Thursday, December 2, 2010

SECURITY REVIEW: XBOX LIVE

Xbox Live: Security Review

Xbox Live is an online multiplayer gaming and digital media delivery service created by Microsoft Corporation. It charges users a fee to play multiplayer games. With Microsoft's new mobile operating system, Windows Phone 7, Xbox Live will be integrated into new Windows Phones. Furthermore, the system has been integrated into social networking sites so that users can find friends they played online with. To pay for their online gaming experience, users enter their data and credit card information through their console into the Xbox Live network. Xbox Live features include: marketplace for downloads, instant messengers, friends’ lists, personal bio, Netflix account link, MSN portal, personal gaming settings, social media linkups, gaming location, and a voice/video mod.
There are a number of security risks with Xbox Live spanning the entire CIA Triad. An attack on the system seems to be a likely risk as the online gaming community is technologically intelligent. An unintended user could target an Xbox Live account in order to steal personal information and credit card data. They could also target the accessibility and make it so that an account holder is not able to access their own account, or even pose as a real user. And finally, the attacker could target the account's integrity by changing the account holder's bio, friends list, preferences, etc. Further security risks include entry into social media sites, Netflix accounts, MSN portals, and cell phone operating systems, all through the Xbox Live account. This is all a risk on Xbox Live because if you can obtain a user's gamertag and password you can access their account and modify it. From the Xbox Live account you can enter into other Microsoft applications with ease. It would be harder to enter social media and Netflix sites because further passwords are necessary. However, just knowing one password greatly increases the likelihood that you can hack into others. Again, an advanced hacker may be able to skim credit card information from future downloads and even steal card information or completely hijack the account once accessed.
If I were an attacker I would definitely target the broad step of stealing accounts temporarily. Gamertags (usernames) are not protected and are visible to all people with an Xbox and internet connection. However, if I were able to steal passwords for these gamertags I could renew subscriptions, transfer account details, change cardholder information, alter the bio, alter the friend list, and deny the original user access. Furthermore, an attacker could easily hack an account and disclose the real user’s home address and other information to the online community. I believe that this is the real weakness and probable attack. I have personally accessed my friends' Xbox Live accounts before and I can see how easy it would be to copy their information, alter its integrity, and disclose it to a vast amount of people.
I think that Xbox Live technology has the basic weaknesses that we have been talking about in class that go along with all sites and delivery services. Whenever you are assuming an online identity the risks for theft and alteration greatly increase. We have talked a lot about credit card theft and I think this is a real threat if an account is hacked. Additionally, in much the same way social media works, Xbox Live presents the opportunity for an attacker to alter and disclose personal information on a wide level. This is because you are basically leaving a digital footprint and also creating an online identity that many people with internet access can view and get close to. This is an inherent threat with this type of technology.
My recommendation to Microsoft regarding the security risks of Xbox Live would be to mitigate the risk and to transfer some of the liability. Xbox Live accounts contain a wide array of personal information, credit card data, and links to other sites where the user would have personal records. This variety and amount of information must be protected by Microsoft and Xbox. They need to consistently be on top of the hackers and always practicing the most up-to-date technologies and mitigation techniques that prevent illegal attacks. Furthermore, Microsoft needs to make all of their users aware of the threats that accompany adding friends and of the need to keep their passwords protected. Microsoft also needs to remind users that all their passwords (Live account, Netflix, social media) should be different from each other so as to stop an attacker from totally hijacking an online identity. Finally, Microsoft should transfer some of this risk through purchasing a large insurance package against potential hacking into accounts.
