Hackers Can Easily Lift Credit Card Info From a Used Xbox
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
I made the point earlier (Score:3, Insightful)
Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.
Re:I made the point earlier (Score:4, Insightful)
I agree that Open Source is no different. But I think it's harder to get away with it because it's harder to hide what you're doing. And even if you do for a time, someone will come along and fix it, and if you don't accept their fix you'll lose your users to the fork.
Re: (Score:1)
Open source is different in that anyone peeved about some missing or unfriendly feature can implement it. You do not need to become an official committer; just put your patch on the mailing list and it is likely to be picked up and integrated.
Open source is different in that people generally strive to build the best software they can; there is no management saying "This is good enough; we're not going to bother with feature/problem X", or worse, as in this case, "there is no problem X".
Details of the academic paper (Score:1, Informative)
From http://aisel.aisnet.org/amcis2011_submissions/54 [aisnet.org]:
Re: (Score:3)
What? No torrents?
Re:Details of the academic paper (Score:5, Interesting)
Got myself a copy (my employer appears to have a subscription). The really critical bit here is:
"Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10."
While they conclude that it's likely this is a credit card, based on the card identifier (first four numbers) and that it matches the Luhn algorithm (mis-spelt as "Luhr" in the article - that took a while to figure out!), the Luhn algorithm isn't designed for this sort of use; it's primarily there to catch data entry mistakes. I'm fairly happy that the chances of a match like this on a multi-GB hard drive are fairly good, just through random chance. A good follow-up experiment here would be to buy new XBox 360s, buy points and then scan the hard drive for the card used.
IMHO their points raised about finding gamer tags, friend lists, etc. are probably far more relevant, especially in relation to this data not being destroyed when a factory reset is done.
There's some really odd bits, though... "In this particular instance, we can see NAT (Network Address Translation) rules for a site called Bungle.net[sic], where Halo players can have their stats tracked or purchase games and merchandise [36]." - which as far as I can tell is actually a list of errors you can get if your NAT setup is causing problems.
I'd also be more confident if the work had fewer odd errors; "Book and Nuke, by DBAN is", presumably refers to "Darik's Boot and Nuke", frequently abbreviated to "DBAN".
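The point above, that a Luhn match on a multi-gigabyte drive says little on its own, is easy to demonstrate. The following is an added example, not code from the paper or from the commenter: it carves 16-digit runs out of a constructed byte buffer (a stand-in for a drive image), applies the Luhn check, adds the issuer-prefix filter the paper relied on, and measures how often uniformly random 16-digit strings pass Luhn. The sample image, the gamertag string and the issuer prefix table are assumptions made for the example; 4111111111111111 is the standard Visa test number.

```python
import random
import re

# Issuer identification prefixes for 16-digit PANs (well-known public ranges;
# Amex is 15 digits and is deliberately out of scope for this 16-digit carve).
IIN_PREFIXES = {
    "4": "Visa",
    "51": "Mastercard", "52": "Mastercard", "53": "Mastercard",
    "54": "Mastercard", "55": "Mastercard",
    "6011": "Discover",
}

# A run of exactly 16 ASCII digits not touching other digits, so that a
# 20-digit serial number or timestamp is not split into a false candidate.
CANDIDATE = re.compile(rb"(?<!\d)\d{16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn: double every second digit from the right, subtract 9 if > 9,
    and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_for(pan: str):
    """Issuer name for a known prefix (longest prefix wins), else None."""
    for prefix in sorted(IIN_PREFIXES, key=len, reverse=True):
        if pan.startswith(prefix):
            return IIN_PREFIXES[prefix]
    return None


def carve_candidates(image: bytes):
    """Every 16-digit run in the image, with its Luhn result and issuer lookup."""
    hits = []
    for m in CANDIDATE.finditer(image):
        pan = m.group().decode("ascii")
        hits.append({"offset": m.start(), "pan": pan,
                     "luhn": luhn_valid(pan), "issuer": issuer_for(pan)})
    return hits


def likely_cards(image: bytes):
    """Candidates that pass both the Luhn check and the issuer-prefix filter."""
    return [h for h in carve_candidates(image) if h["luhn"] and h["issuer"]]


def luhn_pass_fraction(samples: int = 5000, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn.
    For any 15-digit prefix exactly one check digit works, so expect ~0.1."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(samples):
        candidate = "".join(rng.choice("0123456789") for _ in range(16))
        if luhn_valid(candidate):
            passed += 1
    return passed / samples


# Constructed stand-in for a drive image: a zeroed index region followed by
# leftover data of the kind a quick reset leaves behind.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"gamertag=ExamplePlayer;"
    + b"4111111111111111"              # Luhn-valid, known prefix -> reported
    + b"\x00" * 8
    + b"1234567890123452"              # Luhn-valid by chance, no known issuer -> filtered
    + b";serial=20120330123456789012"  # 20-digit run -> never a candidate
    + b";4111111111111112"             # fails Luhn -> filtered
)

if __name__ == "__main__":
    for hit in carve_candidates(SAMPLE_IMAGE):
        print(hit)
    print("likely cards:", [h["pan"] for h in likely_cards(SAMPLE_IMAGE)])
    print("random 16-digit strings passing Luhn:", luhn_pass_fraction())
```

Three 16-digit runs are carved, one of them Luhn-valid purely by chance; only the issuer-prefix filter separates it from the real test number, and roughly one random 16-digit string in ten passes Luhn, which is why a scanner hit needs corroboration (known card, purchase history, surrounding context) before it counts as evidence.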
"Factory Reset" means nothing on the 360... (Score:5, Informative)
The so-called "Factory Reset" on the 360 doesn't do anything. It blows away a few settings, but the majority of the Flash NAND that everything else is stored in remains untouched- that is, the data is still there- just not in any reference-able format (this is analogous to unlinking a file- the data is still there, just not listed in the filesystem's TOC).
If you really want to nuke a 360, you need to go into the System Info page (the one with the console serial numbers, kernel version, etc)- then enter in a combination of button presses that is usually specific to your console or the machine model (nobody has really figured that one out). Usually this combination starts with LT, LR, X, Y, LB, RB- but then there's anywhere between 2 and 8 additional button events. You might be able to guess it with some patience, I've done it before- but I think that was just blind luck (in my case, the remaining buttons to press were on the D-Pad- up, down, left, right, then the X, Y, A, and B buttons).
If you call Microsoft, they can usually get you the combo for your console if you make up a story about losing the parental controls or some bullshit (they won't just give it to you if you ask for it- they want a reason).
Once you do that, you'll get a screen that will basically confirm you really, really want to blow the console away. If you confirm, the 360 will reset itself to the actual factory state- that is, all your HDMI settings, wireless settings, account information- everything will be nuked.
But the publicly available "factory reset"- the one you can get to without any secret combos or anything, isn't really a reset. A lot of settings will linger around, and the only way to nuke them totally is with the aforementioned wipe.
-AC
Re: (Score:1)
And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.
Re: (Score:1, Insightful)
> And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.
What is wrong with you exactly? You are clearly damaged in some way.
First Sale Doctrine: I buy shit from you, the shit is mine now, I sell shit to someone else. You don't get to stop or interfere with that.
Sorry but I like liberty and being free. I don't want to live in a nation where all my stuff belongs to the aristocracy and I'm just renting it from them at their pleasure, that's just slavery in a different name.
Re: (Score:1)
You are correct, it's your shit now. Microsoft isn't stopping you from selling your shit. It's like bitching that the dealership won't help you transfer the title on the car you bought from them when you sell it to someone else several years later. It's your job to deal with that because it's your shit now.
They got your credit card anyway! (Score:4, Funny)
Pretty soon everyone will have had their credit card stolen [slashdot.org] so just don't worry about it!
Nothing gained, nothing lost!
Ah, nostalgia. (Score:4, Funny)
The good ol' days when someone just stole your wallet/pocketbook from your grocery cart... how I miss them.
Wiping a 360 hard drive is idiotic (Score:5, Insightful)
There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
Re: (Score:2)
Oh, sorry about the ruckus. Those loud guffaws were just rms feeling vindicated again. :P
--okay, maybe the 360 shouldn't be full-on free software, but they really should ship HDD-reset CD thingers to properly wipe the disc so we don't turn our HDDs into blank coasters (from the console POV anyway) when this sort of wipe becomes necessary.
And this is why (Score:5, Insightful)
I buy the gift cards when doing anything regarding the xbox
crtl+f dban (Score:1)
not yet!
This article might as well read "used PCs". Why wouldn't you dban your console if you were going to sell it?
Answer: because people don't know and don't care.
I don't buy it (Score:5, Interesting)
TFA: Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].
That's a solid find. Except for the fact that I can't find the option to enter in a Discover card to Xbox Live for it to store. Chances of this being a real valid Discover card number? I'd put it right around the same as /dev/urandom.
http://i.imgur.com/A0M4d.png
Re: (Score:1)
Yeah, I thought the same. XBL purchases come out of your MSPoints wallet, which is (logically enough) stored in XBL, not the console - you can purchase stuff through the xbox.com website too, and stuff gets downloaded when you turn the console on again. Credit card info is stored on XBL too, as far as I can boundlessly speculate. Wouldn't make much sense to store it on the console, especially since the XBL account is not tied to a specific console.
However, as far as I can tell you can have multiple 360s log
Creepy (Score:1)
Woah! I was getting a bit creeped out by some of the more paranoid comments from our brethren and just at the right/wrong moment a junior spider abseils off my ceiling light across the room and onto my keyboard. The slightest movement of my hand makes it scurry in and under the ] (right angle bracket) key. It shall feast well tonight!
And my comment... don't use Xbox it's Microsoft shit. Easy.
Five year old Consoles... (Score:1)
Too bad credit card numbers never expire...
PS3 better uses HDD's that work on any sata system (Score:2)
PS3 better uses HDD's that work on any sata system so they are easy to nuke.
Re: (Score:2)
Yes, we know. That was true in 2006 and it's true today.
Re: (Score:2)
>My money is on most readers here aren't stupid enough to unload any data storage device w/o appropriately clearing it, or using throwaway credentials
Except that there's no practical method for actually wiping the damn thing other than microsoft's secret konami code.
Wipe the disk using DBAN or something and now microsoft's stupid "security"(the only thing it secures is their profits on selling commodity hardware) flag results in it not being usable in the system
Re: (Score:1)
Congratulations, you have discovered that with unfettered physical access to a machine, no OS is secure. Do you want a sweetie or something?
Re: (Score:2)
Not surprising, if the user had reversible encryption enabled or you have physical access and can overwrite the hashed password with an arbitrary value. Of course, if the user ticked the box "Encrypt contents to secure data", or enabled Bitlocker full disk encryption, your "boot-cd" would be completely useless.
And?... (Score:1)
Stolen credit card numbers are cheap. Who's going to pay $50 for a used XBox just to steal somebody's credit card information?
PCI-DSS Scope? (Score:2)
Is your XBox in scope? :-)
Re: (Score:2)
Key word: "Tokenization"
You store a KEY locally - which has cryptographic validation - but is not cryptographically derived from any actual card data itself. This token is stored, and can be used in place of the card info - which is stored per PCI-DSS specs, in the commerce infrastructure.
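A minimal model of the tokenization scheme the comment describes, added here as an illustration; it is not Microsoft's design and not code from the page. A hypothetical server-side `TokenVault` holds the PAN and hands the client (the console, in this thread) an opaque token whose body is random and whose tag is an HMAC over that body, so the token can be validated for integrity without carrying any card data; the validation key and the vault's in-memory dictionary are assumptions of the example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical server-side vault: the only place the PAN lives.
    The client stores the returned token instead of the card number."""

    def __init__(self, validation_key: bytes):
        self._key = validation_key
        self._pan_by_token = {}

    def _tag(self, body: str) -> str:
        # Integrity tag over the random body; lets the vault reject forged
        # or corrupted tokens before touching the lookup table.
        return hmac.new(self._key, body.encode("ascii"), hashlib.sha256).hexdigest()[:16]

    def tokenize(self, pan: str) -> str:
        # The body is 16 random bytes as hex: nothing about the PAN feeds into it.
        body = secrets.token_hex(16)
        token = f"{body}.{self._tag(body)}"
        self._pan_by_token[token] = pan
        return token

    def is_well_formed(self, token: str) -> bool:
        body, sep, tag = token.partition(".")
        return bool(sep) and hmac.compare_digest(self._tag(body), tag)

    def detokenize(self, token: str):
        # Only the vault that issued the token (same key, same table) can map it
        # back to a PAN; any other holder sees an opaque string.
        if not self.is_well_formed(token):
            return None
        return self._pan_by_token.get(token)


def client_can_charge(vault: TokenVault, stored_token: str) -> bool:
    """What a client holding only the token can do: present it for a charge."""
    return vault.detokenize(stored_token) is not None


if __name__ == "__main__":
    vault = TokenVault(b"constructed-validation-key")
    token = vault.tokenize("4111111111111111")  # Visa test number
    print("token stored on client:", token)
    print("vault resolves it:", vault.detokenize(token))
    print("charge possible with token only:", client_can_charge(vault, token))
```

Read from a recovered console image, the token is useless on its own: it contains no card digits, a flipped character fails the tag check, and a vault with a different key (or no record of the token) resolves it to nothing.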
Re: (Score:3)
now we are in a loop.
A red ring of death?
Re:Jury is still out... (Score:4, Insightful)
I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
Re: (Score:2)
> I also thought the CC info was stored on Microsoft's servers.
TFA implies it's cached in system files.
Their advice is worth bearing in mind for desktop computers too, not just XBox 360s
"I think Microsoft has a longstanding pattern of this," Podhradsky said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate—the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate."
Re:Jury is still out... (Score:5, Informative)
Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.
No need for multiple passes either, simply write binary zeros everywhere and you are done. The old FUD about the CIA recovering [nber.org] your info with electron microscopes is pure bull, and nobody has ever once successfully demonstrated that in public even when they had access to state of the art university electron microscopes.
Platter level forensics are a hoax.
Re: (Score:2)
> Any one of two dozen drive over-write utilities (free or paid) will make sure your drive is unreadable.
Yep I'm on Linux, so "dd if=/dev/zero of=/dev/sdx bs=1M" is good most of the time, or dban if I'm lazy.
This is more of a problem for people who think consoles (and computers) should be appliances.
Re: (Score:1)
> dd if=/dev/zero of=/dev/sdx bs=1M
Use "hdparm --security-erase ..." instead. Apart from being faster, it will erase the entire disk, including any sectors which have been remapped, and will work on damaged disks (i.e. it won't abort or perform retries on write errors).
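Whichever tool does the overwrite, the step people skip is checking the result. The following is an added example, not code from either commenter: it zero-fills a file the way `dd if=/dev/zero bs=1M` does, then reads the whole thing back and reports the first non-zero offset, which is the check you would run against the device node (read-only) after the wipe. The demo uses a constructed temporary image file; the 1 MiB block size mirrors the `bs=1M` in the thread. It cannot verify remapped sectors, which is exactly the gap the hdparm suggestion above addresses.

```python
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB, matching dd's bs=1M


def zero_fill(path: str, block: int = BLOCK) -> int:
    """Overwrite every byte of the file (or device) at `path` with zeros.
    Returns the number of bytes written. Same effect as dd if=/dev/zero."""
    size = os.path.getsize(path)
    zeros = bytes(block)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            chunk = min(block, size - written)
            f.write(zeros[:chunk])
            written += chunk
        f.flush()
        os.fsync(f.fileno())
    return written


def first_nonzero_offset(path: str, block: int = BLOCK):
    """Scan `path` read-only; return the offset of the first non-zero byte,
    or None if every byte reads back as zero."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                return None
            if chunk.count(0) != len(chunk):       # fast reject of all-zero blocks
                for i, b in enumerate(chunk):      # locate the exact byte
                    if b:
                        return offset + i
            offset += len(chunk)


def verify_wiped(path: str) -> bool:
    """True only if the entire file reads back as zeros."""
    return first_nonzero_offset(path) is None


def demo_wipe():
    """Constructed image: 4 KiB of zeros, a card-like string, then random data.
    Returns (first non-zero offset before the wipe, verified-wiped after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x00" * 4096 + b"4111111111111111" + os.urandom(8192))
        path = tmp.name
    try:
        before = first_nonzero_offset(path)
        zero_fill(path)
        after = verify_wiped(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo_wipe()
    print("first non-zero byte before wipe:", before)
    print("verified all zeros after wipe:", after)
```

Against a real drive the same `first_nonzero_offset` scan, pointed at the device node after the overwrite, is the quick confirmation that the tool actually reached the end of the disk; a non-None result is the offset to look at.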
Re: (Score:2)
The only thing people "know" about the CIA's abilities is whatever Hollywood dreams up for movies and TV gimmicks.
As an outsider, my caricatured perception of government intelligence is a bunch of failed lawyers tallying various stats and counting down the minutes to their next smoke break. Recovering data from an erased hard drive seems well beyond the reach of any federal employee I've ever met. Maybe the top engineers at Western Digital could pull it off, but they have better things to do like cramming
Re: (Score:2)
Urandom is much slower than /dev/zero.
$ dd if=/dev/zero of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.207047 s, 5.2 GB/s
$ dd if=/dev/urandom of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 95.5125 s, 11.2 MB/s
Re: (Score:1)
Platter forensics a hoax?
Today, yes. Yesterday? No.
Drive technology has changed. I seem to recall that it was the old non-S.M.A.R.T able drives that were subject to (successful) platter forensics. Long time ago != Hoax.
Re: (Score:3)
You seem to remember wrong.
All that has ever been demonstrated is that with an electron microscope a couple of bytes were successfully "raised" after being over written with a uniform pattern. The prior content of the drive was known, which is how they were able to determine that they weren't recovering noise. It was a proof of concept recovery of literally a few bytes from a drive with known content overwritten with known content. This was the topic of a guy named Venugopal Veeravalli, for his Masters t
Re: (Score:2)
It was possible, whether it still is at current data densities I don't know.
What I do know is that it's astronomically expensive and the CIA can make you disappear a lot cheaper and easier if that's what they want so they don't bother much.
Re: (Score:2)
> "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased."
It's true though... when you reformat your computer you logically have a blank slate. Everything IS erased, it's just that some of the old data might not be irrecoverably destroyed, especially if you choose a quick format where you just get a clean filesystem w/clean volume metadata without going through every disk sector and zeroing or even clearing out directory tables.
The message pre
Re: (Score:2)
That's just an attack on Microsoft. Formatting does not erase your data, it erases the metadata, (re)initializing the filesystem structures to a clean, possibly blank state. The raw data remains, but since you no longer have an index to tell you where each file begins, how big it is and what it's called, you have no easy way to access it.
With many filesystems, this metadata exists in several places and usually has one or more backup copies. A "quick" format tends to kill the main index, leaving the backu
Re:Jury is still out... (Score:5, Insightful)
> I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
The point, I think, is that it's naive not to assume some engineer decided to store the info in *both* places. If you were trying to make the customer experience as smooth as possible, and you had 99% confidence that the home box was in possession of the Real User, you might want to make the process a little more "foolproof".
Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen, which has a non-zero chance to frustrate the Real User to the point of cancelling the sale. Bad for a market built on instant gratification.
Any goodheart engineer who cries foul from a system security training point of view, has probably never had to answer to a Director more concerned with their department operating at a loss for years. Xbox division regularly dipped into and out of the red until the last couple of years.
And the bigger point is, with all the revisions to the Dashboard, it may be impossible to know when this purported "feature" was added, taken away, or actively used. I bet you 2800 MS Points that the next dash update roots out and purges this data. Won't stop the class-actions though.
Never happen at a professional software company (Score:1)
It's funny how just saying it as it is comes out as Microsoft bashing. A bit more testing on such show stopping bugs, probably only a handful more employees, and we wouldn't have these things to complain about.
Re: (Score:2)
It's absolutely far-fetched. But so were black swans. ;) I certainly agree with your conclusion.
1) I'm not making any realistic claims about the technology or the engineer's actions. I'm devil's advocating that Director of X is so worried about losing a sale they insist on a ridiculous layer of redundancy. It's not likely, but it is most definitely plausible. (Unless you're defending the intelligence of Microsoft management? oh snap!) And even though this story is about Xbox, information gets exposed elsewh
Re: (Score:2)
> Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is pop up a CC entry screen
That doesn't make any sense at all. Microsoft's database framework: Microsoft SQL, Jet DB, SQL Azure... doesn't "corrupt" a copy of things in a database Microsoft's database system is a Tier1 application. If corruption was ever a significant issue they would have much larger problems on their hands, because they wouldn't be able to
Re: (Score:2)
That's because your clients are incompetent. All of them.
No company I've ever worked for has had an SQL server "corrupt" a database. Ever. The only thing even remotely similar was a disk failure, caused by shitty HP hardware, and recovered in an hour without even going to backups thanks to hotswapping disks in the RAID array.
Re: (Score:2)
That's what the EULA with the binding arbitration clause is for.
Re: (Score:2)
> That's what the EULA with the binding arbitration clause is for.
That's what consumer protection laws that declare EULA clauses invalid are for.
Don't have one? Write your politician.
Re: (Score:2)
You've never dealt with accepting credit card info before have you?
Re: (Score:2)
Neither has that Director.
Re: (Score:2)
"It makes sense to store valuable information on xboxes, just like Microsoft Windows versions which retain a lot of information unless you use CCLeaner"
How, and why, does it make sense to store "valuable" information? And, who determines what "valuable" means, anyway? Personally, I store almost nothing on my machine. And, Microsoft doesn't store ANYTHING on my machine. I dumped Windows years ago, when I discovered how easy it is to retrieve data that most people don't even know is saved.
Crap, you can pr
Re: (Score:2, Informative)
Don't use CCleaner, it WILL fuck up your system eventually.
Re:Jury is still out... (Score:5, Funny)
The jury is still out on this, absent real evidence I'm going to wait until more is known.
Exactly, those researchers at Drexel U have shown themselves to be repeatedly untrustworthy, and have huge commercial reasons to lie.
And those people who are unsure whether their credit card details have been stolen shouldn't complain either.
I mean, which part of "Microsoft product" did they not understand?
Re: (Score:1)
Before my fellow Dragons attack the parent post, please read it again after turning on your sarcasm detectors.
Re: (Score:1)
"Exactly, those researchers at Drexel U have shown themselves to be repeatedly untrustworthy, and have huge commercial reasons to lie."
Not much different than sloshdot editors these days!
Re: (Score:1)
In other news hackers can lift credit card details from used wallets. Point is don't leave credit cards in your wallet if you plan to sell it.