Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

Microsoft is right

[Johnny+Mister]

This just seems more like bad mouthing about MS and XBOX360. It was already debunked on Slashdot too, because MS doesn't store credit card details on the machine. They only store account details. Microsoft is right - this is just some unfounded rumor that has no basis on reality.

Re:Microsoft is right

[not+already+in+use]

No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

Re:Microsoft is right

No reasonable person would cache credit card details.

OK, let's say MS are 'reasonable' and do not specifically and deliberately cache CC data.
Are you seriously saying that it's not possible that such data would get cached incidentally as part of a larger chunk of data? Stored in some Xbox equivalent of pagefile.sys or whatever? That despite all sorts of data gets cached all over the place, magically somehow CC data never gets in any cache ever?

Re:Microsoft is right

[autocannon]

I don't believe the CC numbers are stored on the HD either. But, take the extreme view that they are, and they're stored unencrypted. It still requires someone selling/losing/stolen their Xbox HD. This will never be a pandemic problem.

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer. That Xbox HD still could have your account name/email address/password. Could lead to far more problems than just losing a CC # if that email or password is used for more than the Xbox system.

Re:Microsoft is right

[chrisj_0]

Amazon or iTunes much?

Re:Microsoft is right

[Stenchwarrior]

Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

That being said, PCI, in part, states that credit card info must never be stored, cached, saved...etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magentic stripe data or CAV2 code (card authentication data).

Re:Microsoft is right

[chrb]

I don't believe the CC numbers are stored on the HD either.

It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

That Xbox HD still could have your account name/email address/password.

Yes, apparently they recovered user names, gamer tags, purchase history etc.

Re:Microsoft is right

[s.petry]

The problem with your argument is really that the PCI auditors would not be reviewing an Xbox for standards. Those standards normally only apply to servers that house data, not the clients that input data (but also ATM machines and specific devices made to hold that type of data).

This is why you have telemarketers on lord-only-knows what kind of PC inputting data all day through a web browser. The rules cover the Servers that house the data and the connection the client comes in through, but bet your ass if a telemarketer had a keylogger it would not matter how strong the security is on the server or what SSL/TLS version you had.

Game platforms and PCs are not financial devices, and are not subject to the same rules you are claiming to have knowledge of.

Re:Microsoft is right

[tibit]

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer.

That's quite silly if you're talking about modern mechanical hard drives. Apart from reallocated bad sectors, if you overwrite a hard drive with all-zeroes, the data is irreversibly gone. The only remaining fragments are sectors that got reallocated; those are likely not to be deleted even if you initialize the hard drive. Of course those fragments may, by chance, happen to have a credit card number in them, say if they were a part of a swap file at some point in time.

Re:Microsoft is right

[Stenchwarrior]

From the PCI Security Standards Council "PCI Data Storage Do's and Don'ts":

Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones

And

At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs.

Based on that information, I would say that PCs and, certainly in this case, game platforms (since the Xbox is really just a PC) would fall under the "endpoint device" category. Especially since the end-user has no control over whether or not that information is stored on their device because only Microsoft can alter the code that allows or disallows the storage.

Re:Microsoft is right

[s.petry]

Come on now, what you stated originally is that Microsoft would be subject to audits so would have to comply. What you point to is the industry standard practices which can be found pretty much anywhere.

The fact is, that Xbox is not audited any more than your home PC,Smart Phone, or favorite web browser is audited.

Now if you want to show me a report from the FTC that shows the XBox listing as a financial device that is subject to audits like an ATM, I'll apologize for saying that you are full of shit.

Re:Microsoft is right

[Tharkkun]

I don't believe the CC numbers are stored on the HD either. But, take the extreme view that they are, and they're stored unencrypted. It still requires someone selling/losing/stolen their Xbox HD. This will never be a pandemic problem.

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer. That Xbox HD still could have your account name/email address/password. Could lead to far more problems than just losing a CC # if that email or password is used for more than the Xbox system.

I have a better chance of stealing receipts from Target than getting them from a recently formatted Xbox. This story is being blown way out of proportion.

Re:Microsoft is right

[Stenchwarrior]

Oh, so it's a semantic argument you want, is it? No thanks, take a stroll elsewhere, please.

Re:Microsoft is right

[Darinbob]

While I doubt that credit card details are being stored on xbox, stuff like this has happened in the past and it's often done without the company knowing. Despite the attitude to try and implicate some ulterior motives most often the upper management has literally no idea what the average worker is doing and even middle managers may be unaware.

So some programer may have just decided to use a cache file and forgotten to clean it up without there ever being someone doing a code review with an eye towards security or adherence to company policy. You describe details to a project manager, their eyes glaze over and they present a spreadsheet to middle management whose eyes glaze over, and powerpoint presentation is made to upper management who doze off, and a one page executive summary is shown to the CEO just before his golf game.

