Microsoft Points Algorithm Cracked… They’re Out $1M

Looks like someone figured out the algorithm that Microsoft uses to generate unique codes for their alternative currency: Microsoft Points. We were always a bit baffled by the need to do this sort of thing (Disney dollars, tokens at arcades, etc.) but figured it’s just a grift to get you to spend more dough. Looks like this time it may have come back to bite them in the ass with early loss projections somewhere in the $1-$1.2 million range.

But as most of you know, it’s not just an algorithm that can cause this kind of havoc. Whoever figured out how to crunch the numbers apparently packaged the method into a nice GUI and distributed it over the Internet. Check out the video after the break to see that not only will it give you a code, but you can verify that it works at the click of a button. Microsoft is taking steps to invalidate all of the ill-gotten redemption codes, but we wonder how effective they can be at it. Surely they already had contingency plans for this and we wonder if the company didn’t also carry insurance against this kind of loss.

Try as we might, we couldn’t turn up a press release on the subject. If you know of any, please be kind and leave a link in the comments.


[Reddit via Geek]

44 thoughts on “Microsoft Points Algorithm Cracked… They’re Out $1M”

  1. They could be out up to $1m if people use the ill-gotten points to purchase the games off of Xbox Live Marketplace. You are able to purchase some full games “on demand” through the marketplace, which I’m assuming Microsoft then forwards on to the game’s publisher.

  2. As far as tokens in arcades go, they end up having multiple advantages for the location. The first of which is the short-term loan (“scam/grift”) aspect — you have an investment with the company that they “pay back” when you use all your tokens up, but it’s 0-interest and non-liquid. As soon as you’ve bought the tokens, they have your money, even though they haven’t rendered services to earn it yet (aka, you haven’t played the games yet). This is the same for Microsoft Points, as well as any other virtual currency like this. You usually end up with a virtual balance that you can’t spend, and can’t liquidate back into real money, so you end up giving them a free loan until you buy *more* of their currency, and spend it.

    The other advantage, for arcades, is significantly more legitimate: Tokens provide an easier-to-authenticate form of currency. It’s fairly easy to buy slugs online that will look to most coin authentication devices like quarters. Tokens for arcades, in many cases, are specific densities/weights/thicknesses that make them unique, and easier to automatically authenticate. It’s often cheaper, therefore, on a per-machine basis to reliably authenticate tokens than quarters, and the proper high-end currency authentication mechanisms can be invested in for the currency exchanging stations (rather than having to be redundant across all your machines). You also get the added bonus of, at the end of the day when you need to collect all the real money made by the machines (as to not leave it in them overnight), you only have to collect from your 2-4 currency exchanging stations.

    This problem isn’t had by these online services, but another parallel problem is introduced — one of microtransactions. As you want to sell things for low prices online (<$5, for instance), the credit card fees become a significant portion of the money that comes in. If you have to pay $0.20 per transaction fee, on a $20 item that's not a huge deal… on a $2, however, now you're talking about 10% of the item cost. By forcing the purchase of virtual currency, you're bundling what could be a series of transactions into one, saving significant money on the credit card processing fees.

    Not saying whether any of these systems are good or bad, just providing some facts about why they exist. There are more elements in play than I've listed here, as well, but these are basically the major ones (as I understand it).

  3. To Nick’s comment: Yes, these are virtual goods. However, just because they reside on MS’s servers, and it’s a MS currency, that doesn’t mean it’s no cost. If you were to buy a game with this currency, it actually *does* cost Microsoft money — they have to honor their currency, and pay the developer of that game for that “sale”. This is unlike the argument used by some music pirates that “just because I torrented the music doesn’t mean I would have bought it, so a pirated song doesn’t mean a lost sale” — there is a tangible cost to Microsoft for each download that uses these points. Now, Microsoft gets a percentage of each sale on their service, so $1M points ends up being whatever their % of the sales is in “lost revenue”, and then the rest in actual money they have to back (give to the developers).

  4. I would feel sorry for Microsoft if their point system was 1:1 currency… I never liked buying 1000 points increments for some arbitrary price and then have to choose games/downloads that perfectly add up to that quantity or else have spare points that I don’t want. This is karma, plain and simple.

  5. I am a big fan of Microsoft and I’m sad to see them cracked but god damnit if you use a randomly generated code the algorithm will eventually be cracked! You should change it up a bit!

  6. With tokens in arcades I have noticed typically they charge 1$ for 3 tokens. They then have games which cost 4 tokens. So to play said game you have to spend 2$ and you end up with 2 extra tokens. So if you only want to play one game you have to spend 4$ so you don’t walk away with extra tokens. Games which cost 2 tokens leave you with one extra – and most arcades don’t have a 1 token game. It’s a way to make you pay just slightly more for a game which should cost 1$ to play, and usually you end up walking away with a token which you either lose or forget to bring next time.

    I wouldn’t be so bothered by tokens if it was 1$ for 4 tokens. But it’s annoying getting 3 for 1$ and having games cost even amount of tokens to play.

    1. Microsoft probably will lose a considerable amount of money in the percentage they take off the top, and what with all the people that buy movies, games, avatar items, subscription fees, etc., I’d say that 1MIL might be possible and I could believe it. Microsoft will probably make an update or a new algorithm, they might just patch it but it will take time and within that time they may lose a good percent of their revenue. And to the person that cracked the algorithm BRAVO!

  7. @xeracy

    Microsoft’s point algorithm has nothing to do with the way they handled currency conversion – they would have gotten hacked either way. And am I honestly the only one who doesn’t care if I have a few points left over in my account after store purchases? Don’t be an impulse buyer and just leave those points for your next purchase. The most money you’ll ever be out is the few points left in your account if you ever sell your xbox.

