That seemingly unintelligible string of numbers and letters attached to MS Point cards and Xbox Live Gold trials has an underlying code, a kind of system in place, a group of hackers found out yesterday. Using old claimed codes, this group was able to come up with an algorithm to generate new, valid code strings -- those who input the code got 160 MS Points and could refresh the site for more. Later, through a separate channel, hackers were able to exploit the algorithm to generate codes for a Halo: Reach Banshee Avatar prop.
This forum seems to be the origin point of the algorithm in question, where some users have claimed to have gathered hundreds of dollars in MS Points; current estimates put the total damage to Microsoft at over $1 million. Microsoft has since had the codes pulled, though we have to wonder if there's any other countermeasure the company could use to catch these individuals.
Honestly, we're a bit too busy staring at these awesome lightsabers we just got for our Avatar to worry about such things. Lightsabers that were, uh, totally acquired through legal, completely ethical means -- yeah, that's it.
Reader Comments (64)
Posted: Mar 10th 2011 6:11AM sparkster said
Damn, so people who buy point cards now could get codes these guys already used? Not cool.
Posted: Mar 10th 2011 6:12AM wcarnation said
World's tiniest violin.
Posted: Mar 10th 2011 6:12AM Ample Salty said
@Bielzer I hate you, I guess you won't mind if I come rob you.
Posted: Mar 10th 2011 6:15AM EDZiLLUH said
i would be happy with a code for Halo's flaming helmet lol
Posted: Mar 10th 2011 6:17AM SpacePenguinBot said
Damn, that's a big exploit. I wonder if they're going to try to ban some of them. Also, what happens to the people who buy a code that has already been generated and used by this algorithm? I doubt MS has finished paying for this.
Posted: Mar 10th 2011 6:40AM LEONLEONLEON said
@SpacePenguinBot They don't get their MS points. :(
Posted: Mar 10th 2011 7:16AM This Little Man Says His Name Is said
@SpacePenguinBot
You can't buy a card for 160points so no one will have the problem of buying a card with a 'used code'
Posted: Mar 10th 2011 6:31AM Einlander said
Well piracy doesn't hurt anyone, there was no physical theft that took place just the shuffling of digital bits on the internet. Hell the money might not even be real
/sarcasm
Posted: Mar 10th 2011 9:31AM FriedConsole said
@Einlander
I know, by stealing points you're actually helping Microsoft. You steal an Avatar that your friends see and then they pay for it. By stealing an Avatar you're helping get the word out about the cool new Avatar. Everyone knows that Avatars make all their money with concerts and T-shirts.
Posted: Mar 10th 2011 3:07PM FriedConsole said
@Mr Esc is the namesarcasm is my
I thought my statement was so over the top ridiculous that a sarcasm tag was unnecessary. I was wrong.
Posted: Mar 10th 2011 3:36PM DreadArrow said
@FriedConsole
Unfortunately, people have said similar things in all seriousness on this site before.
Posted: Mar 14th 2011 9:38AM Milf Biggenson said
@Einlander The fact that so many people voted your post down, proves my theory that the majority of children on Joystiq either can't read, don't read, or aren't smart enough to understand sarcasm even when you hold their hand and point it out. I guess they read the first three words and voted it down based on that. Wouldn't want the A.D.H.D. children of today reading that HUGE "wall o text" consisting of 100 words. If children truly are our future, the future is in b- oh look, a basketball.....
Posted: Mar 10th 2011 7:22AM Steel Toad said
Here is a thought... how about MS forgets the ridiculous point system and goes to normal, dollar denominated credit card transactions?
ST
Posted: Mar 10th 2011 7:54AM Premature ejaculation man said
@Steel Toad
No!
If it's based on dollar values, then you can't get discounted points!
No store would ever sell $50 for $30.
MS just needs to update the dollar values for international on a much more frequent basis
Posted: Mar 10th 2011 8:06AM This Little Man Says His Name Is said
@Premature ejaculation man
The current 'frequent basis' = never.
So any update at all would be nice.
Posted: Mar 10th 2011 7:22AM Barkley610 said
Online is the future!!!
Burn the brick and mortar stores!!!
Posted: Mar 10th 2011 7:33AM (Unverified) said
I am sure there is a way for Microsoft to find out who are the biggest offenders exploiting points, in the forum users talk about getting 10's of thousands they deserve to be banned and legal action, I'm sure they will too. Hope that DLC and stupid banshee avatar was worth it... ha ha
Posted: Mar 10th 2011 8:07AM This Little Man Says His Name Is said
@(Unverified)
Considering the points were all from 160 point codes.
They can just look for all accounts that redeemed 160 point codes in the past 24 hours.
