Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

Posted by timothy on from the faked-in-the-same-studio-as-the-moon-landings dept.

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

9 of 105 comments (clear)

  1. Terribly Misleading Headline by rjstanford · · Score: 4, Informative

    Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
    Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

    See the difference?

    --
    You're special forces then? That's great! I just love your olympics!
    1. Re:Terribly Misleading Headline by Robert+Zenz · · Score: 5, Insightful

      Even better: Microsoft says it's unlikely that Credit Card details can be lifted from XBox 360s.

  2. Re:Microsoft is right by not+already+in+use · · Score: 4, Interesting

    No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

    --
    Similes are like metaphors
  3. Re:Didn't Sony say the same thing at first? by tgd · · Score: 4, Insightful

    IIRC, Sony said something very similar at the beginning of the PSN breach--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

    If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

    And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

    It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

    Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.

    And even then, its really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.

  4. Re:Didn't Sony say the same thing at first? by Richard_at_work · · Score: 4, Informative

    The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

    I entered my card details on the XBox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered it on an XBox, when the card authorisation has to be done by the remote servers anyway, so thats why I'm personally leaning to the above understanding.

    Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

  5. The Paper by chrb · · Score: 4, Informative

    this is just some unfounded rumor that has no basis on reality

    It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

    The PDF (found via xbox-experts.com:
    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    The relevant text shows that they just got a credit card hit from some forensics tool:

    Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    The authors appeal to have credible prior experience in digital forensics:

    Dr. Asley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
    The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
    A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

    1. Re:The Paper by damnbunni · · Score: 4, Informative

      It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

      So why would someone enter their Discover information on an Xbox anyway?

  6. Re:Microsoft is right by Stenchwarrior · · Score: 4, Informative

    Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

    That being said, PCI, in part, states that credit card info must never be stored, cached, saved...etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magentic stripe data or CAV2 code (card authentication data).

    --
    Loading...
  7. Re:Microsoft is right by chrb · · Score: 4, Informative

    I don't believe the CC numbers are stored on the HD either.

    It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

    That Xbox HD still could have your account name/email address/password.

    Yes, apparently they recovered user names, gamer tags, purchase history etc.