• Hey Guest. Check out your NeoGAF Wrapped 2025 results here!

GFWL Fraud Victim can't be helped cuz he doesn't own a Xbox

LiK

Member
http://www.gamepro.com/article/news...cant-be-helped-because-he-doesnt-own-an-xbox/

The PSN debacle earlier this year got more than a few people worried about storing their credit card information online and how easy it would be for hackers to break in and spend all their money. As blogger and motion picture restoration artist Greg Knight discovered, however, it's not just Sony's systems that are open to such abuse.

Knight doesn't own an Xbox 360, and his Live account activity shows a grand total of two games: the PC versions of both Batman: Arkham Asylum (which requires Games for Windows Live to play) and Viva Piñata (which he purchased from Microsoft when it was on sale for just $0.99 a while back). This Tuesday, he found two Microsoft Points purchase confirmation emails in his inbox amounting to a grand total of 10,000 Microsoft Points -- or $125. Upon logging into his Xbox.com account, he discovered that his "alternate email address" had been changed by an unknown intruder to an account from guerrillamail.com -- a service which provides temporary email addresses ostensibly for avoiding spam, but sometimes used for less salubrious purposes.

Knight managed to get in and return his email address to normal before the intruder was able to send a password reset request to the new, temporary and theoretically untrackable email address. He also had the good sense to remove his credit card from the account as well as change his password and security question. He then decided to get on the phone to Microsoft in an attempt to get his $125 back.

His first call saw him confronted with a member of the Live support team who was seemingly ignorant to the fact that Games for Windows Live even existed, but the operator in question was familiar with the GuerrillaMail tactic and assured Knight that his account would be locked down for a few weeks while an investigation took place.

A month later, Knight received an email informing him that the Live support team had found no evidence of unauthorized access to his account and as such would not be receiving a refund of the $125. Understandably, he then called them back and started the whole process again.

He was shocked to be told, after being on hold for about 30 minutes, that nothing could be done because he didn't own an Xbox. Instead, he was informed that he would have to convince his bank that the $125 transaction was fraudulent, and then get them to do a chargeback. But, understandably, he's concerned:

"If that's the next step, so be it," writes Knight. "But now I'm worried as to what sort of standing that will leave my Live account in. Will I someday buy an Xbox to then find out that my account was banned? They assured me that a bank chargeback would have no negative impact on my account, but my confidence in their word is understandably shaky."

We've contacted representatives of Microsoft for their comments on this situation, and will publish them when we hear back from them.
 
Something tells me that line was spoken by more people who don't know what they are talking about, since it doesn't even make since in the context.
 
Omikaru said:
Yet another reason to avoid that piece of shit service. I can't wait until this is thrust upon us in Windows 8.

I haven't been keeping up with this, but is this really something to worry about? There aren't many people left putting their games on GFWL.
 
/raises hand

Hi, I work in customer service for a service similar to Xbox Live; in that people create accounts to buy intangible items. If a person complains about fraudulent charges on our service but they do not have an account, our hands are tied. We encourage them to contact their bank and law enforcement, provide them with the information they need to properly file these reports and expedite the process, and will fully cooperate with the bank and law enforcement.

It's frustrating, but that's how things are.

EDIT: Regarding the "Lack of acknowledgement" thing, same where I work. We don't acknowledge any issues with the service's security. We are only allowed to respond with a prepared document, which provides tips on how to create secure passwords, make sure anti-virus and our software is up-to-date, etc. Acknowledgment = legal shitstorm and your ass is fired.

Basically, it could have been handled better from a customer service point-of-view but the overall actions aren't different from other companies.

Edit 2: Missed the part where he had an account. Sorry :(
 
Omikaru said:
Yet another reason to avoid that piece of shit service. I can't wait until this is thrust upon us in Windows 8.
Come on now, they clearly didn't call if GFWL anymore, it's totally different :p
 
The fact is is that during an investigation into an account, you need to provide the last known console ID and console serial number during the investigative process.

To be honest, he managed to get control of the account back, so he really should just file a fraud claim with the bank. What makes me think that this is dumb, is that when someone's credit card gets stolen, and they check the places that it was used, the person doesn't go back to every merchant and demand a refund, they contact their bank. So why is Microsoft any different?
 
Keavy_Rain said:
/raises hand

Hi, I work in customer service for a service similar to Xbox Live; in that people create accounts to buy intangible items. If a person complains about fraudulent charges on our service but they do not have an account, our hands are tied. We encourage them to contact their bank and law enforcement, provide them with the information they need to properly file these reports and expedite the process, and will fully cooperate with the bank and law enforcement.

It's frustrating, but that's how things are.

But he has an account...
 
Castor Krieg said:
Yes, that 2-games-acount carries a lot of rep.

