Microsoft: 'Unlikely' Credit Card Details Lifted From Xbox 360s

An anonymous reader writes with this excerpt from ZDNet: "Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information. Redmond is still investigating, but it's already calling the claims 'unlikely.'"

Microsoft is right

[Johnny Mister]

This just seems more like bad mouthing about MS and XBOX360. It was already debunked on Slashdot too, because MS doesn't store credit card details on the machine. They only store account details. Microsoft is right - this is just some unfounded rumor that has no basis on reality.

Re:

[autocannon]

I don't believe the CC numbers are stored on the HD either. But, take the extreme view that they are, and they're stored unencrypted. It still requires someone selling/losing/stolen their Xbox HD. This will never be a pandemic problem.

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer. That Xbox HD still could have your account name/email address/password. Could lead to far more problems than just losing a CC # if that email or password is used for more th

Re:Microsoft is right

[chrb]

I don't believe the CC numbers are stored on the HD either.

It might be possible that the data was written to a temporary file, or the memory was written to the swap partition, or that the number was written by a non-MS game or app.

That Xbox HD still could have your account name/email address/password.

Yes, apparently they recovered user names, gamer tags, purchase history etc.

Re:

[tibit]

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer.

That's quite silly if you're talking about modern mechanical hard drives. Apart from reallocated bad sectors, if you overwrite a hard drive with all-zeroes, the data is irreversibly gone. The only remaining fragments are sectors that got reallocated; those are likely not to be deleted even if you initialize the hard drive. Of course those fragments may, by chance, happen to have a credit card number in them, say if they were a part of a swap file at some point in time.

Re:

[triffid_98]

Apart from reallocated bad sectors, if you overwrite a hard drive with all-zeroes, the data is irreversibly gone.

Not precisely true. drive platters (even overwritten with zeros) can be forensically analyzed after the fact by examining the off-center track data...but that would require physical dis-assembly of the drives which they are clearly not doing here.

...also (at least for me personally) drives get retired when they die, therefore there would be no way to zero them out without repairing whatever t

Re:

[tibit]

Not precisely true. drive platters (even overwritten with zeros) can be forensically analyzed after the fact by examining the off-center track data...but that would require physical dis-assembly of the drives which they are clearly not doing here.

That was true maybe up to 15 years ago, and that's a stretch. There's no such forensic analysis. These days there is no space left between tracks. This means that magnetic domains from one track directly touch domains from another track. If you overwrite, there's nothing left. If there was anything left, it'd be a costly design omission: any unused magnetic domains are a waste, they should be used to store data! They engineered this as far as it goes.

Re:

[triffid_98]

That's just not true. Obviously there is 'something' left otherwise a write from one track would corrupt data from the adjacent track.

The inter-track spacing is certainly much smaller than it was 15 years ago, and therefore harder to analyze, but certainly not impossible.

If you're curious about the technique it's called 'magneto force microscopy' (MFM).

Re:

[tibit]

Having had access to MFM and having looked about 8 years ago at a then-state-of-the-art hard drive I can tell you that there is no inter-track spacing with anything resembling data in it, unless that particular drive was somehow a special case. It was a rather normal laptop hard drive. Have a look at the relevant wikipedia page [wikipedia.org]. There is effectively noise between the tracks of the old 3.2gb drive, but there's nothing between the tracks of the 30gb drive. A contemporary hard drive has very, very few domains

Re:

[triffid_98]

Even comparing both adjacent track areas? I find that difficult to believe. MFM allows resolutions as high as 10 nanometers and the inter-track spacing on modern drives is IIRC greater than 100 nanometers even on the highest density models.

Re:

[Tharkkun]

I don't believe the CC numbers are stored on the HD either. But, take the extreme view that they are, and they're stored unencrypted. It still requires someone selling/losing/stolen their Xbox HD. This will never be a pandemic problem.

