Microsoft: 'Unlikely' that credit card details can be lifted from Xbox consoles

Summary: Microsoft says such a data leak is unlikely, because credit card information is not stored on the console.


Microsoft has cast doubt on claims that credit card details and other sensitive information can be recovered from refurbished Xbox 360 consoles.

Researchers at Drexel University in Philadelphia claimed that they were able to harvest credit card details and other private information belonging to the previous owner from a refurbished Xbox 360 purchased from a Microsoft-authorized reseller.

See also: Hackers can steal credit card data from used Xbox 360s; Microsoft investigating used Xbox 360 credit card hack

Speaking to gaming site Kotaku, Drexel University researcher Ashley Podhradsky said, "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data."

Details of how the data was accessed are limited. The researchers said they used a basic modding tool to gain access to the console's file system, and recovered the sensitive information from the files stored there; they have not said which files, or whether the console had been through a reseller's wipe process before it reached them.

Microsoft has issued a statement saying that it is investigating the claims, but that such a data leak is unlikely given that credit card information is not stored on the console.

"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims.

Xbox is not designed to store credit card data locally on the console, and as such it seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."

Whatever the outcome of the investigation, the episode highlights that data often remains on electronic devices long after you stop using them, and that once a device leaves your control, whoever holds it next may be able to read that data. A console is a computer with a hard drive, and should be disposed of like one.

If you're worried about residual data on your Xbox 360, detach the drive (it is a standard 2.5" SATA drive inside the caddy), connect it to a PC and overwrite the whole drive with a program like Darik's Boot & Nuke. Two caveats: a full overwrite also destroys the console's own on-disk formatting, so treat this as a disposal step rather than a reset; and DBAN erases every drive you point it at, so double-check which drive is selected before you start. When it finishes, read a few regions of the raw device back and confirm they contain the overwrite pattern rather than taking the completion message on trust.

It's the only way to be sure.
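To make the difference between a "format" and a real overwrite concrete, here is an added example: my own shell script, not code from the article, from Microsoft or from the Drexel researchers. It runs against a throwaway disk image rather than a real drive. The image path, the 4 MiB size and the planted marker (the well-known 4111... test card number, constructed for the demo) are all assumptions; the marker_count and verify_wiped checks at the end are the kind of verification you would run against the raw device after DBAN reports success.

```shell
#!/bin/sh
# Added example, not part of the ZDNet article: shows on a throwaway disk IMAGE
# why a "format" leaves residual data behind while a full overwrite removes it,
# and how to verify the result instead of trusting the tool's completion message.
# Never point full_wipe at a real block device unless you intend to destroy it.

IMG="${IMG:-${TMPDIR:-/tmp}/xbox_hdd_demo.img}"   # hypothetical stand-in for the drive
IMG_MIB=4                                          # image size in MiB (constructed)
MARKER="4111111111111111"                          # constructed test card number, not a real one

# Build a zero-filled image and plant the marker 2 MiB in, like a forgotten temp file.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1048576 count="$IMG_MIB" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=2097152 conv=notrunc 2>/dev/null
}

# Number of lines in the raw image that still contain the marker (0 = gone).
# NUL bytes are stripped first so the zero-filled gaps do not confuse grep.
marker_count() {
    LC_ALL=C tr -d '\000' < "$IMG" | LC_ALL=C grep -a -c "$MARKER" || true
}

# A quick format rewrites only the filesystem bookkeeping at the start of the
# drive (here: the first 64 KiB). Everything else, marker included, survives.
quick_format() {
    dd if=/dev/zero of="$IMG" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# A full wipe overwrites every sector end to end. One pass is enough on a modern
# drive; random data is used so the result is visibly different from a fresh image.
full_wipe() {
    dd if=/dev/urandom of="$IMG" bs=1048576 count="$IMG_MIB" conv=notrunc 2>/dev/null
}

# Exit 0 only if no trace of the marker can be found anywhere in the raw image.
verify_wiped() {
    [ "$(marker_count)" -eq 0 ]
}

demo() {
    make_image
    printf 'fresh image:        marker hits = %s\n' "$(marker_count)"
    quick_format
    printf 'after quick format: marker hits = %s\n' "$(marker_count)"
    full_wipe
    printf 'after full wipe:    marker hits = %s\n' "$(marker_count)"
    if verify_wiped; then echo "verify_wiped: OK"; else echo "verify_wiped: FAILED"; fi
    rm -f "$IMG"
}

demo
```

Against a real drive you would replace the image with the block device (for example /dev/sdX, once you are certain which one it is), drop the count so dd runs to the end of the device, and run the marker check on a string you know was on the drive, such as a gamertag, rather than a planted value.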

Comments:
  • full of crap

    Researchers at Drexel University in Philadelphia are full of crap.
    • Your argument is so persuasive

      Any more gems of wisdom?
      • @ShqTth says it's so

        So that [b]must[/b] make it so.

  • Or just yank the harddrive

    They can buy a new one :p
    • Just like turning in a computer

      Most places that take them in make you or highly recommend you remove the hard drive completely.
    • Cause

The cost of the hard drive is almost the same as what used consoles are being sold for. That's the true beauty of a PS 3: you can use any 2.5" 5,400 rpm hard drive. Does Microsoft still require you to buy a specially branded drive at three times the cost? The last drive I put in my PS 3 cost me $59.99 at Best Buy. At that time a drive that was half the size, for the Xbox 360, was $150. I was thinking 250 GB for $59.99, or 120 GB for $149.99? It's a no-brainer; Microsoft was (is?) gouging their customers. Have they stopped this anti-consumer practice? If so then I guess I'm wrong this time; if not, then shame on Microsoft for gouging customers.
      Jumpin Jack Flash
  • When data on the subject is "limited", it gets you wondering

    if it's really what they claim, or if they discovered later on that it wasn't a reset HD.

    Then there's this line - [i]Xbox is not designed to store credit card data locally on the console[/i]

    So how can you get something which isn't there?
    William Farrel
    • "Not designed"

      When something is "not designed" for a particular use, that seems a little open-ended: is it impossible to do, or is it not intended to be used that way? I'm not sure what to make of it.
      • Agreed.

You're right. Even though something's not designed to do something, that doesn't mean it can't do something else.

Could be that a 3rd party game with an online component stores the CC number on the drive, even though MS never designed Xbox Live, or their games, to do that.
        William Farrel
    • None of the Microsoft software

I believe, if you ask Microsoft whether their software is designed to crash very often, they will definitely tell you it is not designed to do so. But everyone knows all of their software crashes, and frequently at that.

So it is very probable, if not guaranteed, that the software in the Xbox does things Microsoft did not even know it does. Like caching the web pages that contain the credit card information on disk. Just a "wild" guess :)
  • Greed is Job 1

[i]"Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data."[/i]

    Didn't you know? Greed is Job 1
  • Why isn't this called

    Information-gate? If it was an Apple product, it would certainly be some sort of -gate issue.
    Jumpin Jack Flash
    • Maybe because they have only done it on 1 so far?

      The Apple product issues weren't limited to a single device, but were found either on significant numbers of the products sold, or on [b]all[/b] of the products.

      However, to avoid starting fanboi wars, let's focus in here on the issue at hand.

      First, although I'll admit to never having heard of them before, a quick Internet search revealed that Drexel University is apparently a highly-ranked university in terms of the quality of their education -- both by US-based and by international groups (a Russia-based group ranked them the 98th best in the world). And they apparently are focused on research, so their qualifications may actually be OK.

      However, what we have is an instance in which they were able to retrieve user/credit card information from [b]one[/b] machine, & don't have more info on how it was done beyond an unnamed "basic modding tool". This wouldn't be a problem...except they extrapolated their results to mean that [b]all[/b] XBox units were vulnerable.

      Unfortunately for the researcher, a single instance of a vulnerable machine does [b]not[/b] indicate a fundamental flaw in [b]all[/b] machines. It could represent any number of situations:
      -- the data was left over from a temp file on the drive, & the reseller didn't do a full reformat/wipe on the drive;
      -- the prior user might have modded the XBox to save his credit card information so that he didn't have to keep reentering it;
      -- assuming his XBox could connect to the Internet, the prior user could have been a real idiot & kept his credit card information saved in an email or other online file that he could access from the XBox so he didn't have to get out of his chair to grab his wallet each time;

If anything, what strikes me from the story is that the particular reseller in question (rather than Microsoft) may have dropped the ball when it came to information security...which only makes it Microsoft's fault in that they should be performing periodic inspections of their authorized resellers to ensure they're complying with all data protection requirements, but at most that would make it [b]indirectly[/b] Microsoft's fault, rather than directly their fault due to bad design.
      • I see you believe in double standards...

        "The Apple product issues weren't limited to a single device, but were found either on significant numbers of the products sold, or on all of the products."

So 2% is a significant number of iPhones? How about a single MacBook? Many of these -gate things were limited to a small percentage of the phones. When Charlie Miller put out his faked "Apple is so insecure" dog and pony show, everyone was so quick to jump on Apple's back and ride them into the ground. All cellphones have issues when you block the signal; this has been a known thing for the last decade. My HTC Touch Pro would drop calls if I held it wrong. It was a company phone, not one I would have purchased on my own. It was so bad that I often used it as an excuse when I didn't want to listen to my boss. I'd simply say the phone dropped the call, and he bought it. I imagine that if held in the exact same way the majority of those phones would do the same thing. But since it was the iPhone, it's okay to make up issues? Location-gate was more media BS. Making a mountain out of a molehill, just to slam Apple. Microsoft, and to a lesser extent Android, were (are) collecting location data and storing it on their own servers, rather than on the device. But once again all those that aren't Apple got a pass. The issues at Foxconn were another case of double standards. Apple got bashed for working conditions, while Microsoft, Nokia, LG, HTC, Samsung, etc. all got a pass. You do know that Xboxes, Lumia phones, just about every WP7 phone, and the majority of Windows boxes are all made by Foxconn? So bash Apple, and give everyone else a pass?
        Jumpin Jack Flash
      • Depends on how you make the statistics lie.

        @Jumpin Jack Flash

        2% of 100 million products is 20,000 products...and I'm just guessing that Apple sold only 100 million products (actual sales figures are probably more like 300-500 million).

        So, unless you're claiming that Microsoft has only sold 50 XBox consoles (2% x 50 = 1, in case you needed some help with the math) in the last 7 years, the number of Apple products that recently had issues is [b]significantly[/b] higher than a [b]single[/b] XBox.

        Yeah, 2% sounds like a small number... until you start looking beyond the percentages & start looking at the actual numbers. At a minimum, 20,000 is a significant number all by itself. It's a larger number than the typical sample you see used for political & opinion polls (including recent polls on this site & TechRepublic where predictions are made based on the opinions of less than 1,000 IT "experts"), or the number of P-51 Mustangs built (one of the more iconic WW2 fighters, & the most numerous one built by the US during that conflict), it's close to the height of Mt. Everest in feet as well as the Earth's equatorial circumference and radius of a geosynchronous orbit in miles, it's larger than the annual salary you would have if you were paid the Federal minimum wage in the US, it's close to the average price for a new automobile in the US in dollars... need I go on?

        On the other hand, 1 is [b]less[/b] than the number of winning tickets sold in the recent Mega Millions jackpot... you know, the one where the odds of picking a winning ticket (1 in 175-176 million, or about 0.0000006%) were so long that you're more likely to be struck by lightning in your entire lifetime (176 times more likely, or 0.0001%), or even die from having a TV set fall on your head (9 times more likely, or about 0.000005%).

        So yes, 2% of the millions of Apple products sold [b]is[/b] significantly higher than a single XBox purchased from 1 single reseller. Maybe it'll become a big deal if they can a) duplicate it on multiple XBoxes that they purchase, b) provide more information to show how & where the data was stored (particularly since Microsoft's official notification is that the data [b]isn't[/b] normally stored on said hard drive), c) show that it's not merely an issue involving this particular reseller (i.e. the reseller isn't properly wiping the hard drives before reselling them -- something that, BTW, has happened recently with non-Apple vendors selling returned Apple & non-Apple products), and d) test with a large enough sample group to show with a reasonable range of probability that it is a problem endemic to the XBox console's design.
      • And yet, you ignored the part

Where Charlie Miller faked a security issue on [b]one MacBook[/b] and ZDNet used the title "All Macs". There was an article a day for over a week on how insecure OS X was. Never mind that the computer in question was using modified drivers and an external WiFi adapter.
Never mind that Miller logged into the MacBook in question using the proper credentials (user name and password). Never mind he has an agenda, and wanted to physically harm anyone arrogant enough to buy a Mac. So what you're saying is one in that instance is acceptable, but it has to be widespread in the case of an Xbox?
But back to the main point. Can you honestly say it can't be done on other ones? That this hack is limited to a single unit? Who's to say that the millions of consoles that get traded in, refurbished due to the RRoD, etc. aren't all susceptible to this flaw?
        Jumpin Jack Flash
      • Re:Depends on how you make the statistics lie.

        2% of 100,000,000 is 2 million, not 20,000. Even more significant a number, and still more than one. :)
      • The modding tool

Without knowing first hand what that modding tool does (never seen an Xbox live, apparently they aren't at all popular outside of the US), according to the description they found the data in the filesystem. To me, this means that:

- the modding tool lets you run another OS on the Xbox;
        - you have access to the file system;
        - they were not decoding data from the raw drive (which could extract the data even after the Xbox's drive is reformatted);
        - data was found on the file system, which clearly indicates that the Xbox was not wiped. Or if it was "wiped", the process that Microsoft uses for that purpose is grossly inadequate.

        Whether this is Microsoft's fail is irrelevant. But there are two problems that this case highlights:
- you need to consider the fact that disposing of any of your devices has to happen 'securely'; best you never give these things to somebody else, or destroy them mechanically beyond any repair (which is not trivial for most users);
        - the common practice by many consumers to just return the device they used for replacement etc is very dangerous in the electronic world. It might be ok for devices without any memory, but for anything that does -- you are effectively giving up your privacy and sharing your private information with unknown parties.
    • The attempted Appleisation of Microsoft continues

First with Microsoft buying into the whole "Post PC" thing with Windows 8, and now with the "our products are too good to be hacked" stance, the Apple reality distortion field has enveloped Redmond.
      • One problem with that...

        "now with the our products are too good to be hacked stance" has been the claim from Microsoft for over the last decade. Bill Gates claimed that XP was the most secure OS available. When did Gates leave Microsoft? You get it now?
        Jumpin Jack Flash