Even though the consoles had been restored to factory settings, security researchers at Drexel University and Dakota State University were able to easily find credit card and other personal info.
Ashley Podhradsky, Rob D'Ovidio, and Cindy Casey of Drexel University, along with Pat Engebretson at Dakota State University purchased a refurbished Xbox 360 from a Microsoft-authorized retailer and used a very basic modding tool to gain access to the previous owner's credit card info, even though the hard drive had been wiped and the console restored to factory settings.
Says Podhradsky: "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data. A lot of them already know how to do all this. Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
Microsoft says it is investigating the case: "We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims. Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
If Microsoft is slow to come with a fix, the college students say using Darik's Boot and Nuke (DBAN) will protect you.
Says Podhradsky: "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data. A lot of them already know how to do all this. Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
Microsoft says it is investigating the case: "We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims. Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
If Microsoft is slow to come with a fix, the college students say using Darik's Boot and Nuke (DBAN) will protect you.