And I'm sure everyone on this forums knows that the only way to truly wipe a HD requires a hammer. That Xbox HD still could have your account name/email address/password. Could lead to far more problems than just losing a CC # if that email or password is used for more than the Xbox system.

I have a better chance of stealing receipts from Target than getting them from a recently formatted Xbox. This story is being blown way out of proportion.

The Paper

[chrb]

this is just some unfounded rumor that has no basis on reality

It's more than a rumour, it's a research paper from some forensics experts that has been submitted to a conference. Of course, that does not mean that it is correct, and afaik it has not been published yet.

The PDF (found via xbox-experts.com [xbox-experts.com]:
Identity Theft and Used Gaming Consoles: Recovering Personal Information from Xbox 360 Hard Drives [hotfile.com]

The relevant text shows that they just got a credit card hit from some forensics tool:

Performing a fast scan on one of the drives resulted in a possible credit card hit as demonstrated in Image 10. Although this does not definitively prove there are any credit card numbers on the hard drive, it is highly probable given the results obtained. The Bank Identification Number in this hit identifies this as a Bank of America Discover Card [37].

The authors appeal to have credible prior experience in digital forensics:

Dr. Asley L. Podhradsky, Drexel University [drexel.edu]
Dr. Rob D'Ovidio, Drexel University [drexel.edu]
Cindy Casey, Drexel University [linkedin.com]

They have published work on XBOX 360 previously, so they may have some experience in this specific area (or not):
The Xbox 360 and Steganography: How Criminals and Terrorists could be Going Dark
A Practitioners Guide to the Forensic Investigation of Xbox 360 Gaming Consoles

Re:The Paper

[damnbunni]

It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

So why would someone enter their Discover information on an Xbox anyway?

Re:

[chrb]

So why would someone enter their Discover information on an Xbox anyway?

Someone didn't realise that, tried it anyway, and the failure got logged or swapped out? Or it could be outside of the context of Live: maybe they were running a Web browser and a page got cached? Or they sent or received the card number in an email or instant message and it got saved to the disk? The string could have even been stored in a temporary file and deleted, it seems the tool they use just scans the flat binary drive data, rather than interpreting the file system.

An ASCII string, bounded by non-

Re:

[wompa164]

Let me guess, he dumped it into Encase and ran the Credit Card Finder EnScript?

Re:

[wompa164]

So I just downloaded the report that someone linked above and that's exactly what he did, consider my blown away. Given my experience, the existence of a hit from that Enscript proves very little. This entire 'report' is cookie cutter at best, this 'forensics expert' is clearly an academic trying to keep his publish rate up.

Re: Why a Discover card?

[King_TJ]

It occurs to me that *maybe*, the only card info that winds up cached are not the VALID ones MS processes and accepts, but rather, cards like this which don't actually work on the network? (If so, that could be a bug in the XBox code, where they purposely refrain from caching or storing cards that successfully process, but neglected to consider people entering good, valid cards which simply aren't the right TYPE (Discover or AmEx).

Re:

[aztracker1]

More so.. does BofA, who's parent company owns Visa & MasterCard even issue Discover Cards?

Re:

[Kalriath]

Yes. The first six numbers of the card match up to a database of who issued it and what type of card it is - the researchers would have run it through whatever BIN database they have access to.

I'm not sure what you mean by Bank of America's parent company though, as they don't have a parent company. And Visa and MasterCard don't have owners, they're associations formed of large issuing banks.

Re:

[holmedog]

It seems especially unlikely in that Microsoft doesn't accept Discover cards - only Mastercard, AmEx, Visa, and PayPal.

So why would someone enter their Discover information on an Xbox anyway?

You, sir or madam, make me wish I could give something a +6. This completely calls bullshit on the whole endeavor in my opinion.

Re:The Paper

[Sir_Sri]

Which may actually make it unlikely in microsofts eyes. Being able to have a team of professional forensics experts potentially extract data from a console is a far cry from it being actively exploited by hackers.