  8. I don’t think MS will be able to recover from the loss of such a gigantic sum of revenue. I mean that’s a MILLION dollars, people! Maybe now that they are facing inevitable bankruptcy, it’s a good time for Atari to start up again. Their games were better anyway.

  9. @Brennan – first, I made no claim as to the reason/method for the hack being related to the point quantities they offer. Your justification for being ok with the extra points makes sense on a person-to-person basis. However, if you add up all the unspent points in EVERY SUBSCRIBER’S ACCOUNT, I can assure you MS is making a boat load of money on those unspent points. Their system is designed to ensure that users will likely carry a balance so they can make extra income without having to actually provide a service or good. It’s a business model that, in my opinion, is unethical.

  10. The description of the Youtube movie is asking me to download and run an executable as local administrator.

    Sorry, I’m not that stupid.

    Why is this on Hack A Day? This garbage doesn’t belong here, especially a youtube video that is an obvious scam to install malware on your PC.

  11. @Anthony

    Microsoft points cannot purchase games on demand. . . which is one of my gripes with the “points” system. Stick to one currency or another or both but don’t mix the two for the same media.

    eg don’t charge a dollar for a loaf of bread and charge 3 euros for some Bologna.

  12. @Anthony Thornton so if I buy a game then someone else can’t buy that game? I deprive someone of that copy of a game?

    Nope. It’s free, $0.00 cost to them. All it represents is a potential loss of profits. Stop spreading the lies the Copyright cartels programmed you to spread.

  13. @fartface: You’re a bit mistaken on this — Your argument is legitimate (though I wouldn’t agree that it’s justification, the point is sound that downloads represent only a potential loss of sales) for torrented/downloadable titles, it’s no longer true when you’re talking about virtual currency, as each sale using the duped virtual currency costs Microsoft actual money that they have to pay to the developers of whatever content was purchased. But I’ve already detailed this — see my second comment (the sixth to the article).

  14. After the hell MS put me through to cancel my Gold subscription I’m inclined to agree with the karma theory.

    A multi-billion dollar software company that doesn’t allow you to cancel through the website? Instead required hours of time on hold with a live operator? An operator who asks you to hold and hangs up, repeatedly? Sleazy MS. Serves you right.

  15. Anyone who used this is an idiot. You have to apply these credits to your Xbox Live account, and those accounts will definitely get banned once they inevitably figure out how to prove who gamed the system.

  16. @ff: I would be inclined to agree with you if the issue in question was simple piracy. If you download a pirated game from an unauthorized source and run it on modified hardware, that represents a loss of potential money. However, if you walk into McDonald’s and buy a soda with counterfeit money, that’s a loss of real money. McDonald’s still has to pay the soda vendor for the product you consumed, but it doesn’t affect anyone else’s ability to purchase a drink.

    Now let’s say that everyone who purchased a drink at McDonald’s used counterfeit money. The drink vendor still wants to get paid, but McDonald’s isn’t making money from the drinks anymore. They have three options — raise drink prices in case they get a legitimate customer, stop offering drinks for sale, or give the drinks away and raise prices on the other items they sell to compensate.

    This is also why piracy doesn’t represent a perpetual loss. If someone steals a drink container and starts selling or giving those drinks away for free, there is a singular, fixed loss for McDonald’s that doesn’t change regardless of how many drinks the thief provides. There’s no indication that thirsty people would buy a drink from McDonald’s even if someone else wasn’t giving the product away for free…

  17. Easy to catch them…
    M$ obviously tracks all the codes they themselves produce… Write a script to kill all codes that you haven’t produced and you’ve got an easy fix…. until you want to sell new codes. :)

  18. @HaD

    They didn’t figure out the algorithm. They simply changed a URL… there were only ~10,000 ‘codes’ and they were only worth ~$2 USD to purchase.

    No million dollar losses… but lots of inaccuracies on HAD.

  19. The 160 points “freebies” generated with this script seem to be blocked now by Microsoft. The real Q is if the algorithm is capable of generating other codes that are less traceable.

    It might be this script was simply put online to see how easy it was to block/find counterfeit codes. aka use all the free tards as Guinea pigs :)

  20. There is no crack and this is just a scam to get people to sign up for that damn promotions site. Do better research before posting a news item or don’t try and play ad-based revenue systems as a news item. This is like the full page ads that look like news stories in the paper.

  21. @spork ha ok, I did notice the url was in a MS site (don’t have/use an Xbox),
    I thought it was some kind of keygen script or so they used.
    By the way, I always wanted a Spork to ask this: do you feel more spoon or more fork? :)

  22. Just had to add to this: Those claiming they don’t like it because it isn’t a 1:1 currency conversion – there is more than the US $. There are pounds, euros, yen… A Microsoft point in any denomination is still 1 point. So this one currency works the same worldwide.

  23. @mrasmus, are you sure they have to pay the game devs for the sale? I wouldn’t be surprised if there is a clause in the XBL contract that says the developer is liable for any fraud just as much as Microsoft is. I doubt it will actually cost any developers money but I would be surprised if they get paid for illegitimate purchases.

    After all that is how credit cards work. If someone makes a fraudulent purchase in a shop with a stolen card and the real owner reverses the transaction then the shop loses.

  24. @MoJo

    I don’t think Microsoft can prove that any of the purchases are fraudulent, so they’ll still have to pay the developer for the sale.

    I’m sure most of the points just got applied to XBoxLive subscriptions, anyway.

  25. Microsoft doesn’t strike me as a company that’s ever felt the need to prepare contingencies — they just rest on their huge mass and inertia; every time I see them bested by some horny teenager, they just backpedal and say “ok ok hack our shit”
