
Hackers Can Easily Lift Credit Card Info From a Used Xbox

Posted by timothy
from the extra-sensitive-data dept.
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
  • by Anonymous Coward on Friday March 30, 2012 @07:03PM (#39530553)

    From http://aisel.aisnet.org/amcis2011_submissions/54:

    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    Dr. Asley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    Information Systems Security and Privacy

    Abstract
    Traditionally, when individuals wanted online access they connected their PCs to the internet. Now, non-traditional devices such as cell phones, smart phones, and gaming consoles serve as common means of online access. Gaming consoles, just like PCs need proper sanitization processes to help fight identity theft. Individuals understand you cannot simply throw away a computer that has your personal data on it without some sort of sanitization process; gaming consoles are no different. Simply returning your console back to “factory state” will not do the trick, you need to take things one step further. In this research paper the authors aim to bring awareness to the gaming public, researchers and practitioners that improperly discarding used consoles without proper sanitization practices can inadvertently release personal data which can result in identity theft. The researchers will demonstrate through a case study how easy it is to steal an identity through a discarded Xbox. Finally, the researchers will demonstrate how gamers can sanitize their game consoles when upgrading their systems to ensure their identity is not at risk when the used device is retired.

    Recommended Citation
    Podhradsky, Dr. Asley L.; D'Ovidio, Dr. Rob; and Casey, Cindy, "Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives" (2011). AMCIS 2011 Proceedings - All Submissions. Paper 54

    Couldn't find a free to access PDF though.

  • by Anonymous Coward on Friday March 30, 2012 @07:15PM (#39530651)

    The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the Flash NAND that everything else is stored in remains untouched- that is, the data is still there- just not in any reference-able format (this is analogous to unlinking a file- the data is still there, just not listed in the filesystem's TOC).

    If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc)- then enter in a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB- but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience, I've done it before- but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad- up, down, left, right, then the X, Y, A, and B buttons).

    If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).

    Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.

    But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.

    -AC

  • by icebike (68054) * on Friday March 30, 2012 @10:33PM (#39531803)

    Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.

    No need for multiple passes either, simply write binary zeros everywhere and you are done. The old FUD about the CIA recovering [nber.org] your info with electron microscopes is pure bull, and nobody has ever once successfully demonstrated that in public even when they had access to state of the art university electron microscopes.

    Platter level forensics are a hoax.
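
Added example, not part of the thread or of any commenter's post: a pre-resale sanitization audit that contrasts the "unlink"-style reset described in the comments above with a single-pass zero fill. The 8-sector image layout, the record contents and the function names are constructed for illustration and are not the Xbox 360's real on-disk format.

```python
import re

SECTOR = 512  # constructed toy layout: sector 0 is the table of contents (TOC)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def build_image() -> bytearray:
    """Constructed image: TOC entry in sector 0, profile record in sector 3."""
    img = bytearray(SECTOR * 8)
    img[0:16] = b"profile.dat\x00\x03\x00\x00\x00"            # name + start sector
    record = b"name=Test User;card=4111111111111111;"        # well-known test number
    img[3 * SECTOR:3 * SECTOR + len(record)] = record
    return img

def quick_reset(img: bytearray) -> None:
    """Models a reset that only drops the references: the TOC sector is cleared."""
    img[0:SECTOR] = bytes(SECTOR)

def zero_fill(img: bytearray) -> None:
    """Single-pass overwrite of every byte with zeros."""
    img[:] = bytes(len(img))

def audit(img: bytearray):
    """Return (number of non-zero sectors, offsets of Luhn-valid 13-19 digit runs)."""
    dirty = sum(1 for off in range(0, len(img), SECTOR) if any(img[off:off + SECTOR]))
    hits = [m.start() for m in re.finditer(rb"(?<!\d)\d{13,19}(?!\d)", bytes(img))
            if luhn_ok(m.group().decode())]
    return dirty, hits

if __name__ == "__main__":
    img = build_image()
    print("in use      :", audit(img))
    quick_reset(img)
    print("quick reset :", audit(img))   # record no longer listed, bytes still present
    zero_fill(img)
    print("zero fill   :", audit(img))   # nothing left to find
```

The same `audit` logic can be pointed at a raw image of a real drive read in chunks; a clean result is zero non-zero sectors and no hits.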

  • by Kaenneth (82978) on Saturday March 31, 2012 @02:50AM (#39532645) Homepage Journal

    Don't use CCleaner, it WILL fuck up your system eventually.
