iTunes Gift Card Key System Cracked, Exploited

moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."

Re:Ouch.

[teh moges]

I actually didn't think this would be possible.
In Australia, when you buy mobile phone recharge (extra credit to make calls), you buy a coupon which is only activated after its brought from an authorized dealer. Once the code is used, that code is useless.
It does mean that each retailer has to have some connectivity to base office, but it stomps out generating new keys as much as you want.

Re:BitTorrent

[Anonymous Coward]

Not everything on iTunes is on BitTorrent or the like.

Re:Ouch.

[smellsofbikes]

>but it stomps out generating new keys as much as you want.

Sort of. As the previous poster was alluding to, if the card numbers are generated sequentially and stored on the card, all you need to do is know your number, add about 100, put that number on your card, and wait for it to be activated so you can use it. You don't have to access the main server: you just wait for your number to show up.
There was a neato scam running a while back where people would steal piles of seemingly useless blank gift cards, record the number off the card into a database, put them back in stores, wait a month, then try and use the number. If the card had been activated but not used (a gift card sitting in a present or a wallet somewhere) they bought what they could as fast as they could.
I assume companies now sell entirely blank cards, that are programmed at time of sale, rather than pre-enumerated cards merely being scanned for activation.

Re:Let's consider the crypto solution

[Anonymous Coward]

That check won't work for integers - people won't redeem cards sequentially.

Re:Ouch.

[Lehk228]

no they still use the pre numbered cards. now they have a foil covered pin on the back but who would notice if it was missing.

Re:Occam's razor

[plover]

Well, I personally know that InComm [incomm.com] is an authorizer to companies that sell iTunes cards at retail, and that unactivated cards have no value. No algorithm is used for those cards, other than the non-sequential generator (to prevent my_card_number+1 fraud.)

But I also know that TFA claims that an algorithm is broken allowing for virtually unlimited generation of cards.

So either TFA is either wrong or deliberately lying (improbable, but not impossible) or both the algorithm and on-line methods are being used by iTunes (neither particularly odd nor improbable.)

It's not an XOR situation.

Re:And You Wonder Why Amazon MP3 Only Works in the

[SectoidRandom]

When it comes to international copyright it is no surprise to me that across borders people are far less inclined to respect copyright laws of another country.

It reminds me of something that I read once that stated that back in the 19th century before the US had established it's own home-grown authors and publishing industry, it was common place for Americans to simply copy and republish without consent the work of European authors and publishers. That was of course despite the constant complaints of European publishers and governments.

Of course eventually the US publishers had grown to a position where they themselves realized that they needed copyright in order to continue growing with the now booming local literature scene, hence the "true" birth of enforced US copyright.

(History repeating itself. Hmm, now how often does *that* ever happen - sarcasm)

Unfortunately I have no original sources to this 'tale', I would appreciate if anyone can either confirm or deny this with some evidence, as it is such a compelling story I would like to believe that it is true!

Buy them here but . . .

[essinger]

I would really think twice about using your credit card!

http://search1.taobao.com/browse/0/n-g,nf2hk3tfom-------2-------b--40--commend-0-all-0.htm?at_topsearch=1&ssid=e-s1

Re:And You Wonder Why Amazon MP3 Only Works in the

[tacarat]

You can't identify the illegitimate cards. Each individual card isn't kept track of. The bar code on each of them is more like the answer to a math problem. If you know how to solve the problem, you get in, no questions asked. The only thing they can do is change the math problem and eventually get rid of the old one as a valid question to answer.

Re:And You Wonder Why Amazon MP3 Only Works in the

[mean pun]

Isabella Bird, in her book The Englishwoman in America (1856) mention this copying causally, as something everyone knows.

China: One big Black Hole

[NineNine]

If the Chinese government doesn't start some kind of law enforcement, China is going to be a giant Black Hole. Blacklisting IP blocks from Chinese ISPs is the best thing I've ever done in terms of spam and malware control.

Re:Ouch.

[bluefoxlucid]

They work right off the truck. No activation.

