found that a corrupted cryptographic key caused the computer to issue the pop-up.
Microsoft never acknowledged a false positive, however. Instead, I was told that the computer passed validation, but the corrupted crypto key generated the counterfeit pop-up notice. Huh? I guess WGA validation issues a false positive only when Microsoft says it does.
Denial.
Without forensic proof, it's Microsoft's word against the customer's. In my mother's case, Microsoft conducted the forensic analysis, which it could interpret.
Lisa asked me yesterday: In the absence of hard forensic evidence, who is more believable, a company like Microsoft or the people claiming a problem? The answer isn't easy.
Public companies have a conflict of interest and reason to want to mitigate any bad news. Microsoft's statement, which I regard as carefully worded, is a good example. Today, I saw headlines like, "Microsoft: Xbox security wasn't breached" and "Microsoft says finds no Xbox Live security breach," based on the statement. But Microsoft's statement doesn't definitively say there was no breach, just that the company has no knowledge of one.
People complaining of problems might have mixed motivations, too, or simply could be mistaken. Their believability is subject to interpretation, too, in the absence of forensic analysis. Lisa took a good approach, by obtaining evidence that someone representing Microsoft gave out gamertag information to someone who isn't the account holder.
If enough people complain, the sheer number of complaints increases credibility, too. Additionally, people with evidence of fraud, such as a credit card used to purchase Microsoft Points, also have credibility even without forensic evidence.
Microsoft can deny there is a problem or claim no knowledge. But there is knowledge, in Lisa's story and on Microsoft's very own Xbox forums.
Denial is a way of mitigating public relations problems. But it's an unsound approach to good customer relations.


Comments (1)
According to the latest coverage/s, this turns out to have been a case of social engineering. Nevertheless, a good model of security should prevent such large-scale abuse of the system. The denial, just as you say, is a recurring pattern and example of arrogance, in my humble opinion. Consider the following article:
Microsoft : Arrogance leads to Vulnerability
,----[ Quote ]
| Chatting with the Microsoft senior sales people, I was struck by
| their incredible arrogance. They know the company's products are good,
| but they have no qualms whatsoever about charging top dollar as a
| result.
|
| It reminds us how Microsoft used to behave when it comes to their
| products' security records. IE5 and 6 were nothing short of being
| proper Swiss Cheese with loads of holes in them but hey, they had 95%
| of the browser market at that time and couldn't care less.
`----
http://securityblog.itproportal.com/?p=514
Naturally, my comments here are critical rather than supportive, but balance is important where it is justified.
Posted by Roy Schestowitz | March 23, 2007 8:13 AM