It's easy to get credit card numbers off used Xbox 360s


23 Responses to “It's easy to get credit card numbers off used Xbox 360s”

  1. Kevin says:

    Well… I am just shocked, shocked I tell you! 

  2. Brian Easton says:

    Microsoft claims that no credit card info is stored locally on the Xbox 360. I’m inclined to believe them.

    • eselqueso says:

      In that article, Microsoft claims the Xbox is “not intended” to store credit card info locally, instead of that it “does not.” That’s a semantic hole you can drive a truck through.

  3. PrettyBoyTim says:

    There’s a couple of interesting posts on Slashdot:


    It seems they ran a program that just scans for potential credit card numbers – i.e. numbers that fit the credit card number format, pass the checksum and have a valid issuer id. This turned up one result.

    However, it appears to have been a Discovery card number and it doesn’t look as if Microsoft even supports Discovery cards for Xbox Live.

    It seems to me they may have just coincidentally found a number on the old Xbox drive that looks like a CC number. Certainly before claiming that CC numbers leak onto hard drives you’d expect them to find more than one ‘possible’ hit and even better actually confirm that it was a number previously entered to the Xbox.

    • JonS says:

      “find more than one ‘possible’ hit”

      How many hits would you /expect/ to find on any given Xbox? I’m thinking that one (1) is the expected result.

      • PrettyBoyTim says:

        Actually I was thinking they might do it on more than one Xbox hard drive.

        More importantly, it would be better if they tried it on a hard drive with a known CC number on it as then it would be easier to rule out coincidence.

      • Multiple cards associated with a console isn’t uncommon which is possibly even scarier than the fact that people trust giving their info out in this manner at all.  Use prepaid subscription & point cards instead.

      • Timmy says:

        If the Xbox isn’t meant to store CC numbers, then perhaps they merely found the text of, say, a private message between users or something similar. If that’s the case, there could be any number of CC numbers and it isn’t really MS’ fault. 

  4. angusm says:

    The Red Ring of Identity Theft …

  5. Kimmo says:

    What’s more, the Digital Millennium Copyright Act, which regulates the breaking of software locks, makes it illegal to investigate the internal workings of devices like the Xbox 360, and to publish the details of your findings, where those findings might also aid people in choosing to run unauthorized software on their own property.

    So if the 360 does store CC numbers, and I had one, and verified that this bit of software will solve the issue, it’s a crime to tell anyone?


  6. Kimmo says:

    What, all edits require approval now?

    What happened?

  7. I stumbled across this earlier. From what it said, Microsoft stated that the Xbox 360 doesn’t even store credit card information on the system, and that they have requested information about the system and addon/mods these people used to get these results but haven’t had any reply.

    I personally think it was done by a group of PS3 lovers that got tired of people saying crap about the PlayStation Network hack. So they came up with this to tarnish the name of Xbox like PlayStation’s is. (Yes, I know the hack was a long time ago.)

    Think about it, it would be incredibly stupid to give a system that doesn’t really have anti-virus, or very poor if any anti-hack (from online sources) prevention systems to have the ability to save important info such as a credit card number.

    IF the system actually did, someone would have pointed this out A LONG time ago if it was as easy as the researchers claim it to be. Therefore, I think it’s a made-up claim to get a red mark on Microsoft so PlayStation isn’t the only one in the boat.

    To top it all off, if the Xbox did save said info, it would give Microsoft potential access to their credit card numbers when they get an Xbox back, opening the chance for identity theft and leading to a lawsuit against Microsoft. So, I wouldn’t be surprised if they at some point in the past… oh I don’t know, like around the time of the PlayStation hack, checked to make sure there weren’t any potential problems such as this one.

    But the main thing to think about: if this was possible, then as I said before, some person messing around on their Xbox to see what they could find would have stumbled across this problem years ago.

    • That_Anonymous_Coward says:

      “IF the system actually did, someone would have pointed this out A LONG time ago if it was as easy as the researchers claim it to be.”

      So you’re from the Sony school of security, where it isn’t actually a problem until it is public. The Sony network was compromised for a LONG time. Sony was even made aware of the flaws and did nothing. Until their entire network was ripped down they refused to admit anything. People want to pretend LulzSec managed to teleport into their server farm in a Mission Impossible style raid; this is not the case. They were most likely not the first, second, third, etc. people to gain access to the system.

      Black Hats do not put up pastebins of everything they do or gain access to.
      Given the amount of identity theft out there, it is way too easy for a company to play the “it can’t be from us” card even as you show them how it was done. And it doesn’t matter when or if they ever knew or suspected… the liability always ends up on the consumer.

      I’m not sure what these researchers found, and would enjoy seeing it repeated on more systems to verify the claims that have been made.  But to disregard it because MS says no can’t be done… is stupid.  They claimed no one could hack COA codes either.  The questioning of the researchers being PS3 fans trying to give Xbox a black eye… interesting attempt at spin.  If this was from a group called XboxSuxors maybe, but Drexel University doesn’t scream fanboi.

  8. Stooge says:

    A group of researchers at Drexel University have demonstrated a method of recovering credit card details and other sensitive information from used Xbox 360s

    Er… no, not really.
    A group of researchers claim to have recovered a number from one Xbox, which looks like it could be a valid credit card number, because their pattern-matching trawl through the hard drive was looking for sequences that could be valid credit card numbers.
    Have they demonstrated this to anyone? No
    Have they run their experiment more than once? No
    Have they determined that the number they found corresponds to an actual card that has actually been issued? No
    Have they found any “other sensitive information”? No
    Is it virtually impossible to find a number on a hard drive consisting of one of a plethora of 6 digit IIN prefixes followed by any 8 or 12 digit number and a valid single check digit by chance alone? Not even fucking close.
    Why didn’t they take an Xbox, enter a single known credit card number on it to sign up for Xbox live, reset the Xbox, and then search the Xbox for that number? Er… beats me.
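The kind of scan described in comments 3 and 8, together with the control both commenters ask for, as an added example that is not part of the original thread and is not the researchers' tool. The issuer prefix list is a simplified assumption, the "drive contents" are constructed random identifiers, the planted value is the widely used Visa test number, and all function names are hypothetical.

```python
import random
import re

# Simplified issuer check (assumption): a few well-known leading digits only.
PREFIXES = {16: ("4", "51", "52", "53", "54", "55", "6011", "65"),  # Visa, MC, Discover
            15: ("34", "37")}                                        # Amex

def luhn_valid(number: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(data: bytes):
    """Return (offset, number) for every digit window that looks like a card."""
    hits = []
    for length, prefixes in PREFIXES.items():
        pattern = re.compile(rb"(?=(\d{%d}))" % length)  # overlapping windows
        for m in pattern.finditer(data):
            number = m.group(1).decode()
            if number.startswith(prefixes) and luhn_valid(number):
                hits.append((m.start(), number))
    return sorted(hits)

def constructed_noise(records: int = 5000, seed: int = 1) -> bytes:
    """Constructed stand-in for drive contents: random 20-digit identifiers."""
    rng = random.Random(seed)
    return b"".join(b"id=%s;" % "".join(rng.choices("0123456789", k=20)).encode()
                    for _ in range(records))

def control_experiment():
    """Plant one known test number and check it is found among chance hits."""
    known = "4111111111111111"  # standard Visa test number, not a real card
    noise = constructed_noise()
    image = noise + b"card=" + known.encode() + b";"
    hits = scan(image)
    planted_offset = len(noise) + len(b"card=")
    return len(scan(noise)), (planted_offset, known) in hits

if __name__ == "__main__":
    chance_hits, planted_found = control_experiment()
    print(f"chance hits in noise: {chance_hits}, planted number found: {planted_found}")
```

Any digit window with an accepted prefix passes the Luhn check one time in ten, so pattern matches alone say little; only the hit at the planted offset is evidence that an entered number was stored.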

  9. fugukl says:

    I learned long ago not to trust Microsoft with my financial details, anyway. Hell I can’t even manage to remove my PayPal details from them without prematurely cancelling my account. 

  10. bumpngrindcore says:

    And given most Xboxlive users, let me check how much sympathy I’d have if their banking details were discovered and their lives ruined…
    …nnnnnnope, can’t find any here, sorry! 

  11. Palomino says:

    Makes me shudder when I recall BB’s VUPEN post. 

  12. C W says:

    Wait, so people are actually buying this Snopesworthy, unable to reproduce and verify claim?

    Come on, internet.

  13. Fletch says:

    But it raises the “VALUE” because there will be fewer used machines out there!!! So it’s a win-win for Microsoft!!!
