{"id":59119,"date":"2025-08-01T19:14:09","date_gmt":"2025-08-01T19:14:09","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/tested-microsoft-recall-can-still-capture-credit-cards-and-passwords-a-treasure-trove-for-crooks\/"},"modified":"2025-08-01T19:14:09","modified_gmt":"2025-08-01T19:14:09","slug":"tested-microsoft-recall-can-still-capture-credit-cards-and-passwords-a-treasure-trove-for-crooks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/tested-microsoft-recall-can-still-capture-credit-cards-and-passwords-a-treasure-trove-for-crooks\/","title":{"rendered":"Tested: Microsoft Recall can still capture credit cards and passwords, a treasure trove for crooks"},"content":{"rendered":"

exclusive<\/span> Microsoft Recall, the AI app that takes screenshots of what you do on your PC so you can search for it later, has a filter that’s supposed to prevent it from screenshotting sensitive info like credit card numbers. But a The Register<\/em> test shows that it still fails in many cases, creating a potential treasure trove for thieves.<\/p>\n

Recall was introduced in 2024 as an exclusive app on Copilot+ PCs<\/a>, which are laptops that come with a dedicated Neural Processing Unit (NPU) to help with AI-related tasks. Initially, researchers found<\/a> serious security issues with it, and Redmond pulled it in the spring before re-introducing an ostensibly more secure version in fall 2024. These days, a screen encouraging you to enable it is part of the Windows setup experience on many new PCs.<\/p>\n

\"Microsoft's<\/a><\/p>\n

Microsoft’s out of the box experience pushes you to enable Recall – Click to enlarge<\/p>\n<\/div>\n

Although Microsoft claims that Recall is safe and private<\/a>, the software could be a goldmine of personal information if a miscreant manages to break into your system. The app has a “Filter sensitive information” setting enabled by default that’s supposed to exempt personal data such as credit card numbers and passwords from capture. However, according to our tests, that filter frequently fails. And there’s no way it would know to avoid potentially damaging entries in your web history that you’d rather keep private (such as things related to your medical history or personal life). Just as bad, the screenshots Recall takes are available to anyone who has your PIN number, even via remote access.<\/p>\n

Sensitive information filtering: good, but not good enough<\/h3>\n

To find out just how well the sensitive information filter works, I took a Lenovo Yoga Slim 7x Copilot+ PC with Recall enabled and tried entering many types of personal data that no one would want getting into the wrong hands. To give credit where it’s due, the tool correctly identified and excluded a lot of financial data, some passwords, and most instances of Social Security numbers.<\/p>\n

When I logged into my bank account, Recall snagged both my bank’s home page and several screens where my balance and a list of deposits appeared. On the bright side, it correctly excluded the screen with my account and ABA routing numbers on it. So an attacker would know which bank I use and how much money I have, both details that could help them, but not my credentials or account number.<\/p>\n

Recall did a pretty good job with shopping forms. When I went to the Microsoft site and added a credit card to my account, it took a screenshot with the card number, CVC and date fields blank. And when I created my own fake web page with a credit card entry form (with the letters CC: in front of the number field), the software filtered it out.<\/p>\n