Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

  1. Microsoft is right by Johnny+Mister · · Score: 3, Insightful

    This just seems more like bad-mouthing of MS and the XBOX360. It was already debunked on Slashdot too, because MS doesn't store credit card details on the machine. They only store account details. Microsoft is right - this is just some unfounded rumor that has no basis in reality.

    1. Re:Microsoft is right by not+already+in+use · · Score: 4, Interesting

      No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

      --
      Similes are like metaphors
    2. Re:Microsoft is right by Anonymous Coward · · Score: 2, Interesting

      No reasonable person would cache credit card details.

      OK, let's say MS are 'reasonable' and do not specifically and deliberately cache CC data.
      Are you seriously saying that it's not possible that such data would get cached incidentally as part of a larger chunk of data? Stored in some Xbox equivalent of pagefile.sys or whatever? That despite all sorts of data getting cached all over the place, CC data magically never gets into any cache ever?

    3. Re:Microsoft is right by autocannon · · Score: 2

      I don't believe the CC numbers are stored on the HD either. But, take the extreme view that they are, and they're stored unencrypted. It still requires someone selling/losing/having stolen their Xbox HD. This will never be a pandemic problem.

      And I'm sure everyone on this forum knows that the only way to truly wipe a HD requires a hammer. That Xbox HD still could have your account name/email address/password. That could lead to far more problems than just losing a CC # if that email or password is used for more than the Xbox system.

    4. Re:Microsoft is right by Stenchwarrior · · Score: 4, Informative

      Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

      That being said, PCI, in part, states that credit card info must never be stored, cached, saved...etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magnetic stripe data or CAV2 code (card authentication data).

    5. Re:Microsoft is right by chrb · · Score: 4, Informative

      I don't believe the CC numbers are stored on the HD either.

      It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

      That Xbox HD still could have your account name/email address/password.

      Yes, apparently they recovered user names, gamer tags, purchase history etc.

    6. Re:Microsoft is right by tibit · · Score: 2

      And I'm sure everyone on this forum knows that the only way to truly wipe a HD requires a hammer.

      That's quite silly if you're talking about modern mechanical hard drives. Apart from reallocated bad sectors, if you overwrite a hard drive with all-zeroes, the data is irreversibly gone. The only remaining fragments are sectors that got reallocated; those are likely not to be deleted even if you initialize the hard drive. Of course those fragments may, by chance, happen to have a credit card number in them, say if they were a part of a swap file at some point in time.

      --
      A successful API design takes a mixture of software design and pedagogy.
    7. Re:Microsoft is right by Stenchwarrior · · Score: 3, Informative

      From the PCI Security Standards Council "PCI Data Storage Do's and Don'ts":

      Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones

      And

      At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs.

      Based on that information, I would say that PCs and, certainly in this case, game platforms (since the Xbox is really just a PC) would fall under the "endpoint device" category. Especially since the end-user has no control over whether or not that information is stored on their device, because only Microsoft can alter the code that allows or disallows the storage.

  2. Terribly Misleading Headline by rjstanford · · Score: 4, Informative

    Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
    Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

    See the difference?

    --
    You're special forces then? That's great! I just love your olympics!
    1. Re:Terribly Misleading Headline by Robert+Zenz · · Score: 5, Insightful

      Even better: Microsoft says it's unlikely that Credit Card details can be lifted from XBox 360s.

    2. Re:Terribly Misleading Headline by Syphonius · · Score: 2

      Yes, I see the difference. One follows the headline pattern of print and electronic media that has been established for probably 50-100 years. The other has extra garbage words that do not change the meaning and take up more space.

    3. Re:Terribly Misleading Headline by Oligonicella · · Score: 2

      Actually, the header is ambiguous with 'unlikely' being closer to 'credit card' than 'details'.

      Microsoft: Credit info lifting from XBox 360s is unlikely - is more clear.

  3. Didn't Sony say the same thing at first? by crazyjj · · Score: 3, Interesting

    IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:Didn't Sony say the same thing at first? by tgd · · Score: 4, Insightful

      IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

      If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

      And even if it did have it, I think there's better ways for bad guys to get credit card numbers than buying Xboxes one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

      It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

      Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.

      And even then, it's really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.
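As an added illustration of tgd's point about prefixes and check digits (example code written for this page, not from the thread or from the Drexel paper it discusses), the scanner below mimics a forensic "fast scan" over a constructed byte string and then shows that exactly one in ten consecutive 16-digit strings with the 6011 prefix passes the Luhn check, so a prefix-plus-checksum hit on a large disk image is expected even when no card number is present. The issuer prefix table and the sample "disk image" are constructed assumptions.

```python
import re

# Issuer prefixes named in the thread (6011 = Discover; 3, 4, 5 = AmEx, Visa,
# Mastercard). Assumption: prefix match plus Luhn pass is what a "fast scan" reports.
ISSUER_PREFIXES = {"6011": "Discover", "3": "AmEx", "4": "Visa", "5": "Mastercard"}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits: str):
    """Issuer name for a known prefix, else None."""
    for prefix, name in ISSUER_PREFIXES.items():
        if digits.startswith(prefix):
            return name
    return None


def scan_for_card_hits(image: bytes) -> list:
    """Report every standalone 16-digit run that passes Luhn and carries a known
    prefix as (digits, issuer). No surrounding context is considered at all."""
    hits = []
    for m in re.finditer(rb"(?<!\d)\d{16}(?!\d)", image):
        s = m.group().decode()
        if luhn_ok(s) and issuer_of(s):
            hits.append((s, issuer_of(s)))
    return hits


def luhn_pass_fraction(prefix: str, count: int) -> float:
    """Fraction of `count` consecutive 16-digit strings (prefix + zero-padded counter)
    that pass Luhn: the last digit is the check digit, so exactly one in ten passes."""
    width = 16 - len(prefix)
    passes = sum(luhn_ok(prefix + str(n).zfill(width)) for n in range(count))
    return passes / count


# Constructed sample "disk image": an order id that happens to pass Luhn, a drive
# serial that does not, and a Discover test PAN. The first and third are both hits.
SAMPLE_IMAGE = (
    b"[store] purchase ok order=6011000000000004 points=800\n"
    b"[hw] drive serial=1234567812345678\n"
    b"[cache] pan=6011111111111117 exp= name=\n"
)
```

Corroborating fields (name, expiry, address verification data) near the digits, or a known card entered on the console and then recovered, are what would turn such a hit into evidence.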

    2. Re:Didn't Sony say the same thing at first? by Richard_at_work · · Score: 4, Informative

      The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so it's unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBox's hard disk, so we are going to look into it."

      I entered my card details on the XBox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered it on an XBox, when the card authorisation has to be done by the remote servers anyway, so that's why I'm personally leaning to the above understanding.

      Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

    3. Re:Didn't Sony say the same thing at first? by s.petry · · Score: 2, Interesting

      Take a common sense view of how this could happen. Xbox kernel sees user input, caches input in case the connection is lost. Cache gets written to drive in case of power failure.

      This is the same mindset we see with other Microsoft products like "Active Installer" for IE. Obviously there are security implications but Microsoft chose to put convenience over security.

      To many of us, the security problems released are not excusable. To Microsoft, it's the best business decision.

      In short, it is not a bad intention that brings something like this out necessarily. It's actually a good intention, but poorly planned from the security perspective.

      --
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:Didn't Sony say the same thing at first? by Richard_at_work · · Score: 3, Insightful

      The problem is, they haven't actually verified that what they have is an actual credit card number. They've just pulled a number out that happens to validate and have the same starting digits as a card type, but there is no related information - so why would the credit card number on its own find its way into these streams and not the other details off the card?

      At the moment, they found a number, that's it. What would be an actual test is to use an Xbox, use a card on that Xbox, and then see if you can recover that card from that Xbox - that's not what they did, so the results can't be validated.

    5. Re:Didn't Sony say the same thing at first? by Kalriath · · Score: 2

      Except that the string cannot validate if it was used to sign up for Live - the Xbox 360 will not accept a Discover card because Microsoft does not accept them. This doesn't discount the possibility that the card was there because the former owner signed up to Final Fantasy or another MMO via the console and that application saved or cached the number, but it certainly reinforces that it's unlikely Microsoft is responsible.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  4. Re:Well they would by Garybaldy · · Score: 2, Interesting

    Well at least MS denies it. Apple just covers it up.

  5. The Paper by chrb · · Score: 4, Informative

    this is just some unfounded rumor that has no basis on reality

    It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

    The PDF (found via xbox-experts.com):
    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    The relevant text shows that they just got a credit card hit from some forensics tool:

    Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    The authors appear to have credible prior experience in digital forensics:

    Dr. Ashley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
    The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
    A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

    1. Re:The Paper by damnbunni · · Score: 4, Informative

      It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

      So why would someone enter their Discover information on an Xbox anyway?

    2. Re:The Paper by Sir_Sri · · Score: 3, Informative

      Which may actually make it unlikely in Microsoft's eyes. Being able to have a team of professional forensics experts potentially extract data from a console is a far cry from it being actively exploited by hackers.

      If you look at the paper in question, they ran half a dozen tools to try and extract part of a single credit card. And pretty much everything they're looking at is pretty standard hard drive forensics sort of problems; they're discussing them specifically for the 360, but there's nothing there that doesn't apply to any HDD. How 'erased' is erased data (when you write 0's to the drive)? The answer is: not perfectly. A general 'delete personal data' just deletes files the same way most OSes do; it just forgets the links to the files, but they still hang out on the drive and can be extracted.

      It seems like the trick with the Xbox is that it has various partitions and not all of them are always overwritten, and then the general problems with magnetic storage. So sure, if the police have a specific reason to dig through one xbox 360 they might be able to recover something. But beyond that, I wouldn't count on it being a major issue.

    3. Re:The Paper by aztracker1 · · Score: 2

      More so... does BofA, whose parent company owns Visa & MasterCard, even issue Discover Cards?

      --
      Michael J. Ryan - tracker1.info
  6. For once I agree with MS by Anonymous Coward · · Score: 2, Interesting

    After seeing the original article I tried finding my own credit card number on my xbox hard disk. Through a search of the entire hard disk, not even the first 4 digits of my credit card were found, which are part of the issuer identification number. http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

    Additionally, the article that put this scare on found a number that matched the issuer identification number for a Discover card issued by Bank of America. Microsoft doesn't even take Discover cards. You can't even give this credit card number to Microsoft's system for storage. I find it very hard to believe that Microsoft is storing the credit card number of a card they can't even process.

  7. Credibility by ozmanjusri · · Score: 3, Informative

    Ashley L Podhradsky, Doctor of Science in Information Systems

    Education:
    Doctoral Information Systems, Specializing in Information Assurance, Dakota State University
    M.S., Information Systems, Specializing in Network Security, Dakota State University
    B.S., Electronic Commerce and Computer Security, Dakota State University
    Certificate: Computer Hacking Forensic Investigator, AccessData Certified Examiner

    Areas of Expertise:
    Computer Forensics
    Digital Forensics
    Consumer Privacy
    Risk Management

    http://goodwin.drexel.edu/sotaps/Ashley_Podhradsky.php

    Vs

    Jim Alkove
    Aliases and Other Names: James Alkove

    Bio
    Software Design Engineer at Microsoft Corporation
    Career
    Microsoft Corporation
    Software Design Engineer

    Achievements and Recognition:
    .
    .
    .

    http://www.spoke.com/info/p1N6wTr/JimAlkove

    --
    "I've got more toys than Teruhisa Kitahara."
  8. Re:XBox 360 and fraud by SomePgmr · · Score: 2

    I can see why that's aggravating, but it makes sense. Your CC company can follow up on fraud by deactivating the old card, issuing a new one, reversing certain charges as fraudulent and watching for activity on the stolen one. If Microsoft does it, it's just a reversed charge on a compromised account.

  9. Re:Well they would by Kalriath · · Score: 2

    Except they have a point. The card number found was a Discover. Microsoft won't even let you enter a Discover to sign up for Live or buy points.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".