If you look at the paper in question they ran half a dozen tools to try and extract part of a single credit card. And pretty much everything they're looking at is pretty standard hard drive forensics sort of problems, they're discussing in specific to the 360, but there's nothing there that doesn't apply to any HDD. How 'erased' is erased data (when you write 0's to the drive), the answer is not perfectly. A general 'delete personal data' just deletes files the same way most OS's do, it just forgets the links to the files, but they still hang out on the drive and can be extracted.

It seems like the trick with the Xbox is that it has various partitions and not all of them are always overwritten, and then the general problems with magnetic storage. So sure, if the police have a specific reason to dig through one xbox 360 they might be able to recover something. But beyond that, I wouldn't count on it being a major issue.

Re:

[tibit]

How 'erased' is erased data (when you write 0's to the drive), the answer is not perfectly.

If you only access the hard drive using published ATA protocols, it is a perfect erasure. You can't recover any of the original data, period. If you access the drive using manufacturer-specific protocols, you may be able to read the contents of reallocated sectors, and those may, by chance, happen to contain useful data. That's it, though. If you were to open up the drive and access the platters using, say, magnetic force microscope, you'd not have access to any other data apart from drive's housekeeping a

Re:Microsoft is right

[not already in use]

No reasonable person would cache credit card details. It's not exactly the type of data, regardless of its sensitivity, that would need to be cached anyway. Let's face the real issue at hand: There is a *huge* market for anti-Microsoft "journalism." You monkeys will piss pageviews on anything that makes any absurd claim, and you won't think twice about whether or not it's credible.

Re:

[Anonymous Coward]

No reasonable person would cache credit card details.

OK, let's say MS are 'reasonable' and do not specifically and deliberately cache CC data.
Are you seriously saying that it's not possible that such data would get cached incidentally as part of a larger chunk of data? Stored in some Xbox equivalent of pagefile.sys or whatever? That despite all sorts of data gets cached all over the place, magically somehow CC data never gets in any cache ever?

Re:

[chrisj_0]

Amazon or iTunes much?

Re:Microsoft is right

[Stenchwarrior]

Fortunately "reasonable" doesn't have to come into play here. PCI auditing standards exist so the human fallacies (potentially) of reason and common sense are mitigated by explicitly defined controls that anyone who deals with credit cards at all must adhere to. Someone like Microsoft, thankfully, would probably be even more scrutinized by auditors, not only because they are Microsoft, but because Microsoft would want to make sure they are compliant.

That being said, PCI, in part, states that credit card info must never be stored, cached, saved...etc., in any device that is directly accessible to the customer or attached to the vendor's network unless sufficiently encrypted with even more controls guarding the public and private encryption keys. Basically, no XBOX should ever store credit card information, only account information at the very least. Even then, the credit card info that CAN be saved on Microsoft's servers can contain the CC number, cardholder name, service code and expiration date (cardholder data), but it CANNOT store the PIN, magentic stripe data or CAV2 code (card authentication data).

Re:

[s.petry]

The problem with your argument is really that the PCI auditors would not be reviewing an Xbox for standards. Those standards normally only apply to servers that house data, not the clients that input data (but also ATM machines and specific devices made to hold that type of data).

This is why you have telemarketers on lord-only-knows what kind of PC inputting data all day through a web browser. The rules cover the Servers that house the data and the connection the client comes in through, but bet your ass

Re:Microsoft is right

[Stenchwarrior]

From the PCI Security Standards Council "PCI Data Storage Do's and Don'ts" [pcisecuritystandards.org]:

Do not store any payment card data in payment card terminals or other unprotected endpoint devices, such as PCs, laptops or smart phones

And

At a minimum, PCI DSS requires PAN to be rendered unreadable anywhere it is stored – including portable digital media, backup media, and in logs.

Based on that information, I would say that PCs and, certainly in this case, game platforms (since the Xbox is really just a PC) would fall under the "endpoint device" category. Especially since the end-user has no control over whether or not that information is stored on their device because only Microsoft can alter the code that allows or disallows the storage.

