HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Xbox Live: The "Roach Motel" of Personal Information

Now I know I'm a bit behind the curve, but I finally got around to
purchasing an Xbox Live Gold membership so I could see how bad I really
am at Gears of War.  For a brief moment, I felt like Private Pyle from
"Full Metal Jacket" cleaning my rifle - "Everything is clean...smooth."
Registration was a snap; just enter my credit card number, verification
code, name, and current address - and in no time I'm online getting
fragged to death and spending more time as a spectator than I'm
actually fighting.

Well, once I got tired of watching everyone
else have fun, I decided to revisit my account settings so I could
remove my credit card information (as I commonly do with any online
account that stores my personal information).  Much to my surprise,
there's no "Delete" ability from the console menu. I can add all the
credit cards I want or update any existing information, but I can't
delete ANYTHING.  Thinking that it's just getting late and I'm missing
something obvious, I decided to let it go for the night and look into
it the next morning.

Since being an information security
professional is accompanied by a healthy amount of paranoia, the first
thing I did the next morning is start Googling terms such as
"delete|remove Credit Card Xbox Live" to see if anyone else has
encountered this problem.  Much to my dismay, it is indeed impossible
to remove.  Yes, I used the word "impossible." Some people "think" they
have the solution - but none of them are successful.  This is truly a
case of "You can put your personal information in, but it won't come
out." Getting a bit more concerned, I decided to take my chances and
call support.

Here's a short list of responses I received from calling 1.800.4MY.XBOX:

  • Yes, canceling your subscription will remove your billing information from your account.
  • Well,
    the only way to remove your billing information from your Xbox console
    is to completely wipe out your HDD drive and start a-new.
  • Sir, I don't understand what you're concerned about.  Only you can see your personal information.
  • Ok, I've entered a bogus name and address - so your billing information is now useless and you're all set.
  • I'm sorry sir, you'll have to call Microsoft for that.

the second response (which is just asinine and, in theory, would
probably work - but it's just a bit "bull in a china shop-ish"), all
proved false, incorrect, inaccurate or just plain wrong.  As for the
last one, well...you got me there.  I'm still trying to figure that one
out.  But customer
support isn't the problem - they're just doing their job and getting
frustrated with them gets you nowhere - there seems
to be something much more sinister at work here.

Next thing I
decided to do was closely re-read the privacy statement, conveniently
located right on the Xbox 360 console.  Sure enough, it explicitly
states I have the ability to "update" or "add" items for billing - but
conveniently leaves out the "delete" ability. I even found a KB article
that eerily ignores "removing" your personal information.

  Not only am I at a dead end with customer support,
now I'm suspicious and have only one burning question - Why?  What
benefit do I, the consumer, get by not being able to delete my personal
information and why all the barriers and misinformation? 
Unfortunately, I don't know - but rest assured I'm looking into it.

you've read this far, I'm sure you're probably wondering what I did to
relieve my all consuming paranoia. Unfortunately, there's not much you
can do, short of canceling your current credit card, that will be effective.

Although I was once fired up about joining the Xbox Live community and
the prepaid membership cards will indeed satisfy my privacy issue, I
still have a bad taste in my mouth from this experience and will have
to let this issue rest before I attempt another subscription request.

Apparently, it's more important for me to ensure
that I'm absolutely, positively certain that I want to close Microsoft
Word document without saving changes than it is to alert the user that
their personal information just checked in to the Xbox Live Roach Motel and can't check out.

Labels: Privacy
Random Dude | ‎01-20-2007 12:36 AM
I totally agree with you. While signing up just to get the latest console update I became concerned by the amount of info they wanted. Especially the way they ask for a little at a time so it's like the La Brea tar pits and you don't know how stuck you are until it's too late. On one page they want your telephone number. On a later page they want your full name. And later they want your CC info. Annoying...
| ‎01-22-2007 04:16 PM
Any reason the MS article is no longer found?
| ‎01-23-2007 10:12 PM
I've had the same experience.... I added my credit card to my son's Xbox 360 so that he could purchase a one-time game download and then afterwards was unable to remove it! He was given a 12 month Live renewal card for Christmas but before it was entered they charged another 12 months of Live on my card. I just had another look at my credit card online and found two more charges this month from Xbox Live which I assume are for downloads that my son requested but this has to stop! Very frustrating.

| ‎01-25-2007 05:37 PM
Thank you, I just ran in to the same problem and received about the same responses from Microsoft. I was actually told that if I was concerned, I should just cancel my credit card. I did file a complaint with the better business bureau and the FTC as well as my bank, but I get the feeling they aren't going to do anything.
| ‎02-02-2007 11:16 AM
I also recently picked up a 360 and thought I'd jump online via xbox live, but stopped when they wanted all the personal information so I would have time to see what they need it for. I found it more than annoying that to use my iPod with the 360, I have to get on xbox live to get a patch (seemingly for no other reason than to let them tally who has an iPod) The 360 does seem like a bit of a digital trojan horse.
| ‎02-27-2007 08:12 PM
And that, kiddies, is why you keep a throwaway credit card which only has a small balance. I call these 'proxy cards'. You can use your real credit card to 'fill up' your proxy card with X amount of dollars. If I want to sign up for 6 months of XBOX online, I put enough money on the card and sign up. I rarely have much money on my proxy card, but it works great for signing up for services which require a credit card (Blockbuster, XBOX online, etc.). I would never use a non-proxy credit card online...that's just crazy.
| ‎03-12-2007 10:45 PM
Did you ever get your information removed?

I can't believe that there is not a way to remove this information. I have an XBOX that I have an XBOX Live account with. Now I have a XBOX 360 and am getting rid of my XBOX. So now I have to leave my Information on this XBOX for the next person to use? or I have to cancel my credit card get another and set up that info on the 360. There should be a law against something like this.
| ‎06-29-2007 04:23 AM
I too experienced this problem. Despite all of its rebranding, it's still Microsoft and they will still screw you any way they can.
| ‎07-19-2007 09:30 AM
This may be a good place to use the one-time-use credit card numbers that card issuers often provide. I'm pretty much at the point of doing that for every transaction that doesn't require the physical card, now.

Ostensibly, at least for the card I've used, that one-time card number can only be used with a single vendor. Additional uses beyond that vendor should be flagged and fail.
| ‎12-07-2007 01:06 PM
You're best off using a prepaid subscription card and bogus contact info. Just write the bogus info down somewhere so you can refer to it if asked to confirm information you provided. Why you would give them a credit card in the first place when you don't have to?
| ‎04-24-2008 03:45 PM

yea i@ve heard from other forums that if you cancel your credit card or renew your credit card, xbox can still (somehow)legally trace it and continue scamming you

| ‎06-28-2008 05:04 PM

I called in yesterday to have my CC info wiped, and spent 45 minutes waiting for their "supervisor" to take the call.  I had to leave for urgent business, and had to cut the call there.  Now, I'm actually in the process of "waiting-for-the-supervisor-who-doesn't-exist", and it's been 15 minutes so far!  WHAT is going on here!!  I think things go about this way in the billing office:

Representative:  We have another guy wanting to clear up his CC info.

Supervisor:  Heh, heh!  Great! Let 'em hang for a while.  10 dollars say's he won't last 10 minutes waiting--any takers?

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.