Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

Didn't Sony say the same thing at first?

[crazyjj]

IIRC, Sony said something very similar at the beginning of the PSN breach [wikipedia.org]--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

Re:Microsoft is right

[not already in use]

No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

Re:Well they would

[Garybaldy]

Well at least MS denies it. Apple just covers it up.

Re:Microsoft is right

[Anonymous Coward]

No reasonable person would cache credit card details.

OK, let's say MS are 'reasonable' and do not specifically and deliberately cache CC data.
Are you seriously saying that it's not possible that such data would get cached incidentally as part of a larger chunk of data? Stored in some Xbox equivalent of pagefile.sys or whatever? That despite all sorts of data gets cached all over the place, magically somehow CC data never gets in any cache ever?

For once I agree with MS

[Anonymous Coward]

After seeing the original article I tried finding my own credit card number on my xbox hard disk. Through a search of the entire hard disk not even the first 4 digits of my credit card were found, which is part of the issuer identification number. http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

Additionally- the article that put this scare on found a number that matched the issuer identification number for a Discover card issued by Bank of America. Microsoft doesn't even take Discover cards. You can't even give this credit card number to Microsoft's system for storage. I find it very hard to believe that Microsoft is storing the credit card number of a card they can't even process.

Re:Didn't Sony say the same thing at first?

[s.petry]

Take a common sense view of how this could happen. Xbox kernel sees user input, caches input in case the connection is lost. Cache gets written to drive in case of power failure.

This is the same mindset we see with other Microsoft products like "Active Installer" for IE. Obviously there are security implications but Microsoft chose to put convenience over security.

To many of us, the security problems released are not excusable. To Microsoft, it's the best business decision.

In short, it is not a bad intention that brings something like this out necessarily. It's actually a good intention, but poorly planned from the security perspective.