Re:

[s.petry]

Come on now, what you stated originally is that Microsoft would be subject to audits so would have to comply. What you point to is the industry standard practices which can be found pretty much anywhere.

The fact is, that Xbox is not audited any more than your home PC,Smart Phone, or favorite web browser is audited.

Now if you want to show me a report from the FTC that shows the XBox listing as a financial device that is subject to audits like an ATM, I'll apologize for saying that you are full of shit.

Re:

[Stenchwarrior]

Oh, so it's a semantic argument you want, is it? No thanks, take a stroll elsewhere, please.

Re:

[Kalriath]

If the Xbox is part of the payment system, then yes it would. Every application and all components that have access to the card data that processes payments are audited either as part of the PCI-DSS requirements or the PA-DSS requrements. For the Microsoft billing application to pass PCI-DSS, the Xbox which is software they control which has access to the card data as part of the transaction would have to be audited too.

And what the hell does the FTC have to do with anything? It's the merchant acquirer t

Credibility

[ozmanjusri]

Ashley L Podhradsky, Doctor of Science in Information Systems

Education:
Doctoral Information Systems, Specializing in Information Assurance, Dakota State University
M.S., Information Systems, Specializing in Network Security, Dakota State University
B.S., Electronic Commerce and Computer Security, Dakota State University
Certificate: Computer Hacking Forensic Investigator, AccessData Certified Examiner

Areas of Expertise:
Computer Forensics
Digital Forensics
Consumer Privacy
Risk Management

http://goodwin.drexel.edu/sotaps/Ashley_Podhradsky.php [drexel.edu]

Vs

Jim Alkove
Aliases and Other Names: James Alkove

Bio
Software Design Engineer at Microsoft Corporation
Career
Microsoft Corporation
Software Design Engineer

Achievements and Recognition:
.
.
.

http://www.spoke.com/info/p1N6wTr/JimAlkove [spoke.com]

Re:

[Genda]

If his expertise is security I'd say yeah, I'd take his word over some guy on the front line, because this is the guy who invented the software the guy on the front line is using, is collecting the data on its effectiveness, is determining where the vulnerabilities for existing software are, and writing the next generation of software the guy on the front line will be using in 5 years. If he tells you your security is lax, and he can get critical information off your product, you should at least let him sho

Re:

[ozmanjusri]

If his expertise is security I'd say yeah, I'd take his word over some guy on the front line, because this is the guy who invented the software the guy on the front line is using,

Girl, not guy.

She's a woman.

Re:

[Kalriath]

One of the best analyses I've seen of this issue, that debunks it completely, is that the card number that the researcher found was a Bank of America Discover card which is impossible - as Microsoft doesn't take Discover.

It could, however, just as easily have been someone who subscribed to Final Fantasy or a similar MMO, as the card details are entered via the Xbox too and not billed by Microsoft or in Microsoft's control at all.

Re:

[LordKronos]

If he tells you your security is lax, and he can get critical information off your product, you should at least let him show you where the mistake

From TFA:

We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims

Re:

[thsths]

> Dakota State University

"Is that were you learn to raise cattle?" :-) No, it isn't but as far as scientific reputation goes, it is pretty far down the list. But heritage is the smaller part of the questions - show me your work - and I will tell you what it is worth.

And the original story was very much lacking there. So they found a string that looked like a credit card number on the hard disk, without any idea how it got there. Note: this is not a controlled experiment, this an xBox from ebay - pretty m

Re:

[Darinbob]

While I doubt that credit card details are being stored on xbox, stuff like this has happened in the past and it's often done without the company knowing. Despite the attitude to try and implicate some ulterior motives most often the upper management has literally no idea what the average worker is doing and even middle managers may be unaware.

