Hackers Can Easily Lift Credit Card Info From a Used Xbox
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.
I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
-Billco, Fnarg.com
The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the Flash NAND that everything else is stored in remains untouched- that is, the data is still there- just not in any reference-able format (this is analogous to unlinking a file- the data is still there, just not listed in the filesystem's TOC).
If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc)- then enter in a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB- but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience, I've done it before- but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad- up, down, left, right, then the X, Y, A, and B buttons).
If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).
Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.
But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.
-AC
Pretty soon everyone will have had their credit card stolen so just don't worry about it!
Nothing gained, nothing lost!
The good ol' days when someone just stole your wallet/pocketbook from your grocery cart... how I miss them.
Straight wiping of a 360 hard drive will destroy it for future 360 use. The hard drive security sector (hddss.bin) is stored on the disk and, if erased, will render the hard drive useless on a stock 360 console. The security sector cannot be "spoofed" or otherwise, as each hddss.bin is unique to the specific hard drive on which it resides. Only by backing up the specific sectors where hddss.bin is stored before wiping, then restoring them afterward, can the hard drive be kept usable in a 360 console.
There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
I buy the gift cards when doing anything regarding the xbox
The jury is still out on this, absent real evidence I'm going to wait until more is known.
Exactly, those researchers at Drexel U have shown themselves to be repeatedly untrustworthy, and have huge commercial reasons to lie.
And those people who are unsure whether their credit card details have been stolen shouldn't complain either.
I mean, which part of "Microsoft product" did they not understand?
TFA: Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].
That's a solid find. Except for the fact that I can't find the option to enter in a Discover card to Xbox Live for it to store. Chances of this being a real valid Discover card number? I'd put it right around the same as /dev/urandom.
http://i.imgur.com/A0M4d.png
I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
The point, I think, is that it's naive not to assume some engineer decided to store the info in *both* places. If you were trying to make the customer experience as smooth as possible, and you had 99% confidence that the home box was in possession of the Real User, you might want to make the process a little more "foolproof".
Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen, which has a non-zero chance to frustrate the Real User to the point of cancelling the sale. Bad for a market built on instant gratification.
Any good-hearted engineer who cries foul from a system security training point of view has probably never had to answer to a Director more concerned with their department operating at a loss for years. The Xbox division regularly dipped into and out of the red until the last couple of years.
And the bigger point is, with all the revisions to the Dashboard, it may be impossible to know when this purported "feature" was added, taken away, or actively used. I bet you 2800 MS Points that the next dash update roots out and purges this data. Won't stop the class-actions though.
Credit card details were already leaked through Sony themselves. No need to physically get at the boxes.
-]Phreak Out[-
Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.
No need for multiple passes either, simply write binary zeros everywhere and you are done. The old FUD about the CIA recovering your info with electron microscopes is pure bull, and nobody has ever once successfully demonstrated that in public even when they had access to state of the art university electron microscopes.
Platter level forensics are a hoax.
Got myself a copy (my employer appears to have a subscription). The really critical bit here is:
"Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10."
They conclude that it's likely this is a credit card, based on the card identifier (first four numbers) and that it matches the Luhn algorithm (mis-spelt as "Luhr" in the article - that took a while to figure out!); however, the Luhn algorithm isn't designed for this sort of use, it's primarily there to catch data entry mistakes. I'm fairly happy that the chances of a match like this on a multi-GB hard drive are fairly good, just through random chance. A good follow-up experiment here would be to buy new XBox 360s, buy points and then scan the hard drive for the card used.
IMHO their points raised about finding gamer tags, friend lists, etc. are probably far more relevant, especially in relation to this data not being destroyed when a factory reset is done.
There are some really odd bits, though... "In this particular instance, we can see NAT (Network Address Translation) rules for a site called Bungle.net[sic], where Halo players can have their stats tracked or purchase games and merchandise [36]." - which as far as I can tell is actually a list of errors you can get if your NAT setup is causing problems.
I'd also be more confident if the work had fewer odd errors; "Book and Nuke, by DBAN is", presumably refers to "Darik's Boot and Nuke", frequently abbreviated to "DBAN".
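As an added illustration of the point made above about Luhn being weak evidence (this is example code written for this page, not the researchers' tool or anything from the article), the sketch below implements a Luhn check, measures how often uniformly random 16-digit strings pass it, and runs a "fast scan" over a small constructed byte blob. The blob, the sample numbers and the function names are all made up for the example; 4111111111111111 is a well-known Luhn-valid test number, not a real card.

```python
import random
import re

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check.
    Luhn catches single-digit typos and most adjacent transpositions;
    it says nothing about whether a number was ever issued."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0

def luhn_false_positive_rate(n_samples: int = 20000, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn.
    For any 15-digit prefix exactly one check digit works, so on random
    data roughly 1 in 10 digit runs of the right length will 'hit'."""
    rng = random.Random(seed)
    hits = sum(
        luhn_valid("".join(rng.choice("0123456789") for _ in range(16)))
        for _ in range(n_samples)
    )
    return hits / n_samples

def scan_for_card_like_hits(data: bytes) -> list[str]:
    """Mimic a forensic 'fast scan': report 16-digit ASCII runs that pass Luhn.
    Anything returned is a *candidate*, not proof that a card number is present."""
    text = data.decode("latin-1")          # keep every byte as one character
    candidates = re.findall(r"(?<!\d)\d{16}(?!\d)", text)
    return [c for c in candidates if luhn_valid(c)]

# Constructed sample blob standing in for a slice of an imaged drive.
SAMPLE_BLOB = (
    b"gamertag=ExamplePlayer;friend=1234567812345678;"   # 16 digits, fails Luhn
    b"\x00\x00dbg=4111111111111111\x00"                  # passes Luhn
    b"log_id=99999999999999999"                           # 17 digits, not matched
)

if __name__ == "__main__":
    print("hits:", scan_for_card_like_hits(SAMPLE_BLOB))
    print("random-data pass rate:", round(luhn_false_positive_rate(), 3))
```

On a multi-gigabyte image the scan's raw hit list is therefore dominated by chance matches, which is why a card-number claim needs corroboration (issuer BIN, surrounding structure, a known card to compare against) rather than Luhn alone.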