Posted: Mar 10th 2011 7:51AM bm111 said
@Ample Salty
I don't agree with this guy, but... if you hate someone, isn't it kind of the whole point that they do mind the bad stuff you do to them? ;)
Posted: Mar 10th 2011 7:55AM Enigma7ic said
Crap! I totally got a free Banshee code but I had no idea it was a generated code. My friend just sent me an email with it...
Posted: Mar 10th 2011 9:03AM nathanposey said
Theft is wrong! How would you like it if some group of people found an exploit in your online banking and instead of taking your whole account at once, they just took a couple of dollars whenever they felt like it. I hope every one of the thieves gets banned! Integrity is a value of the past.. Sigh!
Posted: Mar 10th 2011 9:19AM Miranda Lawson said
Microsoft is a company I love, I broke my 360 Elite and they replaced it in what seemed like less than a week. So I couldn't ever rip them off and feel okay. Nintendo….ehhh I don't know.
Posted: Mar 10th 2011 9:41AM Infocynic said
At first glance I thought the headline was "MS Point Scam Net Earns Microsoft over $1 million." I knew it was wrong because they make way more off of it.
Posted: Mar 10th 2011 10:03AM worldpattern said
Why doesn't the article mention The Tech Game by name??? I can understand if you don't want to give those bags of shit over there any more name recognition, but it seems like it would at least be relevant to the facts of the story. I hope Microsoft sues them out of existence.
Posted: Mar 10th 2011 10:40AM golobulus said
don't worry. it's only for the homebrew. no need to get all defensive about it.
Posted: Mar 10th 2011 10:46AM thesage42 said
This is ridiculous, there is absolutely no excuse for making the code so weak that it can be broken. Microsoft needs to fire a whole bunch of their engineers because this is just unbelievably incompetent.
Posted: Mar 10th 2011 10:54AM serge808 said
If I went to my local GameStop and grabbed all of the Microsoft point cards and ran out the door, I would be arrested and put in jail. What is different in this case? Digital theft is the same thing.
Posted: Mar 10th 2011 10:55AM mikealebrije said
If you have a code there will be some keys that will be eventually breached, that is the final answer... It is weird because I will hope the cards will become active only after purchase. It makes no sense to have a bunch of active cards sitting in a store...
@mike_alebrije
Posted: Mar 10th 2011 11:20AM Che J P said
@mikealebrije
I thought the same thing at first but MS cards are different from gift cards and such because the points are already allocated to a specific key before it even hits a shelf. Gift cards are scanned and you "put" cash on them (even if they have a label for $25 or $50 any amount can be allocated to any card) which is calculated and accounted for on the black bar on the back of the card. If MS cards did this then the cards would have to have some way of "putting" monies on the card. And that would be more expensive and impractical.
Posted: Mar 10th 2011 11:31AM mikealebrije said
@Che J P
I guess that is a good reason why not to have it work that way.
But I will guess that having a human or physical firewall somewhere will prevent this from happening again.. Just an idea ;)
Posted: Mar 10th 2011 11:12AM Morgon said
It should be noted that the actual algorithm for generating the 25-character ('5 x 5') codes hasn't been compromised, it's only this ridiculously-insecure 'external' system that had the authority to request new codes that was figured out.
This is a very important difference.
Posted: Mar 10th 2011 11:17AM StriderNo9 said
Point system is such a rip off and MS knows it.
Posted: Mar 10th 2011 12:39PM StriderNo9 said
@Robborboy Umm what? Why do I need to get my head examined? It's 80 points to the dollar. When you want something for 600 (Like Lara Croft and the Guardian of the Light) points you have to pay $10 bucks to Microsoft to get 800 points, thus leaving you with 200 unwanted points. Now that means, you either pony up another purchase of points because almost nothing at all costs 200 points or you let the 200 points sit there while Microsoft has your money. That means that $8 game cost you $10
I'm not going to say you need your head examined because I don't see the correlation but you need to do your math.
Posted: Mar 10th 2011 11:24AM Protege420 said
You can bet your sweet a** this won't go unlitigated, it would be one thing if one or two codes were compromised but 1 million dollars worth is a big no no. that takes it out of the realm of petty theft and puts it in the realm of felnoy theft.
Posted: Mar 10th 2011 3:26PM teknobeavr said
@Protege420 since tech game wants to steal others' info here is their info
since the tech game wants to steal and hack everyone. turnabout is fair play here is the owner's personal info gathered using his own site's mods and hacks
they hide behind a shell company called protected domain services..
Hey isn't Kotaku based out of denver !!!! i'm just saying
Posted: Mar 10th 2011 11:25AM Protege420 said
ugh *felony
Posted: Mar 10th 2011 11:30AM entanianick said
If this cost MS $1 million then what about those accounts full of 6000 Microsoft Points and 10,000 Microsoft Points sold over the internet?
Those accounts used stolen credit cards to redeem MS Points; that would be the thing that Microsoft should get rid of.