Re:Microsoft is right

Funny, I have a stack of drives that only work with controllers I don't have anymore that I've been too lazy to get rid of so far. The only thing that's destroying the data on them at this point is a hammer (or in my case, a drill press to go right through the cases and the platters.)

Plus, it's a lot faster with a drill press than a drive wiper, even if I could find the hardware to connect the drives to.

Re:Microsoft is right

[triffid_98]

Apart from reallocated bad sectors, if you overwrite a hard drive with all-zeroes, the data is irreversibly gone.

Not precisely true. drive platters (even overwritten with zeros) can be forensically analyzed after the fact by examining the off-center track data...but that would require physical dis-assembly of the drives which they are clearly not doing here.

...also (at least for me personally) drives get retired when they die, therefore there would be no way to zero them out without repairing whatever the fault was. In theory bad sectors or SMART would tell me in advance, but in theory (well, my theory) we'd all be driving flying cars with our robotic stepford wives by now.

Re:Microsoft is right

[tibit]

Not precisely true. drive platters (even overwritten with zeros) can be forensically analyzed after the fact by examining the off-center track data...but that would require physical dis-assembly of the drives which they are clearly not doing here.

That was true maybe up to 15 years ago, and that's a stretch. There's no such forensic analysis. These days there is no space left between tracks. This means that magnetic domains from one track directly touch domains from another track. If you overwrite, there's nothing left. If there was anything left, it'd be a costly design omission: any unused magnetic domains are a waste, they should be used to store data! They engineered this as far as it goes.

Re:Microsoft is right

[Kalriath]

If the Xbox is part of the payment system, then yes it would. Every application and all components that have access to the card data that processes payments are audited either as part of the PCI-DSS requirements or the PA-DSS requrements. For the Microsoft billing application to pass PCI-DSS, the Xbox which is software they control which has access to the card data as part of the transaction would have to be audited too.

And what the hell does the FTC have to do with anything? It's the merchant acquirer that demands audits, and cuts off merchants that do not comply or fail audit criteria.

Re:Microsoft is right

Yes, alright... it vibrates!

CAPTCHA? 'tradeoff'

Re:Microsoft is right

[triffid_98]

That's just not true. Obviously there is 'something' left otherwise a write from one track would corrupt data from the adjacent track.

The inter-track spacing is certainly much smaller than it was 15 years ago, and therefore harder to analyze, but certainly not impossible.

If you're curious about the technique it's called 'magneto force microscopy' (MFM).

Re:Microsoft is right

[tibit]

Having had access to MFM and having looked about 8 years ago at a then-state-of-the-art hard drive I can tell you that there is no inter-track spacing with anything resembling data in it, unless that particular drive was somehow a special case. It was a rather normal laptop hard drive. Have a look at the relevant wikipedia page. There is effectively noise between the tracks of the old 3.2gb drive, but there's nothing between the tracks of the 30gb drive. A contemporary hard drive has very, very few domains that don't carry data.

Re:Microsoft is right

[triffid_98]

Even comparing both adjacent track areas? I find that difficult to believe. MFM allows resolutions as high as 10 nanometers and the inter-track spacing on modern drives is IIRC greater than 100 nanometers even on the highest density models.

Re:Microsoft is right

[WarmBoota]

I was analyzing some issues for a client that was using Microsoft Site Server circa 1999. We took a look at the server and it had been caching every single credit card transaction because a debug setting was on. This wasn't custom code or a hack, this was Microsoft's out of the box configuration. I can COMPLETELY believe that Microsoft would store sensitive information on the local machine especially if they think that they've sandboxed it from the end user.

Terribly Misleading Headline

[rjstanford]

Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

See the difference?

Re:Terribly Misleading Headline

[Robert+Zenz]

Even better: Microsoft says it's unlikely that Credit Card details can be lifted from XBox 360s.

Re:Terribly Misleading Headline

[cpu6502]

One fits in /.'s character limit and the other does not?

This is disappointing. I have a used Xbox filled with somebody's private credit information. Oh well.

Re:Terribly Misleading Headline

It was written with /.

Re:Terribly Misleading Headline

I'll let the article title slide. Have you seen all the annoying Slashdot advertisement articles lately?

Re:Terribly Misleading Headline

[Syphonius]

Yes, I see the difference. One follows the headline pattern of print and electronic media that has been established for probably 50-100 years. The other has extra garbage words that do not change the meaning and take up more space.

Re:Terribly Misleading Headline

I'll let the article title slide. Have you seen all the annoying Slashdot advertisement articles lately?

