
Hackers Can Easily Lift Credit Card Info From a Used Xbox

Posted by timothy
from the extra-sensitive-data dept.
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
  • by Omnifarious (11933) * <eric-slash AT omnifarious DOT org> on Friday March 30, 2012 @07:55PM (#39530483) Homepage Journal

    Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.

  • by Anonymous Coward

    From http://aisel.aisnet.org/amcis2011_submissions/54 [aisnet.org]:

    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives

    Dr. Ashley L. Podhradsky, Drexel University
    Dr. Rob D'Ovidio, Drexel University
    Cindy Casey, Drexel University

    Information Systems Security and Privacy

    Abstract
    Traditionally, when individuals wanted online access they connected their PCs to the internet. Now, non-traditional devices such as cell phones, smart phones, and gaming consoles serve as common means of

    • What? No torrents?

    • by Xugumad (39311) on Saturday March 31, 2012 @12:11PM (#39534599)

      Got myself a copy (my employer appears to have a subscription). The really critical bit here is:

      "Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10."

      While they conclude that it's likely this is a credit card, based on the card identifier (first four numbers) and the fact that it matches the Luhn algorithm (mis-spelt as "Luhr" in the article - that took a while to figure out!), the Luhn algorithm isn't designed for this sort of use; it's primarily there to catch data entry mistakes. I'm fairly happy that the chances of a match like this on a multi-GB hard drive are fairly good, just through random chance. A good follow-up experiment here would be to buy new XBox 360s, buy points and then scan the hard drive for the card used.

      IMHO their points raised about finding gamer tags, friend lists, etc. are probably far more relevant, especially in relation to this data not being destroyed when a factory reset is done.

      There are some really odd bits, though... "In this particular instance, we can see NAT (Network Address Translation) rules for a site called Bungle.net[sic], where Halo players can have their stats tracked or purchase games and merchandise [36]." - which as far as I can tell is actually a list of errors you can get if your NAT setup is causing problems.

      I'd also be more confident if the work had fewer odd errors; "Book and Nuke, by DBAN is", presumably refers to "Darik's Boot and Nuke", frequently abbreviated to "DBAN".

  • by Anonymous Coward on Friday March 30, 2012 @08:15PM (#39530651)

    The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the flash NAND that everything else is stored in remains untouched - that is, the data is still there, just not in any reference-able format (this is analogous to unlinking a file: the data is still there, just not listed in the filesystem's TOC).

    If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc.), then enter a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB - but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience; I've done it before, but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad - up, down, left, right - then the X, Y, A, and B buttons).

    If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).

    Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.

    But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.

    -AC

    • by maitai (46370)

      And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.

        What is wrong with you exactly? You are clearly damaged in some way.

        First Sale Doctrine: I buy shit from you, the shit is mine now, I sell shit to someone else. You don't get to stop or interfere with that.
        Sorry, but I like liberty and being free. I don't want to live in a nation where all my stuff belongs to the aristocracy and I'm just renting it from them at their pleasure; that's just slavery by a different name.

        • by Nos9 (442559)

          You are correct, it's your shit now. Microsoft isn't stopping you from selling your shit. It's like bitching that the dealership won't help you transfer the title on the car you bought from them when you sell it to someone else several years later. It's your job to deal with that because it's your shit now.

    • by ClosedEyesSeeing (1278938) on Friday March 30, 2012 @11:34PM (#39531811)
      I miss when I didn't have to use cheat codes to clear my data. :(
  • by damm0 (14229) on Friday March 30, 2012 @08:17PM (#39530661) Homepage Journal

    Pretty soon everyone will have had their credit card stolen [slashdot.org] so just don't worry about it!

    Nothing gained, nothing lost!

  • by Cazekiel (1417893) on Friday March 30, 2012 @08:28PM (#39530747)

    The good ol' days when someone just stole your wallet/pocketbook from your grocery cart... how I miss them.

  • by Aldanga (1757414) on Friday March 30, 2012 @08:40PM (#39530829)
    Straight wiping of a 360 hard drive will destroy it for future 360 use. The hard drive security sector (hddss.bin) is stored on the disk and, if erased, will render the hard drive useless on a stock 360 console. The security sector cannot be "spoofed" or otherwise faked, as each hddss.bin is unique to the specific hard drive on which it resides. Only by backing up the specific sectors where hddss.bin is stored before wiping, then restoring them afterward, can you keep the hard drive usable in a 360 console.

    There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
    • by game kid (805301)

      Oh, sorry about the ruckus. Those loud guffaws were just rms feeling vindicated again. :P

      --okay, maybe the 360 shouldn't be full-on free software, but they really should ship HDD-reset CD thingers to properly wipe the disc so we don't turn our HDDs into blank coasters (from the console POV anyway) when this sort of wipe becomes necessary.

  • And this is why (Score:5, Insightful)

    by rikkards (98006) on Friday March 30, 2012 @08:53PM (#39530915) Journal

    I buy the gift cards when doing anything regarding the xbox

  • not yet!

    This article might as well read "used PCs". Why wouldn't you DBAN your console if you were going to sell it?

    Answer: because people don't know and don't care.

  • I don't buy it (Score:5, Interesting)

    by Anonymous Coward on Friday March 30, 2012 @09:04PM (#39530985)

    TFA: Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    That's a solid find. Except for the fact that I can't find the option to enter in a Discover card to Xbox Live for it to store. Chances of this being a real valid Discover card number? I'd put it right around the same as /dev/urandom.

    http://i.imgur.com/A0M4d.png

    • by WWWWolf (2428)

      Yeah, I thought the same. XBL purchases come out of your MSPoints wallet, which is (logically enough) stored in XBL, not the console - you can purchase stuff through the xbox.com website too, and stuff gets downloaded when you turn the console on again. Credit card info is stored on XBL too, as far as I can boundlessly speculate. Wouldn't make much sense to store it on the console, especially since the XBL account is not tied to a specific console.

      However, as far as I can tell you can have multiple 360s log
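The two objections above (Xugumad's point that a Luhn match on a multi-GB drive proves little on its own, and the "I don't buy it" comment's point that the BIN is the only thing tying the hit to a Discover card) come down to how a carved digit run is scored. The following scanner is an added example, not code from the paper or from Slashdot: it carves 13-19 digit runs out of a byte blob, applies the Luhn check, guesses the issuer from a deliberately non-exhaustive prefix table, and measures how often uniformly random digit strings pass Luhn. The sample "image" and every number in it are constructed for the example (the Visa test number is a well-known test value, not a real card).

```python
"""Carve card-number candidates from raw bytes and score them.
Added example; the prefix table and the sample blob are assumptions."""
import random
import re

# Runs of 13-19 ASCII digits not bordered by other digits (typical PAN lengths).
_DIGIT_RUN = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")

# Leading-digit (IIN/BIN) ranges and lengths for a few major brands.
# Deliberately incomplete; a real scan would use a maintained BIN list.
_BRANDS = (
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard", tuple(str(p) for p in range(51, 56)), (16,)),
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16, 19)),
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(digits: str):
    """Issuer guess from the leading digits and length, or None if unknown."""
    for name, prefixes, lengths in _BRANDS:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None


def scan_for_pans(data: bytes):
    """Every PAN-length digit run in the blob, with its Luhn result and brand guess."""
    hits = []
    for m in _DIGIT_RUN.finditer(data):
        digits = m.group().decode("ascii")
        hits.append({"offset": m.start(), "digits": digits,
                     "luhn_ok": luhn_valid(digits), "brand": brand_for(digits)})
    return hits


def plausible_pans(data: bytes):
    """Keep only runs that pass Luhn AND carry a known issuer prefix and length."""
    return [h for h in scan_for_pans(data) if h["luhn_ok"] and h["brand"]]


def luhn_pass_rate(samples: int, length: int = 16, seed: int = 1) -> float:
    """Fraction of uniformly random digit strings that pass Luhn (about 0.10:
    the rightmost digit is uniform, so the mod-10 sum is uniform too)."""
    rng = random.Random(seed)
    passed = sum(
        luhn_valid("".join(rng.choice("0123456789") for _ in range(length)))
        for _ in range(samples))
    return passed / samples


# Constructed sample "disk image": three digit runs, only one of which is
# both Luhn-valid and carries a known issuer prefix. All values are fabricated.
SAMPLE = (b"\x00\x00gamertag=ExampleTag;pan=4111111111111111;exp=0314\x00"
          b"friend_ids=1234567890123,1234567890128;\xff\xff")

if __name__ == "__main__":
    for h in scan_for_pans(SAMPLE):
        print(h)
    print("plausible:", [h["digits"] for h in plausible_pans(SAMPLE)])
    print("Luhn pass rate on random 16-digit strings:", luhn_pass_rate(20000))
```

Luhn alone accepts roughly one in ten arbitrary digit strings, so on a drive full of timestamps, IDs and hashes it is a weak filter; the prefix and length check cuts the candidate set down, but still only flags "could be a card", which is what the paper's "possible credit card hit" wording amounts to. The follow-up Xugumad suggests (buy points with a known card, then scan for that exact number) is the only way to turn a plausible hit into a confirmed one.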

  • Woah! I was getting a bit creeped out by some of the more paranoid comments from our brethren and just at the right/wrong moment a junior spider abseils off my ceiling light across the room and onto my keyboard. The slightest movement of my hand makes it scurry in and under the ] (right angle bracket) key. It shall feast well tonight!

    And my comment... don't use Xbox it's Microsoft shit. Easy.

  • by Anonymous Coward

    Too bad credit card numbers never expire...

  • The PS3 is better: it uses HDDs that work on any SATA system, so they are easy to nuke.

  • It may not run Windows, but don't forget that the Xbox is a Microsoft product, so of course it is a liability.
  • Let's see them pry personal credit card information from my Sega Genesis!
  • ... to April 1st to not say this could be an elaborate April Fools joke.
  • by Anonymous Coward

    Stolen credit card numbers are cheap. Who's going to pay $50 for a used XBox just to steal somebody's credit card information?
