So you're thinking about selling your Xbox 360 console, perhaps because you pre-ordered the Limited Edition Kinect Star Wars Bundle and want to offset part of the cost, or maybe you're going all-in with PC gaming. Whatever the reason for getting rid of your Xbox 360, there are some things you need to know before tossing it up on eBay or Craigslist, and they have to do with your credit card information.
Researchers at Drexel University told Kotaku in a phone interview that pretty much any armchair hacker can swipe another user's credit card details and other personal information from used Xbox 360 consoles without too much effort using commonly available tools (Edit: Microsoft disputes this claim -- see official statement at the end of this article).
"Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data," researcher Ashley Podhradsky informed Kotaku.
You might be thinking, 'So what, I'll just restore the console to factory settings and I'll be good to go,' but that isn't enough. Podhradsky and her fellow researchers downloaded a readily available modding tool and cracked a refurbished Xbox 360 purchased from an authorized Microsoft retailer without too much fuss. Just like that, a console that had been factory refurbished forked over credit card numbers and other details.
"Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity," Podhradsky said.
That doesn't mean you have to keep your Xbox 360 forever or toss the hard drive into a fire pit before selling the system or giving it away. However, you definitely should disconnect the hard drive, plug it into a PC, and scrub it clean. Podhradsky recommends Darik's Boot & Nuke, though there are several free options out there that will 'zero-out' hard drives, such as Kill Disk.
After catching wind of the researchers' claims, Microsoft got in touch with us to provide their side of the story and dispute the accuracy of the findings. Here is the official statement:
“We are conducting a thorough investigation into the researchers’ claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.
“Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.” – Jim Alkove, General Manager, Security, Interactive Entertainment Business at Microsoft