Mystery of Vanishing iTunes Credit Shows No Sign of Fading

E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."

Great

[Antisyzygy]

Apple should really look into this more, rather than just passing off the blame. Typical.

Re:Great

[DurendalMac]

We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

Re:Great

[iamhassi]

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

If you read the article every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com]

Re:

[CharlyFoxtrot]

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

A few hundred = a not even that sucessfull phishing expedition. Even a few thousand would be a drop in the bucket.

Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com]

They could ask him but they don't have enough to block him. Someone also bought Monkey Island 2, does that mean Apple should block Lucasarts ?
Apple should issue refunds, just because it's good business but the problem here in all likelihood is on the client side.

Re:Great

[iamhassi]

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

Apples says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 milllion dollars.... wow, but hey the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?

Re:

[abhi_beckert]

"significant" is subjective, but 0.0005% of iTunes customers is insignificant by anyone's standards.

And apple has only said "we think this is what's going on". They have not said "we aren't going to do anything about it". They never tell anyone what they're going to do until after they've done it.

Re:

[AmiMoJo]

This is just a rumor so make of it what you will, but some sources claim that it is an attack on credit voucher serial numbers. After all why buy random apps if you can't use them? The will be tied to the owners phone.

Re:Great

[brusk]

After all why buy random apps if you can't use them? The will be tied to the owners phone.

No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

Re:

[hedwards]

That's one possibility, a couple more are that it's for lulz or that it's revenge by some developer that's pissed because of Apple's ridiculous policies for being granted access to the App store.

Re:

[w0mprat]

Obviously, one of the random apps purchased will belong to the crooked developer/hacker. But if they've bought apps from multiple developers it would hide their fraud amongst random transactions. Steal $100 million to get $1 million? Probably worth it, if also untraceable.

Re:

[zill]

We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.

Re:

[shoehornjob]

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

Thank you. They need to enforce better password standards.

Re:

[UnknowingFool]

That does little for stolen passwords or phishing attacks. I know people who used the same email (username) and password for different accounts. Once one of them gets hacked, then those people have multiple accounts hacked.

Re:

[exomondo]

we need better passwords for regular people:
http://xkcd.com/936/ [xkcd.com]
http://preshing.com/20110811/xkcd-password-generator [preshing.com]

But that's not going to help, that method is easily defeated by brute forcing from the most rudimentary dictionary.

Re:

[guruevi]

Did you ever enforce minimum security standard passwords? First if you just add some complexity (eg. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

Re:

[LordSnooty]

Making them complex and writing them down on a piece of paper is probably one of the most secure method in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

Re:

[gnasher719]

Making them complex and writing them down on a piece of paper is probably one of the most secure method in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

Combine something that is easy to remember with a random sequence that you have to write down and pin to your monitor. Remote attack fails because of the random sequence, looking at the paper fails because the person looking is not an experienced hacker and doesn't know the "easy to remember" bit.

And even if an experienced hacker knew the random sequence, at least attacks using rainbow tables would now fail.

Re:

[Belial6]

That's actually a pretty good solution. It still doesn't solve the problem of having dozens of passwords though. I know that I have at least a hundred different passwords. I used to use a "Doesn't matter", "low security", "high security", "REALLY high security" set so that I could remember my 4 passwords, and didn't have to worry that the video game forum I posted to one time a couple of years ago wasn't going to have an admin that was going to clean out my bank account.

The problem is that once enough

Re:

[abhi_beckert]

Combine something that is easy to remember with a random sequence that...

What I've quoted is about as far as your suggestion will sink in, for a typical iTunes customer.

Apple should make each of these users go through some fairly painful steps to get their money refunded, and at the end give them good advice how to avoid such things in future.

The only solution is user training, and you can't train them without finding some motivation first.

Re:

[tehcyder]

Yes, whenever something happens to Apple customers, it's their fault, not Apple's.

Whereas with Microsoft, Sony, Google, Facebook or whoever it's always teh evil company's fault.

Re:

[hedwards]

I've got my parents to somewhat strengthen their passwords by using a pass phrase with substitutions. It's not great, but if you then abbreviate some of the words, you get something close to a proper password. Ultimately, there are dictionary attacks that handle it, but even that is significantly stronger than just a word and a number. Hopefully, they'll just move on down to the next account when they don't come up with anything the first time through.

Ultimately, no matter how many times you tell users that

Re:

[guruevi]

We told user to reject the password because of Kevin Mitnick. He used social engineering very well to get somewhere. Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

It also doesn't help against phishing attacks. What we need is a 3rd token (not something you know but something you have or are) for financial transactions. Could easily be handled with distributed authentication - you use a provider that gives you the right amount of security you w

Re:

[Ja'Achan]

Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

Which means you have to actually know about them and call them, instead of just running some spammer botnet or spreading a virus. Sticky notes don't work against targeted attacks, but it's good enough for thwarting most distributed attacks.

Re:

[ShanghaiBill]

they'll just use the same password and change or add 1 character to satisfy your needs.

Then mission accomplished, since adding one additional character makes the password two orders of magnitude more difficult to guess.

Re:

[guruevi]

For a brute force attack, not for a dictionary attack. The passwords used in these compromised accounts seem to be simple dictionary attacks. These days dictionary attacks do include variations of numbers and characters on common passwords.

Re:

[tehcyder]

Did you ever enforce minimum security standard passwords? First if you just add some complexity (eg. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

That is only a security issue if the thief has physical access to your written notes or computer you stick your notes to, in which case you're fucked anyway.

