Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s
An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"
Microsoft is right (Score:3, Insightful)
Re:Terribly Misleading Headline (Score:5, Insightful)
Re:Didn't Sony say the same thing at first? (Score:5, Insightful)
IIRC, Sony said something very similar at the beginning of the PSN breach [wikipedia.org]--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."
If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.
And even if it did have it, I think there are better ways for bad guys to get credit card numbers than buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.
It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.
Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.
And even then, it's really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.
Microsoft Correct (Score:0, Insightful)
I think there are probably 1000s of different ways to get credit card numbers. Finding them on old Xbox hard drives is going to be one of the more difficult ways to gather them.
Re:Didn't Sony say the same thing at first? (Score:4, Insightful)
The problem is, they haven't actually verified that what they have is an actual credit card number. They've just pulled a number out that happens to validate and have the same starting digits as a card type, but there is no related information. So why would the credit card number on its own find its way into these streams and not the other details off the card?
At the moment, they found a number, that's it. What would be an actual test is to use an Xbox, use a card on that Xbox, and then see if you can recover that card from that Xbox - that's not what they did, so the results can't be validated.
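The argument in the comments above, that a 16-digit number with a card-like prefix and a valid check digit is not proof of a card number, can be measured. This added example (not part of the original thread or of the researchers' work) applies that heuristic to a constructed buffer of random digits and counts the matches; the function names, buffer size and seed are assumptions chosen for illustration.

```python
import random

def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def looks_like_card(number: str) -> bool:
    """Heuristic from the thread: 16 digits, 3/4/5 or 6011 prefix, valid check digit."""
    return (len(number) == 16 and number.isdigit()
            and (number[0] in "345" or number.startswith("6011"))
            and luhn_ok(number))

def valid_check_digits(body15: str) -> list[str]:
    """Check digits that make a 15-digit body pass Luhn (always exactly one)."""
    return [c for c in "0123456789" if luhn_ok(body15 + c)]

def false_positive_rate(n_digits: int = 10_000, seed: int = 360):
    """Slide a 16-digit window over random digits; return (hits, windows)."""
    rng = random.Random(seed)   # constructed sample data, no real card numbers
    stream = "".join(rng.choice("0123456789") for _ in range(n_digits))
    windows = n_digits - 15
    hits = sum(looks_like_card(stream[i:i + 16]) for i in range(windows))
    return hits, windows

if __name__ == "__main__":
    # Any 15-digit body has exactly one passing check digit, so 1 in 10
    # arbitrary 16-digit strings is "Luhn valid" by chance alone.
    print(valid_check_digits("601100000000000"))   # constructed body
    hits, windows = false_positive_rate()
    print(f"{hits} of {windows} windows match ({hits / windows:.1%}) "
          "although the buffer holds only random digits")
```

A match from this heuristic is a candidate to verify against known ground truth, which is the test the last comment proposes.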