So some programer may have just decided to use a cache file and forgotten to clean it up without there ever being someone doing a code review with an eye towards sec

Re:

[WarmBoota]

I was analyzing some issues for a client that was using Microsoft Site Server circa 1999. We took a look at the server and it had been caching every single credit card transaction because a debug setting was on. This wasn't custom code or a hack, this was Microsoft's out of the box configuration. I can COMPLETELY believe that Microsoft would store sensitive information on the local machine especially if they think that they've sandboxed it from the end user.

Terribly Misleading Headline

[rjstanford]

Bad: 'Unlikely' Credit Card Details Lifted From Xbox 360s
Better: 'Unlikely' that Credit Card Details have been Lifted From Xbox 360s

See the difference?

Re:Terribly Misleading Headline

[Robert Zenz]

Even better: Microsoft says it's unlikely that Credit Card details can be lifted from XBox 360s.

Re:

[cpu6502]

One fits in /.'s character limit and the other does not?

This is disappointing. I have a used Xbox filled with somebody's private credit information. Oh well.

Re:

[Syphonius]

Yes, I see the difference. One follows the headline pattern of print and electronic media that has been established for probably 50-100 years. The other has extra garbage words that do not change the meaning and take up more space.

Re:

[Oligonicella]

Actually, the header is ambiguous with 'unlikely' being closer to 'credit card' than 'details'.

Microsoft: Credit info lifting from XBox 360s is unlikely - is more clear.

Re:

[FranktehReaver]

Indeed, at a first glance I thought they found some credit card information that was unlikely to be present on the system. Like sears cards or something lol, and not that it is unlikely that credit card data can be lifted from the device. Which using the word unlikely leaves room for doubt and that it is theoretically possible. Now if it said impossible or not true then okay you guys know what the heck is up. But unlikely? that is like saying is the cancer going to spread? and the doctor makes a ehhh face a

Didn't Sony say the same thing at first?

[crazyjj]

IIRC, Sony said something very similar at the beginning of the PSN breach [wikipedia.org]--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

Re:Didn't Sony say the same thing at first?

[tgd]

IIRC, Sony said something very similar at the beginning of the PSN breach [wikipedia.org]--something along the lines of "This was a minor incident. It was probably only a few accounts. Nothing to see here."

If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

It also sounds like there's no evidence from the article that the numbers were actually credit card numbers. I know every Discover card starts with 6011, but not all 16 digit numbers that start with 6011 are Discover cards, as an example. You also can't assume that any 16 digit number that starts with a 3, 4, or 5 and ends with a valid check digit is a credit card number.

Until someone enters *their* credit card number on an XBox, and finds *that* number saved on it, I don't think this is credible. And, really, it needs to have the CID, expiration, address verification digits AND the user's name to really be a risk.

And even then, its really not a risk, given how easy it is to get valid cards in bulk from more nefarious sources.

Re:

[tibit]

It may not be a risk, but the number shouldn't be there, per PCI standards. It's an interesting find.

Re:

[s0nicfreak]

"And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers."

The thing is, there is already a fuckton of used xbox 360s floating around out there. Just do an ebay or craigslist search for "red ringed 360" and you will see people selling multiple and buying them (which probably means they have multiple). Heck, I have 2 used 360s in my house, and more have passed thro

Re:

[tgd]

They are given away or sold very cheaply by people that don't know how to fix them to people that do, a simple fix is done on them and they are sold.

And you can get into the right IRC channel and buy a bunch of zero-day card dumps for the same cost... and then you'll have a number you might actually be able to use. If you get numbers from the XBox, you'll have a number that may or may not be old. (The last time I entered a CC into my console was probably four or five years ago, and definitely expired!) You'll maybe have enough data to be able to run a CNP transaction with a site online. For durable good sites, that means shipping something somewhere an

Re:

[s0nicfreak]

"And you can get into the right IRC channel and buy a bunch of zero-day card dumps for the same cost"

The cost of free? Either way, the type of people I think would do this probably don't know what IRC is. I'm thinking teenagers who know how to mod and repair xboxes, not programmers or career criminals. Armed with my credit card number and my xbox live or ebay name, my address is just a google search away - and if I sold it to someone and shipped it, it's right there on the return label. Never mind the fa

Re:

[Jonathan_S]

If someone was claiming they hacked the Xbox/Live network and got access to credit cards, the comparison might be accurate. In this case, they're claiming they got credit card information from a device that doesn't have it.

