Microsoft Points algorithm cracked… they’re out $1M

Looks like someone figured out the algorithm that Microsoft uses to generate unique codes for their alternative currency: Microsoft Points. We were always a bit baffled by the need to do this sort of thing (Disney dollars, tokens at arcades, etc.) but figured it’s just a grift to get you to spend more dough. Looks like this time it may have come back to bite them in the ass with early loss projections somewhere in the $1-$1.2 million range.

But as most of you know, it’s not just an algorithm that can cause this kind of havoc. Whomever figured out how to crunch the numbers apparently packaged the method into a nice GUI and distributed it over the Internet. Check out the video after the break to see that not only will it give you a code, but you can verify that it works at the click of a button. Microsoft is taking steps to invalidate all of the ill-gotten redemption codes, but we wonder how effective they can be at it. Surely they already had contingency plans for this and we wonder if the company didn’t also carry insurance against this kind of loss.

Try as we might, we couldn’t turn up a press release on the subject. If you know of any, please be kind and leave a link in the comments.

[Reddit via Geek]

Comments

  1. I’m not sure if they’re ‘out’ $1M – that’s kinda like music industry math. Unless you can buy physical things with Microsoft points…

  2. Lee says:

    According to some comments it wasn’t the algorithm that was cracked, but rather the way they exploited the system that sent out promotional codes for points. Big difference. Here’s the url for the forum where it supposedly originated: http://www.thetechgame.com/Forums/viewtopic/t=954941.html

  3. Anthony Thornton says:

    They could be out up to $1m if people use the ill-gotten points to purchase the games off of Xbox Live Marketplace. You are able to purchase some full games “on demand” through the marketplace, which I’m assuming Microsoft then forwards on to the game’s publisher.

  4. mrasmus says:

    As far as tokens in arcades go, they end up having multiple advantages for the location. The first of which is the short-term loan (“scam/grift”) aspect — you have an investment with the company that they “pay back” when you use all your tokens up, but it’s 0-interest and non-liquid. As soon as you’ve bought the tokens, they have your money, even though they haven’t rendered services to earn it yet (aka, you haven’t played the games yet). This is the same for Microsoft Points, as well as any other virtual currency like this. You usually end up with a virtual balance that you can’t spend, and can’t liquidate back into real money, so you end up giving them a free loan until you buy *more* of their currency, and spend it.

    The other advantage, for arcades, is significantly more legitimate: Tokens provide an easier-to-authenticate form of currency. It’s fairly easy to buy slugs online that will look to most coin authentication devices like quarters. Tokens for arcades, in many cases, are specific densities/weights/thicknesses that make them unique, and easier to automatically authenticate. It’s often cheaper, therefore, on a per-machine basis to reliably authenticate tokens than quarters, and the proper high-end currency authentication mechanisms can be invested in for the currency exchanging stations (rather than having to be redundant across all your machines). You also get the added bonus of, at the end of the day when you need to collect all the real money made by the machines (as to not leave it in them overnight), you only have to collect from your 2-4 currency exchanging stations.

    This problem isn’t had by these online services, but another parallel problem is introduced — one of microtransactions. As you want to sell things for low prices online (<$5, for instance), the credit card fees become a significant portion of the money that comes in. If you have to pay $0.20 per transaction fee, on a $20 item that's not a huge deal… on a $2, however, now you're talking about 10% of the item cost. By forcing the purchase of virtual currency, you're bundling what could be a series of transactions into one, saving significant money on the credit card processing fees.

    Not saying whether any of these systems are good or bad, just providing some facts about why they exist. There are more elements in play than I've listed here, as well, but these are basically the major ones (as I understand it).

  5. H3xx says:

    Anonymous FTW

  6. mrasmus says:

    To Nick’s comment: Yes, these are virtual goods. However, just because they reside on MS’s servers, and it’s a MS currency, that doesn’t mean it’s no cost. If you were to buy a game with this currency, it actually *does* cost Microsoft money — they have to honor their currency, and pay the developer of that game for that “sale”. This is unlike the argument used by some music pirates that “just because I torrented the music doesn’t mean I would have bought it, so a pirated song doesn’t mean a lost sale” — there is a tangible cost to Microsoft for each download that uses these points. Now, Microsoft gets a percentage of each sale on their service, so $1M points ends up being whatever their % of the sales is in “lost revenue”, and then the rest in actual money they have to back (give to the developers).

  7. xeracy says:

    I would feel sorry for Microsoft if their point system was 1:1 currency… I never liked buying 1000-point increments for some arbitrary price and then having to choose games/downloads that perfectly add up to that quantity or else have spare points that I don’t want. This is karma, plain and simple.

  8. @mrasmus – good point, I didn’t think about that. It probably still didn’t cost them $1M, but maybe it cost them $800k in transfer payments to license holders.