I'm not sure. It is hard to see the slashvertisements in between all the troll stories like this one.

Re:Terribly Misleading Headline

[Johnny+Mister]

One fits in /.'s character limit and the other does not?

The character limit isn't same for editors. I have previously submitted titles with last word being incomplete and it was fixed by editor before posting the story.

Re:Terribly Misleading Headline

[Oligonicella]

Actually, the header is ambiguous with 'unlikely' being closer to 'credit card' than 'details'.

Microsoft: Credit info lifting from XBox 360s is unlikely - is more clear.

Re:Terribly Misleading Headline

[FranktehReaver]

Indeed, at a first glance I thought they found some credit card information that was unlikely to be present on the system. Like sears cards or something lol, and not that it is unlikely that credit card data can be lifted from the device. Which using the word unlikely leaves room for doubt and that it is theoretically possible. Now if it said impossible or not true then okay you guys know what the heck is up. But unlikely? that is like saying is the cancer going to spread? and the doctor makes a ehhh face and goes it is unlikely.

Re:Terribly Misleading Headline

Yikes, all my credit card details are "unlikley". Now they've been lifted.

Re:Terribly Misleading Headline

Not that I think this should be the headline, but to me the least likely thing here is Microsoft's reassurance being anything but wishful thinking. It is apparently based on how things are supposed to be, which has proved to be shaky ground in the past.

Didn't Sony say the same thing at first?

[crazyjj]

IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

Re:Didn't Sony say the same thing at first?

[tgd]

IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.

And even then, its really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

I entered my card details on the XBox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered it on an XBox, when the card authorisation has to be done by the remote servers anyway, so thats why I'm personally leaning to the above understanding.

Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

Re:Didn't Sony say the same thing at first?

[jimicus]

The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

Considering the number of times I've seen applications reinvent the wheel because the developer clearly couldn't find what they were trying to do in an existing library, this wouldn't surprise me in the slightest.

Re:Didn't Sony say the same thing at first?

[tibit]

It may not be a risk, but the number shouldn't be there, per PCI standards. It's an interesting find.

Re:Didn't Sony say the same thing at first?

[s.petry]

Take a common sense view of how this could happen. Xbox kernel sees user input, caches input in case the connection is lost. Cache gets written to drive in case of power failure.

This is the same mindset we see with other Microsoft products like "Active Installer" for IE. Obviously there are security implications but Microsoft chose to put convenience over security.

To many of us, the security problems released are not excusable. To Microsoft, it's the best business decision.

In short, it is not a bad intention that brings something like this out necessarily. It's actually a good intention, but poorly planned from the security perspective.

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

The XBox just throws an error to the user if it loses connection to Live while you are doing something - thats why I had to add my card details via the website (XBox lost connection to the local wifi for a bit).

Re:Didn't Sony say the same thing at first?

[s.petry]

Personally I boycott all Microsoft products so have to take your word for how it acts during some type of outage. I was just pointing out that it's potentially something that does exist, and it's logical from some perspective. I have seen numerous releases of code from lots of vendors (not just Microsoft) with facilities similar to this. Features do not have to be complete, published, or even fully implemented in order to exist on a system.

Re:Didn't Sony say the same thing at first?

[s.petry]

Just a side note, I'm not sure if you read the full PDF. The research is very credible, and very thorough. They show a lot of the data being cache, not just credit card data.

If the research was just a bash with no merit I would probably just agree with you.

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

The problem is, they haven't actually verified that what they have is an actual credit card number, they've just pulled a number out that happens to validate and have the same starting digits as a card type but there is no related information - so why would the credit card number on its own find it's way into these streams and not the other details off the card.

At the moment, they found a number, that's it. What would be an actual test is to use an Xbox, use a card on that Xbox, and then see if you can recover that card from that Xbox - that's not what they did, so the results can't be validated.

Re:Didn't Sony say the same thing at first?

[s0nicfreak]

"And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers."

The thing is, there is already a fuckton of used xbox 360s floating around out there. Just do an ebay or craigslist search for "red ringed 360" and you will see people selling multiple and buying them (which probably means they have multiple). Heck, I have 2 used 360s in my house, and more have passed through. They are given away or sold very cheaply by people that don't know how to fix them to people that do, a simple fix is done on them and they are sold.

Re:Didn't Sony say the same thing at first?

[s.petry]

Valid point regarding the known testing. The known test would also be able to provide details on where and what other card data was being stored, if any was being stored. It is logical that if the Card # is being stored, other details are stored as well. Much harder to find a 4 digit date stamp and 3 digit CVV though, so would really need a way of expanding the test immensely. It would be pretty costly, but possible.

