Re: Lapdog not watchdog
quote: "When will the ICO investigate all the Xbox Live account emptying that's been occurring for the last 2 years, where gamers are losing REAL money.. The answer is, they won't because Microsoft have done a great job of covering up the problem, unlike Sony's open and honest approach...."
OK, I'll bite :)
a) read the T&Cs and the EULA for XBox Live and MS Points; they specifically claim that once you turn cash into Points, it no longer has a monetary value; someone nicking all your Points (which they can't do directly, instead it gets spent on FIFA 13 players or some shit) has not relieved you of anything with a direct monetary value, according to the T&Cs / EULA you have already agreed to. Stupid, but apparently legally binding; you have not lost "real money", you've lost a bunch of "game coupons" with a face value of <0.0001p.
b) having a password of "password" or "abc123" does not, regardless of the backend security used, make your account secure. How many of these breaches were of accounts where they had been dictionary cracked due to lax password practices, instead of directly attributable to shoddy MS backend practices? I'm not (deliberately, anyway) an MS apologist, but I do know that some people use crap passwords, and then use the same crap password everywhere.
A friend of mine had his Live account cleared of points because he used the same email address and password as his PSN account (which was leaked in the attack). That particular cleanout could be easily attributed to Sony, not MS. It could also be easily attributed to him being an idiot and reusing the same credentials for both services. How many other people are in a similar boat?
I'm going to assume that you have had your Live account cleaned out, which is why you have a bee in your bonnet regarding this. If this is the case, can you confirm that your password was unique among all your accounts, strong, and that you used a different email address from any used on sites with weak / nonexistent security (preferably also unique amongst all accounts you hold)? Bear in mind that "Average Joe wouldn't, so I don't see why I should have to" is not going to get you any sympathy from me; sorry to rain on your parade, but the easy availability of domain names, and hosts with MPOP mailboxes, means that using unique addresses for everything is actually quite straightforward, if you don't want to cheap out on your account security.
I'm minded to start a company that offers to rejig all your physical locks to run from the same key; it's the physical security equivalent of reusing the same password, so surely a majority of people will be happy to give up the extra security for the increased simplicity? And when someone clones their key and cleans them out, they can just blame me for making the key easy to copy or something, instead of examining why they, deliberately, chose to cripple their security in the name of laziness :)