  9. biozz says:

    I am a big fan of Microsoft and I’m sad to see them cracked, but god damnit, if you use a randomly generated code the algorithm will eventually be cracked! You should change it up a bit!

  10. j says:

    With tokens in arcades I have noticed typically they charge 1$ for 3 tokens, They then have games which cost 4 tokens. So to play said game you have to spend 2$ and you end up with 2 extra tokens. So if you only want to play one game you have to spend 4$ so you don’t walk away with extra tokens. Games which cost 2 tokens leave you with one extra – and most arcades don’t have a 1 token game. It’s a way to make you pay just slightly more for a game which should cost 1$ to play, and usually you end up walking away with a token which you either lose or forget to bring next time.

    I wouldn’t be so bothered by tokens if it was 1$ for 4 tokens. But it’s annoying getting 3 for 1$ and having games cost even amount of tokens to play.

    • FTW says:

      Microsoft probably will lose a considerable amount of money in the percentage they take off the top, and what with all the people that buy movies, games, avatar items, subscription fees, etc. I’d say that 1MIL might be possible and I could believe it. Microsoft will probably make an update or a new algorithm, they might just patch it but it will take time and within that time they may lose a good percent of their revenue. And to the person that cracked the algorithm BRAVO!

  11. Brennan says:

    @xeracy

    Microsoft’s point algorithm has nothing to do with the way they handled currency conversion – they would have gotten hacked either way. And am I honestly the only one who doesn’t care if I have a few points left over in my account after store purchases? Don’t be an impulse buyer and just leave those points for your next purchase. The most money you’ll ever be out is the few points left in your account if you ever sell your xbox.

  12. wosser says:

    I don’t think MS will be able to recover from the loss of such a gigantic sum of revenue. I mean that’s a MILLION dollars, people! Maybe now that they are facing inevitable bankruptcy, it’s a good time for Atari to start up again. Their games were better anyway.

  13. xeracy says:

    @Brennan – first, I made no claim as to the reason/method for the hack being related to the point quantities they offer. Your justification for being ok with the extra points makes sense on a person-to-person basis. However, if you add up all the unspent points in EVERY SUBSCRIBER’S ACCOUNT, I can assure you MS is making a boat load of money on those unspent points. Their system is designed to ensure that users will likely carry a balance so they can make extra income without having to actually provide a service or good. It’s a business model that, in my opinion, is unethical.

  14. cigawoot says:

    The description of the Youtube movie is asking me to download and run an executable as local administrator.

    Sorry, I’m not that stupid.

    Why is this on Hack A Day? This garbage doesn’t belong here, especially a youtube video that is an obvious scam to install malware on your PC.

  15. Drake says:

    @Anthony

    Microsoft points cannot purchase games on demand. . . which is one of my gripes with the “points” system. Stick to one currency or another or both but don’t mix the two for the same media.

    eg don’t charge a dollar for a loaf of bread and charge 3 euros for some Bologna.

  16. fartface says:

    @Anthony Thornton so if I buy a game then someone else can’t buy that game? I deprive someone of that copy of a game?

    Nope. It’s free, $0.00 cost to them. All it represents is a potential loss of profits. Stop spreading the lies the Copyright cartels programmed you to spread.

  17. wilfite says:

    @wosser:
    Uh…you’re kidding, right? MS made $4.52 BILLION dollars in profits last quarter. A mill here or there is just an annoyance.

  18. JSqrt says:

    “varify”?
    I guess it really must have been easy.

  19. mrasmus says:

    @fartface: You’re a bit mistaken on this — Your argument is legitimate (though I wouldn’t agree that it’s justification, the point is sound that downloads represent only a potential loss of sales) for torrented/downloadable titles, it’s no longer true when you’re talking about virtual currency, as each sale using the duped virtual currency costs Microsoft actual money that they have to pay to the developers of whatever content was purchased. But I’ve already detailed this — see my second comment (the sixth to the article).

  20. hackersmith says:

    Easy now. Ars Technica is reporting that it is likely not “ONE MILLION DOLLARS” (touches pinky to lips) but more like a couple of thousand. Not good but they are looking at maybe invalidating them. Here read it all:

    http://arstechnica.com/gaming/news/2011/03/xbox-live-points-hack-cost-microsoft-thousands-not-millions.ars

  21. bunedoggle says:

    After the hell MS put me through to cancel my Gold subscription I’m inclined to agree with the karma theory.

    A multi-billion dollar software company that doesn’t allow you to cancel through the website? Instead required hours of time on hold with a live operator? An operator who asks you to hold and hangs up, repeatedly? Sleazy MS. Serves you right.

  22. kwajkid says:

    Anyone who used this is an idiot. You have to apply these credits to your Xbox Live account, and those accounts will definitely get banned once they inevitably figure out how to prove who gamed the system.