1. Boot system, patch, power down, dd drive1-snapa.

2. Enter details, register, CC numbers, etc..

3. Log in and play a few games "registered".

4. Power down, dd drive1-snapb

5. Diff drive1-snapa drive1-snapb

The way I read the report, the complete card number was validated not just the first 4 digits. It sounded like the team was well aware of false positives. They blanked out most of the string, and showed the prefix and who the owner was, but stated that the full string was validated.

Re:Didn't Sony say the same thing at first?

[tomstockmail]

I love Slashdot! A posting about how 360 exposed credit card details is _finally_ posted, but it's in defense of Microsoft. And the third comment down is saying Sony is just as bad. Keep up the great work, everyone!

Re:Didn't Sony say the same thing at first?

[tgd]

They are given away or sold very cheaply by people that don't know how to fix them to people that do, a simple fix is done on them and they are sold.

And you can get into the right IRC channel and buy a bunch of zero-day card dumps for the same cost... and then you'll have a number you might actually be able to use. If you get numbers from the XBox, you'll have a number that may or may not be old. (The last time I entered a CC into my console was probably four or five years ago, and definitely expired!) You'll maybe have enough data to be able to run a CNP transaction with a site online. For durable good sites, that means shipping something somewhere and having a secure drop that can't be traced to you. For most shadier places, you'll trip the fraud detection and the bank will call the card owner, and you'll get nowhere.

And what's the risk to the owner, even if this was true? If you sold your XBox, it happened to have a valid number on it, and that number was expired and you happened to sell it to someone who was hunting for those sort of things and got your number, and somehow found your address and everything else needed to use the card your bank cancels the card, you have no liability and you have to maybe update your number for a few automated payments.

I'd be more concerned about being murdered or something by a bad guy. That's only 1/18,000.

Re:Didn't Sony say the same thing at first?

[s0nicfreak]

"And you can get into the right IRC channel and buy a bunch of zero-day card dumps for the same cost"

The cost of free? Either way, the type of people I think would do this probably don't know what IRC is. I'm thinking teenagers who know how to mod and repair xboxes, not programmers or career criminals. Armed with my credit card number and my xbox live or ebay name, my address is just a google search away - and if I sold it to someone and shipped it, it's right there on the return label. Never mind the fact that you don't really need anything more than a credit card number for most transactions. If they're buying something that I buy often, such as video games (which is what I think this sort of person would buy), it won't trip the fraud protection. No one is going to notice until I try to use my card elsewhere and have it declined. What many card companies have been doing in recent years is, when a card is renewed, the number stays the same and only the expiration date is updated. It would not be difficult for someone to guess the new expiration date based on the old expiration date and type of card. Depending upon which card it is, I might just be screwed. You might be able to call your bank and just not be held liable for the payments, but personally, if this happens to me, I'd just be out of whatever money the person spent.

I have no reason to worry about being murdered - I would not suffer from that, I'd be dead. I'm not even worried about this, really - though there are xboxes out there that, if this is true, have my credit card number on there, I can't remember if it is the same as my current one and I don't care enough about money to really worry about it. But (if this is true) there is the possibility that someone could be screwed over. If that possibility wasn't there, Microsoft would not give a second thought to the statement. I can say I discovered Xbox 360s eat babies, but no one is going to give that comment a second thought, Microsoft is not going to investigate it, because we all know it isn't possible.

Re:Didn't Sony say the same thing at first?

[Kalriath]

Except that the string cannot validate if it was used to sign up for Live - the Xbox 360 will not accept a Discover card because Microsoft does not accept them. This doesn't discount the possibility that the card was there because the former owner signed up to Final Fantasy or another MMO via the console and that application saved or cached the number, but it certainly reinforces that it's unlikely Microsoft is responsible.

Re:Didn't Sony say the same thing at first?

[Jonathan_S]

If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

Very true. And since Microsoft only appears to accept Visa, Mastercard, and AmEx (not Discover) for xbox live makes the chance that the investigators recovered a previous owner's Discover card number even less likely.

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

I was going to post something similar to Kalriath, but my iPad ate my Safari instance last night, so here we go again...

They didn't validate the entire string, because thats not possible with the check numbers involved - only the card issuer or the payment networks can actually tell you if its a valid card number and they wouldn't tell you unless you tried to present the card. You can have a card number which validates as a card type, and internally validates as a correctly formed number, but those checks are actually fairly loose and its not necessarily a matter of fact that the number is a valid live number.

In any large raw dataset, its trivial to find one or two number strings which validate to a card issuer.

XBox 360 and fraud

I've been hit twice by fraudulent charges relating to XBox accounts on my CC. The common denominator in both cases was using this particular card at the same gas station in Panama City, FL.

