Neuromancer
Member
http://www.giantbomb.com/news/a-qa-with-stephen-stepto-toulouse-on-xbox-live-security/3862/
Really good interview by Patrick Klepek. Here are a few excerpts but I recommend reading the whole thing:
GB: When I put out a call for people to share their stories, 99 out of 100 times, I'm going to get stories of people that aren't happy with the process or how their particular story played out. That's the nature of the Internet--they're going to want to speak up when something goes wrong, not when it goes right. That said, there did seem to be a decent number of users that were more than just outliers, their accounts taking 45, 90 days and some more excessive than that. There were enough that fell out of the 25-day range that was the average of most people I talked to. What is your sense of what accounts for these people that find themselves waiting for an exponentially longer period of time for their account to be recovered?
Toulouse: I think we run a bit into the law of large numbers starts to apply in these circumstances, right? We have 35 million users coming through the system, and once you have even a tiny percentage of people being compromised, [that] can seem like a really large number. And then even inside that, the outliers can seem like, again, a large number. There's a couple of things going on.
When we say 25 days, just to be clear, that's kind of the worst case scenario. The vast majority of those get fixed much sooner than that, and then there's some outliers where it takes longer. Those outliers, the complex factors that go into that are if the attack has done region changes, if the attacker has done a significant amount of stuff to the account that keeps us from getting it back. We can get any account back, that's not the issue. The question is how many things the attacker has done to try and make it harder for us.
One of the interesting tidbits of information that most people don't realize is the attackers will call into us, claiming they've been compromised just to see what we do and how fast we can do it and how much they can disrupt that process.
GB: FIFA 12 seemed to be a really large target lately. It wasn't really clear whether FIFA 12 was the target, or it was simply convenient, or if the Ultimate Team program that EA had made it convenient for these phishing attacks. From your side, what have you seen? What accounts for why, out of all the games, FIFA 12 became this target for users waking up and realizing "Oh god, some guy in Russia just spent $100 buying FIFA Ultimate Team card packs."
Toulouse: To be clear, whenever we see something like this, we work with the developer and the publisher. That's one of the things my team does. "Hey, we're suddenly seeing a Modern Warfare scam, let's go contact Infinity Ward or Treyarch or Activision." That's a key piece of what my team does--it notify them.
We've definitely been working with EA, working to understand it, and what we've discovered, basically, is that it's a recently released, really popular title worldwide that has an online marketplace that has this really attractive content. We haven't seen anything that shows that the attacks are about the title or even about Xbox Live necessarily, it's just one more way for attackers to create value to turn around and resell a stolen account in another market. I can't imagine there's too much of a market in the United States, for instance, for a fully loaded FIFA 12 pack versus the UK.
GB: So you're not seeing anything, at least from your end, that this is anything more than just this is the latest game to become a value proposition for someone to sell on eBay or another market.
Toulouse: The thing that's unique about FIFA is that it has a really, really rich marketplace where the player has a ton of capability in terms of being able to share content and trade content. That's one of the things we're working with EA on. How do we detect and try to prevent people from using those rich experiences in a negative way?