Xbox Payment Data Vulnerable? Microsoft Doubtful

April 5, 2012

Microsoft this week responded to a research team’s claims that it hacked credit card information from the hard drive of a used Xbox 360 game console, calling the claim “unlikely.” Xbox 360 stores payment account details so gamers can make in-game purchases and upgrades easily. A team of researchers from Drexel University in Pittsburgh says it was able to lift those details belonging to a previous owner from a refurbished console purchased from a Microsoft-authorized reseller. The team claims it used a basic “modding tool” to gain access to the file system on the console, from which they were able to get access to the sensitive information. A statement from the software giant says, however, that it doubts the researchers’ claims.

“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims,” according to the statement. “Xbox is not designed to store credit card data locally on the console, and, as such, it seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.”