More Trouble In Apple's App Store
quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.
Quick anecdote (Score:5, Interesting)
I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.
Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?
Re:But they were approved! (Score:1, Interesting)
Yeah, reality's a bitch, ain't it?
Seriously, though, this should not come as a surprise. The important point is not that a rogue developer was able to get in, but that Apple was able to catch him, stop him, and let their users know about it quickly. And, just as importantly, it's unlikely this particular miscreant will be able to exploit the app store again. The "walled garden" approach doesn't mean you won't have problems, and when you have so many developers signing up for accounts it's basically impossible to ensure that none of them will ever misbehave. The problems that do occur stand a good chance of being contained and eliminated quickly, however.
I don't think anyone in their right mind with any concept of security would expect Apple to keep each and every rogue developer out 100% of the time. Maybe that's what Apple's marketing division wants you to think, but Apple's security division knows better. Make the security as good as you can make it, then set up a system to catch those who manage to circumvent it, because there will always be people who can manage to circumvent it.
The walls aren't enough. You also need gardeners. Apple just proved they have gardeners on the job for when the walls get breached.
It appears that the system worked about as well as could be realistically expected.
I'm still not a proponent of the walled garden - I don't like giving up control. The only Apple device I own is an iPod I won in a contest and it doesn't see a lot of use. But for those who prefer it for their protection this should be good news.
The second layer of defense kicked in, precisely as it should, the crack in the wall was patched, and life in the walled garden moves on.
New Credit Cards? (Score:5, Interesting)
Wait, so they suggest customers get new credit cards? Well, one thing I do not understand is this: the credit card information is with Apple, but I thought only Apple has access to this stored information. There should be no way for the bad guys to obtain my credit card information from there. If they have the credentials to my Apple account they can make Apple charge my credit card without my authorisation. But in this case Apple would have to give me back this money as I did not authorise it etc. And as soon as I have changed my password ... the problem should stop (as long as they don't get my new password somehow)...
Or what am I missing here?
Approved apps? (Score:5, Interesting)
Just wondering: So if harm is done with apps approved by Apple ... isn't Apple then also liable for the fraud done by them?
Re:Quick anecdote (Score:3, Interesting)
> Consider either using iTunes gift cards.
Gift cards like those worry me and I refuse to buy them for ANY company. I've seen too many people buy gift cards (that just use a number string) and try to get the credit from the card after buying them, only to be told that the number has already been used by someone else (they use them by using a Random Key Generator). And since it's just about impossible to prove that you were the first and only owner of it, you're typically SOL.
Apple Slashdot Attention (Score:2, Interesting)
Re:Quick anecdote (Score:4, Interesting)
> My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.
TFA agrees with you ("Remove your iTunes card details and consider using gift cards where possible."), but using a gift card is a really bad idea. The article also says to "try prevent any iTunes purchases from clearing." These suggestions show a misunderstanding of the legal protections afforded consumers when we use credit cards.
Under the law, you have 60 days to dispute credit card transactions. You can do this if the transaction has cleared (which is typically less than 24 hours). You can do this even if you've already paid your credit card bill. Your credit card company is required to refund the amount to your account until the dispute is resolved and help you in the dispute resolution process. The law has some antiquated restrictions about transactions occurring more than 50 miles from your home and technically gives you a liability of $50, and doesn't cover debit cards. However, both Visa and Mastercard have policies of zero liability that cover both credit and non-PIN-based debit transactions independent of how far from your home they occur. I've disputed numerous charges for various reasons, including having someone make a copy of my card in Mexico (I still had the card but the bank said it was a card-present transaction). Disputes have always been resolved quickly and in my favor. In short, using a credit card is the safest way to buy stuff. Always use a credit card for any purchase.
Think if you'd used a gift card. Gift cards are like cash. If the purchase was fraudulent, you only lose the value of the gift card, but you have no way to get it back. I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.
Where is Apple's due diligence? (Score:0, Interesting)
One has to wonder why Apple's policies allowed the situation to get to this point. Why are any apps being approved before Apple has performed due diligence on them? No background checks on the coders? Apple is making more than enough money to make things right and come out looking to be the champion for iTunes users but it doesn't look like it will be so.
Re:New Credit Cards? (Score:3, Interesting)
Stolen database backup? It's incredibly easy, and extremely embarrassing. Most companies don't want to admit, "Well, the intern that we foisted the backup jobs on gave the tapes to some guy in an Iron Mountain shirt and now we don't know where your data is." I know it's happened locally at least twice, and neither company fessed up to its customers.
mac keyboard infection (Score:1, Interesting)
For those just tuning in, parent poster is not making this up. Mac keyboards have been infected with keyloggers [digitalsociety.org] in the past. The mind boggles why Apple would make their keyboards re-flashable.
Re:Apple isn't arrogant? (Score:1, Interesting)
It happens to be true. Anyone who's used OSX for more than a few minutes quickly realizes that 1) it looks really nice and 2) it doesn't work very well. Let me give you a few examples of this and other evidence Apple is more about form than function:
1) In many cases, waking up an OSX laptop takes several minutes.
2) Network timeouts can freeze the entire OS for many seconds.
3) There is no simple, one button way to right-click, even though many things require right clicking.
4) The command shell doesn't accept mouse input.
5) Locking the screen doesn't always hide the screen.
6) You have to restart the computer to update Safari.
7) Many of the new UI features lately have made the OS less usable but better looking. For example, the transparency in the dock makes it harder to tell which window is active. The transparent menus make them harder to read.
8) The laptops will get annoyingly hot (so that they are painful to touch) before the fans will turn on, presumably to lower the noise level at the expense of shortening the life of the laptops.
9) The metal case of the MacBook Pro dampens wireless signals.
I could go on, but I think you get the point. In all of these examples, either function is sacrificed completely or form is chosen over function. That's not to say that this is the wrong decision. I can definitely appreciate the design of the system, even if they have to make some sacrifices in other departments to achieve that goal. However, it is very clear that Apple often sacrifices function for form. Their customers pay for a product that is better looking, more consistent, and simpler than the competition and for that, they sacrifice customizability, utility, and reliability. This is no secret and there's nothing wrong with it and there's no point making fun of either side because they have different priorities. But pretending that Apple doesn't do this is just sticking your head in the sand.
The attacks on Apple continue (but not from apps) (Score:3, Interesting)