$1.2 Million Worth of MS Points Taken After Hackers Figure Out Code Algorithm
The Save and Quit blog reports that a group of hackers figured out the algorithm behind a set of promotional codes that were each redeemable for 160 MS points, the currency used on Xbox Live. Quoting:
"A person would just have to sit back and refresh over and over and rack up the 160MSP codes. Not every code would work, but a majority would. The site started to 404 due to the heavy traffic. If you have closer ties to the pirating community, you could find a program to get the codes for you. ... This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out. ... Microsoft found out about this exploit and put a stop to it immediately, but internet pirates still had enough time to steal $1.2 million worth of Microsoft Points."
$1.2 million worth of Microsoft Points (Score:5, Funny)
Wow, that's almost a full tank of gas.
Re: (Score:2)
Yes, of course you would. Until you had to fill the huge gaps left in budgets that rely on that extra money you pay for your fuel. It isn't magically more expensive because it's consumed in the United Kingdom, you know.
But, please, continue to complain and make a fool of yourself.
Re: (Score:2)
Why do you keep putting gas in quotes?
Did you really want him to let it loose? I would prefer his gas be restrained, we can only hope double quotes are up to the job...
Re: (Score:2)
Ughhhh, I can just imagine your high pitched snotty voice as if you were actually saying that. I hope you get "shagged" by a "lorry" while chasing a "football", and thus your "jeans" don't "continue".
Re: (Score:2)
Because I'm British and think it's a stupid name.
I agree, "gas" is a specific word for a state of matter, "gasoline" is liquid, it is a silly abbreviation.
But then again I'm British too
Re: (Score:2)
Ask for a gas can in the UK and you'll most likely get a propane gas bottle.
Which is a gas.
Re: (Score:2)
Ask for a gas can in the UK and you'll most likely get a propane gas bottle.
Which is a gas.
They make the bottles out of gas now? And here I am using the old-fashioned metal ones like a sucker.
Don't be a wanker, the phrase "a propane gas bottle" will normally be understood to mean "a bottle full of propane gas" unless you specifically say "an empty bottle for putting propane gas in."
Re: (Score:2)
s'ok, I don't smoke.
Re: (Score:2)
Well, you could always go to a real restaurant instead of a Starbucks and get coffee at a reasonable price.
Ok, might be different for you, I don't know how far along they came already in your area.
only 160 points worth of microsoft funny money? (Score:2)
I wonder if they're just going to ban everyone who redeemed a code worth such a small amount. Why the hell do amounts that small exist? Must be for fast food promos or something.
Re: (Score:2)
It pretty much is. They never sold anything outright less than 500 points.
Re: (Score:2)
No, but if you redeemed 50,000 of them might be an issue.
Exchange rate (Score:3)
What's the exchange rate from MS points to Schrute Bucks?
Re: (Score:3)
Same as the ratio of unicorns to leprechauns
Re: (Score:3)
Same as Unicorns to Leprechauns.
Not hard to track down (Score:2)
Re: (Score:2)
Just look who made more than one purchase of MS points to their account in the last week or two, that will cut down the list of possible suspects significantly. Cross-reference the transactions for which there was payment. You'll find that you have a handy list of those people who will soon find a huge "CHEATER" banner on their Xbox account.
I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.
Re: (Score:2)
I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.
Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.
Re: (Score:2)
I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.
Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.
I read your post in its entirety but it is still in the end a mostly educated guess. I just don't see how Microsoft could punish based off a good guess. I realize they can ban whomever they want for whatever reason but it would just end up causing more headaches and added cost. I don't see the real payoff.
Re: (Score:3)
It's quite possible that the set of generated codes on the website overlap with the set of codes on printed tickets, in which case I happily concede the argument to your favour, but my understanding is that the codes are different (
Re: (Score:2)
I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.
In 160MSP increments?
Re: (Score:3)
Don't hate the farmers, hate the MMO. It's their fault.
They didn't steal anything. (Score:3)
Re: (Score:3, Insightful)
It's not like MS ran out of codes.
Tell that to someone who legitimately had one of these codes that couldn't redeem it because someone else used it.
Didn't hack the algorithm (Score:4, Informative)
Re: (Score:3)
$1.2 Million is pretty cheap to learn that lesson, all considered.
And I'll be very surprised if they take any action against the lucky winners - the bad publicity (and risk of accidentally tagging someone who just happened to redeem their three codes at the wrong time) won't be worth the hassle.
Re: (Score:3, Informative)
http://kotaku.com/#!5780686 [kotaku.com]
This is why you have corporate america (Score:2)
They have to set a president
You're against campaign finance reform, I take it? ;-)
Read that wrong the first time. (Score:2)
Just like Pepsi iTunes codes. All you hadda do.. (Score:2)
Re: (Score:3)
...to find the caps with the codes was to tilt the bottle.
Totally, completely, 100% off topic, but... this reminded me that when I looked at a map of Tripoli the other day I noticed this:
Pepsi-Cola Road [google.com].
I've been hoping to hear something about anti-government protesters on Pepsi-Cola Road ever since.
Just like, you know... stolen Microsoft Points. Or something.
Curious and Furious (Score:2)
Boggles the mind (Score:5, Insightful)
Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?
Re: (Score:2)
Cost and reuse.
Re: (Score:2)
You're confusing this article and the prepaid points cards. First, they were 160 points at a time. No prepaid card comes with such little points - I think the smallest I've ever seen was 400 as part of some
Re: (Score:2)
What happened then was people figured out how to get 160 points without doing X, and with enough hackery, figure out the algorithm behind it.
According to TFA it doesn't appear that they ever figured out the algorithm. They just figured out how to get 160 points by refreshing web page X, and then repeated until they had a lot of points.
As usual the /. headline is sufficiently lacking in factual basis. The "hackers" figured out a URL, not an algorithm.
Re: (Score:2)
Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?
Because they sent emails with a link to it passing an ID. The problem is that the ID is easily guessable.
Re: (Score:3)
Only if you believe in a deterministic universe. Otherwise you get pretty good results with TRNGs and quantum mechanics.
http://www.random.org/randomness/ [random.org]
http://en.wikipedia.org/wiki/Quantum_cryptography [wikipedia.org]
Re: (Score:2)
That really doesn't change his point, though.
The API still should have been secured with some sort of credentials. They don't have to be rocket science and they don't have to be so complex they get in the way of the third parties, but I don't think a username/password passed with HTTP Auth or something would be overly burdensome if you're already asking partners to connect with an API. And a couple of Microsoft developers could probably pump out libraries for most major languages to do that in only a fe
Enjoy your fake money! (Score:2)
Wait! We were talking about the US Dollar right?
Re: (Score:2)
Hey, the U.S. Dollar isn't fake as long as we all agree it isn't fake. Even if it is.
404? really? (Score:2)
Re: (Score:3)
I doubt it'll be hard for Microsoft to figure out who redeemed an excessively large number of these codes.
If they are valid codes I don't see how Microsoft could tell the difference.
Re: (Score:2)
The difference between redeeming 1 valid code and redeeming 10? That's pretty easy. Most people learn how to count pretty early on. Or looking at how fast they redeemed them. "Oh, it only took them 1.28 seconds to type in this 25 character string of not-so-random numbers.... how odd!"
FTFY
Re: (Score:2)
Don't the codes get associated with some sort of account somewhere? Could Microsoft not simply look for accounts with some arbitrarily reasonable amount of points on them, then query the purchasing/issuing database to see which of those accounts got most of their credit in short order in 160-point increments then drain those accounts?
Or just simply look for any issuance of points using these promo codes to any accounts, and make sure that credit is only given for ONE promo code per account, and remove all
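The two signals the posters above propose (how many 160-point promo codes an account redeemed, and how quickly) are easy to turn into a detection pass over redemption telemetry. The block below is an added example, not from the article, Kotaku or Microsoft; the log format, the SKU names, the thresholds and every account in the sample are constructed for illustration. Note that it does not flag an account that redeemed a handful of codes hours apart, which is the false-positive case raised earlier in the thread.

```python
# Added example (not from the article): flag accounts whose promo-code
# redemptions look automated, using count per account and inter-redemption
# timing. Log format, SKUs, thresholds and accounts are all hypothetical.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one redemption per line: "timestamp account sku points"
SAMPLE_LOG = """\
2011-03-08T18:00:01Z alice PROMO160 160
2011-03-08T18:00:03Z alice PROMO160 160
2011-03-08T18:00:04Z alice PROMO160 160
2011-03-08T18:00:05Z alice PROMO160 160
2011-03-08T18:00:07Z alice PROMO160 160
2011-03-08T18:05:00Z bob PROMO160 160
2011-03-08T19:10:00Z carol CARD1600 1600
2011-03-08T19:12:00Z carol CARD1600 1600
2011-03-09T09:00:00Z dave PROMO160 160
2011-03-09T21:00:00Z dave PROMO160 160
2011-03-10T10:00:00Z dave PROMO160 160
"""

PROMO_SKU = "PROMO160"          # hypothetical SKU for the 160-point promotional codes
MAX_PROMO_PER_ACCOUNT = 3       # hypothetical: the promotion allowed a few codes per person
MIN_HUMAN_INTERVAL_S = 5.0      # hypothetical: nobody types a 25-character code faster than this


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, account, sku, points) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, sku, points = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, sku, int(points)))
    return events


def flag_accounts(events):
    """Return {account: [reasons]} for accounts whose promo redemptions look automated."""
    by_account = defaultdict(list)
    for ts, account, sku, _points in events:
        if sku == PROMO_SKU:            # prepaid card redemptions are out of scope
            by_account[account].append(ts)

    flags = {}
    for account, stamps in by_account.items():
        stamps.sort()
        reasons = []
        if len(stamps) > MAX_PROMO_PER_ACCOUNT:
            reasons.append(f"{len(stamps)} promo codes redeemed (limit {MAX_PROMO_PER_ACCOUNT})")
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        fast = [g for g in gaps if g < MIN_HUMAN_INTERVAL_S]
        if fast:
            reasons.append(f"{len(fast)} redemptions under {MIN_HUMAN_INTERVAL_S:.0f}s apart "
                           f"(fastest {min(fast):.0f}s)")
        if reasons:
            flags[account] = reasons
    return flags


if __name__ == "__main__":
    for account, reasons in flag_accounts(parse_log(SAMPLE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```

On the sample, only alice is flagged (five codes, all within seconds); bob redeemed one, carol redeemed prepaid cards rather than promo codes, and dave's three codes spread over two days stay under both thresholds. In a real deployment the thresholds would come from the promotion's own rules and from measured human redemption timing, not from constants in a script.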
Re: (Score:3)
After all, Microsoft really hasn't "lost" $1.2 million in cash
Careful now. Microsoft points can be used to purchase things from the MS store. Not all of which are owned by MS. If I developed an XBLA game, or DLC for something I expect my 70% (I think it's 70%, steam is 70%, I haven't worked with anyone using MS points in a while), whether the points were legitimate or not is MS's problem. The deal I have is to be compensated, in cash, for downloads of my product through their store.
If they give away 10 million MS points for the hell of it, I still expect to be p
Re: (Score:3)
Have the hackers arrested and thrown in prison for fraud.
Re: (Score:2)
They aren't "valid" in the sense that although they meet the algorithm for validation they were not created by MS, who can in fact tie those codes back to SKUs and track the purchase. I know that's how I do it. But I also validate against that list on the fly because I'm not fucking retarded :P
Seriously this is like checking a credit card using Luhn but never actually validating it by doing a capture via a payment gateway. It's laughable and I bet someone got fired for it.
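The "Boggles the mind" post and the Luhn comparison above describe the same design failure from two sides: a code that merely satisfies a format or check-digit rule is not a code that was ever issued, and a guessable identifier handed to a public endpoint is a code generator for anyone who notices. The block below is an added example, written for this page and not taken from the article, Kotaku or any Microsoft code, putting the weak design beside a hardened one: random codes recorded at issuance, stored as a keyed hash, redeemed exactly once under a lock with a per-account cap. Every class name, constant and threshold in it is hypothetical.

```python
# Added example (not from the article or any Microsoft code). WeakIssuer derives
# codes from a sequential ID plus a Luhn check digit and only verifies the check
# digit on redemption, so one observed code lets an attacker mint the rest.
# HardenedIssuer draws codes from the OS CSPRNG at issuance, stores only a keyed
# hash, and redeems atomically and once. All names and limits are hypothetical.
import hashlib
import hmac
import secrets
import string
import threading

ALPHABET = string.ascii_uppercase + string.digits


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a string of decimal digits (payload without the digit)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:        # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    return code.isdigit() and len(code) > 1 and luhn_check_digit(code[:-1]) == code[-1]


class WeakIssuer:
    """Sequential ID + check digit; format validity is the only proof of issuance."""

    def __init__(self, start: int = 1_000_000):
        self.next_id = start
        self.redeemed = set()

    def issue(self) -> str:
        payload = f"{self.next_id:010d}"
        self.next_id += 1
        return payload + luhn_check_digit(payload)

    def redeem(self, code: str) -> bool:
        # The flaw the thread complains about: no lookup against codes actually issued.
        if not luhn_valid(code) or code in self.redeemed:
            return False
        self.redeemed.add(code)
        return True


def forge_weak_codes(observed: str, count: int) -> list:
    """Attacker side: from one legitimate code, predict the next `count` codes."""
    base = int(observed[:-1])
    forged = []
    for i in range(1, count + 1):
        payload = f"{base + i:010d}"
        forged.append(payload + luhn_check_digit(payload))
    return forged


class HardenedIssuer:
    """Random codes recorded at issuance, single-use, atomically redeemed."""

    def __init__(self, server_key: bytes, code_len: int = 20, per_account_limit: int = 1):
        self._key = server_key
        self._code_len = code_len
        self._limit = per_account_limit
        self._lock = threading.Lock()
        self._unredeemed = set()   # keyed hashes of issued, not-yet-redeemed codes
        self._per_account = {}     # account -> promo codes redeemed so far

    def _digest(self, code: str) -> bytes:
        # Keyed hash: a leaked table yields no usable codes without the server key.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self) -> str:
        # 36**20 is about 2**103 possibilities; guessing through a web endpoint is hopeless.
        code = "".join(secrets.choice(ALPHABET) for _ in range(self._code_len))
        self._unredeemed.add(self._digest(code))
        return code

    def redeem(self, account: str, code: str) -> bool:
        d = self._digest(code)
        with self._lock:   # check-and-mark is atomic: two concurrent redeems cannot both win
            if self._per_account.get(account, 0) >= self._limit:
                return False
            if d not in self._unredeemed:
                return False
            self._unredeemed.discard(d)
            self._per_account[account] = self._per_account.get(account, 0) + 1
            return True


def demo():
    """Returns (forged codes the weak issuer accepted, hardened redeem outcomes)."""
    weak = WeakIssuer()
    forged = forge_weak_codes(weak.issue(), 5)
    weak_accepted = sum(weak.redeem(c) for c in forged)   # every forged code passes

    hard = HardenedIssuer(server_key=secrets.token_bytes(32))
    code = hard.issue()
    outcomes = (hard.redeem("alice", code),      # first use: accepted
                hard.redeem("alice", code),      # replay: rejected
                hard.redeem("bob", "A" * 20))    # never issued: rejected
    return weak_accepted, outcomes


if __name__ == "__main__":
    print(demo())
```

The check digit is still worth keeping in the hardened design, but only as a typo filter in front of the database lookup; it must never stand in for the lookup, which is exactly the Luhn-without-capture mistake the post above describes. The per-account cap is the "one promo code per account" rule another poster suggested, enforced at redemption time rather than reconstructed afterwards.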
Re: (Score:2)
The codes were generated I believe on an MS service that was tricked into generating codes based on existing codes.
From Kotaku:
With Microsoft able to track the generated codes, that means they can also track accounts that cashed in the generated codes for points.
And since they can track the damage, they are qualified to tell us that the $1.2 million figure being thrown about is far from the actual number. "We can't share specific numbers, but the figure is nowhere near the amount that has been reported."
[...]
"We take safety and security very seriously and require that Xbox LIVE members use the service in compliance with applicable laws and specifically prohibit people from engaging in illegal activity as a part of our Terms of Use and Code of Conduct," the statement continued. "Our Policy and Enforcement team is evaluating whether or not certain individuals have violated the Terms of Use for Xbox LIVE and will take the appropriate enforcement on an individual basis."
http://kotaku.com/#!5780686 [kotaku.com]
Re:Dumb kids (Score:4, Funny)
why do you cower behind a chosen underwear based pseudonym? what are you afraid of?
Perhaps he meant a striped, horse-like animal, and he has a lisp, you insensitive clod.
Re: (Score:2)
English is a cruel language:
Perhapth he meant a thtriped, horthe-like animal, and he hath a lithp, you inthenthitive clod.
Fixed that for you
Re: (Score:2)
I don't have a lithp! My keyboard doeth, you inthenthitive clod!
Re:Dumb kids (Score:4, Funny)
you're an idiot.
And you have the social graces and sense of humor of a striped, horse like animal with a lisp.
Re: (Score:3)
And how many kids will come crying after they got nothing but MS-Points for their birthday (because they wanted them, remember, kids aren't really the most reasonable people on the planet) and now are accused of cheating?
Could you see how this could maybe ruin a few kids' birthdays?
Re: (Score:2)
Do you arrest the CEO of Smith & Wesson for a bank robbery?
Outlawing a tool and incriminating its maker for its abuse is a dangerous slippery slope.
Re: (Score:2)
What is the arrestable offense here? They put some numbers in a website text box, and it gave them "Microsoft Points" which have only the 'value' that Microsoft ascribes to them -- they aren't even redeemable for cash. If, instead, they had used a code to generate 1.2 million gold pieces in WoW, would that be worthy of arrest? If it were 1.2 million in gold in a single-player-only game, would that warrant arrest?
My point is that nothing was "stolen" -- there wasn't even any arguable "unauthorized compute
Re: (Score:2)
I don't know the law, but I think there may be something in this that would put you afoul of the law. There is probably a limit to the number of codes you can redeem within the context of the giveaway or whatever. Some forum posts claim as high as several thousand points redeemed.
And MS is losing money if someone uses an improper means to get the codes and then spends the points on games. Tho
Re: (Score:2)
Small point perhaps, but: maybe. This argument is used a lot when calculating the harm of music/film/video game piracy but it doesn't hold much water. If Pw|\|3rB01_13 is some 14 year old peon who gets $10 a month pocket money and $100 at Christmas, Microsoft might sell him one or two games a year. Or $100 worth of MS points, whatever. If he gets his hands on $1600 worth of free MS points and goes on a
Re: (Score:2)
Except that some of the things he buys may not be MS products, meaning MS would have to pay for the goods he purchased.
Re:Dumb kids (Score:4, Insightful)
Re: (Score:2)
In this case, stolen bits doesn't == lost sale. In this case, stolen bits == sale for the publisher. Microsoft has to pay the publisher of the game with real money that was bought with stolen bits. Also, congratulations on your ethics, that allows you to rationalize your behavior to this degree.
I don't get the "stolen bits" argument at all, but an even better comparison is generating gift card activation codes. Plain and simple fraud, bit or no bits.
Re: (Score:2)
Surely all these people who 'stole' several thousand dollars worth of MS Points would have purchased them, had they not been able to obtain them by generating codes, therefore Microsoft suffered financial damages.
Re: (Score:3)
What is the arrestable offense here?
Making fools of a company rich and powerful enough to buy your arrest and punishment.
Re: (Score:2)
This is, sadly, not illegal.
Re: (Score:2)
Cheaters never win
Obviously, you don't play on XBox Live.
Re: (Score:2)
Yeah, really, when I was 11, the most likely place to go for computer help was from us 11 year old kids, as it seemed that a huge portion of the computer literate population was that age at that time. I'm not sure why today's kids would be so feeble intellectually as to make that true.
Re: (Score:2, Insightful)
Go spend some time with a group of "today's kids." Then watch Idiocracy. Then weep as the truth becomes clear to you.
Re: (Score:2)
Well, to be fair, I don't think it's an intellect issue. I'd say most kids have an intellect that's just fine.
They just don't use it.
If anything, it's laziness (partially due to lack of necessity), lack of ... ambition, one might say... lack of interests in anything but [insert wastes of time here], etc.
In short, it's kind of a parenting issue, I suppose.
Re: (Score:2)
I point it at society's need for instant gratification.. most kids and people nowadays don't want to do something that might not work or takes time/energy/brains/effort to complete, when there is something easier to do.
It's not so much being lazy because they are doing something most of the time.. even if it is just playing a game/watching tv/talking/texting/surfing the net.
it's kinda sad really
Re: (Score:2)
Not my kids. They're plenty smart and technically literate (mostly self-taught too).
But we are not a typical family... in good ways and bad,
Rick
Re: (Score:2)
the ratio of kids that can do such things is probably the same, it's just that computers are everywhere now.
So I submit that you are wrong. and so is idiocracy... at least in the regard that we're getting dumber.
Personally I would suspect that as far as strictly intelligence is concerned, we're the exact same as we were whether you compare to gen y/x/baby boomers/ 500 years ago. Just that knowledge and how quickly knowledge is available upon demand, has changed.
Re: (Score:2)
"This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out."
Huh? When I was 12, I was programming in assembler.
So... this would have been simple enough for you to figure out when you were 12. Right?
Re: (Score:2)
I met my elementary school bully as an adult once; the last thing I said to him was "No", when he asked if I wanted fries with that. (true story)
Re: (Score:2)
Huh? When I was 12, I was programming in assembler.
Huh? When I was 11 I was bitbanging RS-232 at 300bps using a telegraph straight key. Got to the point where I could emulate a TTY well enough that I could launch vi and edit a file. We won't go into my privilege escalation exploits... ah, misspent youth.
Luxury. When I was 11 we used to dream of 300bps. We had to whistle FSK sounds directly into the 110bps modem, and if we failed two sign-ons in a row our teachers would thrash us with their belts.
Re: (Score:2)
Huh? When I was 12, I was programming in assembler.
Huh? When I was 11 I was bitbanging RS-232 at 300bps using a telegraph straight key. Got to the point where I could emulate a TTY well enough that I could launch vi and edit a file. We won't go into my privilege escalation exploits... ah, misspent youth.
Luxury. When I was 11 we used to dream of 300bps. We had to whistle FSK sounds directly into the 110bps modem, and if we failed two sign-ons in a row our teachers would thrash us with their belts.
Well, when I was 11 we had to mind link with our living quarters nano-bot hivemind just to get the wall display to turn on the ultra-porn and we only did that for the ironic nostalgia of it when we're bored of watching the 3D vids on our retinal implants. Pardon me, while I matter make up some popcorn and consider uploading myself to the compumatter dyson sphere or just getting that extra thumb on each hand upgrade, I hear it only takes a minute. TTFN, apeman.
Re: (Score:2)
In fairness to Gates, he's willingly given away something like $39 /billion/ dollars of his own money through philanthropic and charity efforts [businessinsider.com]. Even as a stockholder in MS, I doubt he cares much about $1.2 million. But there were probably some chairs thrown in Ballmer's office...
Re: (Score:2)
Actually, for that format, you could use all of any repeating number. For the more "advanced" CD Key which had 4 digits in the first group, you just had to change the 4th digit until it worked (i.e. 9990-999999999, 9991-999999999, etc.)
Re: (Score:2)
I imagine seeing a ship off in the distance with a Microsoft Windows logo flag flapping in the wind. A cool breeze from the East and the sails go up. The pirates raise their colors and proceed to bombard the ship with cannon balls. They pull aside the ailing ship to seize their booty while off in the distance they see an armada of Microsoft ships coming their way. They act quickly, taking everything they can manage before re-boarding their ship and setting sail.
Re: (Score:2)
You're implying MS has management skills?
I think reality is the opposite: MS has plenty of technical skills but management is so utterly incompetent the company is unable to put most of the technical skill to good use.