Microsoft investigating used Xbox 360 credit card hack

Summary: Security researchers say they can extract credit card information from Xbox 360s even after they have been restored to factory settings. Microsoft says it is investigating the claims.

Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information.

"We are conducting a thorough investigation into the researchers' claims," Jim Alkove, General Manager of Security in the Interactive Entertainment Business division at Microsoft, said in a statement. "We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims. Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."

Here's what I said the software giant needs to do in my previous coverage:

Microsoft will need to verify whether or not all Xbox 360 hard drives, as well as USB drives that have had profiles transferred onto them, store the sensitive information and why the factory reset option isn't deleting this data. If this turns out to be the case, Redmond will have to offer instructions for what users can do to protect their credit card details, especially if they're looking to sell their console.

I will keep you posted on Microsoft's investigation as this story develops.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

11 comments
  • What? Microsoft security issue on XBox?

    Say it ain't so!
    Pete&Pete
    • Yes! It is! It is so!

      "hackers can retrieve credit card data and other personal information from old Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped."

      That is pretty sad. Talk about piss poor
      ScorpioBlack
  • That would be a serious issue

    No matter what company, if it's true. If not then the media needs to get real. I don't own an xbox (I prefer my PS 3 for the bonus Blu-Ray player), but the media needs to stop being petty.
    Edit: I wonder if it's a simple case of deleting the registry, rather than the actual data?
    Jumpin Jack Flash
    • full of crap

      The hacker was full of himself. even more sad.
      ShqTth
  • Interestingly...

    The researchers have yet to explain how they did it to the public or to Microsoft..

    @ScorpioBlack, go back to your basement you troll..

    Let us all wait to see if this pans out, if so they need to fix it ASAP, if not well......
    On-the-edge
    • yeah, none of the articles have any real meat.

      Just speculations and quotes from somebody quoting somebody else....
      otaddy
    • @On-the-edge

      You can defend this, shill. No amount of spin from the Borg Collective will be able to explain it
      ScorpioBlack
  • wow

    that's real crazy if it's true.
    dhbat
  • Android

    http://www.tweaktown.com/news/23303/warning_a_factory_reset_on_an_android_device_could_leave_behind_sensitive_or_private_data/index.html
    AndreRS
  • well

    It won't be to do with the registry, they have probably used disk recovery software on the hard drive to restore the information.

    If you format a disk, it normally only sets the data as overwritable, so any half decent recovery software could find it, if the information hadn't already been written over.

    This is also true of any hard drive, unless the information is encrypted.
    danjames2012
    • Exactly!

      Even with a DOD wipe, it has been proven that you can still access data on that media.
      smashandgrab