$1.2 Million Worth of MS Points Taken After Hackers Figure Out Code Algorithm
The Save and Quit blog reports that a group of hackers figured out the algorithm behind a set of promotional codes that were each redeemable for 160 MS points, the currency used on Xbox Live. Quoting:
"A person would just have to sit back and refresh over and over and rack up the 160MSP codes. Not every code would work, but a majority would. The site started to 404 due to the heavy traffic. If you have closer ties to the pirating community, you could find a program to get the codes for you. ... This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out. ... Microsoft found out about this exploit and put a stop to it immediately, but internet pirates still had enough time to steal $1.2 million worth of Microsoft Points."
Wow, that's almost a full tank of gas.
SJW: Someone who has run out of real oppression, and has to fake it.
I doubt it'll be hard for Microsoft to figure out who redeemed an excessively large number of these codes.
If they are valid codes I don't see how Microsoft could tell the difference.
What's the exchange rate from MS points to Schrute Bucks?
*DrugCheese rants*
The difference between redeeming 1 valid code and redeeming 10? That's pretty easy. Most people learn how to count pretty early on. Or looking at how fast they redeemed them. "Oh, it only took them 1.28 seconds to type in this 25 character string of random numbers.... how odd!"
If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
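The count-and-speed check described in the comment above, sketched as an added example that is not part of the original thread. The log layout, account names and both thresholds are assumptions made for illustration:

```python
from collections import defaultdict

MAX_PROMO_PER_ACCOUNT = 1   # assumed policy: one promotional code per account
MIN_HUMAN_ENTRY_S = 5.0     # assumed floor for typing a 25-character code by hand

# Constructed sample redemption log: (account, seconds since start, points, source)
REDEMPTIONS = [
    ("acct_a", 3.0, 160, "promo"),
    ("acct_b", 10.0, 160, "promo"),
    ("acct_b", 11.28, 160, "promo"),
    ("acct_b", 13.0, 160, "promo"),
    ("acct_b", 15.0, 160, "promo"),
    ("acct_c", 20.0, 1600, "retail_card"),   # not a promo code, never flagged
    ("acct_d", 2000.0, 160, "promo"),
    ("acct_d", 90000.0, 160, "promo"),
]

def flag_accounts(log):
    """Return {account: [reasons]} for accounts whose promo redemptions
    exceed the per-account limit or arrive faster than a person can type."""
    times = defaultdict(list)
    for account, ts, _points, source in log:
        if source == "promo":
            times[account].append(ts)

    flagged = {}
    for account, stamps in times.items():
        stamps.sort()
        reasons = []
        if len(stamps) > MAX_PROMO_PER_ACCOUNT:
            reasons.append(f"{len(stamps)} promo codes redeemed")
        # Gap between consecutive redemptions on the same account
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if gaps and min(gaps) < MIN_HUMAN_ENTRY_S:
            reasons.append(f"fastest entry {min(gaps):.2f}s")
        if reasons:
            flagged[account] = reasons
    return flagged

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(REDEMPTIONS).items()):
        print(account, "->", "; ".join(reasons))
```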
It's not like MS ran out of codes.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
It appears the algorithm wasn't actually determined. Rather, Microsoft essentially left a code generator which took unencrypted parameters available on a web page. Amateur mistake.
Don't the codes get associated with some sort of account somewhere? Could Microsoft not simply look for accounts with some arbitrarily reasonable amount of points on them, then query the purchasing/issuing database to see which of those accounts got most of their credit in short order in 160-point increments then drain those accounts?
Or just simply look for any issuance of points using these promo codes to any accounts, and make sure that credit is only given for ONE promo code per account, and remove all other credits but the first one issued to each account?
It's probably non-trivial, but would cost them far less than, say, a million bucks.
Either that or they just allow the hackers their little victory and consider it a lesson in predictability in promotional codes. After all, Microsoft really hasn't "lost" $1.2 million in cash. Take the department that is running that promo and tell them they lost $1.2M in next year's budget.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
why do you cower behind a chosen underwear based pseudonym? what are you afraid of?
Perhaps he meant a striped, horse-like animal, and he has a lisp, you insensitive clod.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
you're an idiot.
And you have the social graces and sense of humor of a striped, horse-like animal with a lisp.
What is the arrestable offense here? They put some numbers in a website text box, and it gave them "Microsoft Points" which have only the 'value' that Microsoft ascribes to them -- they aren't even redeemable for cash. If, instead, they had used a code to generate 1.2 million gold pieces in WoW, would that be worthy of arrest? If it were 1.2 million in gold in a single-player-only game, would that warrant arrest?
My point is that nothing was "stolen" -- there wasn't even any arguable "unauthorized computer access" that would warrant hacking charges. They just guessed some numbers that in turn incremented a counter somewhere. Microsoft didn't lose anything. None of Microsoft's customers lost anything. As far as I'm concerned, Microsoft can roll back the redeemed codes and be happy that no real damage was done.
--Jeremy
Jesus was a liberal
Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
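The design the comment above asks for (random codes, a server-side record of issued and used codes, no public generator), together with the one-promo-per-account rule raised earlier in the thread, as an added example that is not part of the original thread and not Microsoft's system. The table layout, alphabet and function names are assumptions:

```python
import hashlib
import secrets
import sqlite3

ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # assumed alphabet, avoids look-alike characters
CODE_LEN = 25                           # 25-character codes, as mentioned in the thread

def new_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE codes (digest TEXT PRIMARY KEY, points INTEGER, redeemed_by TEXT)")
    db.execute("CREATE TABLE promo_use (account TEXT PRIMARY KEY)")  # one promo per account
    return db

def _digest(code):
    # Store only a hash, so a leaked table does not hand out working codes.
    return hashlib.sha256(code.encode()).hexdigest()

def issue_code(db, points=160):
    """Back-office only: a code is valid because it was recorded here,
    not because it satisfies a formula a client could reproduce."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    db.execute("INSERT INTO codes VALUES (?, ?, NULL)", (_digest(code), points))
    db.commit()
    return code

def redeem(db, account, code):
    """Return points credited, or 0 for an unknown code, a used code,
    or an account that has already redeemed a promo code."""
    digest = _digest(code)
    try:
        with db:  # single transaction: both writes commit, or neither does
            cur = db.execute(
                "UPDATE codes SET redeemed_by = ? WHERE digest = ? AND redeemed_by IS NULL",
                (account, digest))
            if cur.rowcount != 1:
                return 0
            db.execute("INSERT INTO promo_use VALUES (?)", (account,))
            row = db.execute("SELECT points FROM codes WHERE digest = ?", (digest,)).fetchone()
            return row[0]
    except sqlite3.IntegrityError:
        return 0  # second promo for this account; the code stays unredeemed

if __name__ == "__main__":
    store = new_store()
    first, second = issue_code(store), issue_code(store)
    print(redeem(store, "alice", first), redeem(store, "alice", second))
```

Because the second redemption is rolled back rather than consumed, a code rejected for one account is still usable by a different account.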
Don't hate the farmers, hate the MMO. It's their fault.
The Kruger Dunning explains most post on
What is the arrestable offense here?
Making fools of a company rich and powerful enough to buy your arrest and punishment.
You are in a maze of twisty little passages, all alike.
...to find the caps with the codes was to tilt the bottle. .
Totally, completely, 100% off topic, but... this reminded me that when I looked at a map of Tripoli the other day I noticed this:
Pepsi-Cola Road.
I've been hoping to hear something about anti-government protesters on Pepsi-Cola Road ever since.
Just like, you know... stolen Microsoft Points. Or something.
After all, Microsoft really hasn't "lost" $1.2 million in cash
Careful now. Microsoft points can be used to purchase things from the MS store. Not all of which are owned by MS. If I developed an XBLA game, or DLC for something I expect my 70% (I think it's 70%, Steam is 70%, I haven't worked with anyone using MS points in a while), whether the points were legitimate or not is MS's problem. The deal I have is to be compensated, in cash, for downloads of my product through their store.
If they give away 10 million MS points for the hell of it, I still expect to be paid, and it's their pocket it comes out of. If someone hacks the MS algorithm and uses that to buy my stuff either my stuff should be pulled from their account (a non-trivial, but perhaps necessary thing to do), or I get paid.
There's a much deeper discussion here about points versus a cash wallet. Points they can give away, take back etc. all for free. But if it's real money there are all sorts of tax implications and so on to giving away, or winning 1000 free 'points'. Which is why they use points in the first place. But on the other side, if someone spends 800 points on my DLC, I expect to be paid the $7 or whatever that works out to now.
In this case, stolen bits doesn't == lost sale. In this case, stolen bits == sale for the publisher. Microsoft has to pay the publisher of the game with real money that was bought with stolen bits. Also, congratulations on your ethics, that allows you to rationalize your behavior to this degree.
Is that you, Charlie Sheen?
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
Yes they do. A reseller brick-and-mortar store would have *printed* tickets. Unless MS is deliberately neglecting to keep track of which codes have been printed, they have a record of which codes have been already printed - those codes would be exempt from the double-checking.
:-))
It's quite possible that the set of generated codes on the website overlap with the set of codes on printed tickets, in which case I happily concede the argument to your favour, but my understanding is that the codes are different (due to being only 160 points on the website, but no 160 points on any printed tickets)
(I'm actually quite drunk at this point, so perhaps I'm missing your argument, if so - forgive me - I'm not being deliberately obtuse! Also, consider that an excuse if I'm not making much sense right now - sorry)
Kind Regards
I'm a minority race. Save your vitriol for white people.
Have the hackers arrested and thrown in prison for fraud.
And how many kids will come crying after they got nothing but MS-Points for their birthday (because they wanted them, remember, kids aren't really the most reasonable people on the planet) and now are accused of cheating?
Could you see how this could maybe ruin a few kids' birthdays?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.