
Old Xbox 360s can give up credit card info to hackers

Fri 30 Mar 2012 8:25pm GMT / 4:25pm EDT / 1:25pm PDT
Hardware, Security

Researchers show how used and refurbished Xbox 360 units can be mined for personal information

Researchers at Drexel University have told Kotaku that used Xbox 360s can be hacked with common tools to get at personal information stored on the hard drive, including old credit card numbers. Drexel researchers Ashley Podhradsky and Cindy Casey, alongside Dakota State University's Pat Engebretson, purchased a refurbished Xbox 360 last year and cracked it open with a basic modding tool found online.

"Microsoft does a great job of protecting their proprietary information, but they don't do a great job of protecting the user's data," said Podhradsky. "I think Microsoft has a longstanding pattern of this. When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate - the data is still available. So when Microsoft tells you that you're resetting something, it's not accurate."

For users concerned about completely clearing their personal information, Podhradsky recommends unhooking the hard drive from your 360, hooking it up to a PC, and using a third-party program to cleanly wipe the data. Otherwise, seasoned hackers will have no problem finding the same information given the same tools.

"A lot of them already know how to do all this," she said. "Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
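The difference between a reset that rewrites only the filesystem header and a full overwrite, and a check an owner can run after wiping, is shown in this added example (not from the researchers or Microsoft). The sample image, its layout and all function names are constructed for illustration and do not reflect the Xbox 360's actual on-disk format.

```python
import io

SECTOR = 512  # bytes per sector (assumption for this example)

def build_sample_image(total_sectors=64):
    """Constructed in-memory 'drive': a header plus two leftover user records."""
    img = io.BytesIO(b"\x00" * SECTOR * total_sectors)
    img.seek(0)
    img.write(b"FSHEADER")
    img.seek(20 * SECTOR)
    img.write(b"constructed profile record")
    img.seek(41 * SECTOR)
    img.write(b"constructed billing record")
    return img

def quick_format(img, header_sectors=8):
    """Simulate a reset that clears only the header and leaves data sectors alone."""
    img.seek(0)
    img.write(b"\x00" * SECTOR * header_sectors)

def zero_wipe(img, chunk_sectors=2048):
    """Overwrite every byte with zeros; works on any seekable binary file object."""
    remaining = img.seek(0, io.SEEK_END)
    img.seek(0)
    chunk = b"\x00" * SECTOR * chunk_sectors
    while remaining > 0:
        n = min(remaining, len(chunk))
        img.write(chunk[:n])
        remaining -= n
    img.flush()

def residual_sectors(img):
    """Return indexes of sectors that still contain any non-zero byte."""
    img.seek(0)
    dirty, index = [], 0
    while True:
        block = img.read(SECTOR)
        if not block:
            break
        if any(block):
            dirty.append(index)
        index += 1
    return dirty

if __name__ == "__main__":
    img = build_sample_image()
    quick_format(img)
    print("after reset:", residual_sectors(img))
    zero_wipe(img)
    print("after zero wipe:", residual_sectors(img))
```

An empty list from `residual_sectors` after the wipe is the result to look for before a drive leaves your hands.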

Microsoft Xbox security general manager Jim Alkove told Joystiq that the company was looking into the issue.

"We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims," Alkove said in his statement.

"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."

6 Comments

Private Industry

That's why you should never do a lazy formatting but a proper formatting :)

It might be more something along the lines of restoring the profile data and getting the credit card data out of that.

Posted:2 years ago

#1

Andrew Goodchild Studying development, Train2Game

But if it was restoring the profile to see card data, pretty sure the console only shows the last 4 digits, plus to restore a profile I'm pretty sure you need the Windows Live password.
It does worry me on my WP7 I can't set it to require a password for purchases.

Edited 1 times. Last edit by Andrew Goodchild on 31st March 2012 3:08pm

Posted:2 years ago

#2

Alan Pierce Programmer, Digital Delight

Sounds to me like it's nothing to do with recovering the profile. More like examining the hard drive sectors to retrieve the files.

Posted:2 years ago

#3

Craig Page Programmer

Who cares? My credit card number gets stolen every year anyway, if someone had my old refurbished Xbox 360 the credit card information on it would be two versions behind anyway. Sorry would-be thieves but you're too late, the first thieves to get my number already went on a shopping spree at gas stations and Walmarts.

Posted:2 years ago

#4

robert troughton UK General Manager, Epic Games

What about all the 360s that were returned to MS due to RRODs only to be replaced with a refurbished one? My son's Xbox had an RROD after only 6 weeks... we sent it to Microsoft in pristine condition - they sent us someone else's refurbished Xbox back complete with scratches on top and front. I wonder whether either had their data completely wiped?

Posted:2 years ago

#5

Jeff Wilson

If you do sell your old Xbox, remove the hard drive and sell it as an Arcade version (no risk of data theft).

The article stated that Windows does not fully delete data on reformat. But, most data is very difficult to fully recover if you reformat a PC with Windows.

For those concerned about integrity of data, destroy your old hard drive or buy 3rd party hard drive reformatting software that writes zeros to the surface of the hard drive sectors. It takes a few hours but it is worth it.

Posted:2 years ago

#6