And even if it did have it, I think there's better ways for bad guys to get credit card numbers then buying an Xbox one at a time, using a modding tool, grepping the filesystem and pulling out numbers.

It also sounds like there's no evidence from the article that the numbers were actually

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

I entered my card details on the XBox Live website directly, not via my Xbox - I don't see why Microsoft would deliberately store the card details in two places if you entered it on an XBox, when the card authorisation has to be done by the remote servers anyway, so thats why I'm personally leaning to the above understanding.

Also, it was noted in the last story about this that the example credit card number given as "successfully retrieved" was not of a type accepted by XBox Live as a payment source...

Re:

[jimicus]

The way I see this statement from Microsoft is "well, if all the processes are followed correctly by our developers, we don't see this happening, so its unlikely. However, there is a chance that a developer may have used the wrong caching or serialisation library for this routine which may have inadvertently left traces on the XBoxes hard disk, so we are going to look into it."

Considering the number of times I've seen applications reinvent the wheel because the developer clearly couldn't find what they were trying to do in an existing library, this wouldn't surprise me in the slightest.

Re:

[s.petry]

Take a common sense view of how this could happen. Xbox kernel sees user input, caches input in case the connection is lost. Cache gets written to drive in case of power failure.

This is the same mindset we see with other Microsoft products like "Active Installer" for IE. Obviously there are security implications but Microsoft chose to put convenience over security.

To many of us, the security problems released are not excusable. To Microsoft, it's the best business decision.

In short, it is not a bad inte

Re:

[Richard_at_work]

The XBox just throws an error to the user if it loses connection to Live while you are doing something - thats why I had to add my card details via the website (XBox lost connection to the local wifi for a bit).

Re:

[s.petry]

Personally I boycott all Microsoft products so have to take your word for how it acts during some type of outage. I was just pointing out that it's potentially something that does exist, and it's logical from some perspective. I have seen numerous releases of code from lots of vendors (not just Microsoft) with facilities similar to this. Features do not have to be complete, published, or even fully implemented in order to exist on a system.

Re:

[s.petry]

Just a side note, I'm not sure if you read the full PDF. The research is very credible, and very thorough. They show a lot of the data being cache, not just credit card data.

If the research was just a bash with no merit I would probably just agree with you.

Re:Didn't Sony say the same thing at first?

[Richard_at_work]

The problem is, they haven't actually verified that what they have is an actual credit card number, they've just pulled a number out that happens to validate and have the same starting digits as a card type but there is no related information - so why would the credit card number on its own find it's way into these streams and not the other details off the card.

At the moment, they found a number, that's it. What would be an actual test is to use an Xbox, use a card on that Xbox, and then see if you can recover that card from that Xbox - that's not what they did, so the results can't be validated.

Re:

[s.petry]

Valid point regarding the known testing. The known test would also be able to provide details on where and what other card data was being stored, if any was being stored. It is logical that if the Card # is being stored, other details are stored as well. Much harder to find a 4 digit date stamp and 3 digit CVV though, so would really need a way of expanding the test immensely. It would be pretty costly, but possible.

1. Boot system, patch, power down, dd drive1-snapa.

2. Enter details, register, CC numb

Re:

[Kalriath]

Except that the string cannot validate if it was used to sign up for Live - the Xbox 360 will not accept a Discover card because Microsoft does not accept them. This doesn't discount the possibility that the card was there because the former owner signed up to Final Fantasy or another MMO via the console and that application saved or cached the number, but it certainly reinforces that it's unlikely Microsoft is responsible.

