Topics: Crime, Microsoft, Privacy, Security, XBox (Games), Games

Hackers Can Easily Lift Credit Card Info From a Used Xbox

Posted by timothy
from the extra-sensitive-data dept.
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
  • by Omnifarious (11933) * <eric-slash&omnifarious,org> on Friday March 30, 2012 @07:55PM (#39530483) Homepage Journal

    Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.

  • by billcopc (196330) <vrillco@yahoo.com> on Friday March 30, 2012 @08:00PM (#39530515) Homepage

    I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.

  • by Aldanga (1757414) on Friday March 30, 2012 @08:40PM (#39530829)

    Straight wiping of a 360 hard drive will destroy it for future 360 use. The hard drive security sector (hddss.bin) is stored on the disk and, if erased, will render the hard drive useless on a stock 360 console. The security sector cannot be "spoofed" or otherwise, as each hddss.bin is unique to the specific hard drive on which it resides. Only by backing up the specific sectors where hddss.bin is stored before wiping, then restoring them afterward, can the hard drive be kept usable in a 360 console.

    There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
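A worked illustration of the back-up, wipe, restore sequence the comment above describes, added here as an example; it is not code from the post, from Microsoft, or from the Drexel researchers. It operates on a disk image file rather than a physical drive, assumes 512-byte sectors, and takes the location of the block to keep as caller-supplied parameters, because the page does not say where hddss.bin lives on the disk. The image contents (a fake personal-data record and a stand-in security block) are constructed. The point for anyone sanitising a drive before resale is the verification step: after the wipe, the preserved range must hash to the same value as before and every other byte must read back as zero.

```python
# Added example (not from the page, Microsoft, or the researchers): sector-level wipe
# of a disk image that preserves one device-specific block, then verifies the result.
# The location of the 360's hddss.bin is NOT given on the page; start sector and length
# are assumptions passed in by the caller.
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def _span(start_sector, num_sectors):
    """Byte offset and byte length of a sector range."""
    return start_sector * SECTOR_SIZE, num_sectors * SECTOR_SIZE


def backup_sectors(image_path, start_sector, num_sectors):
    """Read the raw bytes of the range to keep (the stand-in for hddss.bin)."""
    offset, length = _span(start_sector, num_sectors)
    with open(image_path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    if len(data) != length:
        raise ValueError("sector range extends past the end of the image")
    return data


def wipe_preserving(image_path, start_sector, num_sectors, chunk=1 << 20):
    """Back up the range, zero the whole image, write the range back.

    Returns the SHA-256 of the preserved bytes so the caller can verify afterwards.
    """
    saved = backup_sectors(image_path, start_sector, num_sectors)
    offset, _ = _span(start_sector, num_sectors)
    size = os.path.getsize(image_path)
    zeros = b"\x00" * chunk
    with open(image_path, "r+b") as f:
        remaining = size
        while remaining > 0:            # overwrite every byte, chunk by chunk
            n = min(chunk, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.seek(offset)
        f.write(saved)                  # restore the device-specific block
        f.flush()
        os.fsync(f.fileno())
    return hashlib.sha256(saved).hexdigest()


def verify_wipe(image_path, start_sector, num_sectors, expected_digest, chunk=1 << 20):
    """True iff the preserved range matches the digest and every other byte is zero."""
    offset, length = _span(start_sector, num_sectors)
    size = os.path.getsize(image_path)

    def all_zero(f, start, end):
        f.seek(start)
        pos = start
        while pos < end:
            buf = f.read(min(chunk, end - pos))
            if not buf or buf.count(0) != len(buf):
                return False
            pos += len(buf)
        return True

    with open(image_path, "rb") as f:
        if not all_zero(f, 0, offset):
            return False
        f.seek(offset)
        if hashlib.sha256(f.read(length)).hexdigest() != expected_digest:
            return False
        return all_zero(f, offset + length, size)


def demo():
    """Constructed image: a fake personal-data record plus a stand-in security block."""
    total_sectors = 64
    keep_start, keep_len = 40, 2                      # assumption: where the block lives
    image = bytearray(total_sectors * SECTOR_SIZE)
    record = b"CONSTRUCTED-PERSONAL-DATA: PAN=0000-0000-0000-0000 NAME=J.DOE"
    image[10 * SECTOR_SIZE:10 * SECTOR_SIZE + len(record)] = record
    block = bytes(range(256)) * (keep_len * SECTOR_SIZE // 256)   # stand-in for hddss.bin
    lo, hi = keep_start * SECTOR_SIZE, (keep_start + keep_len) * SECTOR_SIZE
    image[lo:hi] = block
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(image)
        before_digest = hashlib.sha256(block).hexdigest()
        verified_before = verify_wipe(path, keep_start, keep_len, before_digest)  # False: record present
        digest = wipe_preserving(path, keep_start, keep_len)
        verified_after = verify_wipe(path, keep_start, keep_len, digest)
        with open(path, "rb") as f:
            after = f.read()
        return {
            "verified_before": verified_before,
            "verified_after": verified_after,
            "record_gone": record not in after,
            "block_intact": after[lo:hi] == block,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

On a real device the same three calls would run against the block device rather than a file, and the start sector and length would have to come from a trustworthy description of the drive's layout; the verification pass is what tells you the wipe reached everything outside the preserved block.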
  • And this is why (Score:5, Insightful)

    by rikkards (98006) on Friday March 30, 2012 @08:53PM (#39530915) Journal

    I buy the gift cards when doing anything regarding the xbox

  • by Anonymous Coward on Friday March 30, 2012 @10:19PM (#39531369)

    And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.

    What is wrong with you exactly? You are clearly damaged in some way.

    First Sale Doctrine: I buy shit from you, the shit is mine now, I sell shit to someone else. You don't get to stop or interfere with that.
    Sorry but I like liberty and being free. I don't want to live in a nation where all my stuff belongs to the aristocracy and I'm just renting it from them at their pleasure, that's just slavery in a different name.

  • by ArundelCastle (1581543) on Friday March 30, 2012 @10:38PM (#39531487)

    I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.

    The point, I think, is that it's naive not to assume some engineer decided to store the info in *both* places. If you were trying to make the customer experience as smooth as possible, and you had 99% confidence that the home box was in possession of the Real User, you might want to make the process a little more "foolproof".

    Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen, which has a non-zero chance to frustrate the Real User to the point of cancelling the sale. Bad for a market built on instant gratification.

    Any good-hearted engineer who cries foul from a system security training point of view has probably never had to answer to a Director more concerned with their department operating at a loss for years. Xbox division regularly dipped into and out of the red until the last couple of years.

    And the bigger point is, with all the revisions to the Dashboard, it may be impossible to know when this purported "feature" was added, taken away, or actively used. I bet you 2800 MS Points that the next dash update roots out and purges this data. Won't stop the class-actions though.

  • by ClosedEyesSeeing (1278938) on Friday March 30, 2012 @11:34PM (#39531811)

    I miss when I didn't have to use cheat codes to clear my data. :(
  • by Omnifarious (11933) * <eric-slash&omnifarious,org> on Saturday March 31, 2012 @06:04AM (#39533013) Homepage Journal

    I agree that Open Source is no different. But I think it's harder to get away with it because it's harder to hide what you're doing. And even if you do for a time, someone will come along and fix it, and if you don't accept their fix you'll lose your users to the fork.