In both cases, several XBox accounts were charged to my card. Microsoft for whatever reason cannot reverse the charges - they actually instruct you to file a complaint with the CC (and in both cases the charges were reversed).

I don't even own an XBox and convincing both MS and the CC of this fact is very difficult.

Re:XBox 360 and fraud

[SomePgmr]

I can see why that's aggravating, but it makes sense. Your CC company can follow up on fraud by deactivating the old card, issuing a new one, reversing certain charges as fraudulent and watching for activity on the stolen one. If Microsoft does it, it's just a reversed charge on a compromised account.

Re:XBox 360 and fraud

[s0nicfreak]

That was the gas station being compromised, not Xboxes.

lol i thought macs don't get hacked!

oh wait this about xbox isn't it

Wait I have seen this one from Microsoft

Remember MS-12-020:

Microsoft’s Security Research and Defense Blog stated that they expected to see exploit code in the wild within 30 days according to a quote from their recent blog post addressing the flaws: ”During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days.”

3 days later.......

Re:Wait I have seen this one from Microsoft

[geraud]

In the infosec community, triggering a BSOD is considered a PoC, a working exploit means arbitrary code execution. AFAIK there is no public working exploit for MS12-020 atm.

Re:Well they would

[Garybaldy]

Well at least MS denies it. Apple just covers it up.

Microsoft Correct

I think there are probably a 1000's different ways to get credit card numbers. Finding them old xbox hard drives is going to be one of the more difficult ways to gather them.

boilerplate

[v1]

This is the standard boilerplate reply from almost any organization that has been publicly exposed as being compromised. They'll continue to tell the world it's the most minor, harmless possible case until lolsec, wikileaks, etc posts a dump of 10k credit cards or something, and only then will they begin to admit the actual scale of the breach.

In addition to laws that punish groups for being negligent in their security of private data, I'd like to see additional punishments passed out to companies that outright lie about the severity of security breaches. A bit like how the judicial system comes down harder on you if you are convicted after pleading innocent. Tried to game the system? Lost? --> Additional punishment, to discourage others from trying it as a standard response, "because they have nothing to lose"

Re:boilerplate

[tibit]

Tread carefully there, because the corporation often has a fiduciary duty to it shareholders, too. It's a fine line between being charged of negligence in disclosure due to insufficiency of the same, vs. being sued for negligence in disclosure due to possible customer backlash and financial loss.

Re:boilerplate

[v1]

It's a fine line between being charged of negligence in disclosure due to insufficiency of the same, vs. being sued for negligence in disclosure due to possible customer backlash and financial loss.

Horse has already left, too late to close the barn door. They had a "fiduciary duty to it shareholders", which they failed at by allowing the breach. They already screwed up and through their negligence damaged the company brand, stock prices, customer goodwill, etc. The responsible behavior of disclosing the breach to users that need to know that they've been exposed to risk just comes as another effect of the breach.

The problem here is like you, companies don't understand the need for disclosure, and that they've already committed the mistake that is going to trigger the bad P.R. as a result of full disclosure. It's too late to correct that mistake, and attempting shady "damage control / spin" is very likely to backfire when people who were victimized by unexpected fraud come looking for compensation. Because of the pinheads in management that think that they can "contain" this bad P.R., it's necessary to force disclosure to prevent them from gambling with their customers' futures since they have nothing to lose if they fail.

Compare it to say, the law requiring motorists to report accidents and to stay at an accident scene until the cops arrive. (usually in excess of a fixed amount, such as $100/300/500) Before those laws existed, it was in their best interest to try to get away, hit-and-run was more common, because there was no penalty for hit-and-run. It was in their best interest to flee and hope no one can identify you. If they got caught, they haven't lost anything, so they have nothing to lose and a lot to gain by trying to flee. This was such a problem that hit-and-run and damage-report laws were put on the books to make it illegal to try to sneak away from an accident you may have fault in. In addition to large fines, most (all?) states pull your license if you are convicted of hit&run. This is a fairly effective deterrent.

This hacking situation is very similar. Almost everyone attempts to sneak away quietly and hope nobody saw them. If they get outed, owell, take the regular hit. But why volunteer to take the hit when you can gamble on getting away with it, with no penalty if you fail to escape? The laws need to be changed to prevent this abuse because right now the companies are just doing what makes statistical financial sense.

What about Kinect?

If you can get the credit card details off a 'reset' XBox, can you also get photos from the Kinect off it? Seems to me you could make a fake ID with the amount of information you can scrape off an XBox!

The Paper

[chrb]

this is just some unfounded rumor that has no basis on reality

It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

The PDF (found via xbox-experts.com:
Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

The relevant text shows that they just got a credit card hit from some forensics tool:

Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

The authors appeal to have credible prior experience in digital forensics:

Dr. Asley L. Podhradsky, Drexel University
Dr. Rob D'Ovidio, Drexel University
Cindy Casey, Drexel University

They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

Re:The Paper

[damnbunni]

It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

So why would someone enter their Discover information on an Xbox anyway?