Re:

[Richard_at_work]

I was going to post something similar to Kalriath, but my iPad ate my Safari instance last night, so here we go again...

They didn't validate the entire string, because thats not possible with the check numbers involved - only the card issuer or the payment networks can actually tell you if its a valid card number and they wouldn't tell you unless you tried to present the card. You can have a card number which validates as a card type, and internally validates as a correctly formed number, but those checks

Re:

[tomstockmail]

I love Slashdot! A posting about how 360 exposed credit card details is _finally_ posted, but it's in defense of Microsoft. And the third comment down is saying Sony is just as bad. Keep up the great work, everyone!

XBox 360 and fraud

[Anonymous Coward]

I've been hit twice by fraudulent charges relating to XBox accounts on my CC. The common denominator in both cases was using this particular card at the same gas station in Panama City, FL.

In both cases, several XBox accounts were charged to my card. Microsoft for whatever reason cannot reverse the charges - they actually instruct you to file a complaint with the CC (and in both cases the charges were reversed).

I don't even own an XBox and convincing both MS and the CC of this fact is very difficult.

Re:

[SomePgmr]

I can see why that's aggravating, but it makes sense. Your CC company can follow up on fraud by deactivating the old card, issuing a new one, reversing certain charges as fraudulent and watching for activity on the stolen one. If Microsoft does it, it's just a reversed charge on a compromised account.

Re:

[s0nicfreak]

That was the gas station being compromised, not Xboxes.

lol i thought macs don't get hacked!

[Anonymous Coward]

oh wait this about xbox isn't it

Re:

[Garybaldy]

Well at least MS denies it. Apple just covers it up.

Re:

[Kalriath]

Except they have a point. The card number found was a Discover. Microsoft won't even let you enter a Discover to sign up for Live or buy points.

Wait I have seen this one from Microsoft

[Anonymous Coward]

Remember MS-12-020:

Microsoft’s Security Research and Defense Blog stated that they expected to see exploit code in the wild within 30 days according to a quote from their recent blog post addressing the flaws: ”During our investigation, we determined that this vulnerability is directly exploitable for code execution. Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed w

Re:

[geraud]

In the infosec community, triggering a BSOD is considered a PoC, a working exploit means arbitrary code execution. AFAIK there is no public working exploit for MS12-020 atm.

boilerplate

[v1]

This is the standard boilerplate reply from almost any organization that has been publicly exposed as being compromised. They'll continue to tell the world it's the most minor, harmless possible case until lolsec, wikileaks, etc posts a dump of 10k credit cards or something, and only then will they begin to admit the actual scale of the breach.

In addition to laws that punish groups for being negligent in their security of private data, I'd like to see additional punishments passed out to companies that out

Re:

[tibit]

Tread carefully there, because the corporation often has a fiduciary duty to it shareholders, too. It's a fine line between being charged of negligence in disclosure due to insufficiency of the same, vs. being sued for negligence in disclosure due to possible customer backlash and financial loss.

Re:

[v1]

It's a fine line between being charged of negligence in disclosure due to insufficiency of the same, vs. being sued for negligence in disclosure due to possible customer backlash and financial loss.

Horse has already left, too late to close the barn door. They had a "fiduciary duty to it shareholders", which they failed at by allowing the breach. They already screwed up and through their negligence damaged the company brand, stock prices, customer goodwill, etc. The responsible behavior of disclosing the

For once I agree with MS

[Anonymous Coward]

After seeing the original article I tried finding my own credit card number on my xbox hard disk. Through a search of the entire hard disk not even the first 4 digits of my credit card were found, which is part of the issuer identification number. http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

Additionally- the article that put this scare on found a number that matched the issuer identification number for a Discover card issued by Bank of America. Microsoft doesn't even take Discover car

At least they didn't do Vizzini mistake

[Medievalist]

I think they should be applauded, for using the word "unlikely" instead of "inconceivable".