Errm, many here seem to have no clue...

[Lars T.]

how the gift cards work.
http://www.apple.com/support/itunes/store/giftcard/ [apple.com]
http://store.apple.com/us/help/gifting#cards [apple.com]

Re:Occam's razor

[YesIAmAScript]

Yes, I would imagine that at least some of the gift codes (there are no cards here, just the codes) will be revoked soon.

As to the "no comment" situation, since when does Apple comment on anything?

Re:Ouch.

[HatofPig]

At Loblaw's our President's Choice gift cards need to be peeled out of the frame they are inset into, with backing. There's no way to get anything off of the card until then. Plus the frame holds the little hole so you can hang them on the shelf.

And phone cards all just have identical barcodes. The POS system then generates their activation code upon confirmation of payment, and prints it on their receipt.

This is in little ol' Canada, by the way.

Re:And You Wonder Why Amazon MP3 Only Works in the

[History's Coming To]

Here's a close analogy:

ISBN numbers are made out of a series of numbers identifying the language, publisher, imprint and title/edition. The last digit is the mod 11 of the sum of the numbers, each multiplied by a weighting digit based on its position in the string. To make a barcode you have three different image patterns for each digit. The last six are all represented by type "R". The first one is not represented, except for defining a pattern of "L" and "G" types for the first six numbers, and encoding itself in the process. Interesting programming exercise in the language of your choice.

So all you have to do is reverse engineer the method used and you're there..although I suspect Apple's system is somewhat more technically challenging.

Re: freebie

[edman007]

It is a federal crime to open mail shipped through the United states postal service that has not been delivered to the addressee.

http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001702----000-.html [cornell.edu]

when the mail man messes up they don't open it (and there are exemptions somewhere to allow them to open it when required). If you receive something not meant for you then you should give it back to the post office, don't open it.

Re:Huh

[thuerrsch]

In UK law, at least, which is what 90% of the world base their law systems on:

90 percent? More like 20 [wikipedia.org]. But then, 90 percent of all statistics are made up on the spot ...

Re:And You Wonder Why Amazon MP3 Only Works in the

[wvmarle]

This comment is not just funny, it is silly and obviously from someone who knows nothing about China.

For one, the Chinese themselves come up with a lot of IP. This ranges from music productions to technical innovations (yes also that, believe it or not). And yes they are copied big time, even though the Chinese government does try to enforce the protection of this IP. And yes it does so much more vigilantly than the protection of foreign IP. Mind that many US and other overseas patents are not valid in China in the first place, patents after all are limited to the countries/areas where they have been applied for and issued.

If someone comes with a new product in China and has some success, everyone will jump on the bandwagon and make it as well. Even if there is no protected IP involved. If someone starts making plastic coffee cups for example, and makes a good buck out of it, dozens of other factories will spring up and do the same. They all copy one another.

If you come up with some innovation in China and you really want to keep it for yourself you will have to keep it a secret. Don't tell anyone how you do it. This is why many Chinese are very reluctant to show you their production lines, and often you won't get access there at all. Taking photos of machines is also something that many Chinese really don't like. At trade shows many booths also have a no-photo-taking policy because otherwise within a few days they will find their newly designed jewellery at half the price all over the place. At their neighbour's booth for example (not joking).

IP in China is as if there is effectively no IP. Everyone copies from everyone with impunity. There is little enforcement, and what enforcement takes place is largely showing off to the outside world, staged media events making it look like something is being done. China can as such be used as case study for what happens if IP would be abolished. And it is overall not a pretty picture.

Re:Occam's razor

[denzacar]

If you do that, you have to ship the purchased items somewhere.

There is this strange concept called "rented apartment", I'm not sure if you have heard of it?
Have all the goods delivered within couple of days, loaded on a truck and then make like a tree and get out of there.

Also, you could sell stuff directly to other people.
Open up a store on ebay or amazon for real items - with an attractive discount.

- People come, pay you real cash over amazon or through paypal,
- You buy items from somewhere on the internet using your stolen cards and mail them directly to your customers.
- Wait a bit.
- Profit!