Re:The Paper

[chrb]

So why would someone enter their Discover information on an Xbox anyway?

Someone didn't realise that, tried it anyway, and the failure got logged or swapped out? Or it could be outside of the context of Live: maybe they were running a Web browser and a page got cached? Or they sent or received the card number in an email or instant message and it got saved to the disk? The string could have even been stored in a temporary file and deleted, it seems the tool they use just scans the flat binary drive data, rather than interpreting the file system.

An ASCII string, bounded by non-ASCII beginning and end values, 16 characters long, containing only values from [0-9], that passes the Luhn algorithm. What is the probability of this occurring randomly, given the other data that typically occurs on XBox 360 hard drives? Given that they only got one hit on the whole hard drive, it can't be that high. The authors say "Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained.". It would be very interesting to run the algorithm on a bunch of hard disks and see what the hit rate is, and whether the matched strings represent real card numbers that once passed through the drive, to evaluate what the probability actually is...

Re:The Paper

[Sir_Sri]

Which may actually make it unlikely in microsofts eyes. Being able to have a team of professional forensics experts potentially extract data from a console is a far cry from it being actively exploited by hackers.

If you look at the paper in question they ran half a dozen tools to try and extract part of a single credit card. And pretty much everything they're looking at is pretty standard hard drive forensics sort of problems, they're discussing in specific to the 360, but there's nothing there that doesn't apply to any HDD. How 'erased' is erased data (when you write 0's to the drive), the answer is not perfectly. A general 'delete personal data' just deletes files the same way most OS's do, it just forgets the links to the files, but they still hang out on the drive and can be extracted.

It seems like the trick with the Xbox is that it has various partitions and not all of them are always overwritten, and then the general problems with magnetic storage. So sure, if the police have a specific reason to dig through one xbox 360 they might be able to recover something. But beyond that, I wouldn't count on it being a major issue.

Re:The Paper

[tibit]

How 'erased' is erased data (when you write 0's to the drive), the answer is not perfectly.

If you only access the hard drive using published ATA protocols, it is a perfect erasure. You can't recover any of the original data, period. If you access the drive using manufacturer-specific protocols, you may be able to read the contents of reallocated sectors, and those may, by chance, happen to contain useful data. That's it, though. If you were to open up the drive and access the platters using, say, magnetic force microscope, you'd not have access to any other data apart from drive's housekeeping and firmware (yeah, most HDs store the firmware on the platter, and the bootloader reads it from the platter). Any other claims are ridiculous myths and stem from ignorance of modern hard drive technology.

Re:The Paper

[aztracker1]

More so.. does BofA, who's parent company owns Visa & MasterCard even issue Discover Cards?

Re:The Paper

[wompa164]

Let me guess, he dumped it into Encase and ran the Credit Card Finder EnScript?

Re:The Paper

[wompa164]

So I just downloaded the report that someone linked above and that's exactly what he did, consider my blown away. Given my experience, the existence of a hit from that Enscript proves very little. This entire 'report' is cookie cutter at best, this 'forensics expert' is clearly an academic trying to keep his publish rate up.

Re:The Paper

Because they're stupid. It's a rather common trend among consumers. It's a vector commonly exploited by advertising.

Re:The Paper

[holmedog]

It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

So why would someone enter their Discover information on an Xbox anyway?

You, sir or madam, make me wish I could give something a +6. This completely calls bullshit on the whole endeavor in my opinion.

Re:The Paper

Is it feasible that a hard disk used for another type of machine was used? Didn't read tfa.

Re:The Paper

[Kalriath]

Yes. The first six numbers of the card match up to a database of who issued it and what type of card it is - the researchers would have run it through whatever BIN database they have access to.

I'm not sure what you mean by Bank of America's parent company though, as they don't have a parent company. And Visa and MasterCard don't have owners, they're associations formed of large issuing banks.

For once I agree with MS

After seeing the original article I tried finding my own credit card number on my xbox hard disk. Through a search of the entire hard disk not even the first 4 digits of my credit card were found, which is part of the issuer identification number. http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

Additionally- the article that put this scare on found a number that matched the issuer identification number for a Discover card issued by Bank of America. Microsoft doesn't even take Discover cards. You can't even give this credit card number to Microsoft's system for storage. I find it very hard to believe that Microsoft is storing the credit card number of a card they can't even process.

At least they didn't do Vizzini mistake

[Medievalist]

I think they should be applauded, for using the word "unlikely" instead of "inconceivable".

