The algorithm that generates the codes used on those Microsoft Xbox Live MS Points card thingys was apparently exploited to generate new key codes from old codes. A new code was not created; instead, it was figured out how to add to an existing/old code to create a new one from that, kind of like a template. There is a name for this, it's called "explorate" (I think). Each code was worth up to 160 MS points, which may not sound like a lot or even be worth a lot on its own, but when you can generate as many as you want... you eventually cost M$ $1.2mil :p The tool/attack no longer works, and it will be interesting to see what Microsoft do about this to users, since they effectively robbed them (new ban wave? going further?)
...
Story:
If you’ve ever purchased a Microsoft Points card then you’ve seen the long line of characters you have to input to add the points to your Xbox Live account. Those codes are generated by an algorithm Microsoft relies on to always create unique codes and associate them with a given number of points.
The problem is, the algorithm Microsoft uses has been figured out by a group of hackers to some extent. Rather than generating completely new codes, the hackers figured out how to add to a used code and get a brand new working code. In so doing, they were able to generate new codes that worked with Microsoft’s redemption system, leading to a lot of stolen points.
Each code manages to accrue 160 points which isn’t a lot, but if you can keep generating new codes the total amount soon adds up. In some cases those using it generated 10,000 points before the codes stopped working.
Further work on the system managed to produce codes offering 48-hour free Live trials or a Halo Reach Banshee avatar, but the points were the most desirable outcome for anyone using the generating executable.
Microsoft has now blocked any new codes produced with this tool, but not before losing what is thought to be in the region of $1.2 million worth of points. What’s also unclear is whether they have the records in place to track which Xbox Live accounts redeemed the fake codes. If they haven’t, then there’s no way to demand the money back or block those accounts.
Sources: Joystiq and Save and Quit