
Hackers Can Easily Lift Credit Card Info From a Used Xbox

Posted by timothy
from the extra-sensitive-data dept.
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
  • by Anonymous Coward on Friday March 30, 2012 @07:57PM (#39530499)

    So basically you commented to let everyone know that you don't know shit. Quite worthwhile.

  • I don't buy it (Score:5, Interesting)

    by Anonymous Coward on Friday March 30, 2012 @09:04PM (#39530985)

    TFA: Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    That's a solid find. Except for the fact that I can't find the option to enter in a Discover card to Xbox Live for it to store. Chances of this being a real valid Discover card number? I'd put it right around the same as /dev/urandom.

    http://i.imgur.com/A0M4d.png

  • by TrancePhreak (576593) on Friday March 30, 2012 @10:39PM (#39531497)
    Credit card details were already leaked through Sony themselves. No need to physically get at the boxes.
  • by Xugumad (39311) on Saturday March 31, 2012 @12:11PM (#39534599)

    Got myself a copy (my employer appears to have a subscription). The really critical bit here is:

    "Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10."

    While they conclude that it's likely this is a credit card, based on the card identifier (first four numbers) and that it matches the Luhn algorithm (mis-spelt as "Luhr" in the article - that took a while to figure out!), however the Luhn algorithm isn't designed for this sort of use, it's primarily there to catch data entry mistakes. I'm fairly happy that the chances of a match like this on a multi-GB hard drive are fairly good, just through random chance. A good follow-up experiment here would be to buy new XBox 360s, buy points and then scan the hard drive for the card used.

    IMHO their points raised about finding gamer tags, friend lists, etc. are probably far more relevant, especially in relation to this data not being destroyed when a factory reset is done.

    There's some really odd bits, though... "In this particular instance, we can see NAT (Network Address Translation) rules for a site called Bungle.net[sic], where Halo players can have their stats tracked or purchase games and merchandise [36]." - which as far as I can tell is actually a list of errors you can get if your NAT setup is causing problems.

    I'd also be more confident if the work had less odd errors; "Book and Nuke, by DBAN is", presumably refers to "Darik's Boot and Nuke", frequently abbreviated to "DBAN".
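The point made in the comment above about Luhn matches arising by chance, as an added example that is not part of the original thread or of the paper it discusses: for any 15 digits exactly one check digit passes Luhn, so roughly one in ten 16-digit runs in arbitrary data will pass, and a prefix filter only narrows that. The prefix `6011` and the sample buffer are constructed assumptions for illustration.

```python
import random
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def valid_check_digits(body: str) -> list:
    """Final digits that make body + digit pass; always exactly one of ten."""
    return [c for c in "0123456789" if luhn_ok(body + c)]

def candidate_hits(data: bytes, prefix: str = "", length: int = 16):
    """Yield (offset, digits) for each ASCII digit window passing prefix + Luhn."""
    text = data.decode("latin-1")  # 1 byte -> 1 char, so offsets are byte offsets
    for m in re.finditer(r"(?=([0-9]{%d}))" % length, text):
        s = m.group(1)
        if s.startswith(prefix) and luhn_ok(s):
            yield m.start(), s

def random_hit_rate(n_digits: int, seed: int = 0) -> float:
    """Share of 16-digit windows in random digit noise that pass Luhn."""
    rng = random.Random(seed)
    noise = "".join(rng.choice("0123456789") for _ in range(n_digits)).encode()
    return sum(1 for _ in candidate_hits(noise)) / (n_digits - 15)

# Constructed sample buffer (assumption), not data from any real drive.
SAMPLE = b"\x00\xffNAT err 6011000000000004\x00id=1234567890123456789\xfe"

if __name__ == "__main__":
    print(list(candidate_hits(SAMPLE, prefix="6011")))
    print(valid_check_digits("601100000000000"))
    print(round(random_hit_rate(20000), 3))
```

A hit from a scan like this is a lead to verify against known ground truth, such as the follow-up experiment the comment proposes, rather than evidence of a stored card.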
