Hello, dev.to!
It is my displeasure to announce, today, that Microsoft – yes, the multibillion dollar company – is holding my Microsoft account hostage.
I have two main questions for everyone:
- How can I find and contact Microsoft employees?
- How, and where, can I make a big enough splash online to get on Microsoft's radar?
And I have four main concerns I wish to address:
- How I ended up where I am now.
- Microsoft's lack of attention to detail when designing a log-in system.
- Microsoft's slipperiness and noncooperation.
- What I am trying to do to rectify this issue.
Table of Contents
What happened?
Recently, my Microsoft account was hijacked, which I wrote an article about.
In summary, there was a (cleverly designed) phishing scam which got a hold of my Microsoft account by tricking me into giving them a OTP – and, as I recall, it didn't even require me to give them my email address, I was brought straight to Microsoft's log-in prompt.
How Microsoft Plays A Part
While phishing is usually thought to be the equally the fault of the scammer and the victim, certain phishing scams are more advanced than others and take advantage of a system that's already in place, which is the case here.
This scam took advantage of the vague wording of Microsoft's emails to convince me to give them a OTP under the pretext that it is a "verification code".
So, what did Microsoft's email, containing my one-time-password, look like?
This:
How could anyone fall for this?
Well, it's because of the vague wording – the use of "security code" instead of "one-time-password" or "account access code".
What's worse is that Microsoft has different types of "security code"s, which are also six-digit numbers, much like this OTP.
What else does Microsoft use these security codes for?
Verifying your email when you first sign up for a Microsoft account, verifying your email when you are talking to one of Microsoft's virtual chat agents, when confirming signins, et cetera. — While all these things are very similar, it can become confusing what code is a OTP and isn't a OTP.
While I should have maybe smelled something fishy when I got a code via email, I mistakenly thought that this code was in the vein of something like a Google Authenticator or Microsoft Authenticator code, especially due to the form and nature of the code.
Also, compare that email with this one, which does clearly state the intention of the code:
Microsoft's Coldness
Since about June fourteenth, I've been trying to get my account back; however, Microsoft has done very little to cooperate.
I tried to use both the ACSR (Automated Customer Support Representative) form and the Account Reinstatement form, but it has yielded very poor results.
At first, I was able to get Microsoft to realize that there was indeed illegitimate activity on my account.
... However, after some back-and-forth, I was emailed by a Microsoft employee, named Rhodz, that I would not get my account back due to "a severe violation of the Microsoft Service Agreement" — when I asked for elaboration, though, an employee named Luis refused to tell me what the violation was, saying “Pursuant to our terms, we cannot reactivate your account, nor provide details as to why it was closed. ”.
After talking with some more live support agents, I was told by one, named Angela, that "my account being hijacked can be the main reason the system disabled it".
What's next?
What am I going to do now...?
Well, I'm not quite sure.
I was hoping some people – along with discussing Microsoft's behavior – would be able to give me some suggestions for what to do.
Currently, the plan is just to become a hemorrhoid on Microsoft's ass, as being inert is going to lead to even poorer results.
So... what do you all think of Microsoft's actions?
Do you think they play a part in this, like I do, or no?
Cheers!
Top comments (0)