Re:And You Wonder Why Amazon MP3 Only Works in the

[Anonymous Coward]

our English works of good repute being a wanting The facility with which English books are reprinted in America and the immense circulation which they attain in consequence of their cheapness greatly increases the responsibility which rests upon our authors as to the direction which they give whether for good or evil to the intelligent and inquiring minds of the youth of America minds ceaselessly occupied both in religion and politics in investigation and inquiry in overturning old systems before they have devised new ones The Englishwoman in America By Isabella Lucy Bird [google.co.uk]

pbhj

Re:Huh

[Anonymous Coward]

Ummm....the majority of the world utilizes a civil law system, not a common law system such as England's.

Maybe you meant to say that the majority of the world has defined crimes similar to English fraud, but saying that 90% of the world bases their system on UK law is completely and utterly wrong.

Re:BitTorrent

[shmlco]

Not even one line??? Golly.

But if true, then why they have an entire subsite devoted to Open Source, with links to the source for Darwin and the Mach kernel, WebKit, Bonjour, and more???

http://developer.apple.com/opensource/index.html [apple.com]

Either you don't know what you're talking about or... you don't know what you're talking about.

If I were you I'd open my eyes.... (grin)

Re:Huh

[xtracto]

In UK law, at least, which is what 90% of the world base their law systems on:

Being an English, by majority of the world he meant Southern Ireland, Northern Ireland, Wales, Scotland and America (refering to the USA only)... oh! and also tath small Island how was it called? mmm Astralia or something

Re:Credit Card Ponzi Scheme

[oftenwrongsoong]

I imagine they're doing a superset of what you say. Mr. Idiot gives them his CC#. They sell Idiot a $50 gift card for $1. Idiot thinks all is well. Meanwhile they wait a month or two. Then they start using Idiot's CC to buy other stuff. Idiot goes WTF?! and reports the fraudulent transactions. Hundreds of similar idiots do the same. Some smart law enforcement people cross reference the transactions and find that all people who bought from a certain vendor ended up with fraudulent activity two months later. This happened before. In one example, a restaurant swiped credit cards twice, once to charge the card and once again in a second machine to record the card info. Weeks or months later they'd use the recorded info to buy stuff, until someone cross referenced and found them out. In the restaurant's case, the customers did no wrongdoing. But in this gift card case, the idiots are in some serious trouble. By reporting the fraudulent activity (which they have no idea is connected to the counterfeit gift card they bought), they will incriminate themselves because the same law enforcement people will figure out that the original, intentional, transaction was for counterfeit gift cards. Meanwhile the people running this scheme are in some other country and probably can't be touched. A bad deal any way you look at it, both for Apple and for the idiots trying to rip Apple off for cheap music.

Re:BitTorrent

[Anonymous Coward]

Ever hear of viruses spreading through "Autorun"?

fixed.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:And You Wonder Why Amazon MP3 Only Works in the

[MrAngryForNoReason]

I don't know how it works in the US but certainly in the UK iTunes gift cards are activated at the checkout to prevent shoplifting.

Re:Occam's razor

[RivieraKid]

Don't be ridiculous. You have six months, and you are required by law to inform the sender. They are obliged to collect it at their expense, but if they haven't within six months, then and only then, is it yours to do with as you please. The fact that it was not addressed to you, regardless of being sent to your address, means that you just committed an act of treason in the UK.

Please see section 84 of The Postal Services Act 2000 [opsi.gov.uk] which states:

128. Subsection (3) makes it an offence for a person, intending to act to a person's detriment and without reasonable excuse, to open a postal packet which he knows or suspects has been incorrectly delivered to him.

Why would it become your property after 28 days when the sender doesn't even know it didn't get to the intended recipient?

Even if the phone is duly reported lost or stolen after the 28 days then sorry, UK law permits the sale so it is entirely legal. I just wish they had sent me more phones ;)

So now you are seriously telling us that it is legal to sell stolen property, so long as the police don't catch you within 28 days?

You sir, are an ass.