
Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"
This discussion has been archived. No new comments can be posted.

  • by rjstanford ( 69735 ) on Thursday April 05, 2012 @10:50AM (#39585045) Homepage Journal

    Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
    Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

    See the difference?

  • by Anonymous Coward on Thursday April 05, 2012 @11:07AM (#39585327)

    Remember MS-12-020:

    Microsoft’s Security Research and Defense Blog stated that they expected to see exploit code in the wild within 30 days according to a quote from their recent blog post addressing the flaws: ”During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days.”

    3 days later.......

  • by Richard_at_work ( 517087 ) on Thursday April 05, 2012 @11:23AM (#39585549)

    The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so it's unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine, which may have inadvertently left traces on the Xbox's hard disk, so we are going to look into it."

    I entered my card details on the Xbox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered them on an Xbox, when the card authorisation has to be done by the remote servers anyway, so that's why I'm personally leaning to the above understanding.

    Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

  • The Paper (Score:5, Informative)

    by chrb ( 1083577 ) on Thursday April 05, 2012 @11:42AM (#39585843)

    this is just some unfounded rumor that has no basis on reality

    It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

    The PDF (found via xbox-experts.com [xbox-experts.com]):
    Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives [hotfile.com]

    The relevant text shows that they just got a credit card hit from some forensics tool:

    Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

    The authors appear to have credible prior experience in digital forensics:

    Dr. Ashley L. Podhradsky, Drexel University [drexel.edu]
    Dr. Rob D'Ovidio, Drexel University [drexel.edu]
    Cindy Casey, Drexel University [linkedin.com]

    They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
    The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
    A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

  • by Stenchwarrior ( 1335051 ) on Thursday April 05, 2012 @11:45AM (#39585913)

    Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

    That being said, PCI, in part, states that credit card info must never be stored, cached, saved, etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted, with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magnetic stripe data or CAV2 code (card authentication data).

  • by chrb ( 1083577 ) on Thursday April 05, 2012 @11:49AM (#39585981)

    I don't believe the CC numbers are stored on the HD either.

    It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

    That Xbox HD still could have your account name/email address/password.

    Yes, apparently they recovered user names, gamer tags, purchase history etc.

  • Re:The Paper (Score:5, Informative)

    by damnbunni ( 1215350 ) on Thursday April 05, 2012 @11:53AM (#39586057) Journal

    It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

    So why would someone enter their Discover information on an Xbox anyway?

  • Credibility (Score:4, Informative)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Thursday April 05, 2012 @12:07PM (#39586269) Journal

    Ashley L Podhradsky, Doctor of Science in Information Systems

    Education:
    Doctoral Information Systems, Specializing in Information Assurance, Dakota State University
    M.S., Information Systems, Specializing in Network Security, Dakota State University
    B.S., Electronic Commerce and Computer Security, Dakota State University
    Certificate: Computer Hacking Forensic Investigator, AccessData Certified Examiner

    Areas of Expertise:
    Computer Forensics
    Digital Forensics
    Consumer Privacy
    Risk Management

    http://goodwin.drexel.edu/sotaps/Ashley_Podhradsky.php [drexel.edu]

    Vs

    Jim Alkove
    Aliases and Other Names: James Alkove

    Bio
    Software Design Engineer at Microsoft Corporation
    Career
    Microsoft Corporation
    Software Design Engineer

    Achievements and Recognition:
    .
    .
    .

    http://www.spoke.com/info/p1N6wTr/JimAlkove [spoke.com]

  • Re:The Paper (Score:4, Informative)

    by Sir_Sri ( 199544 ) on Thursday April 05, 2012 @12:16PM (#39586419)

    Which may actually make it unlikely in Microsoft's eyes. Being able to have a team of professional forensics experts potentially extract data from a console is a far cry from it being actively exploited by hackers.

    If you look at the paper in question, they ran half a dozen tools to try and extract part of a single credit card. And pretty much everything they're looking at is the standard sort of hard drive forensics problem; they're discussing it specifically for the 360, but there's nothing there that doesn't apply to any HDD. How 'erased' is erased data (when you write 0's to the drive)? The answer is: not perfectly. A general 'delete personal data' just deletes files the same way most OSes do: it just forgets the links to the files, but they still hang out on the drive and can be extracted.

    It seems like the trick with the Xbox is that it has various partitions and not all of them are always overwritten, and then the general problems with magnetic storage. So sure, if the police have a specific reason to dig through one xbox 360 they might be able to recover something. But beyond that, I wouldn't count on it being a major issue.
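chrb's excerpt above says the paper's evidence is a "possible credit card hit" from a fast scan, and Sir_Sri's comment says a "delete personal data" step merely forgets the links to files. The Python below is an added example that is not from the paper, from Microsoft or from any poster; it shows both points on a toy block device. A Luhn-plus-prefix carve over the raw image (the kind of heuristic a forensic tool's fast scan applies) still finds the record after its directory link is dropped, finds nothing after the freed block is overwritten with zeros, and also flags a Luhn-valid serial number, which is why such a hit is only "probable". The ToyDisk class, block layout and sample records are constructed for this illustration; the card numbers are the standard published test numbers, not real cards.

```python
import re

# Constructed sample data: well-known Luhn-valid *test* numbers, not real cards.
DISCOVER_TEST = b"6011111111111117"
VISA_TEST = b"4111111111111111"

# 13-19 ASCII digits that are not part of a longer digit run.
PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; every forensic 'credit card hit' starts here."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def network_by_prefix(digits: str) -> str:
    """Coarse issuer-prefix classification (a real BIN table is far finer-grained)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "AmEx"
    if digits.startswith("6011") or digits[:2] == "65":
        return "Discover"
    return "unknown"


def fast_scan(image: bytes) -> list:
    """Carve Luhn-valid digit runs out of raw bytes, ignoring any file system structure.

    Returns (offset, network) pairs. A hit is only 'probable': any Luhn-valid
    run (serial numbers, order ids) matches just as well as a card number.
    """
    return [(m.start(), network_by_prefix(m.group().decode()))
            for m in PAN_RUN.finditer(image) if luhn_ok(m.group().decode())]


BLOCK = 64  # constructed toy block size


class ToyDisk:
    """Minimal block device: a directory of name -> block links plus a raw byte image."""

    def __init__(self, blocks: int = 8):
        self.image = bytearray(BLOCK * blocks)
        self.directory = {}                 # the 'links' an ordinary delete forgets
        self.free = list(range(blocks))

    def write(self, name: str, data: bytes) -> None:
        blk = self.free.pop(0)
        self.image[blk * BLOCK:(blk + 1) * BLOCK] = data.ljust(BLOCK, b"\0")
        self.directory[name] = blk

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the link, leave the bytes exactly where they were."""
        self.free.append(self.directory.pop(name))

    def wipe_free(self) -> None:
        """Overwrite unallocated blocks with zeros, which is what a reset would need to do."""
        for blk in self.free:
            self.image[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)


def demo() -> dict:
    """Write a profile and a serial number, delete the profile, scan, wipe, scan again."""
    disk = ToyDisk()
    disk.write("profile.dat", b"card=" + DISCOVER_TEST + b" exp=0419")
    disk.write("serial.dat", b"serial=0000000000000000")   # Luhn-valid but not a card
    before = fast_scan(disk.image)
    disk.delete("profile.dat")                            # the 'delete personal data' step
    after_delete = fast_scan(disk.image)
    disk.wipe_free()                                      # actually zero the freed block
    after_wipe = fast_scan(disk.image)
    return {"before": before, "after_delete": after_delete, "after_wipe": after_wipe}


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:12s} {hits}")
```

The scan is byte-oriented on purpose: it does not consult the directory at all, so the deleted record is found at the same offset as before the delete, and only the zero overwrite removes it. The "serial" hit with network "unknown" is the false-positive case the paper's own wording ("does not definitively prove") allows for.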

  • by Stenchwarrior ( 1335051 ) on Thursday April 05, 2012 @01:14PM (#39587563)

    From the PCI Security Standards Council "PCI Data Storage Do's and Don'ts" [pcisecuritystandards.org]:

    Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones

    And

    At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs.

    Based on that information, I would say that PCs and, certainly in this case, game platforms (since the Xbox is really just a PC) would fall under the "endpoint device" category. Especially since the end-user has no control over whether or not that information is stored on their device because only Microsoft can alter the code that allows or disallows the storage.
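Stenchwarrior's PCI quote above says the PAN must be rendered unreadable anywhere it is stored, including logs. The Python below is an added illustration, not Microsoft's code and not from the PCI document, of the two usual ways that requirement is met for stored data: truncation to at most the first six and last four digits, and a keyed hash token that can still be matched against later transactions without revealing the number. It also shows a log scrubber that truncates any PAN-shaped digit run before a line is written, and a check a defender can run over stored text. The key value and record layout are placeholders constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed placeholder; a real deployment loads this from a key store or HSM.
TOKEN_KEY = b"placeholder-secret-replace-from-key-store"

# 13-19 ASCII digits that are not part of a longer digit run.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask everything else."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN.

    A plain hash alongside the truncated form would let someone enumerate the
    few missing digits and match; keying the hash with a secret prevents that.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def storable_record(pan: str, cardholder: str, expiry: str) -> dict:
    """What may be kept at rest: truncated PAN, token, cardholder name, expiry.
    Nothing from the magnetic stripe, PIN or card verification code is accepted."""
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_token": tokenize_pan(pan),
        "cardholder": cardholder,
        "expiry": expiry,
    }


def scrub_log(line: str) -> str:
    """Truncate any PAN-shaped digit run before the line reaches a log file."""
    return PAN_RUN.sub(lambda m: truncate_pan(m.group()), line)


def has_readable_pan(text: str) -> bool:
    """Defender's check: does this stored text still contain a full PAN-shaped run?"""
    return PAN_RUN.search(text) is not None


if __name__ == "__main__":
    # Constructed sample using the published Visa test number, not a real card.
    raw = "charge ok pan=4111111111111111 amount=12.00"
    print(scrub_log(raw))
    print(storable_record("4111111111111111", "A. Example", "04/19"))
```

The scrubber is a last line of defence for log paths the application did not anticipate; the intended design is that the full PAN never reaches a log statement or a client device in the first place, which is the point of the "endpoint device" rule quoted above.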
