Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

Posted by timothy on from the faked-in-the-same-studio-as-the-moon-landings dept.

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

15 of 105 comments (clear)

  1. Microsoft is right by Johnny+Mister · · Score: 3, Insightful

    This just seems more like bad mouthing about MS and XBOX360. It was already debunked on Slashdot too, because MS doesn't store credit card details on the machine. They only store account details. Microsoft is right - this is just some unfounded rumor that has no basis on reality.

    1. Re:Microsoft is right by not+already+in+use · · Score: 4, Interesting

      No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

      --
      Similes are like metaphors
    2. Re:Microsoft is right by Stenchwarrior · · Score: 4, Informative

      Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

      That being said, PCI, in part, states that credit card info must never be stored, cached, saved...etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magentic stripe data or CAV2 code (card authentication data).

      --
      Loading...
    3. Re:Microsoft is right by chrb · · Score: 4, Informative

      I don't believe the CC numbers are stored on the HD either.

      It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

      That Xbox HD still could have your account name/email address/password.

      Yes, apparently they recovered user names, gamer tags, purchase history etc.

    4. Re:Microsoft is right by Stenchwarrior · · Score: 3, Informative

      From the PCI Security Standards Council "PCI Data Storage Do's and Don'ts":

      Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones

      And

      At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs.

      Based on that information, I would say that PCs and, certainly in this case, game platforms (since the Xbox is really just a PC) would fall under the "endpoint device" category. Especially since the end-user has no control over whether or not that information is stored on their device because only Microsoft can alter the code that allows or disallows the storage.

      --
      Loading...
  2. Terribly Misleading Headline by rjstanford · · Score: 4, Informative

    Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
    Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

    See the difference?

    --
    You're special forces then? That's great! I just love your olympics!
    1. Re:Terribly Misleading Headline by Robert+Zenz · · Score: 5, Insightful

      Even better: Microsoft says it's unlikely that Credit Card details can be lifted from XBox 360s.

  3. Didn't Sony say the same thing at first? by crazyjj · · Score: 3, Interesting

    IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

    --
    What political party do you join when you don't like Bible-thumpers *or* hippies?
    1. Re:Didn't Sony say the same thing at first? by tgd · · Score: 4, Insightful

      IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

      If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

      And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

      It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

      Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.

      And even then, its really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.

    2. Re:Didn't Sony say the same thing at first? by Richard_at_work · · Score: 4, Informative

      The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

      I entered my card details on the XBox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered it on an XBox, when the card authorisation has to be done by the remote servers anyway, so thats why I'm personally leaning to the above understanding.

      Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

    3. Re:Didn't Sony say the same thing at first? by Richard_at_work · · Score: 3, Insightful

      The problem is, they haven't actually verified that what they have is an actual credit card number, they've just pulled a number out that happens to validate and have the same starting digits as a card type but there is no related information - so why would the credit card number on its own find it's way into these streams and not the other details off the card.

      At the moment, they found a number, that's it. What would be an actual test is to use an Xbox, use a card on that Xbox, and then see if you can recover that card from that Xbox - that's not what they did, so the results can't be validated.

  4. The Paper by chrb · · Score: 4, Informative

    this is just some unfounded rumor that has no basis on reality

    It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

    The PDF (found via xbox-experts.com:
    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    The relevant text shows that they just got a credit card hit from some forensics tool:

    Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    The authors appeal to have credible prior experience in digital forensics:

    Dr. Asley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
    The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
    A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

    1. Re:The Paper by damnbunni · · Score: 4, Informative

      It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

      So why would someone enter their Discover information on an Xbox anyway?

    2. Re:The Paper by Sir_Sri · · Score: 3, Informative

      Which may actually make it unlikely in microsofts eyes. Being able to have a team of professional forensics experts potentially extract data from a console is a far cry from it being actively exploited by hackers.

      If you look at the paper in question they ran half a dozen tools to try and extract part of a single credit card. And pretty much everything they're looking at is pretty standard hard drive forensics sort of problems, they're discussing in specific to the 360, but there's nothing there that doesn't apply to any HDD. How 'erased' is erased data (when you write 0's to the drive), the answer is not perfectly. A general 'delete personal data' just deletes files the same way most OS's do, it just forgets the links to the files, but they still hang out on the drive and can be extracted.

      It seems like the trick with the Xbox is that it has various partitions and not all of them are always overwritten, and then the general problems with magnetic storage. So sure, if the police have a specific reason to dig through one xbox 360 they might be able to recover something. But beyond that, I wouldn't count on it being a major issue.

  5. Credibility by ozmanjusri · · Score: 3, Informative

    Ashley L Podhradsky, Doctor of Science in Information Systems

    Education:
    Doctoral Information Systems, Specializing in Information Assurance, Dakota State University
    M.S., Information Systems, Specializing in Network Security, Dakota State University
    B.S., Electronic Commerce and Computer Security, Dakota State University
    Certificate: Computer Hacking Forensic Investigator, AccessData Certified Examiner

    Areas of Expertise:
    Computer Forensics
    Digital Forensics
    Consumer Privacy
    Risk Management

    http://goodwin.drexel.edu/sotaps/Ashley_Podhradsky.php

    Vs

    Jim Alkove
    Aliases and Other Names: James Alkove

    Bio
    Software Design Engineer at Microsoft Corporation
    Career
    Microsoft Corporation
    Software Design Engineer

    Achievements and Recognition:
    .
    .
    .

    http://www.spoke.com/info/p1N6wTr/JimAlkove

    --
    "I've got more toys than Teruhisa Kitahara."