Securing your Xbox Live Account

After the recent Xbox Live account hackings, you may be growing slightly more concerned with the way these accounts are being compromised. Microsoft has stayed steadfast that “social engineering” is the root cause, but let’s go over a few things you can do to harden your security against your account being compromised.

To do this write-up, I wanted to walk myself through some of these processes. If I were trying to get into an account, I would most likely start with trying to reset the password. I came across a fun tidbit when doing my research for this post: when I went to reset my password, I had the option to email myself a password reset link. Pretty standard stuff. When I chose that option, it said it would send the password reset to TWO email addresses – the first being my current Live ID, and the second being an address that I had first used to create my gamertag, and actually have only rarely logged into over the last couple of years.

I searched my account settings on Xbox Live, Hotmail, and Live.com and couldn’t find where this account was associated with my current Live ID. I went so far as to call Xbox Support (1-800-4My-Xbox), who suggested just shutting down the other Live ID / Hotmail address. No thank you, I didn’t want to delete NuAngel@hotmail.com – an account I had first registered with Hotmail on February 8th, 1999! When I worked with support, I was also told, while on hold, that I might need to know the answer to my secret question. I don’t remember setting up a secret question! If my old, forgotten email address had been compromised, and someone sent a password reset to that address, I would be out of luck. If I had to then call Xbox Live Support and answer my security question, what would it be, and would I know the answer!? I knew this could be chaos. I know that there are literally millions of others like me out there, and this write-up is for all of you!

You set up your Xbox Live account 2, 3, 5, 7 years ago – and haven’t changed much since? Well then it’s time to make sure that, whatever happens to your account, you know you can at least get it back. Most of the work is going to be done from one website, http://account.live.com – open your browser to that page, now.

Once you’re on http://account.live.com, you may notice what I noticed. Email addresses at the bottom and Linked IDs – neither of these was showing the OTHER email address that my password reset would go to.

Your personal information is at the top of the page, and the large block of links draws your eyes to the bottom. The middle looks like it’s just trying to get you to sign up for “Hotmail Plus.” If you scan over the page, like I did (about a hundred times), you’ll miss the two links which I have highlighted in red for you in the picture above. Two small links. Reset Password (I think we know what that does), and a link that says “Manage” after a small title that says “Security Info.” If you want to reset your password (perhaps for the first time in five years?), that might be a good idea. But once you click the manage button, that’s where all of the magic happens.

From that page you can ensure your account is locked down with all of the information you have for acquiring support or resetting your account. First, you’ll notice an option to Add a Mobile Phone. I, personally, haven’t done this. I haven’t read all of the legalese, but I don’t like the prospect of getting any spam text messages. However, in the event you forget or need to reset your password, you can have them send you a text message with a code in it that will get you into your account.

The next option is Alternate Email Addresses. Contrary to Crystal at Xbox Support’s statements, when you do a password reset you cannot choose which email address the reset email goes to. It will go to ALL of the email addresses listed in this section. Make absolutely certain that these are addresses that you actively still use and have access to. Update it with new addresses for redundancy and security, and remove old expired accounts.

Third, we have the Trusted PC feature. While I have never used it, this sounds like an amazing new development in system security. I don’t know precisely how it works, and perhaps if you’re the kind of person who reformats your computer every two months, this may not be the option for you. I’m not certain whether a person can just name their machine the same as yours and it will work, or whether the SID must match or some other technical requirement exists; Microsoft is fairly vague on it. But if you have a system that you mostly leave alone (say, a laptop that doesn’t get wiped out as often as your main gaming rig), then you might want to look into using Microsoft’s Trusted PC feature.

Finally, the security question. This is the question that Microsoft employees may have to ask you in order to work with you when you call support. It doesn’t appear to be used during the password reset process at any point, and may never come into play for you – but you should know what it is. What is handy on this screen is the simple fact that you don’t need to know the answer to change it. Since you’re already logged into your account, even if you THINK you know what the answer to your question is, you can clear it and set it fresh – because who knows how your mind and memories have changed since you first registered for Xbox Live.

So there you have it. It’s not as exhaustive as I first thought – it’s really all simple to manage from ONE page. Finding that page and not glazing right over it was the hard part! Update your question, make sure you still have access to email addresses, update your SMS phone number, create a Trusted PC, if you want. Just do everything you possibly can to protect yourself – because, until more solid news comes from Microsoft, we’re all juicy targets for some nasty folks out there, just like Susan Taylor was.

Coming (Back) Soon! Better Know a Gamer!

From my old site, WinBreak, I had one very successful run of content: Better Know a Gamer. You could nominate yourself or anyone you know, and easily be featured in an issue of Better Know a Gamer: interviews, getting to know community members. After we were thirty-plus posts in, that’s when the site started to slow down a bit. I will be importing all of the old BKAG articles and picking up where I left off, in the thirties – you’ll be able to select the BKAG category and go back through all of the old interviews, as well. Keep an eye out for it soon!

This site will soon have implemented the same “nominate a gamer” feature that WinBreak.com had, where you can enter an email address and have the questions automatically fired off to the recipient. So be sure to check back – sign yourself up and several of your friends!

Recent Xbox Live Member Hackings

In the world of gaming, more and more buzz is being generated around recent ‘hackings’ of people’s accounts. How some of it is happening is well beyond my capacity to understand. I started hearing of “the FIFA Hack” a few weeks ago, with the story building up to one of the staff writers at Joystiq even being hacked. It doesn’t directly involve the use of FIFA, but an alarming number of those impacted are noting that FIFA Annual Game Passes are being purchased on their accounts. Most recently, a fellow Xbox Live Ambassador had her account compromised and a whole series of problems continued.

You can read about the experiences that my fellow Ambassador, LadyElysium, had encountered on her website dedicated to the recent rash of hackings, HackedOnXbox. Susan Taylor does an excellent job of letting out her frustrations, while keeping her cool.

So what can you do to protect yourself? The sad part is, I’m having a hard time figuring that out myself. I wanted to see what would happen if I tried to change my own password on Xbox.com. What was funny was that there were no social engineering questions I could use to ‘hack’ my way into my account – the closest possible thing was resetting via email. The thing that concerns me there is the fact that I have TWO email accounts that it says it will send my password reset to – and considering I sign in to one of those two once every six months or so, I figured I should make sure it was not associated with my account. I can’t. I can’t find anywhere on Xbox.com or Live.com to remove the second email address my password reset email would go to!

Stay tuned on Sunday for what I hope to be a little more in-depth list of steps you can take to protect yourself, but for now the best thing I can suggest as a “STEP ONE” would be to remove any payment options you have on your account. I’ve NEVER given my credit card details to Microsoft, in any way. …That was, until recently. A limitation (see: hindrance) of the Windows Phone 7 platform is that they’re not letting you use Microsoft Points to make purchases – you must use a credit card.

I wanted to buy one Xbox Live game for my phone – I had to enter my credit card details. Once the purchase went through, I IMMEDIATELY navigated to live.xbox.com, clicked on My Account, then Manage Payment Options, and REMOVED my registered credit card. I would advise you to remove a PayPal account, if you have one associated with your account, as well. Anything else I purchase, whether it’s Gold subscriptions or Xbox Live Arcade games, is all done WITH Microsoft Points which I purchase the prepaid cards for, at my local big box retailer.

Detailed instructions are, as always, on Microsoft’s support site, and I hope to have more account tightening tips for you this weekend.