Hackers Can Easily Lift Credit Card Info From a Used Xbox
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
Details of the academic paper (Score:1, Informative)
From http://aisel.aisnet.org/amcis2011_submissions/54 [aisnet.org]:
Couldn't find a free-to-access PDF though.
"Factory Reset" means nothing on the 360... (Score:5, Informative)
The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the Flash NAND that everything else is stored in remains untouched- that is, the data is still there- just not in any reference-able format (this is analogous to unlinking a file- the data is still there, just not listed in the filesystem's TOC).
If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc)- then enter in a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB- but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience, I've done it before- but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad- up, down, left, right, then the X, Y, A, and B buttons).
If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).
Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.
But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.
-AC
Re:Jury is still out... (Score:5, Informative)
Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.
No need for multiple passes either, simply write binary zeros everywhere and you are done. The old FUD about the CIA recovering [nber.org] your info with electron microscopes is pure bull, and nobody has ever once successfully demonstrated that in public even when they had access to state of the art university electron microscopes.
Platter level forensics are a hoax.
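An added example, not part of the thread or of the paper it discusses: a Python check that reads an image back sector by sector and reports anything that is not zero, run against a reset that only clears the table of contents and against a single zero-fill pass. The toy image layout and every function name here are constructed for illustration.

```python
import io

def nonzero_extents(stream, sector=512, chunk=1 << 20):
    """Return [(offset, length)] runs of sectors holding any non-zero byte.
    chunk must be a multiple of sector; reading in chunks keeps memory flat."""
    extents, offset, zero = [], 0, bytes(sector)
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        for i in range(0, len(buf), sector):
            block = buf[i:i + sector]
            if block == zero[:len(block)]:
                continue
            start = offset + i
            if extents and extents[-1][0] + extents[-1][1] == start:
                # Adjacent to the previous dirty run: extend it.
                extents[-1] = (extents[-1][0], extents[-1][1] + len(block))
            else:
                extents.append((start, len(block)))
        offset += len(buf)
    return extents

def make_image(sectors=64, sector=512):
    """Constructed toy image: sector 0 is a table of contents, sector 10 is data."""
    img = bytearray(sectors * sector)
    img[0:16] = b"TOC:profile@10\x00\x00"
    img[10 * sector:10 * sector + 21] = b"constructed user data"
    return img

def unlink_style_reset(img, sector=512):
    """Clear only the table of contents; the data sectors are left alone."""
    img[0:sector] = bytes(sector)

def zero_fill(img):
    """One pass of binary zeros over every byte of the image."""
    img[:] = bytes(len(img))

if __name__ == "__main__":
    img = make_image()
    print("fresh image:     ", nonzero_extents(io.BytesIO(img)))
    unlink_style_reset(img)
    print("after TOC reset: ", nonzero_extents(io.BytesIO(img)))
    zero_fill(img)
    print("after zero fill: ", nonzero_extents(io.BytesIO(img)))
```

`nonzero_extents` takes any binary stream, so it can also be given an image file opened with `open(path, "rb")`; an empty list means every sector read back as zeros.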
Re:Jury is still out... (Score:2, Informative)
Don't use CCleaner, it WILL fuck up your system eventually.