It does if the DRM is tied to that and the games are worthless with it locked. Maybe he doesn't mind that they're getting thrown in the virtual trash, but it's not just about "rep."
 
Something very fishy is going on with Live lately. I wouldn't be surprised to see an admission of a major hacking or other security issue soon.
 
Ysiadmihi said:
I haven't been keeping up with this, but is this really something to worry about? There aren't many people left putting their games on GFWL.

I'm wondering if the games store that MS is making (and taking a 0% cut from) will require GFWL in some way. I hope not, and I have no actual evidence to say this will happen, but I worry about lots of things.
 
darthbob said:
The fact is is that during an investigation into an account, you need to provide the last known console ID and console serial number during the investigative process.

Why should that matter? In order to even play those games you need a GFWL account, but if something goes wrong, sorry no XBOX no helpy? Why does GFWL ask for all my info then?

In that case I should just go to guerrilamail and defraud some other GFWL account. It's not like there are any repercussions.
 
slidewinder said:
Something very fishy is going on with Live lately. I wouldn't be surprised to see an admission of a major hacking or other security issue soon.

Kids giving their password to other kids in MW2 isn't a major security breach.

DeaconKnowledge said:
Why should that matter? In order to even play those games you need a GFWL account, but if something goes wrong, sorry no XBOX no helpy?

Because it does. For credit card fraud, you go to your card company, not the merchant.
 
Keavy_Rain said:
/raises hand

Hi, I work in customer service for a service similar to Xbox Live; in that people create accounts to buy intangible items. If a person complains about fraudulent charges on our service but they do not have an account, our hands are tied. We encourage them to contact their bank and law enforcement, provide them with the information they need to properly file these reports and expedite the process, and will fully cooperate with the bank and law enforcement.

It's frustrating, but that's how things are.

uh...

Knight doesn't own an Xbox 360, and his Live account activity shows a grand total of two games: the PC versions of both Batman: Arkham Asylum (which requires Games for Windows Live to play) and Viva Piñata (which he purchased from Microsoft when it was on sale for just $0.99 a while back). This Tuesday, he found two Microsoft Points purchase confirmation emails in his inbox amounting to a grand total of 10,000 Microsoft Points -- or $125. Upon logging into his Xbox.com account, he discovered that his "alternate email address" had been changed by an unknown intruder to an account from guerrillamail.com -- a service which provides temporary email addresses ostensibly for avoiding spam, but sometimes used for less salubrious purposes.
 
darthbob said:
The fact is is that during an investigation into an account, you need to provide the last known console ID and console serial number during the investigative process.

To be honest, he managed to get control of the account back, so he really should just file a fraud claim with the bank. What makes me think that this is dumb, is that when someone's credit card gets stolen, and they check the places that it was used, the person doesn't go back to every merchant and demand a refund, they contact their bank. So why is Microsoft any different?

This is what I was thinking.
 
1-D_FTW said:
It does if the DRM is tied to that and the games are worthless with it locked. Maybe he doesn't mind that they're getting thrown in the virtual trash, but it's not just about "rep."

Read the article again, he has control of his account. He's complaining about fraud.
 
They really should've provided a ton more context and explanation to the single sentence about them not being able to help unless he owned an Xbox since that is the title of the article.

Because right now there is pretty much nothing to talk about or react to. We can just say "yeah, he got told that apparently."
 
The response he got was clearly bullshit and unacceptable.

I suspect that this was a communication breakdown. I suspect that as a result of the publicity, someone higher up will point out that this is bullshit, and the gears will turn, and this guy's problem will be resolved.
 
darthbob said:
Because it does. For credit card fraud, you go to your card company, not the merchant.

You're not getting me.

How does owning an XBOX change this? If this exact same situation happened on his XBOX, why is the situation made different? It's still credit card fraud.
 
ultron87 said:
They really should've provided a ton more context and explanation to the single sentence about them not being able to help unless he owned an Xbox since that is the title of the article.

Because right now there is pretty much nothing to talk about or react to. We can just say "yeah, he got told that apparently."
Yea, I'm curious if they bothered to redirect him to the fraud dept. Those people are way more helpful than regular CSR.
 
Stumpokapow said:
The response he got was clearly bullshit and unacceptable.

I suspect that this was a communication breakdown. I suspect that as a result of the publicity, someone higher up will point out that this is bullshit, and the gears will turn, and this guy's problem will be resolved.

His account is good. He needs to talk to his bank, not Microsoft.

Xbox LIVE UA claims go through because more often than not, something on the account is altered, and the account owner can't get it back. Hence why Microsoft intervenes. This, is a non-issue for our guy here though. Like it or not, fraud claim is the way to go.
 
