
Tips for securing your Xbox Live account

[Dtoider Magnalon has some great tips to protect your Xbox account from being hacked. - Kauza]

Lately, we've been hearing stories of an increasingly alarming Xbox Live hacking issue, and the lack of care and concern that Microsoft has exhibited in some cases. Sure, just being hacked is beyond inconvenient, but users also risk losing access to their accounts for extended periods and the horrible possibility of having to speak with Xbox support. Yikes.

In light of all of these issues, I thought it would be a good idea to share some security tips. Read on to learn the best ways to avoid having to put yourself through a Microsoft nightmare.

Choose a strong password

There are many schools of thought with regard to passwords. My philosophy is "you can never be too complex as long as you take the time to remember it". While this comic comically indicates that a longer, simpler password is more secure than a shorter complex one, a longer complex password is not out of the question, provided you're willing to learn it. The comic does have a point though - passwords under ten characters, even in "l33t speak", are easily compromised. If you're not comfortable with complex passwords, let Xbox Live be your first exercise.
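The length-versus-complexity argument above can be checked with a rough guess-cost model. This is an added example, not part of the original post; the word list, the 11-bits-per-word figure (a 2048-word list) and the one-bit-per-substitution rule are assumptions chosen for illustration.

```python
import math

# Constructed stand-in for an attacker's word list (assumption, not from the article).
WORDS = {"correct", "horse", "battery", "staple", "password", "dragon", "xbox"}
WORD_BITS = 11.0                 # assumed: log2(2048), one word from a 2048-word list
SUFFIX_BITS = math.log2(43)      # one appended digit or symbol (10 + 33 choices)
UNLEET = str.maketrans("4@310$57", "aaeiosst")  # undo common l33t substitutions


def brute_force_bits(pw):
    """Bits to exhaust every string of this length over the character classes used."""
    if not pw:
        return 0.0
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool)


def count_words(s):
    """Fewest dictionary words that concatenate to s, or None if s cannot be split."""
    best = [0] + [None] * len(s)
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[-1]


def dictionary_bits(pw):
    """Cost under a word-based attack: words + l33t/case mangling + appended suffix."""
    best = None
    for cut in range(len(pw), -1, -1):
        core, suffix = pw[:cut], pw[cut:]
        if any(c.isalpha() for c in suffix):
            break                      # a suffix is digits/symbols only
        norm = core.lower().translate(UNLEET)
        n = count_words(norm)
        if not n:
            continue
        mangled = sum(a != b for a, b in zip(core, norm))  # 1 bit per altered char
        bits = n * WORD_BITS + mangled + len(suffix) * SUFFIX_BITS
        best = bits if best is None else min(best, bits)
    return best


def estimate_bits(pw):
    """An attacker uses the cheapest strategy, so take the smaller estimate."""
    d = dictionary_bits(pw)
    b = brute_force_bits(pw)
    return b if d is None else min(b, d)


if __name__ == "__main__":
    # Constructed sample passwords for illustration.
    for pw in ("p4ssw0rd!", "correcthorsebatterystaple", "kT9#vQ2m!xLp"):
        print(f"{pw:28} naive={brute_force_bits(pw):6.1f}  realistic={estimate_bits(pw):6.1f}")
```

The short l33t password looks like about 55 bits to a naive meter but costs roughly 18 under a word-based attack, while the four-word passphrase is worth 44 bits because of its word count, not its 25 characters.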

Make sure this password is only used for Xbox Live. A number of people are claiming that they use the same password for their EA account, which is linked to their Live account, and this may be causing issues (the same can be said for Activision's Call of Duty Elite, and Ubisoft's uPlay). To avoid spillage, make sure you change this password every so often. You can change it every month, or every few months if you wish.

Additionally, it doesn't hurt to update your information and secret question/answer, so that you can recover your information from Xbox Customer Support in the event you forget your password.

Do not link your Credit Card or PayPal to Xbox Live

As a general rule, you can buy cards at major retailers for both subscriptions and Microsoft Points (MSP). This is easily the most secure method of conducting business over Xbox Live.

However, in some cases you will need to link some method of payment - for instance, Microsoft will require you to input a method when buying the Xbox Live Gold Family pack, or any other special offer found through Xbox Live or Xbox.com exclusively. You can subvert this requirement by grabbing a Visa Credit Gift Card from pretty much anywhere. Unfortunately you'll have to pay $2-5 in fees to nab this card, but as long as it has an expiration date and CVC number on the back, you're good to go.

As a last resort, for people who are against limited payment options, linking PayPal can be acceptable as long as it's not linked to your bank account, but I'd recommend the above two options. Keep in mind that Microsoft stores all old credit card information - you can clearly see it on your Live homepage in account settings. While this is most likely encrypted (and a hacker would only be able to view the last 4 digits of the card), it's still a security issue, so link cards at your own risk.

If you're having issues with removing a card, even with auto-renewal off, it is most likely because this card is associated with your Xbox Live subscription. To get out of this, attach a pre-paid Visa card (after you link it to the account as the "second" payment method), then switch your account over to that card, then delete your primary "real" card.

Beware of Social Engineering

This goes beyond the typical "do not respond to random Xbox Live messages of people asking for your password promising Call of Duty prestige levels". Social Engineering can be as simple as someone you know finding your password written down near your computer. It can be as complex as someone stalking you over the web using your alias, Gamertag, or description in your Xbox Live Gamer Profile, to find PII to use against you in a hack attempt. People will also attempt to find information through means such as community profiles, Facebook, Twitter, Raptr, or other such gaming communities.

To be blunt, make sure you're not putting too much information out on the web. There's an old saying - "once it's on the web, it isn't coming out". Watch how much PII you put into your Xbox Live Profile. While you may think it's OK to state your exact address and full name, the wrong party can easily use this information to either steal your account by calling Xbox Live Customer Service, or locate more information about you online.

I've literally seen people take pictures of their Government IDs and share them over public Facebook posts to show how proud they are of their new job. Always make sure you're thinking twice over what you put on the internet.

Beware of Software Attacks

Social Engineering is a security compromise based on human interaction and trickery, but software and machines can also compromise your account. Keyloggers are malicious programs that can detect keystrokes and passwords, and enable hackers to access your information. Internet pirates are probably familiar with "keygen" software and other such programs - these can be Trojans, and install software on your machine. Additionally, things as harmless-looking as Windows Media Player videos and internet links can install software as well, through loopholes in WMP and IE. As a general rule, do not use IE, and do not use WMP - when you download a video, attempt to open it in a third-party program (I use VLC).

However, despite how hard you try, 99% of the computers in the world will get a virus or two in their lifetime, but there are a number of ways to combat these breaches. You can install a host-based firewall/intrusion detection system (Windows comes with one for starters), Adware/Spyware removal, and Anti-Virus software.

A word of warning: be careful with Anti-Virus software - oftentimes the software will prey on users, and will be malware itself - even from reputable companies. For instance, I refuse to use Norton because of how much it can make a mess of your system. I like Malwarebytes and AVG - both have free versions that offer less protection. Ensure that your firewall is constantly running, and your software runs automatic updates and checks (at a convenient time, like when you're at work or asleep) every day. The key is to keep the software updated, to avoid zero-day attacks.

While this may seem like it's the ramblings of a paranoid android, keep in mind that you can never be too secure.

Feel free to follow as little or as much of this as you're comfortable with.









Ckarasu's Avatar - Comment posted on 01/13/2012 15:06
Ckarasu
If you want to avoid getting viruses, I'd recommend getting Sandboxie, and then installing noscript and adblock+. Sandboxie runs anything you want it to in an isolated "sandbox", which does not interact with anything else in your PC. If it gets a virus, you just need to delete that particular sandbox and it's gone. They do admit that there are some viruses that can get past it, but you probably wouldn't encounter them. I've tested it, and it's made browsing the internet so much safer.
Chris Carter's Avatar - Comment posted on 01/13/2012 15:12
Chris Carter
I forgot to welcome extra tips! Go ahead and follow suit with Ckar if you have some!
SephirothX's Avatar - Comment posted on 01/13/2012 15:12
SephirothX
Props for pimping Malwarebytes. That shit works wonders when I have an issue.
Mr Andy Dixon's Avatar - Comment posted on 01/13/2012 15:58
Mr Andy Dixon
Fantastic guide!
Occams electric toothbrush's Avatar - Comment posted on 01/13/2012 16:04
Occams electric toothbrush
This is a great guide. Thank you very much.
Ckarasu's Avatar - Comment posted on 01/13/2012 16:16
Ckarasu
Well, aside from the obvious recommendation of Spybot Search and Destroy, and Malwarebytes, I don't have much else. Avast! Antivirus works wonders, as it can exist with Malwarebytes and will provide active coverage.

If you should find yourself infected with a virus, you simply need to run your computer in safe mode and run a scan. Run the programs as administrator, if there are problems scanning. Be sure to immunize with Spybot often, and update it. Always do full scans every month, and basic scans every week. Store any important data on a separate drive (do not take it with you anywhere unless you need it) to help prevent further theft. And, finally, backup data often.

Added with my previous advice, this should prevent 90% of the problems most people tend to have. Oh, and don't go on any "strange" sites. That's a given, though.
knutaf's Avatar - Comment posted on 01/13/2012 16:34
knutaf
I sent out some similar tips to some buddies a while back. I'm actually going to amend your second suggestion, not to store a credit card info. As you correctly noted, they store all old credit cards in their system. One way to verify over the phone that you are the real owner of the account is to provide full billing information for any credit card EVER on the account.

I recommend adding a credit card, maybe making a small points purchase with it (not sure if necessary), and then removing it. Then you'll be able to provide that old billing info if you ever need to prove that you are the owner, maybe in the situation where someone hacks you and changes your security questions.
tekbunny's Avatar - Comment posted on 01/13/2012 16:53
tekbunny
i want my fucking left arm back.

also, thanks for posts like these to help the community. i am personally not and don't see being an xbot anytime soon, but it's great to see people doing their part to give back.
Alasdair Duncan's Avatar - Comment posted on 01/13/2012 16:57
Alasdair Duncan
This is good stuff, thanks man.
randombullseye's Avatar - Comment posted on 01/14/2012 06:33
randombullseye
Hey I'll give you some prestige levels if I can have your password.
TechnicolorDewDrop's Avatar - Comment posted on 01/14/2012 19:05
TechnicolorDewDrop
So exercise what should be common sense? Good to know!
DreamingDarklyRobin's Avatar - Comment posted on 01/14/2012 19:13
DreamingDarklyRobin
Thanks dad!

but seriously thanks.
Scissors's Avatar - Comment posted on 01/14/2012 19:18
Scissors
Congrats on getting front paged.
CoruptAI125's Avatar - Comment posted on 01/14/2012 19:20
CoruptAI125
I have to agree with Ckarasu on avast! It's my personal favorite antivirus and it has a free version that's not just a trial.
JQM78's Avatar - Comment posted on 01/14/2012 19:22
JQM78
I got hacked 3 months ago. They spent $80 on ms points (my bank closed my card due to suspicious activity)

It took a month to get my acct back..

I'll never give ms my cc info..

Also, the cs rep acted like it was an "isolated" incident..
Excel-2011's Avatar - Comment posted on 01/14/2012 19:23
Excel-2011
My siblings hate me for using a secure password on our wireless network as opposed to one they don't have to remember too hard. You have no idea how infuriating it is that they value ease of use over not having to call the fraud department.
MowDownJoe's Avatar - Comment posted on 01/14/2012 19:28
MowDownJoe
Sadly, Microsoft caps the length of your passwords at around 15 characters. Much too short to make your password "correct horse battery stable". Meanwhile, my Steam password fits that pattern much better.
Chris Creo's Avatar - Comment posted on 01/14/2012 19:30
Chris Creo
My password is usher, I just love that guy so much!
MechaMonkey's Avatar - Comment posted on 01/14/2012 19:31
MechaMonkey
Look at me: brain the size of a planet and I'm being used to secure Xbox LIVE accounts.
DAVYDOCK's Avatar - Comment posted on 01/14/2012 19:45
DAVYDOCK
Here's a tip, stick your tip in.. *Does a slight thrust*
Smo5000's Avatar - Comment posted on 01/14/2012 19:51
Smo5000
Great article Magnalon. I hope it helps prevent these damn fraud charges.

If you're skeptical about this article...don't be, it could save your XBLife.
tekbunny's Avatar - Comment posted on 01/14/2012 20:16
tekbunny
Grats on hitting the front page Mag!
Aequitas's Avatar - Comment posted on 01/14/2012 20:28
Aequitas
Good tips. It's unfortunate that in 2012 a post like this still needs to be written. Microsoft could certainly take steps to improve security on their side, but a lot of these incidents stem from users being straight up morons on digital security. Gogo Facebook generation. We're all doomed.
Rammstein's Avatar - Comment posted on 01/14/2012 20:34
Rammstein
Not to knock Magnalon's work(great article) but I've been an XBox Live member since its inception(2002) and have not had even an account 'scare.' That's not to say I am calling invincibility but that I don't have anything close to a similar experience in the last 10 years and find it strange that people are claiming it's a rampant issue.

I don't answer messages about 'prestiging' mostly because what idiot would actually do that? I'll prestige my own god damned self. I don't click on "FREE MSPOINTS!" messages or emails or anything similar. I don't even have that strong a password, shocker and I don't put any PII online. To top it off, I use a generic/common username.

In the 10 years that I've been an XBox Live member, just last month I received two emails in two days saying that my account had been renewed. Since I knew full well my renewal month was different, I got on the phone with 1-800-4-MY-XBOX and the dude on the other line was polite and extremely helpful, reassuring me that there was nothing fishy and that the reason for multiple emails was because I had added a free month that Microsoft sent me(tyvm), to my account.

I'm not saying everyone who gets hacked deserves it, far from it. However, I do find it strange that I've never had anything close to an issue in TEN YEARS.
Chris Carter's Avatar - Comment posted on 01/14/2012 21:03
Chris Carter
Wow! I just jumped on the computer after watching Rocky 1 with my wife and see this! Awesome!

@Ramm
I haven't had so much of a scare either, but 150 people having issues prompted me to write this - I hope they're as lucky as us :D
janoDX's Avatar - Comment posted on 01/14/2012 21:42
janoDX
About the Anti-Virus, you can use Panda Cloud also, it's an amazing antivirus...
Ckarasu's Avatar - Comment posted on 01/14/2012 22:14
Ckarasu
@janoDX: Is it free? Avast! is, and there's not really that many better free anti viruses out there.
CaptainHowdy's Avatar - Comment posted on 01/14/2012 22:39
CaptainHowdy
Thanks for this article. Very insightful and now I have a new anti virus to check out.
Cahuatijo's Avatar - Comment posted on 01/14/2012 22:54
Cahuatijo
Xbox support is quite useless and thoroughly frustrating. It's so ironic that one of the world's most shining examples of capitalism operates just like any bureaucratic entity in the most miserable communist country.
VolksONER's Avatar - Comment posted on 01/14/2012 23:01
VolksONER
I've seen the one story you guys posted the other day. Why are you blowing this out of proportion like its some epidemic? Journalism?

Microsoft's customer service, in my own personal experience, has been excellent. I've had a total of 16 repaired/replaced units. The last was an old fat model replaced by a slim 250gig no questions asked. Sure it's inconvenient. Some times irritating. But they've ALWAYS taken care of me.
"grrrr... Evil corporation! Must resist! Revolt!!!"
I get it. Just keep in mind these evil corporations are the reason you have the job you do.
RaginDude's Avatar - Comment posted on 01/14/2012 23:33
RaginDude
Microsoft Security Essentials. Get it. It's free and it's a damn good program.
tekbunny's Avatar - Comment posted on 01/14/2012 23:52
tekbunny
@volks

you had to repair/replace 16 xboxes?

sounds like microsoft is pretty awesome.

and please don't do the "evil corporations" thing in the context in which you used it. i'm pretty totally one hundred percent sure they know they have a job because of the game industry. just because it's the reason they have a job doesn't mean they can't be critical of it.

so yes, journalism. also, blogging. welcome to destructoid.
Tarvu's Avatar - Comment posted on 01/15/2012 00:56
Tarvu
I like MSE, very inoffensive.

The Xbox Live Twitter team are pretty responsive and as helpful as they can be.
DreamingDarklyRobin's Avatar - Comment posted on 01/15/2012 01:36
DreamingDarklyRobin
Wouldn't using a pass code help as well? I realize that's probably just tied to your Xbox, but if you have shifty relatives like mine, it can help.
Paroxysm's Avatar - Comment posted on 01/15/2012 01:52
Paroxysm
This seems more list of blatantly obvious tips for any service.
GoonieGooGoo4's Avatar - Comment posted on 01/15/2012 06:24
GoonieGooGoo4
Once again...I think this XBL Account hacking is getting way blown out of proportion by Destructoid.

I and many of my friends have been on XBL since Day 1 of its existence and have had zero issues.

True I associate an email uniquely for XBL, have a complex password , and do not share the same passwords across my accounts. But lets be honest....ISN'T THAT COMMON SENSE? Its the 21st century for chrissakes.

XBOX Service in my years has been responsive and performed to my expectations whether it was a RROD on my XBOX Elite, a hard drive going bad on my original XBOX, or any issue I encountered.

Even if its 1000 people that reported their accounts as hacked (the majority likely due to poor security on their ends or some kind of human error).....thats 1000 out of 40 Million XBOX Live members.....which = .000025 %
Doos's Avatar - Comment posted on 01/15/2012 07:29
Doos
@DreamingDarklyRobin

I thought the same thing.. then thought 'Well if they've got my e-mail.. they can get everything attached to it!'

I assume that's what'd happen.
Sir Legendhead's Avatar - Comment posted on 01/15/2012 08:17
Sir Legendhead
Hey, I have a tip for securing your bank information. Wanna hear it? Here it is.

Don't give anyone your money information ever. For any god damn reason. I don't care what they say or how good she looks. Ho's be ho's son.

Real talk. I'mma play myself out wif a Jay Z.

notice how i did not fuck that up
dtomek's Avatar - Comment posted on 01/15/2012 08:19
dtomek
@excel
Why not use a router with one of those activation buttons? You can use the craziest password ever and never have to remember it. Or are their devices too out of date to support that? I suppose that wouldn't help in that case.
Chris Carter's Avatar - Comment posted on 01/15/2012 08:19
Chris Carter
@Paroxysm
You're right; they mostly are tips that can be applied to any service, which is a good thing! However there are a few Xbox Live specific ones peppered in there.

Other than the "don't respond to shady Xbox Live messages" part I wouldn't say it's all blatantly obvious though. The bit about putting a prepaid Visa Card on your account to bypass auto-renewal is not a given - many services, including Netflix, will block Visa Gift Cards automatically.

You'd be surprised how many hundreds of people on this very site list their full name, email address, and other PII right in their profile - it's more widespread than you think.
VolksONER's Avatar - Comment posted on 01/15/2012 11:09
VolksONER
@ tekbunny
Yes. Is that more than the average gamer? Sure, the hardware is/was crap, but they've always done their part to make it right. I haven't had to come out of pocket for any repairs. That equals pretty awesome in my book.
Also, evil corporations! GRRRR. I have to review a video game >:( nerd rage activate!! Free swag RAWR!!!
Theplayer131's Avatar - Comment posted on 01/15/2012 12:17
Theplayer131
@VolksONER

TROLL IN THE DUNGEON! TROLL IN THE DUNGEON!

If by any chance you're serious, know that the fact that you didn't have any problem doesn't mean that there isn't a large number of people which suffered from account theft.
The Random One's Avatar - Comment posted on 01/15/2012 12:18
The Random One
Also, that xkcd comic is just a comic with a joke. That password doesn't have over thirty variables, it has only four if it's being hacked through a dictionary attack.
VolksONER's Avatar - Comment posted on 01/15/2012 14:40
VolksONER
@trollplayer131
I don't doubt there have been a few accounts hacked. Doesn't surprise me in the least. Let's see some actual numbers and reports before jumping to conclusions tho. Here we have ONE reported incident and everyone is crying ms is shit. I totally understand hardware failure and accounts being hacked are two different issues but in the numerous times I've dealt with customer support it's always been relatively painless.
All I'm getting at is don't blow this issue up as if there's rampant account hacking like some epidemic.
People! Protect your info. Use some common sense.
ScottyG's Avatar - Comment posted on 01/15/2012 19:53
ScottyG
*tries to change XBox Live password*

*notices a 16 character limit on passwords*

Are you fucking kidding me? My Google password is more than four times that. Don't give me this bullshit Microsoft, there is no reason to have any sort of password limit aside from a minimum length. And even that should be a "that's your own damn fault".
-PL-'s Avatar - Comment posted on 01/15/2012 20:31
-PL-
Anybody who thinks it's not an issue just because it hasn't happened to them or their friends needs to pull their head out of their... sand.

I got hacked 6 months ago and still haven't gotten my account back. I work in IT and run constant virus/malware scans on my computer. I have never been hit with any debilitating malware or viruses, but have several years of experience removing them from other users' computers. I know how to browse safely. I also use passwords that are at least 12 to 15 characters long, and are just a series of seemingly random numbers and upper/lowercase letters.

I have no idea how I was hacked, but it happened. The point is that Microsoft needs to introduce better security measures to prevent it from happening, and they need to be able to get peoples' accounts back faster after they are hacked.
DasPooch's Avatar - Comment posted on 01/15/2012 20:41
DasPooch
Great points, Mag. Well done.
DasPooch's Avatar - Comment posted on 01/15/2012 20:58
DasPooch
@-PL-: You probably had an account compromised on another service, and since the email/pw are the same, your XBL account got nailed. This is why Mag mentioned EA specifically, because there was a rumored breach in the news a while back (i don't remember the details). You could be the most vigilant and careful user possible, and could still get nailed because of some OTHER service's poor network security (eg - PSN).

Since XBL's servers have never been directly "hacked" the way Sony's have (pretty sure they're legally obligated to publicly admit when it happens), the only possibilities are: keyloggers/malware, social engineering, or security breaches on other services where you use the same un/pw.

1.)Unique password for XBL.
2.)Non-binding payment options (gift cards, etc.)
3.)Never, ever give out compromising info, even to MS "reps".
4.)Never log into XBL via a computer, unless absolutely necessary.
fightmejimmy's Avatar - Comment posted on 01/16/2012 03:47
fightmejimmy
The other great thing, too, about buying pre-paid live (or PSN) cards is that it drastically curbs impulse buying. My buddy (who evidently doesn't check metacritic semi-frequently like multimedia consumers all should) just impulse bought AMY because his Credit Card is linked to his XBL account and he just could
Fistynuts's Avatar - Comment posted on 01/16/2012 07:08
Fistynuts
"You can subvert this requirement by grabbing a Visa Credit Gift Card from pretty much anywhere"
Maybe in the US, but here in the UK I don't think we've even heard of those.