Account Security for Xbox LIVE

What is Unauthorized Access?

Unauthorized access is the use of your Xbox LIVE account without your knowledge and consent. Unauthorized use can involve the recovery of your Xbox LIVE account on a console that is not yours, or logging into your account via Xbox.com. The unauthorized recovery of your account to another console can result in loss of your access to the service or other consequences that will negatively affect your gaming experience. The unauthorized use of your account can also result in unauthorized charges for purchases made using your account.

How are accounts compromised today?

Your Xbox LIVE account can be compromised in several different ways, most of which you can easily prevent. Below are a few examples of situations that can lead to your account being compromised, and steps that you can take to prevent that from happening.

Account Sharing

Sharing your Windows Live ID password is one of the most common ways to have your account compromised and is easily preventable by you. Help ensure the safety of your account by keeping your password secret. Do not share your Windows Live ID password with friends, family members or anyone else, regardless of the reason, as this allows others to access your account. Do not share your Windows Live ID password with others.

Phishing Scams

Phishing is a type of internet scam designed to trick you into revealing your login credentials, such as your Windows Live ID and password, or information about you or your accounts that can be used to gain access to your account. Phishing is typically attempted through spoofed or fake emails, websites or other means of communication. You may be phished via:

  • Email messages that appear to be from a coworker or friend with links to a web site or asking for information about you or your account(s)
  • An instant message that appears to come from someone in your friends list with a link to a web site
  • An email appearing to come from XBOX or Microsoft
  • A "Spoof" web site, pretending to be an Xbox LIVE website with a Windows Live ID login page

Regardless of the phishing method, the single most important thing to remember is: Do not reveal your login credentials or other information about you or your account(s).

More information on different types of phishing scams, and what you can do to protect yourself, is available from Microsoft here: www.microsoft.com/protect/yourself/phishing/default.mspx

Gamerscore Boosting sites

Sites and advertisements claiming to provide services to "Boost" your Gamerscore often lead to a compromise of your account. Typically, these sites will offer to play on your account to boost your Gamerscore and will require you to provide your Windows Live ID and password in order to play on your account. To add insult to injury, many of these "services" require some form of payment. In the end, you have paid someone to compromise your account and make unauthorized purchases on it, and you have received nothing in return for the payment you provided. These sites are not affiliated with Microsoft, and should be avoided.

Email and Web Site Phishing Example

You are checking your email, and one of your most recent messages appears to be from XBOX, offering 5000 free Microsoft Points to the first 100 people to go to a website linked in the email. Upon clicking the link, you are sent to a web site which appears to be affiliated with XBOX and is asking for your Windows Live ID and password to log in. Once you have entered your information and clicked sign in, you are sent to a confirmation page. Later, you go to the Xbox Live Marketplace and attempt to redeem your points, only to notice that you did not receive any. You have just been "Phished".

What does this mean? The email and website were not from Xbox and whoever is monitoring that web site now has your Windows Live ID and password, and can use this information to compromise your account.

What can you do?

  1. If you have not lost access to your account yet, immediately change your Windows Live ID password.
  2. Change your secret question and secret answer for your account.
  3. Change your alternate email address associated with your Windows Live ID.

For information on how to perform these actions from a computer online, please go to accounts.live.com, and click "Help Central" at the bottom of the page.

"How-to steps" to perform these changes through the Xbox LIVE dashboard can be found at the following address:
support.xbox.com/support/en/us/nxe/XboxLIVE/MyAccount/ManageMyAccount/AccountManagement.aspx

Social Engineering

Social Engineering is the process someone uses, through basic conversation or other means, to manipulate individuals into revealing personal information about themselves or their accounts. They may try to engage you in seemingly meaningless conversation that is actually intended to gather information about you or your account. Once the "Phisher" has enough information about you they can use this information to pose as you and attempt to obtain access or make changes to your account. Once they have access to your Xbox LIVE account, the "Phisher" can use your account to perform any action that you could. They'll normally settle for purchasing the maximum number of Points possible on your account and downloading everything that looks interesting to them while sticking you with the bill. Do not reveal personal information about yourself or your accounts.

How to Secure Your Account

The security of your Xbox LIVE account is of the utmost importance to Microsoft. However, your account can only be as secure as you make it. Exercise caution when providing information over the internet. There are a few simple steps you can use to protect yourself when dealing with individuals over the internet.

  1. Do not provide your first or last name to individuals you do not know over the internet or over Xbox Live. Do not put your full first or last name in your Xbox profile.
  2. Keep your physical address private. The simple act of telling someone what school you go to, or what neighborhood you live in can be enough to locate more information about you. Think of all the personal information you've likely posted to social networking sites such as Facebook, MySpace or Windows Live Spaces that can be used to pose as you. Do not put your full physical address in your Xbox profile.
  3. Do not provide your Windows Live ID to individuals you do not know who want to email you. Set up a second email account at www.hotmail.com to use if people wish to send you an email. Your Windows Live ID should be something you provide to known acquaintances or businesses, not something you provide to anyone who asks for it.
  4. Your job is your business. Keep responses about your career brief, or vague. Do not provide specifics about where you work or who you work for as this information can lead to locating more information about you. Do not put your employer in your Xbox profile.
  5. Be wary of anyone who asks you for information about yourself without having a need for that information.

How to keep your Windows Live ID secure

There are several steps you can take to help keep your Windows Live ID and password secure:

Note: Microsoft and Xbox will never ask you for your Windows Live ID password in email, Instant Messaging or over the phone. Enter your Windows Live ID password only at known Microsoft sites or through the Xbox console.

  1. Create a strong password that includes a combination of uppercase, lowercase, numbers and special characters (e.g. #$%^&*).
  2. Change your password, and secret question and secret answer routinely. When resetting your password, you can choose to make your password expire every 72 days.
  3. Never share your Windows Live ID password with others.
  4. Share your Windows Live ID only with people you know in person, such as friends and business contacts, with whom you wish to speak using Messenger.
  5. Use a Secret Question and Secret Answer that only you would be able to answer.
  6. Do not provide your Windows Live ID to unknown web sites, businesses or message boards.
  7. Do not share your password or personal information with anyone who contacts you presenting themselves as a customer support agent or as affiliated with Xbox and Microsoft. If you are concerned that the contact might not be legitimate, contact Xbox support directly at 1-800-4-MY-XBOX.

For more information, please review the information available from Microsoft here: www.microsoft.com/protect/yourself/personal/windowsliveid.mspx

How to help protect yourself online

Helping to keep your computer and your information secure is a priority for Microsoft and all of our customers. For information on how to help protect your computer, yourself, and your family while online, please visit the Security At Home portal from Microsoft, available here: www.microsoft.com/protect/default.mspx

The security at home portal, available from Microsoft, provides information on how to protect your computer, protect yourself, and how to protect your family while online.

If your Xbox LIVE account has been compromised and you no longer have access to your account, please contact Xbox LIVE support. For more information about how to request assistance when your account has been compromised, please see the support contact page.