Mystery of Vanishing iTunes Credit Shows No Sign of Fading

Posted by timothy
from the sounds-like-the-fraud-department-at-amex dept.
E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."

  • Great (Score:3, Insightful)

    by Antisyzygy (1495469) on Saturday September 10, 2011 @12:39PM (#37362814)
    Apple should really look into this more, rather than just passing off the blame. Typical.
    • Re:Great (Score:5, Insightful)

      by DurendalMac (736637) on Saturday September 10, 2011 @12:45PM (#37362846)
      We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.
      • Re:Great (Score:5, Interesting)

        by iamhassi (659463) on Saturday September 10, 2011 @01:00PM (#37362936) Journal
        A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

        If you read the article every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

        Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com]
        • Re: (Score:2, Funny)

          A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

          A few hundred = a not even that successful phishing expedition. Even a few thousand would be a drop in the bucket.

          Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com]

          They could ask him but they don't have enough to block him. Someone also bought Monkey Island 2, does that mean Apple should block LucasArts?
          Apple should issue refunds, just because it's good business but the problem here in all likelihood is on the client side.

      • by AmiMoJo (196126)

        This is just a rumor so make of it what you will, but some sources claim that it is an attack on credit voucher serial numbers. After all why buy random apps if you can't use them? They will be tied to the owner's phone.

        • Re:Great (Score:5, Interesting)

          by brusk (135896) on Saturday September 10, 2011 @01:16PM (#37363030)

          After all why buy random apps if you can't use them? They will be tied to the owner's phone.

          No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

          • by hedwards (940851)

            That's one possibility, a couple more are that it's for lulz or that it's revenge by some developer that's pissed because of Apple's ridiculous policies for being granted access to the App store.

          • by w0mprat (1317953)
            Obviously, one of the random apps purchased will belong to the crooked developer/hacker. But if they've bought apps from multiple developers it would hide their fraud amongst random transactions. Steal $100 million to get $1 million? Probably worth it, if also untraceable.
      • by zill (1690130)
        We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.
    • by alteran (70039)

      I don't get why you're complaining. It's clear that the users were holding their iTunes accounts wrong.

      • Who says I am complaining? I am merely stating facts. Passing off the blame on users for a known issue before addressing it in full is never a good way to handle business, asshole.
  • Weak passwords?! (Score:5, Insightful)

    by NFN_NLN (633283) on Saturday September 10, 2011 @12:44PM (#37362832)

    Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

    Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

    • by Antisyzygy (1495469) on Saturday September 10, 2011 @12:59PM (#37362922)
      That would infringe on people's desire to have passwords like "cats" or "1234".
      • by Nerdfest (867930)
        Apple generally doesn't care much about infringing on people's desire to do certain things. This might be one of the few times when their control-freakery would be well placed.
    • Re:Weak passwords?! (Score:5, Informative)

      by Anonymous Coward on Saturday September 10, 2011 @01:08PM (#37362980)

      There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

      Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your apple ID, or a password you've used in the last year.

      The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

      • by hedwards (940851)

        8 characters is a joke. Even a decade ago 8 characters was a joke. Even if you include a punctuation mark, it's still pretty ridiculous.

        • by Roogna (9643)

          8 characters isn't all that bad, considering it's unlikely even the best methods will find the match in the first 3 guesses. Apple does lock accounts after 3 failed attempts and force a password change through the e-mail on file. This of course does -nothing- against phishing, but neither does the most secure password on the planet if it's typed into a false site. Of course if they hacked these peoples e-mail then they can reset the password to whatever they want... but this should just teach everyone t

        • by Duradin (1261418)

          After a few password failures the iTunes account clears your CC security code (i.e. can't purchase anything), so 8 characters is more than enough.

          I've never used stored credit so I don't know what happens when there's too many failed attempts.

        • 8 characters is a joke. Even a decade ago 8 characters was a joke.

          8 mixed case alphanumeric characters is 281474976710656 passwords to brute force. Assuming there is no way to achieve an offline attack (which is likely in this case), that means you would have to hit Apple's server that many times with an incorrect password before finding the correct one.

          Let's say you have a really fast internet connection, and can attempt to log into Apple's servers at a rate of, oh, a million times per second... that means it would take you almost TEN YEARS to guess the correct password.

          T
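Added example, not posted by anyone in this thread: the keyspace and online-guessing arithmetic the two comments above are doing, written out so the assumptions are explicit. `keyspace`, `years_to_exhaust` and `lockout_success_probability` take the comments' own parameters (8 characters, one million guesses per second, lockout after 3 failures); the alphabet sizes, the guess rate and the password-frequency figures passed to `expected_compromised_accounts` are constructed inputs, not measurements of any real service. The last function goes one step beyond the comments: it shows what a per-account lockout does and does not protect against when the same three guesses are tried once against every account.

```python
YEAR_SECONDS = 365.25 * 24 * 3600

# Alphabet sizes used below (constructed; 94 = printable ASCII minus space).
ALPHABET_SIZES = {
    "lowercase letters": 26,
    "mixed-case alphanumeric": 62,
    "mixed-case alphanumeric plus punctuation": 94,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(space, guesses_per_second):
    """Wall-clock years to try every password at a fixed online guess rate."""
    return space / guesses_per_second / YEAR_SECONDS


def lockout_success_probability(space, attempts_before_lockout):
    """Chance that a uniformly random password falls inside the few guesses
    allowed against ONE account before it is locked."""
    return attempts_before_lockout / space


def expected_compromised_accounts(num_accounts, attempts_before_lockout, guess_frequencies):
    """Expected number of accounts opened when the same short list of common
    passwords is tried against every account, one lockout budget each.
    guess_frequencies[i] is the fraction of users whose password equals the
    i-th guess; the values passed in are constructed, not measured."""
    hit_rate = sum(guess_frequencies[:attempts_before_lockout])
    return num_accounts * hit_rate


def report(length=8, rate=1e6, lockout=3):
    """Summary table for each alphabet at the comments' parameters."""
    out = {}
    for name, size in ALPHABET_SIZES.items():
        space = keyspace(size, length)
        out[name] = {
            "keyspace": space,
            "years_to_exhaust": years_to_exhaust(space, rate),
            "p_success_before_lockout": lockout_success_probability(space, lockout),
        }
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:42s} keyspace={row['keyspace']:.3e}  "
              f"years@1M/s={row['years_to_exhaust']:.1f}  "
              f"P(hit in 3 guesses)={row['p_success_before_lockout']:.1e}")
    # Constructed frequencies: 1.5% of users chose guess #1, 0.8% guess #2, 0.5% guess #3.
    print("accounts opened by 3 guesses against 1,000,000 accounts:",
          expected_compromised_accounts(1_000_000, 3, [0.015, 0.008, 0.005]))
```

The per-account numbers are astronomically safe at these parameters; the last line is the point, because a lockout counter is scoped to one account and says nothing about the fraction of users who picked one of a handful of popular passwords.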

      • Don't use spaces

        Why not? If it's not all spaces (prohibited by the three-chars-in-a-row requirement) you're good to go. I can't find it now, but I read an article a while ago that endorsed passwords containing spaces. They're apparently a lot more secure against dictionary attacks since very few people use them. On a side note my telco disallows *any* special characters, I have no idea why this is a part of any password policy.

      • by w0mprat (1317953)
        Judging by that, Password123 fits Apple's definition of a 'secure' password. So does something like S3cur1tyP355w0rd which is the kind of thing I've seen set by allegedly qualified administrators to highly critical systems.

        Ultimately including numbers, mixed case and punctuation invites easy-to-remember common substitutions and number combinations, which is what will happen 90% of the time; this doesn't significantly draw out a brute force attack attempt. A few random lowercase letters has more possible c
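Added example, not from any poster here: the password rules quoted from the iPhone's account screen a few comments up, implemented as a checker, next to the dictionary-plus-substitution check that the parent comment says the rules leave out. `apple_rule_violations`, `normalise` and `looks_like_dictionary_password` are names chosen for this example; the wordlist is a constructed stand-in for a real common-password list, and the rule that the password must not contain the Apple ID is assumed to be a case-insensitive substring test, which the quoted text does not specify.

```python
import re

# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"password", "security", "qwerty", "letmein", "welcome",
                "monkey", "dragon", "iloveyou", "admin", "apple", "itunes"}

# Usual leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def apple_rule_violations(password, apple_id, previous_passwords=()):
    """Return the rules from the quoted iTunes message that `password` breaks;
    an empty list means that policy accepts it. Previous passwords are
    compared as plaintext here only to keep the example short."""
    v = []
    if len(password) < 8:
        v.append("at least 8 characters")
    if not re.search(r"\d", password):
        v.append("a number")
    if not re.search(r"[A-Z]", password):
        v.append("an uppercase letter")
    if not re.search(r"[a-z]", password):
        v.append("a lowercase letter")
    if " " in password:
        v.append("no spaces")
    if re.search(r"(.)\1\1", password):
        v.append("no character 3 times in a row")
    if apple_id and apple_id.lower() in password.lower():
        v.append("must not contain your Apple ID")
    if password in previous_passwords:
        v.append("not used in the last year")
    return v


def normalise(password):
    """Lower-case, undo leet substitutions, drop a trailing digit/punctuation run."""
    s = password.lower().translate(LEET)
    return re.sub(r"[^a-z]+$", "", s)


def looks_like_dictionary_password(password, words=COMMON_WORDS):
    """True when the password is a dictionary word dressed up with the common
    substitutions and suffixes the parent comment describes."""
    core = normalise(password)
    return any(w in core for w in words)


def evaluate(password, apple_id="someone@example.com"):
    """Both verdicts side by side for one candidate password."""
    return {
        "apple_violations": apple_rule_violations(password, apple_id),
        "dictionary_based": looks_like_dictionary_password(password),
    }


if __name__ == "__main__":
    for pw in ("Password123", "S3cur1tyP355w0rd", "cats", "qzvmxkrtwe", "Tr7!kb9Qw"):
        print(f"{pw:18s} {evaluate(pw)}")
```

Running it shows the gap the comment is pointing at: `Password123` and `S3cur1tyP355w0rd` clear every quoted rule but are caught by the dictionary check, while a string of random lowercase letters fails the rules and passes the dictionary check.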
    • They don't allow spaces in their passwords and every password needs to be able to be typed into a touch device like the iPhone or iPad. They could definitely do more in this area.
    Trivially installed policy, and used by more than one web site I frequent. As much as I don't care for Apple, and they should install such a policy, some of the blame does fall on the users. Having a contract with several web sites for tech support and not having access to their databases directly I have an occasion to ask users for their passwords to troubleshoot, and the amount of "abc123" or "qwerty" passwords is astounding.
      • ... and the amount of people just blurting out their password to you without wondering about your lack of database access is even more astounding...
        Well, in some cases it's necessary; it's not always convenient to gain access to a client's database directly. That most users don't give it a second thought isn't that extraordinary to me.
    • by Kenja (541830)
      That's like saying they could have an option to simply not store your credit card number. Insanity!
    Because having a complicated password will prevent users from losing it in phishing scams?

      • ^^^ This.

        It doesn't matter how complicated it is if it's being compromised through social engineering. Were this a brute force attack, it wouldn't be drawn out. They'd have the data, they'd compute as many passwords as they could from the hashes for all 200M+ accounts, and they'd do as much damage as possible before anyone could respond appropriately (e.g. PS3 debacle). The pattern instead suggests this is an ongoing set of social engineering attacks which are yielding suckers on a regular basis over an ext

        • I think AppleIDs are reasonably easy to find. Mostly they are email addresses. Haven't tried if trying to login with a random email address and a random password gives any indication that the email address is an Apple ID; you would hope not. However, if hackers manage to read your emails, then they can read any purchase confirmation emails, and from these emails you can find the Apple ID.

          Now if they know many Apple IDs, they can just randomly try to login with valid Apple ID and a random weak password, a
    • They do have some policies to enforce strong passwords, and it looks like those policies have been getting stricter recently (because of this?).

      But "easily guessable" could just mean a password I use for some other service which was hacked. Apple has no way of verifying that your password is unique.

  • SMS based verification?

    • by brusk (135896)
      What if you buy the app for an iPod touch or wifi-only iPad? Or you buy it for an iPhone over wifi and are out of cellular range?
    • What you recommend will work only for iPhone and iPad 3G. It won't work for a Mac computer, a PC running Windows OS, an iPod touch, or an iPad with Wi-Fi, none of which can receive SMS.
      • by Viceice (462967)

        Build an OTP function (à la Google/Blizzard authenticator) into each iDevice that is ONLY eyeball readable into iTunes. The user only needs to read the field above and duplicate it in the field below as he confirms his purchase.
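Added example, not from the poster above or from Apple: the kind of one-time code the comment is describing, implemented as standard HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, plus the server-side check a purchase-confirmation step would need. `DeviceAuthenticator` and `confirm_purchase` are names invented for this example and are not any Apple API; the secret is the RFC 6238 reference key, used only as a demo value. The server-side check tolerates one step of clock skew and refuses to accept a code for a time step it has already consumed, which is the replay caveat a plain "type the number you see" flow needs.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


class DeviceAuthenticator:
    """Server-side record for one enrolled device (hypothetical name, not an
    Apple API). Verifies a typed code within a small clock-skew window and
    never accepts the same time step twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def confirm_purchase(self, typed_code, unix_time):
        counter = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # this step was used before: treat as replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, typed_code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 reference secret, demo only
    now = int(time.time())
    code = totp(secret, now)           # what the device's screen would show
    auth = DeviceAuthenticator(secret)
    print("first confirmation:", auth.confirm_purchase(code, now))
    print("same code replayed:", auth.confirm_purchase(code, now))
```

The device only needs a clock and the shared secret to display the code, which matches the comment's "eyeball readable" requirement; whether that helps against the phishing cases discussed elsewhere in the thread depends on the code being entered only into the genuine purchase dialog.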

          Why make things difficult for me because of a few hundred dumbasses? Apple should just eat the (relatively low) cost, refund people and turn over any relevant information to the authorities.

      • by Kalriath (849904)

        The iPad (3G) can't receive SMS either.

  • by quetwo (1203948) on Saturday September 10, 2011 @01:22PM (#37363064) Homepage

    Obligatory "You're holding it wrong" post.

  • My wife was bit (Score:5, Interesting)

    by oDDmON oUT (231200) on Saturday September 10, 2011 @02:15PM (#37363338)

    She had a Paypal account tied to her iTunes account emptied of over $400.

    Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund...after nearly two months.

    Her password? It was at least eight characters, capitalization, numbers and special characters and is considered "strong" by any password assessment tool you'll find.

    I equate Apple's response to these attacks as the same Ford had to Pinto gas tanks.

    For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

    • She had a Paypal account tied to her iTunes account

      That sounds like a very bad idea regardless of any issues with Apple's security.

    • Hard to say for sure, but if she used the same password on any other service that was compromised, whether she knows it or not, then it is no longer a secure password even if it's a 64 character randomly generated code. Those passwords go into a database that hackers use in brute force attacks. This could be Apple's fault, but there are other explanations for the scenarios you describe.
      • Thanks for the 411, I'll recommend she look to change things up (though I can hear the weeping, wailing and gnashing of teeth starting in the background).

  • Happened to me (Score:5, Interesting)

    by vitaflo (20507) on Saturday September 10, 2011 @02:18PM (#37363352) Homepage

    I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt to the purchase of the app in question. When I looked online to see what the app was it was already pulled from the app store, but various caches online showed it was a very badly designed "game" about Chinese words with the dev being a Chinese name. At that point I knew someone hacked my account and bought the app (yup it was bought with credit I had on the acct).

    I brought it to the attention of Apple and they immediately disabled my account. Then asked for proof that I was who I said I was. After I did so they reenabled my account, changed my password and credited me the money.

    It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

    • by tlhIngan (30335)

      A few months ago, there was an impressively done phishing email. I believe it was something like "Adobe Photoshop CS at the Apple Store" - it really looked legit.

      Of course, it presented you immediately with a fake Apple ID login in order to view the "special offer". It was a really-well done phishing email by someone with skill.

      There are other phishing attacks as well.

      And there are those who re-use passwords - I wonder if those complaining ever checked those online lists of accounts that were recovered

  • This happened to me. There were a lot of mysterious charges for apps that neither I nor my wife purchased. It turns out that my wife forgot that she had given the password to our teenage daughter.

  • Here's a weird thing: Some people posted that their credit card info has been changed. So I think the following could happen: Crook hacks into my iTunes account. Crook also has a stolen credit card. He changes the credit card info to the stolen credit card. He then uses my account with the stolen credit card to buy stuff; the money probably goes to some associate of the crook. I don't notice unless I check my iTunes account because _my_ credit card is not affected. Still bizarre.
  • by Anubis IV (1279820) on Saturday September 10, 2011 @02:31PM (#37363406)

    This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

  • The biggest challenge to getting people to use longer/better passwords is that no two sites have the same requirements. Off the top of my head my various log ons require:
    • six characters or more
    • eight characters or more
    • No more than eight characters
    • at least one number
    • any combination of numbers or letters
    • at least one special character
    • no special characters
    • at least one uppercase character
    • at least one uppercase character, one number, and one special character
    • none of the above
    • all of the above
    • random questions about t
  • by AmberBlackCat (829689) on Saturday September 10, 2011 @07:54PM (#37364896)
    I'm thinking they could make this a much smaller problem if all apps have a refund policy. If you notice an app has been purchased that you didn't want, you have time to notice the problem, undo the purchase, and change your password if you suspect the purchase was made without your permission. Of course the 15 minutes you get from the Android market would be inadequate. But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.
    • by rdnetto (955205)

      But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

      The problem is that a $1 app isn't going to give you even a week's worth of entertainment. The refund period has to be less than the period for which the app is useful/entertaining. A month refund period only makes sense for purchases a few orders of magnitude higher than that. Otherwise, you need a decent method of distinguishing between people who have been hacked/scammed and people who just got bored with the app. Even if the app were to phone home on installation with a device specific ID, it would be t

      • I see a few things going on here. One is you're saying a $1 app isn't going to be worth its price for 30 days. Others are basically saying the same thing, that people will finish or become bored within the 30-day period, and app developers would be bankrupted by returned apps.

        There are games, such as Pac-Man, Frogger, Super Mario Bros. and Tetris, that people have been playing for 20 or 30 years. If a game can't even remain fun for 30 days, I personally think the customer deserves a refund.

        Also, possibly t

        • by rdnetto (955205)

          Those games are well known specifically because they're outliers. The majority of games can't sustain that level of entertainment. This would result in a substantial decrease in the number of games available in the app store. Because the app store's revenue is a proportion of the total value (qty*cost) of apps sold, a decrease in the number of games available would reduce their revenue. Furthermore, the decrease in revenue would result in an increase in the market fees, increasing the cost of the apps.

          Addit

  • ... out of the few hundred million iTunes users?

    I thought more people synced iDevices to Windows than that. My bet is that it is either shitty passwords, or crappy old Windows XP machines that have been compromised.

    Maybe even people who had their password compromised by the Sony hack(s) a while ago, and use the same email/password on iTunes.

    Nothing to see here, move along.

  • by Nyder (754090) on Saturday September 10, 2011 @11:08PM (#37365638) Journal

    I have this friend, and he is, well stupid like most people.

    So, we are going to do some Free 2 Play games, and one of the websites wants your email address as your login name (which is becoming very popular).

    So when it comes to password, he says to me, why do they want my email address password?

    I'm like, "WTF? No, they want you to make a new password for this account that is using your email address as your login name."

    Needless to say, it took me like 5 mins to explain it to him. And he's not that computer stupid (though close).

    So no, it doesn't surprise me that people use weak passwords, or will put in the wrong type of info (like your iTunes account password) on websites that aren't iTunes.

  • Would be to confirm first purchases on a new iDevice. A confirmation mail to your email address where you have to confirm that it is really you and not someone else.
