Hackers figure out MS Points card algorithm and steal $1.2 million

If you’ve ever bought a Microsoft Points card, you’ve seen the long string of characters you have to type in to add the points to your Xbox Live account. Those codes are produced by an algorithm Microsoft relies on to always generate unique codes, each tied to a given number of points.

The problem is that a group of hackers has, at least in part, worked out the algorithm Microsoft uses. Rather than generating completely new codes from scratch, they found a way to take an already-redeemed code and modify it into a fresh code that Microsoft’s redemption system accepted as genuine. That let them mint new codes at will, and a lot of points were stolen as a result.

Each generated code is worth 160 points, which isn’t much on its own, but if you can keep producing new codes the total soon adds up. In some cases people using the tool ran up 10,000 points before the codes stopped working.

Further work on the system produced codes good for 48-hour free Xbox Live trials or a Halo Reach Banshee avatar item, but points were the most desirable prize for anyone running the generator executable.

Microsoft has now blocked any new codes produced with this tool, but not before losing what is thought to be around $1.2 million worth of points. What’s also unclear is whether Microsoft has the records needed to trace which Xbox Live accounts redeemed the fraudulent codes. Without them, there is no way to claw the points back or suspend the accounts involved.

To trace the fraudulent codes, Microsoft would first need a list of which codes were fraudulent, a list it probably doesn’t have, since the redemption system accepted them as genuine at the time. It would then have to comb through its transaction records to match each code to the Live account that redeemed it. That takes time, and staff would have to be paid to do it. Then action would have to be taken against the account holders, with whatever repercussions follow from that.

For $1.2 million it’s worth doing the work, but I don’t know whether Microsoft is willing to spare the resources, especially if there’s a chance it can’t recover the points and content anyway. I’d be more concerned about fixing the weakness that let used codes be turned into new ones, so that it can never happen again.
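As an added illustration (this is not from the original article, and it is not Microsoft’s actual algorithm, which has never been published), here is a constructed Python comparison of two prepaid-code schemes. The first has the property the article describes: a code is a structured serial plus check symbols that anyone can recompute, so holding one used code lets you mint its neighbours. The second is the kind of design that closes the hole: unguessable random codes, a keyed MAC the attacker cannot recompute without the server’s secret, server-side single-use state, and a redemption log that answers the question raised above, which accounts cashed a given set of codes. The alphabet, the 25-symbol length, the serial-plus-check layout and the point values are all assumptions made for the example.

```python
"""Constructed example: a derivable prepaid-code scheme beside a hardened one.

Neither scheme is Microsoft's real algorithm (which is not public). The weak
scheme models the failure mode described in the article; the hardened scheme
makes codes unguessable, binds them to a server-held key, enforces single use,
and logs every redemption attempt so fraud can be traced to accounts.
"""
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKMNPQRTUVWXY23456789"  # assumed 29-symbol alphabet
SERIAL_LEN, CHECK_LEN = 20, 5                # assumed layout of a 25-symbol code
CODE_LEN = SERIAL_LEN + CHECK_LEN


def _encode(n, length):
    """Fixed-width base-29 encoding of a non-negative integer (high bits dropped)."""
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def _decode(s):
    n = 0
    for ch in s:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


def _well_formed(code):
    return len(code) == CODE_LEN and all(c in ALPHABET for c in code)


# ---- Weak scheme: sequential serial + unkeyed check symbols -----------------
def weak_check(serial):
    """Check symbols are a public function of the serial alone."""
    digest = hashlib.sha256(serial.to_bytes(16, "big")).digest()
    return _encode(int.from_bytes(digest[:8], "big"), CHECK_LEN)


def weak_issue(serial):
    return _encode(serial, SERIAL_LEN) + weak_check(serial)


def weak_valid(code):
    """The flawed redemption check: well formed and internally consistent."""
    if not _well_formed(code):
        return False
    return code[SERIAL_LEN:] == weak_check(_decode(code[:SERIAL_LEN]))


def derive_next_codes(used_code, count):
    """The attack: take one used code, step the serial, recompute the check."""
    serial = _decode(used_code[:SERIAL_LEN])
    return [weak_issue(serial + i) for i in range(1, count + 1)]


# ---- Hardened scheme: random body, keyed MAC, single use, audit log ---------
class HardenedRedemption:
    def __init__(self, key):
        self._key = key          # server secret; never embedded in a code
        self._issued = {}        # code -> points value
        self._redeemed = set()
        self.log = []            # (account, code, outcome) for every attempt

    def _mac_symbols(self, body):
        mac = hmac.new(self._key, body.encode("ascii"), hashlib.sha256).digest()
        return _encode(int.from_bytes(mac[:8], "big"), CHECK_LEN)

    def issue(self, points):
        body = _encode(secrets.randbits(90), SERIAL_LEN)  # no order to step through
        code = body + self._mac_symbols(body)
        self._issued[code] = points
        return code

    def redeem(self, code, account):
        """Credit the code's points to account, or return 0 and log why not."""
        if not _well_formed(code):
            outcome = "malformed"
        elif not hmac.compare_digest(self._mac_symbols(code[:SERIAL_LEN]), code[SERIAL_LEN:]):
            outcome = "bad_mac"          # forged or tampered body
        elif code not in self._issued:
            outcome = "not_issued"       # MAC passed but never sold (defence in depth)
        elif code in self._redeemed:
            outcome = "already_redeemed"
        else:
            outcome = "ok"
        self.log.append((account, code, outcome))
        if outcome != "ok":
            return 0
        self._redeemed.add(code)
        return self._issued[code]

    def accounts_that_redeemed(self, suspect_codes):
        """The audit question from the article: which accounts cashed these codes?"""
        suspect = set(suspect_codes)
        return {acct for acct, code, outcome in self.log
                if outcome == "ok" and code in suspect}


if __name__ == "__main__":
    used = weak_issue(123456789)
    forged = derive_next_codes(used, 3)
    print("weak scheme accepts derived codes:", all(map(weak_valid, forged)))

    server = HardenedRedemption(secrets.token_bytes(32))
    card = server.issue(160)
    print("first redemption:", server.redeem(card, "alice"))
    print("replay:", server.redeem(card, "bob"))
    print("who redeemed:", server.accounts_that_redeemed([card]))
```

The weak scheme fails for two reasons that are independent of the exact algorithm: codes have an order an attacker can step through, and the check symbols can be recomputed by anyone. The hardened scheme removes the order with a random body and removes the recomputability with a keyed MAC, but the decisive control is still the server’s own record of what was issued and what was redeemed; with that log in place, the clean-up the article worries about becomes a lookup rather than an investigation.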