Castor Krieg said:
Yes, that 2-games-acount carries a lot of rep.

Are you serious? It's two games he spent money on that he might not be able to play them again.



OldJadedGamer said:
If he has an Xbox or not, the outcome is the same. Fraud incidents are handled by your bank, not the merchant.
That makes no sense if the merchant is the one to blame. Look at what happened to Sony.
 
slidewinder said:
Something very fishy is going on with Live lately. I wouldn't be surprised to see an admission of a major hacking or other security issue soon.

Hey, honest people are paying for that service! They'll hear nothing of it.
 
jediyoshi said:
Read the article again, he has control of his account. He's complaining about fraud.

He has control now, but it was on lockdown for a month, which means he couldn't play those games for ~30 days.
 
OldJadedGamer said:
For my 3 bank accounts it is.
Not if you want to keep using a service. Sony simply bans your account if you cancel a transaction... so does Steam. I'm not sure about Microsoft, though.
 
snap0212 said:
Not if you want to keep using a service. Sony simply bans your account if you cancel a transaction... so does Steam. I'm not sure about Microsoft, though.

Claiming fraud does that?

Don't you mean filing a chargeback? That'll get your account either banned, or the ability to add a card to your account, nullified.
 
jediyoshi said:
Read the article again, he has control of his account. He's complaining about fraud.

And read what I'm quoting. The quote was saying big rip if his account gets locked if he does a chargeback. "He's only got two games, who cares if he loses that gamerscore."
 
darthbob said:
Claiming fraud does that?

Don't you mean filing a chargeback? That'll get your account either banned, or the ability to add a card to your account, nullified.
Ah, sorry. :( You're right.
 
Plus is live id is his system wide MS id. You want that shit locked down tight because anything MS related uses the same id systems. Hell you use that system just to log funking into Windows 8 and get your cloud save for your settings. I'm paranoid as funk about my live id, and it getting hacked.

BTW I agree he needs to call his bank. He should have done that to begin with as soon as he found the charges. That doesn't mean MS couldn't have helped him with this all though. As someone who has had personal issues with MS Xbox customer support before, and had to get a call from someone days later not in India they can go funk themselves.
 
Shed_a_Ninja said:
http://www.neogaf.com/forum/showthread.php?t=442986
http://www.neogaf.com/forum/showpost.php?p=31159521&postcount=42

It has been increasingly getting worse. Shadiness is indeed happening, and Microsoft isn't addressing.

I call Social Engineering on this. It's rather simple actually. Your Secret Question for your password reset is pretty much public knowledge if you know the person's Windows LIVE ID. Checking what the question is, you can generally find this out fairly easily. Say it's "Name of First Pet", fairly innocuous question there, and not something you'd generally give a passing thought about if someone asked. So then, someone asks, say on a public forum or something. Makes a topic called: "What was your first pet's name?" or something similar, and there you go. Person resets the victim's password using their SQSA challenge, and then they change the password, SQSA, and WLID and gain control of their account. Recover it on their console, buy a family pack, 10000 MSP, add their own account to the family pack, and transfer the 10000 MSP to their own account, release their account from the family pack, and then dump the victim's account.

Boom.
 
My biggest concern isn't people buying points as I have no card attached, but losing what I have bought over the last 6 years on live.

That would be the upsetting part for me.
 
Brettison said:
Plus is live id is his system wide MS id. You want that shit locked down tight because anything MS related uses the same id systems. Hell you use that system just to log funking into Windows 8 and get your cloud save for your settings. I'm paranoid as funk about my live id, and it getting hacked.

63.jpg
 
darthbob said:
I call Social Engineering on this. It's rather simple actually. Your Secret Question for your password reset is pretty much public knowledge if you know the person's Windows LIVE ID. Checking what the question is, you can generally find this out fairly easily. Say it's "Name of First Pet", fairly innocuous question there, and not something you'd generally give a passing thought about if someone asked. So then, someone asks, say on a public forum or something. Makes a topic called: "What was your first pet's name?" or something similar, and there you go. Person resets the victim's password using their SQSA challenge, and then they change the password, SQSA, and WLID and gain control of their account. Recover it on their console, buy a family pack, 10000 MSP, add their own account to the family pack, and transfer the 10000 MSP to their own account, release their account from the family pack, and then dump the victim's account.

Boom.

*eyes suspiciously*
 
uhhh... you should always go to the merchant directly if you notice some wrong with your transaction with them.

I'm not sure what reality some posters live in, but a bank will generally tell you to go to the merchant first, if you call the bank first. They have told me this several times with mismatched phone bills and a few ISP problems I've had in the past. Both were solved by the merchant, as the bank didn't want to intervene until the merchant had a chance to try and fix it.
 
Top Bottom