Brad summarizes the ongoing hacking problems that have plagued Xbox Live since the middle of last year. While exploring the potential causes and fixes, he ultimately puts the blame on Microsoft's inability to acknowledge the problem (similar to the company's response to Red Ring of Death) and take measures to protect customer data -- security steps that competitors Valve and Sony employ.
We live in trying times. As Sony discovered last spring, the security of customer information has become a matter of grave trust. Unfortunately, when hackers are determined and sufficiently motivated, no system is entirely secure. In the case of the PlayStation Network hack, that attack was motivated by ideological opposition to business decisions made by the Sony corporation. It was unfortunate that Sony’s customers found themselves in the crossfire, but the outcome was not nearly as bad as it could have been. In the months since then, attention has shifted to ever increasing reports of fraud on Xbox Live.
These account intrusions have come to be known as "FIFA hacks," although that is something of a misnomer. Typically, an Xbox Live user will be surprised to receive emails informing him of a large purchase of MS points. He will then discover that any balance of points he already had on his GamerTag has been spent. If he is lucky, his password hasn't been changed, and he will be able to log in to his Windows Live account online, change his password, and regain control of his profile. The less fortunate will discover that their passwords have been changed, their security questions altered, and in some cases, their accounts transferred to a different country.
In most cases, a call to Xbox Live customer support will be required to have any stolen points refunded, the charges to a credit card or PayPal account reversed, and any other alterations restored. In cases of reported fraud, the customer service representative will inform the customer that the Xbox Live account will need to be "locked" for up to 28 days while the claim is investigated. During that time, no further charges are supposed to be possible, but neither will the user be able to go online with his GamerTag. He can still play games offline and earn Achievements, but they will not be reflected online, nor will he be able to play any multiplayer sessions for nearly a month. Microsoft may even offer a free month of Gold membership to make up for the lost time.
At least, that’s what is supposed to happen.
There are many reports of frustrating, multi-month ordeals faced by Xbox users whose accounts were not properly locked, whose stolen points were never fully refunded, who were forced to dispute the unauthorized charges through their banks when Microsoft support appeared unwilling or unable to rectify the situation, or who lost their accounts for multiple months (if not permanently) because Microsoft claimed to be unable to reverse a region change initiated by the account thief.
Although it's difficult to forgive the failures in customer service, the surge of account compromises that began last fall appears to have placed considerable stress on Microsoft's support structure. One common through-line was activity and downloadable-content (DLC) purchases related to the EA Sports FIFA games. This led many to speculate that some security breach or fault in Electronic Arts' online profile system was to blame for the rash of hijackings. In truth, FIFA is not the vector for these attacks but rather the motivation behind them.
Unlike the PSN intrusion, these Xbox Live hackers are not motivated by a desire to publicly shame Microsoft. Instead, they are purely driven by profit. Prior to last year, there was little money to be made off stolen Xbox Live accounts. A compromised account does not actually reveal enough payment details to be used outside the service, and purchased MS points could not be easily transferred to other GamerTags. That changed when EA introduced a new microtransaction-inspired player trading system and DLC to the FIFA franchise.
In the game, EA has created a marketplace for players as part of its "Ultimate Team" system. FIFA gamers can spend in-game currency to buy their favorite soccer players to add to their collections, or earn coins by selling their own. Serious gamers will spend a lot for the best players available. This would be fine if it were a closed, in-game system, but EA also sells a DLC item that can be purchased over and over again like a pack of baseball cards, which gives the buyer a random chance at a high-value soccer star and other potentially lucrative bonuses. This, coupled with a gray market that has cropped up outside the game where FIFA enthusiasts arrange to buy high-value player cards for real-world money, is where the real trouble begins.
The implication of this type of microtransaction may not be obvious at first, but what the hackers have realized -- and what the thousands of "FIFA hack" victims have discovered -- is that EA has created a way to launder stolen MS points for real-world cash. Suddenly, there is a significant profit motive to hack random Live accounts that just was not there before. For every account a hacker breaks into, he can buy as many MS points as possible using the payment method already attached to the account, spend as many points as he can on this particular FIFA DLC, and trade all the cards of any value he gets to a dummy GamerTag where they can be held until they are sold through an online auction site. Repeat until the account’s owner notices what is happening or the point purchases will no longer go through, and move on to the next hacked account.
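The laundering sequence above (a points purchase right after a login from an unfamiliar place, a burst of pack purchases, trades funnelled to one mule GamerTag, then a password or region change) is the kind of pattern a fraud team would look for in account activity. The following is an added example, not code from the article, Microsoft or EA: a small rule set run over a constructed event stream. The event names, fields, the "home country" lookup and the thresholds are assumptions made for illustration, not any real Xbox Live schema.

```python
"""
Added example: score Xbox Live style account events for the "FIFA hack"
laundering pattern. Event schema, home-country table and thresholds are
assumed for illustration; they are not Microsoft's or EA's.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed per-account home country, as a fraud system would hold in a profile store.
HOME_COUNTRY = {"HonestPlayer": "US", "VictimTag": "GB"}

# Constructed sample events: (timestamp, gamertag, event, details).
SAMPLE_EVENTS = [
    ("2012-01-10T20:00:00", "HonestPlayer", "login", {"country": "US"}),
    ("2012-01-10T20:05:00", "HonestPlayer", "buy_points", {"points": 800}),
    ("2012-01-10T20:07:00", "HonestPlayer", "buy_pack", {"points": 200}),
    ("2012-01-10T20:30:00", "HonestPlayer", "trade", {"to": "FriendTag"}),
    ("2012-01-11T03:00:00", "VictimTag", "login", {"country": "RU"}),
    ("2012-01-11T03:01:00", "VictimTag", "buy_points", {"points": 4000}),
    ("2012-01-11T03:02:00", "VictimTag", "buy_pack", {"points": 200}),
    ("2012-01-11T03:03:00", "VictimTag", "buy_pack", {"points": 200}),
    ("2012-01-11T03:04:00", "VictimTag", "buy_pack", {"points": 200}),
    ("2012-01-11T03:05:00", "VictimTag", "buy_pack", {"points": 200}),
    ("2012-01-11T03:06:00", "VictimTag", "trade", {"to": "MuleTag"}),
    ("2012-01-11T03:07:00", "VictimTag", "trade", {"to": "MuleTag"}),
    ("2012-01-11T03:08:00", "VictimTag", "trade", {"to": "MuleTag"}),
    ("2012-01-11T03:10:00", "VictimTag", "change_password", {}),
    ("2012-01-11T03:11:00", "VictimTag", "change_region", {"country": "RU"}),
]

WINDOW = timedelta(minutes=15)   # assumed correlation window
PACK_BURST = 3                   # assumed: packs within WINDOW of a points purchase
TRADE_FUNNEL = 3                 # assumed: trades to one destination


def group_by_account(events):
    """Parse timestamps and group events per GamerTag, sorted by time."""
    by_tag = defaultdict(list)
    for ts, tag, kind, details in events:
        by_tag[tag].append((datetime.fromisoformat(ts), kind, details))
    for tag in by_tag:
        by_tag[tag].sort(key=lambda e: e[0])
    return dict(by_tag)


def score_account(tag, events):
    """Return the names of the rules one account's sorted events trigger."""
    hits = []
    home = HOME_COUNTRY.get(tag)
    # Rule 1: login from a country other than the account's home country.
    if any(k == "login" and d.get("country") != home for _, k, d in events):
        hits.append("foreign_login")
    # Rule 2: points purchase followed by a burst of pack purchases within WINDOW.
    for t0, k, _ in events:
        if k != "buy_points":
            continue
        packs = sum(1 for t, k2, _ in events
                    if k2 == "buy_pack" and t0 <= t <= t0 + WINDOW)
        if packs >= PACK_BURST:
            hits.append("points_to_packs_burst")
            break
    # Rule 3: item trades funnelled to a single destination GamerTag.
    dests = Counter(d["to"] for _, k, d in events if k == "trade")
    if dests and max(dests.values()) >= TRADE_FUNNEL:
        hits.append("trade_funnel")
    # Rule 4: credential, security-question or region change near spending.
    spend_times = [t for t, k, _ in events if k in ("buy_points", "buy_pack")]
    takeover_kinds = ("change_password", "change_security_questions", "change_region")
    for t, k, _ in events:
        if k in takeover_kinds and any(abs(t - s) <= WINDOW for s in spend_times):
            hits.append("profile_change_near_spend")
            break
    return hits


def flag_accounts(events, min_rules=2):
    """Map each GamerTag that trips at least min_rules rules to its rule list."""
    report = {tag: score_account(tag, evs)
              for tag, evs in group_by_account(events).items()}
    return {tag: hits for tag, hits in report.items() if len(hits) >= min_rules}


if __name__ == "__main__":
    for tag, hits in flag_accounts(SAMPLE_EVENTS).items():
        print(tag, "->", ", ".join(hits))
```

On the constructed data, HonestPlayer trips no rule (one pack after a points purchase, one trade to a friend, home-country login), while VictimTag trips all four. Requiring two or more rules before acting keeps a single foreign login or a generous but legitimate pack-buying session from locking an account; in practice the thresholds would be tuned against real purchase baselines, and a hit would feed the charge hold and account lock the article describes rather than an automatic ban.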
But how are these accounts being compromised in the first place?











