After the recent Xbox Live account hackings, you may be growing slightly more concerned with the way these accounts are being compromised. Microsoft has stayed steadfast that “social engineering” is the root cause, but let’s go over a few things you can do to harden your security against your account being compromised.
To do this write up, I wanted to walk myself through some of these processes. If I were trying to get into an account, I would most likely start with trying to reset the password. I came across a fun tidbit when doing my research for this post: when I went to reset my password, I had the option to email myself a password reset link. Pretty standard stuff. When I chose that option, it said it would send the password reset to TWO email addresses – the first being my current Live ID, and the second being an address that I had first used to create my gamertag, and actually have only rarely logged in to over the last couple of years.
I searched my account settings on Xbox Live, Hotmail, and Live.com and couldn’t find where this account was associated with my current Live ID. I went so far as to call Xbox Support (1-800-4My-Xbox), who suggested just shutting down the other Live ID / Hotmail address. No thank you, I didn’t want to delete NuAngel@hotmail.com – an account I had first registered with Hotmail on February 8th, 1999! When I worked with support, I was also told, while on hold, that I might need to know the answer to my secret question. I don’t remember setting up a secret question! If my old, forgotten email address had been compromised, and someone sent a password reset to that address, I would be out of luck. If I then had to call Xbox Live Support and answer my security question, what would it be, and would I know the answer!? I knew this could be chaos. I know that there are literally millions of others like me out there, and this write up is for all of you!
You set up your Xbox Live account 2, 3, 5, 7 years ago – and haven’t changed much since? Well then it’s time to make sure that, whatever happens to your account, you know you can at least get it back. Most of the work is going to be done from one website, http://account.live.com – open your browser to that page, now.
Once you’re on http://account.live.com, you may notice what I noticed. Email addresses at the bottom and Linked IDs – neither of these was showing the OTHER email address that my password reset would go to.
Your personal information is at the top of the page, and the large block of links draws your eyes to the bottom. The middle looks like it’s just trying to get you to sign up for “Hotmail Plus.” If you scan over the page, like I did (about a hundred times), you’ll miss the two links which I have highlighted in red for you in the picture above. Two small links. Reset Password (I think we know what that does), and a link that says “Manage” after a small title that says “Security Info.” If you want to reset your password (perhaps for the first time in five years?), that might be a good idea. But once you click the manage button, that’s where all of the magic happens.
From that page you can ensure your account is locked down with all of the information you have for acquiring support or resetting your account. First, you’ll notice an option to Add a Mobile Phone. I, personally, haven’t done this. I haven’t read all of the legalese, but I don’t like the prospect of getting any spam text messages. However, in the event you forget or need to reset your password, you can have them send you a text message with a code in it that will get you into your account.
The next option is Alternate Email Addresses. Contrary to Crystal at Xbox Support’s statements, when you do a password reset you cannot choose which email address the reset email goes to. It will go to ALL of the email addresses listed in this section. Make absolutely certain that these are addresses that you actively still use and have access to. Update the list with new addresses for redundancy and security, and remove old expired accounts.
Third, we have the Trusted PC feature. While I have never used it, this sounds like an amazing new development in system security. I don’t know precisely how it works, and perhaps if you’re the kind of person who reformats your computer every two months, this may not be the option for you. I’m not certain whether a person can just name their machine the same as yours and it will work, or whether the SID must match or some other technical requirements exist; Microsoft is fairly vague on it – but if you have a system that you mostly leave alone (say, a laptop that doesn’t get wiped out as often as your main gaming rig), then you might want to look into using Microsoft’s Trusted PC feature.
Finally, the security question. This is the question that Microsoft employees may have to ask you in order to work with you when you call support. It doesn’t appear to be used during the password reset process at any point, and may never come into play for you – but you should know what it is. What is handy on this screen is the simple fact that you don’t need to know the answer to change it. Since you’re already logged in to your account, even if you THINK you know the answer to your question, you can clear it and set it to that answer – because who knows how your mind and memories have changed since you first registered for Xbox Live.
So there you have it. It’s not as exhaustive as I first thought – it’s really all simple to manage from ONE page. Finding that page and not glazing right over it was the hard part! Update your question, make sure you still have access to email addresses, update your SMS phone number, create a Trusted PC, if you want. Just do everything you possibly can to protect yourself – because, until more solid news comes from Microsoft, we’re all juicy targets for some nasty folks out there, just like Susan Taylor was.