Re:

[Stenchwarrior]

I think they should be applauded, for using the word "unlikely" instead of "incontheevable".

FTFY

Who cares how likely it is?

[Torodung]

Really, who cares? Here is what happens with credit card number fraud. It is used once or twice, the bank catches it early because they watch for unusual spending patterns, sometimes even the vendor does (at places like jewelry or electronics merchants where fraud is more common, and insurance against theft becomes expensive), they expire the number and reissue you a card. The vendor gets reimbursed from insurance against theft. Sometimes you get a phone call, asking if it's really you, based on contact inf

Re:

[tibit]

"sending your daughter expectant mother mailers" -- how is that bad? Isn't it a successful use of technology? I'd love to get targeted marketing instead of getting all the usual irrelevant junk that seems nothing more but a waste of resources. Last year I've got about 40lbs of paper junk mail :(

Re:

[s0nicfreak]

What if it isn't unusual spending patterns, though? Let's say my xbox redrings, so I sell it on ebay and buy another. Then the person I sold it to fixes it, grabs my credit card number and goes on a 360 game buying spree. It isn't rare for my family to go on 360 game buying sprees, across multiple accounts and even multiple IPs. So it wouldn't be noticed quickly.

Re:

[Kalriath]

Suffice it to say that banks are a bit (nay, a lot) smarter than that. They'll never tell you how their fraud detection systems work, but it can be safely said that they use more factors than just IP address and merchant.

Re:

[s0nicfreak]

So you're saying that someone can have the exact same spending patterns as I do, yet somehow it will be detected as fraud. Sorry, but I find that a bit hard to believe.

Re:

[Kalriath]

It's more complex than that. The slightest deviation may be enough to trigger the watchful eye of an actual human, and the statistical possibility of someone having the exact same pattern as you is close to zero. Even something as odd as the person buying a game at 3:15pm when the bank usually sees a purchase at the local coffee shop at 3:15pm would likely be enough to raise an orange flag.

Re:

[s0nicfreak]

I think it is highly likely someone that steals credit card numbers in this fashion would do nothing with the card number except buy games - which is pretty much all I do. I go to the local coffee shop so rarely that they should be watching when I do; yet I have not yet had them cancel my card after I have done so.

I thought that was what MS Points were for?

[CCarrot]

It surprises me that so many people actually enter their CC info into their XBox.

Shucks, if it weren't for nice, anonymous, paid-for-by-cash MS Points cards, I wouldn't have any DLC on my box at all...similar to nice, anonymous Visa gift cards for Android Market (sorry, Play) purchases...and nice, anonymous iTunes gift cards for (shudder) iTunes* purchases.

* living in Canada sucks sometimes...we're so close yet at the same time so far from being able to buy digital content from the myriad of vendors availab

Re:

[Nukenbar]

Sounds like a VPN proxy in the US would do a lot of the things you want. You can get pretty decent ones with very little drop in bandwidth and very little added latency for about $8/month.

Re:

[CCarrot]

Sounds like a VPN proxy in the US would do a lot of the things you want. You can get pretty decent ones with very little drop in bandwidth and very little added latency for about $8/month.

Yess...and a decent torrent client can get even more of what I want with no added charge per month :) I simply want to 'play by the rules' and reward the artists I enjoy for creating great content, it just frustrates me that there is no 'legal' means for me to send my business where I would prefer. It's like they don't want my money...sure, it's colourful, but it spends pretty darn good up here!

Quelle Fscking Surprise

[ewhac]

How terribly convenient that, in December of last year, Microsoft jammed a new Xbox service "agreement" down everyone's throat where you "agree" to never sue Microsoft, either as an individual or as a member of a class, and instead "agree" to resolve all disputes via "neutral" arbitration.

It seems they saw Sony get its pants yanked down to its ankles, and all the consequent lawsuits, and thought to themselves, "We could apply the stunning engineering talent we've always claimed to have in this company to