Re:At least they didn't do Vizzini mistake

[Stenchwarrior]

I think they should be applauded, for using the word "unlikely" instead of "incontheevable".

FTFY

Credibility

[ozmanjusri]

Ashley L Podhradsky, Doctor of Science in Information Systems

Education:
Doctoral Information Systems, Specializing in Information Assurance, Dakota State University
M.S., Information Systems, Specializing in Network Security, Dakota State University
B.S., Electronic Commerce and Computer Security, Dakota State University
Certificate: Computer Hacking Forensic Investigator, AccessData Certified Examiner

Areas of Expertise:
Computer Forensics
Digital Forensics
Consumer Privacy
Risk Management

http://goodwin.drexel.edu/sotaps/Ashley_Podhradsky.php

Vs

Jim Alkove
Aliases and Other Names: James Alkove

Bio
Software Design Engineer at Microsoft Corporation
Career
Microsoft Corporation
Software Design Engineer

Achievements and Recognition:
.
.
.

http://www.spoke.com/info/p1N6wTr/JimAlkove

Re:Credibility

You're not seriously claiming some piled high and deep academic has more 'credibility' than someone who actually works in the industry, are you?

Re:Credibility

[Genda]

If his expertise is security I'd say yeah, I'd take his word over some guy on the front line, because this is the guy who invented the software the guy on the front line is using, is collecting the data on its effectiveness, is determining where the vulnerabilities for existing software are, and writing the next generation of software the guy on the front line will be using in 5 years. If he tells you your security is lax, and he can get critical information off your product, you should at least let him show you where the mistake.

Of course it might been a little kinder if he'd nudged somebody at Microsoft and said "Eh, I need to talk to someone about a big problem with the Xbox..." instead of yelling from a mountain top "You have no pants on... ", but none of that detracts from his findings, and if they are indeed validated by peer review, M$ "Has got some 'splainin' to do." That and some work to make sure the next version doesn't have a gaping security hole in it.

Re:Credibility

[ozmanjusri]

If his expertise is security I'd say yeah, I'd take his word over some guy on the front line, because this is the guy who invented the software the guy on the front line is using,

Girl, not guy.

She's a woman.

Re:Credibility

[Kalriath]

One of the best analyses I've seen of this issue, that debunks it completely, is that the card number that the researcher found was a Bank of America Discover card which is impossible - as Microsoft doesn't take Discover.

It could, however, just as easily have been someone who subscribed to Final Fantasy or a similar MMO, as the card details are entered via the Xbox too and not billed by Microsoft or in Microsoft's control at all.

Re:Credibility

[thsths]

> Dakota State University

"Is that were you learn to raise cattle?" :-) No, it isn't but as far as scientific reputation goes, it is pretty far down the list. But heritage is the smaller part of the questions - show me your work - and I will tell you what it is worth.

And the original story was very much lacking there. So they found a string that looked like a credit card number on the hard disk, without any idea how it got there. Note: this is not a controlled experiment, this an xBox from ebay - pretty much the opposite of a controlled experiment. Could it have been in an email? Or maybe it was not a credit card in the first place, but just a number starting with 4? We don't know, and to be honest it does not look like Dr Ashley L Podhradsky. A publicity stunt certainly, but research it is not.

Re:Credibility

[LordKronos]

If he tells you your security is lax, and he can get critical information off your product, you should at least let him show you where the mistake

From TFA:

We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims

Comment

I like this story

Who cares how likely it is?

[Torodung]

Really, who cares? Here is what happens with credit card number fraud. It is used once or twice, the bank catches it early because they watch for unusual spending patterns, sometimes even the vendor does (at places like jewelry or electronics merchants where fraud is more common, and insurance against theft becomes expensive), they expire the number and reissue you a card. The vendor gets reimbursed from insurance against theft. Sometimes you get a phone call, asking if it's really you, based on contact information at the bank, not given at the POS. I don't know a card issuer in the world that would hold you liable for "forensic recovery and fraudulent use of a number recovered from a discarded electronic device." It gets added to the premiums of the vendor's theft insurance, if they don't catch it, and they often do.

You all should be more worried about all those bank people and vendors tracking and monitoring all your purchases, and perhaps sending your daughter expectant mother mailers.

As for the "stolen" number, they can have it for as far as it will get them. If you're deeply concerned about this "problem," you should consider waiters and cashiers with eidetic memories to be a more clear-and-present danger than forensic analysis of discarded hard disks.

Re:Who cares how likely it is?

[tibit]

"sending your daughter expectant mother mailers" -- how is that bad? Isn't it a successful use of technology? I'd love to get targeted marketing instead of getting all the usual irrelevant junk that seems nothing more but a waste of resources. Last year I've got about 40lbs of paper junk mail :(

Re:Who cares how likely it is?

