A Toronto woman blames Microsoft for what she calls lax security, after her 11-year-old son’s Xbox Live account was hacked, which she believes allowed a thief to charge $300 in gaming purchases to her credit card.

"I wasn’t aware that these purchases were happening," said Jennifer Stubbs. "Someone had gone into our device remotely."

Stubbs said she had no idea hacking of the popular FIFA 13 Ultimate game on Xbox Live was a problem until her son Dylan went to play one morning and found all the players he had bought to build his virtual team — with her permission — had been stolen.  

"We hear these screams from the living room and we go, ‘My god, what has happened?!’" said Stubbs. "He was beside himself."

Jennifer Stubbs and her son Dylan had no idea hacking was a problem with FIFA 13 on Xbox Live until all of his players were stolen. (CBC)

Dylan is an avid soccer player and his mom said he’d been building the virtual team for months.

"He was so proud … and all of his friends play it as well. So it’s a really important social thing, and it’s good for his soccer," said Stubbs.

Not alone

She said she and her husband were surprised to then find several online articles and posts in forums written by others whose players and points had also been stolen. They also discovered unauthorized charges on their credit cards.

Some gamers suggest Microsoft has not done enough to make the online Xbox service secure.  

"We found blogs everywhere. Even on the Microsoft website. There are forums about this. There are people complaining," said Stubbs.

Submit your story ideas:

  • Go Public is an investigative news segment on CBC-TV, radio and the web.
  • We tell your stories and hold the powers that be accountable.
  • We want to hear from people across the country with stories they want to make public.

Submit your story ideas to Kathy Tomlinson at Go Public

Follow @CBCGoPublic on Twitter 

Many Xbox Live subscribers keep credit card information linked to their devices, so they can buy points online, which they use to buy better players for their FIFA team.

Stubbs’s son charged his purchases to her Visa account that way. She said her records indicate he’d spent less than $100.

"After he was hacked, I checked and summarized all of the emails I received and did the math. I realized that out of 42 purchases, I’d only been notified [by Microsoft] of 17," said Stubbs.

Nasty surprise charges

When she got her Visa statement, she found $409 in charges from Microsoft, almost four times as many purchases as her son’s Xbox shows.

The FIFA virtual soccer games are hugely popular worldwide, but there are several complaints online about hacking, going back a couple of years. (CBC)

"The device says he bought 7,000 points," said Stubbs. "The Visa says he bought 25,000 points."

Stubbs pointed out Microsoft is making a lot of money from these purchases, including questionable ones.

"It’s big business. They are targeting the kids, especially under 13. The kids think this is the best thing since sliced bread, so I feel that they are targeting the kids and getting their parents to pay more and more and more into a digital [player] add-on system."

Microsoft declined to be interviewed, but sent a statement saying it is working on improvements.

"In this industry, security is an ongoing challenge and we are working every day to bring new forms of protection to Xbox Live," said the company. 

Brazen hackers

Xbox Live hackers are easy to find online, where some actually boast. At least one has a Facebook page advertising he can "get the best players" and will sell or trade them.

Stubbs compared her Visa charges with information on her son's Xbox Live and said she found several charges for purchases he didn't make. (CBC)

In Stubbs's case, EA Sports – which produces the FIFA 13 game – replaced all of her son’s lost points, so he could buy back his players and more, after she complained about the theft.

But Microsoft has so far refused to reverse the charges on her credit card.

"I thought I had foolproof proof … that we don’t have records of all these billings," said Stubbs. "Microsoft just said … look at our terms and conditions. If you buy something, that’s it."  

Experts say a key problem for consumers – with many other companies, not just Microsoft – is that after the customer agrees to terms and conditions online, the company can legally hold them responsible for any charges to their account.

"All companies are using end-user licence agreements, but almost all consumers are not reading them," said University of British Columbia Prof. Jon Festinger, an expert in video game law.

"The law has generally adopted the position that the agreement has been read."

Big profits

Joel Bakan, who wrote the book Childhood Under Siege, said it costs nothing to replace stolen virtual players, as EA Sports did for Stubbs’s son, but it would cost Microsoft to improve security.

Microsoft has refused to reverse the disputed charges from Stubbs's account. (CBC)

"Since it costs them nothing to give them their players back, that’s going to have lower costs than really addressing the hacking problem," said Bakan.

The sale of virtual goods is the fastest growing and most profitable part of the gaming industry worldwide, he said.

"It’s $15 billion a year today. In 2007, it was $2 billion a year," said Bakan.

Many of the games, he said, are designed to hook children into buying digital add-ons.

"There’s no doubt kids are being victimized by thieves and hackers and what not, but arguably they are being victimized or at least preyed upon by the big companies," Bakan said.

Microsoft said that, to protect accounts, security information should be changed often.

"Many of our security enhancements and recovery processes are dependent upon our members being able to verify their identities using information that is unique to them, such as secondary email addresses, phone numbers, security questions and answers, and trusted devices," said the company.

"The best way to protect an account is to maintain up-to-date security information with Microsoft."

Self-protection advised

EA Sports also sent a statement advising users to learn more about security.

"We try to educate FIFA players to take measures to keep their accounts safe. We do this via our social media channels like Facebook and Twitter, our FIFA online forums, and our customer experience team. When issues surface, we work directly with the individual to resolve the matter quickly," said the company.

Expert Joel Bakan shows reporter Kathy Tomlinson how virtual goods like FIFA soccer players are big business online. (CBC)

Stubbs has now removed her Visa information from the Xbox Live account.

If her son wants to buy points for players, she said she now gets him a pre-paid purchase card from a gaming store.

"I tell every parent that I know what has happened to us," said Stubbs. "I am now cautious of anything to do with the Xbox."
