Crime Iphone Software Apple

Users Report Foul Play In App Store Rankings, Purchases

Posted by timothy
from the shouldn't-be-an-app-for-that dept.
An anonymous reader writes "Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store feature 40 out of 50 apps by the same app developer, Thuat Nguyen. What's more concerning is that it seems individuals' iTunes accounts have been hacked to make mass purchases of that one developer's apps." Among the comments attached to the linked story is one which suggests the security problem may lie elsewhere.
  • Re:Hrm (Score:5, Informative)

    by dlanod (979538) on Sunday July 04, 2010 @06:32PM (#32794302)

    I do use iTunes and the level of reviews are generally so crap as to be useless anyway. They tend to either be "this crashed on me once, 1 star" or "AWESOME!!! 5 stars!". That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

  • by immaterial (1520413) on Sunday July 04, 2010 @06:37PM (#32794324)

    Last month, a user posted a forum comment stating, "I am going to tell you the truth about what has been going on with your account." The anonymous user then explained, "let’s say you are a Chinese guy or girl with an iPhone or iPad and you want to get some music, movie or app. How do you do it? You go to http://www.taobao.com/ [taobao.com] The (by far) largest online market in the world and type iTunes in the search bar. Immediately you will be presented with a list of more than 7,000 items.

    "You want to save money, so you filter the list to show only items under RMB25.00- (US $3.60) and still you have more than 3,600 offers. So you pick someone at random like, as an example, this one: http://item.taobao.com/item.htm?id=5516054242 [taobao.com]. You open the online chat and you transfer him RMB22.00 (US $3.20). He asks you in the online chat to provide a new iTunes account name and password, and you comply: User: qiuwge3foe3333@yahoo.com Password: qwer34567

    "He asks you to wait 10 minutes online. He already has a number of user accounts under surveillance, so he enters the iTunes account of his victim, changes his/her username and password to the one you provided, and comes back to ask you to try it and approve the transaction so Taobao.com releases his money. Even if you can't read Chinese you can see very clearly in his item description that this account will not last more than 24 hours (the time for his victim to see the charges mounting and then cancel the credit card).

    "He claims that he selects 'his' accounts so you can drain at least US $250.00 from them before they get cancelled. He urges you to be fast and buy and download as fast as you can. Start immediately! Keep the download going on for the full 24 hours! There are no warranties on how long it will last! Because he already changed the username and password, the victim can’t stop you."

    More details here [appleinsider.com] though so far there's no explanation of how the accounts are getting hacked.
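
Added example (not part of the comment above or the linked article): the pattern the quoted account describes, where both the login name and the password are replaced and purchases then run for up to 24 hours, can be checked for in account event logs. The event names, the sample events, the 15-minute pairing gap and the $50 alert threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # account lifetime quoted in the comment
SPEND_LIMIT = 50.00           # assumed alert threshold (USD), well under the $250 drain

# Constructed sample events: (ISO timestamp, account id, event type, amount)
EVENTS = [
    ("2010-07-03T09:00:00", "acct-1", "purchase", 0.99),
    ("2010-07-03T10:00:00", "acct-2", "password_change", None),
    ("2010-07-03T10:05:00", "acct-2", "purchase", 4.99),
    ("2010-07-04T01:00:00", "acct-3", "email_change", None),
    ("2010-07-04T01:01:00", "acct-3", "password_change", None),
    ("2010-07-04T01:10:00", "acct-3", "purchase", 29.99),
    ("2010-07-04T02:30:00", "acct-3", "purchase", 24.99),
    ("2010-07-04T03:00:00", "acct-3", "purchase", 9.99),
    ("2010-07-05T12:00:00", "acct-4", "email_change", None),
    ("2010-07-05T12:02:00", "acct-4", "password_change", None),
    ("2010-07-07T12:00:00", "acct-4", "purchase", 99.99),
]

def find_takeover_spend(events, window=WINDOW, limit=SPEND_LIMIT,
                        pair_gap=timedelta(minutes=15)):
    """Return {account: spend} for accounts whose login email AND password
    were changed within pair_gap of each other and which then spent more
    than `limit` inside `window` of that change."""
    last_change = defaultdict(dict)  # account -> {event type: time}
    lockout_at = {}                  # account -> time both credentials were replaced
    spend = defaultdict(float)
    for ts, acct, kind, amount in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind in ("email_change", "password_change"):
            seen = last_change[acct]
            seen[kind] = t
            if len(seen) == 2 and abs(seen["email_change"] - seen["password_change"]) <= pair_gap:
                lockout_at[acct] = t   # owner can no longer log in from here on
                spend[acct] = 0.0      # start counting from the lockout
        elif kind == "purchase" and acct in lockout_at:
            if t - lockout_at[acct] <= window:
                spend[acct] += amount
    return {a: round(s, 2) for a, s in spend.items() if s > limit}

if __name__ == "__main__":
    print(find_takeover_spend(EVENTS))
```

A password change alone (acct-2) and a purchase two days after a credential change (acct-4) are not flagged; only the account drained inside the 24-hour window is.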

  • PICNIC Problem (Score:1, Informative)

    by Anonymous Coward on Sunday July 04, 2010 @06:45PM (#32794382)

    This is a Problem In Chair Not In Computer problem. If users are stupid enough to respond to the iTunes phishing scams that circulate then they shouldn't be surprised when someone uses their details.

    My suggestions:
    1. Report any fraudulent transactions to your credit card company/bank so the transactions are stopped. And get your card cancelled.
    2. Login and choose a secure password morons

  • Re:Hrm (Score:3, Informative)

    by whisper_jeff (680366) on Sunday July 04, 2010 @06:47PM (#32794390)

    Perhaps this is just another reason why I don't use iTunes.

    Do you pay for everything with cash? And, I mean _everything_. No, really - you do realize that this situation is not unique to iTunes, right? Hackers could go after your Amazon account, your Hydro account, or even your bank account. If the information is stored on a computer, hackers can (and have) found ways to go after it. It is not unique to iTunes.

    If you don't like iTunes (as you clearly don't), just don't use it because you don't like it - there's no need to make up excuses. Otherwise, back it up and cancel your bank account and start paying for everything by cash. (*)

    *I've heard of some people, who were sufficiently concerned about their information getting into the wrong hands, who do exactly that. It's a bit extreme, in my opinion but they at least put their money where their mouth is, so to speak.

  • by noidentity (188756) on Sunday July 04, 2010 @06:55PM (#32794438)

    Oh, and it's a holiday in part of North _America_. That doesn't mean it's a holiday in the rest of the world. Just FYI.

    Refined that for you.

  • Re:Hrm (Score:5, Informative)

    by Mitsoid (837831) on Sunday July 04, 2010 @07:12PM (#32794518)
    Other problem with iTunes,
    "All sales are final."

    From Terms and conditions, security section:
    "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

    So better hope something else protects those people harmed, as I don't think California law (The "fall back" for iTunes T&C) will help much if a hacker steals $100-300 from you from another country.

    Glad I stopped storing my CC info with iTunes after they pulled products I paid for from the store and wouldn't let me re-download. They may have nice hardware, but their policies are horrible for end-users.
  • Re:Hrm (Score:4, Informative)

    by BasilBrush (643681) on Sunday July 04, 2010 @08:05PM (#32794762)

    That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

    It would be pretty pointless mentioning them because for at least two years it's been impossible to review/rate an app unless you've actually bought it.

  • Re:Hrm (Score:5, Informative)

    by jrumney (197329) on Sunday July 04, 2010 @08:48PM (#32794954) Homepage
    Let your credit card company fight that fight. They are obliged to refund you, and have bigger pockets for lawyers to make Apple accept liability for its own security problems.
  • Re:Hrm (Score:2, Informative)

    by hedwards (940851) on Sunday July 04, 2010 @09:05PM (#32795008)
    I doubt very much that's an American thing. If you don't have any debt, as in no loans, CC etc., then they don't know how to rate your risk. Which doesn't make you high risk so much as an unknown. Which for reasons related to prudence means that any lender should eye such a person with caution.
  • by hedwards (940851) on Sunday July 04, 2010 @09:09PM (#32795028)
    Eh, not just that, I got a call the other day from US Pharmacy, wanting to know about my Xanax prescription. I don't take Xanax and a quick google revealed it to be a phishing scam wherein they eventually ask for your CC number to supposedly look up the account information. Of course, I hung up when he wouldn't admit that I don't have a prescription for that from them.
  • by perpenso (1613749) on Sunday July 04, 2010 @09:28PM (#32795064)
    Some banks / credit cards allow you to generate temporary credit card numbers with a limit that you specify. The ones I've seen in use also tie themselves to the first vendor they are used with. The temporary credit card number is effectively an alias for your real number. Personally I think these temporary numbers are far better to use online than a real credit card number.

    --
    Perpenso Calc [perpenso.com] for iPhone. Classic Scientific and HEX functionality plus RPN, fractions, complex numbers, 32/64-bit signed/unsigned bitwise operations, UTF-8, IEEE FP decode, and RGB decode with color preview.
  • by noidentity (188756) on Sunday July 04, 2010 @09:45PM (#32795114)
    BTW, Slashdot has an automatic signature feature, which gives you two benefits: you don't have to add it manually after each post, and those readers who aren't interested in the clutter of signatures can turn them off. When you add it manually, you annoy the latter group.
  • Re:Hrm (Score:3, Informative)

    by LoRdTAW (99712) on Sunday July 04, 2010 @10:00PM (#32795194)

    Like the poster above said, sometimes it's neither. My brother's Gmail was hacked during the big Chinese Google hacking debacle. His WoW account was then compromised. Thankfully he has a G1 phone and saw the change password notification email on his phone and put a quick stop to it. Blizzard restored everything and he now has the little FOB thing with the LCD screen. And he changed all his account passwords (he uses very strong completely random passwords). Hasn't had a problem since.

  • by Anonymous Coward on Sunday July 04, 2010 @10:00PM (#32795196)

    Hmmm, I wonder if I can guess what country you're from.

    I'm thinking it's probably one that claims to belong to its people, and in reality belongs to an oppressive plutocracy with an absolutely brilliant record for brainwashing its subjects.

  • by Anonymous Coward on Sunday July 04, 2010 @10:05PM (#32795206)

    The exact same thing used to happen (and possibly still does) with PalmOS apps and the associated online stores. Certain developers, mostly Asian-based, would create very basic, sometimes useless apps, and list them on stores like Handango for low, low prices. Then they'd suddenly skyrocket in the listings. If you grabbed a demo version, you could see that a lot of these applications were complete duplicates with just the name changed. They'd bank on some legit sales once the app was ranked, but boost their own sales with stolen credit cards/accounts. Every now and then, someone would get delisted. I'm surprised, given that it's been years since I did anything on the PalmOS (had a few apps myself, only I just created them out of boredom and could care less about sales), that this wasn't foreseen by Apple. It's a pretty basic scam.

  • Re:Unpossible! (Score:3, Informative)

    by Kitkoan (1719118) on Sunday July 04, 2010 @10:35PM (#32795314)

    Ignoring the 'X OS is more secure than Y OS' debate, nothing is immune to being hacked. It just takes time and a desire. Like every system, if someone wants to break into it enough then they will find a way. Something like this would have been a targeted attack which pretty much makes any normal security moot since the way it was done would have been unique to this system. It's a tailor-made attack and nothing short of disconnecting the iTunes server could have prevented it.

    On a side note though, it was an interesting move for them to do this on a long weekend since it's the 4th of July holiday weekend in the US and since this is a US company they no doubt have a lot of their staff off so they can enjoy the holiday. Least amount of physical presences and security to watch out for such an attack. Tomorrow might be one hell of a day at the office for Apple though.

  • Re:Hrm (Score:3, Informative)

    by shutdown -p now (807394) on Sunday July 04, 2010 @11:44PM (#32795720) Journal

    I do use iTunes and the level of reviews are generally so crap as to be useless anyway. They tend to either be "this crashed on me once, 1 star" or "AWESOME!!! 5 stars!". That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

    As a side note, that's almost exactly like in Android Market - with the sole difference that you can't write a review there without installing the app, so you don't have "didn't buy, 1 star". The rest is spot on.

  • Re:Hrm (Score:3, Informative)

    by winwar (114053) on Sunday July 04, 2010 @11:58PM (#32795830)

    "You are still responsible for your entire purchase. The FTC Will not force your card company to refund you (Letter of the law does not require it). If you notify your card company you are responsible for the first $50 in charges -- YOUR CARD COMPANY MAY be kinder, but the LAW does not require it."

    You might want to read the FTC site. Your liability is zero if the charge involves your CC number rather than your actual card.