[s0nicfreak]

What if it isn't unusual spending patterns, though? Let's say my xbox redrings, so I sell it on ebay and buy another. Then the person I sold it to fixes it, grabs my credit card number and goes on a 360 game buying spree. It isn't rare for my family to go on 360 game buying sprees, across multiple accounts and even multiple IPs. So it wouldn't be noticed quickly.

Re:Who cares how likely it is?

[Kalriath]

Suffice it to say that banks are a bit (nay, a lot) smarter than that. They'll never tell you how their fraud detection systems work, but it can be safely said that they use more factors than just IP address and merchant.

Re:Who cares how likely it is?

[s0nicfreak]

So you're saying that someone can have the exact same spending patterns as I do, yet somehow it will be detected as fraud. Sorry, but I find that a bit hard to believe.

Re:Who cares how likely it is?

[Kalriath]

It's more complex than that. The slightest deviation may be enough to trigger the watchful eye of an actual human, and the statistical possibility of someone having the exact same pattern as you is close to zero. Even something as odd as the person buying a game at 3:15pm when the bank usually sees a purchase at the local coffee shop at 3:15pm would likely be enough to raise an orange flag.

Re:Who cares how likely it is?

[s0nicfreak]

I think it is highly likely someone that steals credit card numbers in this fashion would do nothing with the card number except buy games - which is pretty much all I do. I go to the local coffee shop so rarely that they should be watching when I do; yet I have not yet had them cancel my card after I have done so.

I thought that was what MS Points were for?

[CCarrot]

It surprises me that so many people actually enter their CC info into their XBox.

Shucks, if it weren't for nice, anonymous, paid-for-by-cash MS Points cards, I wouldn't have any DLC on my box at all...similar to nice, anonymous Visa gift cards for Android Market (sorry, Play) purchases...and nice, anonymous iTunes gift cards for (shudder) iTunes* purchases.

* living in Canada sucks sometimes...we're so close yet at the same time so far from being able to buy digital content from the myriad of vendors available just south of teh border...I would love to switch my music buying habits to Amazon or Google, or try out Pandora, Spotify or Hulu, but I'd have to pretend to be in the States to do so. *sigh*

Re:I thought that was what MS Points were for?

[Nukenbar]

Sounds like a VPN proxy in the US would do a lot of the things you want. You can get pretty decent ones with very little drop in bandwidth and very little added latency for about $8/month.

Re:I thought that was what MS Points were for?

[CCarrot]

Sounds like a VPN proxy in the US would do a lot of the things you want. You can get pretty decent ones with very little drop in bandwidth and very little added latency for about $8/month.

Yess...and a decent torrent client can get even more of what I want with no added charge per month :) I simply want to 'play by the rules' and reward the artists I enjoy for creating great content, it just frustrates me that there is no 'legal' means for me to send my business where I would prefer. It's like they don't want my money...sure, it's colourful, but it spends pretty darn good up here!

Peer Review FTW?!

The PDF (found via xbox-experts.com:
  Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

So, they downloaded a commercial version that does the equivalent of "grep -a '[0-9]\{15\}' /dev/sda" and found a few 15-digit numbers ("OMFG! NUMBERZ! Those must be CREDIT CARD NUMBERZ! What else should there be NUMBERZ for?") in a 250 gigabyte dataset mostly consisting of random savegames, artwork (title caches) and media.

That's... impressive. Impressively stupid for two PhDs and a Research Assistant. And *they* have published work on Xbox 360 before?

Quelle Fscking Surprise

[ewhac]

How terribly convenient that, in December of last year, Microsoft jammed a new Xbox service "agreement" down everyone's throat where you "agree" to never sue Microsoft, either as an individual or as a member of a class, and instead "agree" to resolve all disputes via "neutral" arbitration.

It seems they saw Sony get its pants yanked down to its ankles, and all the consequent lawsuits, and thought to themselves, "We could apply the stunning engineering talent we've always claimed to have in this company to audit our systems, network architecture, and customer info handling processes to ensure such a thing never happens to us or our users... Or, we could forbid our customers from suing us."

Schwab

Re: Why a Discover card?

[King_TJ]

It occurs to me that *maybe*, the only card info that winds up cached are not the VALID ones MS processes and accepts, but rather, cards like this which don't actually work on the network? (If so, that could be a bug in the XBox code, where they purposely refrain from caching or storing cards that successfully process, but neglected to consider people entering good, valid cards which simply aren't the right TYPE (Discover or AmEx).

Re:Well they would

[Kalriath]

Except they have a point. The card number found was a Discover. Microsoft won't even let you enter a Discover to sign up for Live or buy points.