Microsoft Denies Used Xbox Credit Card Hack
Microsoft has said it is looking into reported allegations that hackers may be able to retrieve credit card information off an Xbox 360 -- even after the hard drive has been reformatted.
The initial report of the security issue came from researchers at Drexel University in Philadelphia, Pa. In it, the researchers allege that even after an Xbox 360 game console is restored to factory settings, some personal data (including credit card information and billing address) is still stored on the HDD. That data can then be retrieved with the use of "basic hacking tools."
Speaking to Kotaku in a phone interview, researcher Ashley Podhradsky said that Microsoft is not protecting consumers from data theft if a flaw like this could easily be exploited.
"Microsoft does a great job of protecting their proprietary information," said Podhradsky. "But they don't do a great job of protecting the user's data."
According to the researchers' ongoing study, the team purchased a refurbished Xbox 360 from a gaming retail chain for test purposes. Once the system was loaded with custom modding software, the researchers were able to retrieve the previous owner's credit card information.
While Microsoft said that it was investigating the claims, it also went as far as to deny the allegations: "Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described," said Jim Alkove, general manager of Microsoft's security of interactive entertainment business, to Joystiq. "Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
While Microsoft conducts its own investigation into the matter, Podhradsky said the only way to be sure that your credit card information is kept safe when turning in a used Xbox 360 is to reformat it to default system settings, hook it up to a computer and use a third-party tool to securely wipe the drive.