Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

Posted by timothy on from the faked-in-the-same-studio-as-the-moon-landings dept.

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

6 of 105 comments (clear)

  1. Didn't Sony say the same thing at first? by crazyjj · · Score: 3, Interesting

    IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:Didn't Sony say the same thing at first? by s.petry · · Score: 2, Interesting

      Take a common sense view of how this could happen. Xbox kernel sees user input, caches input in case the connection is lost. Cache gets written to drive in case of power failure.

      This is the same mindset we see with other Microsoft products like "Active Installer" for IE. Obviously there are security implications but Microsoft chose to put convenience over security.

      To many of us, the security problems released are not excusable. To Microsoft, it's the best business decision.

      In short, it is not a bad intention that brings something like this out necessarily. It's actually a good intention, but poorly planned from the security perspective.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  2. Re:Microsoft is right by not+already+in+use · · Score: 4, Interesting

    No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

    --
    Similes are like metaphors
  3. Re:Well they would by Garybaldy · · Score: 2, Interesting

    Well at least MS denies it. Apple just covers it up.

  4. Re:Microsoft is right by Anonymous Coward · · Score: 2, Interesting

    No reasonable person would cache credit card details.

    OK, let's say MS are 'reasonable' and do not specifically and deliberately cache CC data.
    Are you seriously saying that it's not possible that such data would get cached incidentally as part of a larger chunk of data? Stored in some Xbox equivalent of pagefile.sys or whatever? That despite all sorts of data gets cached all over the place, magically somehow CC data never gets in any cache ever?

  5. For once I agree with MS by Anonymous Coward · · Score: 2, Interesting

    After seeing the original article I tried finding my own credit card number on my xbox hard disk. Through a search of the entire hard disk not even the first 4 digits of my credit card were found, which is part of the issuer identification number. http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

    Additionally- the article that put this scare on found a number that matched the issuer identification number for a Discover card issued by Bank of America. Microsoft doesn't even take Discover cards. You can't even give this credit card number to Microsoft's system for storage. I find it very hard to believe that Microsoft is storing the credit card number of a card they can't even process.