  23. Stu says:

    @ff: I would be inclined to agree with you if the issue in question was simple piracy. If you download a pirated game from an unauthorized source and run it on modified hardware, that represents a loss of potential money. However, if you walk into McDonald’s and buy a soda with counterfeit money, that’s a loss of real money. McDonald’s still has to pay the soda vendor for the product you consumed, but it doesn’t affect anyone else’s ability to purchase a drink.

    Now let’s say that everyone who purchased a drink at McDonald’s used counterfeit money. The drink vendor still wants to get paid, but McDonald’s isn’t making money from the drinks anymore. They have three options — raise drink prices in case they get a legitimate customer, stop offering drinks for sale, or give the drinks away and raise prices on the other items they sell to compensate.

    This is also why piracy doesn’t represent a perpetual loss. If someone steals a drink container and starts selling or giving those drinks away for free, there is a singular, fixed loss for McDonald’s that doesn’t change regardless of how many drinks the thief provides. There’s no indication that thirsty people would buy a drink from McDonald’s even if someone else wasn’t giving the product away for free…

  24. Spork says:

    Easy to catch them…
    M$ obviously tracks all the codes they themselves produce… Write a script to kill all codes that you haven’t produced and you’ve got an easy fix…. until you want to sell new codes. :)

  25. Tux320 says:

    @wilfite

    I believe he was employing that old, trustworthy form of humour, sarcasm. i.e. exaggerating the importance for humorous effect

  26. Spork says:

    @HaD

    They didn’t figure out the algorithm. They simply changed a URL… there were only ~10,000 ‘codes’ and they were only worth ~$2 USD to purchase.

    No million dollar losses… but lots of inaccuracies on HAD.

  27. Peanut says:

    Nobody seems to be addressing the important questions here:

    Does it still work?

    Is it traceable?

    And how do we do it??! :-D

  28. jsngrimm says:

    HACKERS: 1 MICROSOFT: -1,000,000 I got it, I’ll tell you guys if it works =D

  29. jsngrimm says:

    It says the points will be put in my account in 12-24 hrs… when I put the code I just generated in my Xbox it said invalid, so I guess we’ll see

  30. Jeditalian says:

    I think this is the first time I’ve ever seen something on Hackaday that is anywhere near my initial expectations of a site named ‘hack-a-day’

  31. polossatik says:

    The 160 points “freebies” generated with this script seem to be blocked now by Microsoft. The real Q is if the algorithm is capable of generating other codes that are less traceable.

    It might be this script was simply put online to see how easy it was to block/find counterfeit codes. aka use all the free tards as Guinea pigs :)

  32. Spork says:

    @polossatik

    If you bothered to read the forums all they did was modify a URL.. there IS no algorithm. [Mike]’s post was just sadly misinformed.

  33. Sam says:

    @Jeditalian
    It’s Hack-A-Day, not Crack-A-Day. Please learn your terminology.

  34. John says:

    It’s supposed to be whoever, not whomever.

  35. Steve says:

    There is no crack and this is just a scam to get people to sign up for that damn promotions site. Do better research before posting a news item or don’t try and play ad-based revenue systems as a news item. This is like the full page ads that look like news stories in the paper.

  36. polossatik says:

    @spork ha ok, I did notice the URL was in a MS site (don’t have/use an Xbox),
    I thought it was some kind of keygen script or so they used.
    By the way, I always wanted a Spork to ask this: do you feel more spoon or more fork? :)

  37. BadCoding says:

    Just had to add to this: Those claiming they don’t like it because it isn’t a 1:1 currency conversion – there is more than the US $. There are pounds, euros, yen… A Microsoft point in any denomination is still 1 point. So this one currency works the same worldwide.

  38. MoJo says:

    @mrasmus, are you sure they have to pay the game devs for the sale? I wouldn’t be surprised if there is a clause in the XBL contract that says the developer is liable for any fraud just as much as Microsoft is. I doubt it will actually cost any developers money but I would be surprised if they get paid for illegitimate purchases.

    After all that is how credit cards work. If someone makes a fraudulent purchase in a shop with a stolen card and the real owner reverses the transaction then the shop loses.

  39. edonovan says:

    @MoJo

    I don’t think Microsoft can prove that any of the purchases are fraudulent, so they’ll still have to pay the developer for the sale.

    I’m sure most of the points just got applied to XBoxLive subscriptions, anyway.

  40. Pup says:

    Looks like they won’t be able to buy that ivory backscratcher after all.

  41. PocketBrain says:

    Video removed.

  42. dan fruzzetti says:

    Microsoft doesn’t strike me as a company that’s ever felt the need to prepare contingencies — they just rest on their huge mass and inertia; every time I see them bested by some horny teenager, they just backpedal and say “ok ok hack our shit”

  43. xYORKSHIREx says:

    @ BadCoding

    It’s not a universal currency because points purchased in America do not work in the UK.
    It’s just Microsoft trying to make more money.