Re:

[Quirkz]

I'm all for writing them down, and agree with you. I'd still suggest, at minimum, NOT taping it directly to your monitor, though (like one former dean of Engineering did at the university I worked at). Also, if your password is just your initials and the year of your birth, do you REALLY need to write it down? (Looking at that same dean of Engineering, again).

Re:

[zippthorne]

They do, but they have a stupid definition of "minimum security":

it's some small number of characters, at least one of which must be a number.

This is not a terribly onerous policy*, but iPods' screen keyboards do not have a number row. You have to switch to another page to input numbers, so people with iPods are going to tend to pick a specific subset of passwords with numbers - ones where all the numbers are together at either the beginning or the end.

I think that this may result in passwords that are act

Re:

[hedwards]

Unless this is a series of cracks purely for lulz, there really ought to be someway of tracking things efficiently. If the apps being bought are sold by scammers, then that's one thing, otherwise, I'm curious as to how this would result in profit for the people doing the cracks.

Find and prosecute whomever it is that is profiting and the problem should be solved. Ultimately, that's Apple's responsibility. This isn't like Android where Google has little say over what users load on their Android devices.

Re:Great

[CharlyFoxtrot]

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

This is the password policy [apple.com], pretty standard stuff :

"When changing your password, your new Apple ID password should:

Be at least eight characters.
Contain at least one number (0-9).
Contain at least one uppercase letter (A-Z).
Contain at least one lowercase letter (a-z).
Not contain three consecutive identical characters.
Not have been used in the past year.
Not be the same as your Apple ID username."

That's also what is shown when trying to change your iTunes password (just tried it.) I know for fact though that it hasn't always been this strict because my password (that I've had for years now) doesn't conform to the policy.

Re:

[Kalriath]

It is compulsory, despite the word "should". Passwords not conforming to the regime are rejected. They only say "should" because Apple doesn't like using the imperative.

Re:

[Colonel Korn]

And a lot of people also wont post because they dont, they're not sure if they were affected or it was only a small amount so they didn't notice or care.

I'd bet the actual number is much higher.

This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

Re:

[CharlyFoxtrot]

This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

That's a pretty impressive number you just pulled out of your ass, this must be a serious problem.

Re:

[CharlyFoxtrot]

Why don't the customer get email receipts when the transaction happens?

You do get a receipt normally, however since the accounts were compromised and personal detail altered (according to the thread) that confirmation could've been sent elsewhere. Some people report do getting receipts and being informed that way something was going on. This is all on the first page of the linked Apple support discussion.

And why can't Apple figure out which device downloaded the app to provide that information to law enforcement?

You want Apple to track their customers ? Yeah, that'll go over great with the paranoid Slashdot crowd.

Re:

[Belial6]

When the customer explicit asks you to? Yes. There is a big difference between tracking a customers movements via GPS and looking up the deviceID and IP address accessed from when the customer specifically asks for it.

Re:

[shutdown -p now]

One problem with receipts you get from App Store is that they seem to come in quite a bit later - and I mean not just hours, but days later - after the purchase.

Re:

[CharlyFoxtrot]

That's true. Maybe they do this to avoid sending you an email every time you buy a track/app which could get annoying if you buy a lot of single track songs for example ? I don't know, it should probably be a user definable option.

Re:

[Kalriath]

It's because the email is technically a tax invoice, and they only send it when they actually charge you. They wait up to about 3 days to charge you as it minimizes their transaction fees (since they only have to charge you one $3.96 charge rather than four $0.99 charges - and therefore only pay transaction fees once).

Re:

[alteran]

I don't get why you're complaining. It's clear that the users were holding their iTunes accounts wrong.

Re:

[Antisyzygy]

Who says I am complaining? I am merely stating facts. Passing off the blame on users for a known issue before addressing it in full is never a good way to handle business, asshole.

Weak passwords?!

[NFN_NLN]

Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

Re:Weak passwords?!

[Antisyzygy]

That would infringe on peoples desire to have passwords like "cats" or "1234".

Re:

[Nerdfest]

Apple generally doesn't care much about infringing on people's desire to do certain things. This might be one of the few times when their control-freakery would be well placed.

Re:Weak passwords?!

[Anonymous Coward]

There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your apple ID, or a password you've used in the last year.

The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

Re:

[hedwards]

8 characters is a joke. Even a decade ago 8 characters was a joke. Even if you include a punctuation mark, it's still pretty ridiculous.

Re:

[Roogna]

8 characters isn't all that bad, considering it's unlikely even the best methods will find the match in the first 3 guesses. Apple does lock accounts after 3 failed attempts and force a password change through the e-mail on file. This of course does -nothing- against phishing, but neither does the most secure password on the planet if it's typed into a false site. Of course if they hacked these peoples e-mail then they can reset the password to whatever they want... but this should just teach everyone t

Re:

[Duradin]

After a few password failures the iTunes account clears your CC security code (ie can't purchase anything), so 8 characters is more than enough.

I've never used stored credit so I don't know what happens when there's too many failed attempts.

Re:

[abhi_beckert]

8 characters is a joke. Even a decade ago 8 characters was a joke.

8 mixed case alphanumeric characters is 281474976710656 passwords to brute force. Assuming there is no way to achieve an offline attack (which is likely in this case), that means you would have to hit apple's server that many times with an incorrect password before finding the correct one.

Lets say you have a really fast internet connection, and can attempt to log into apple's servers at a rate of, oh, a million times per second... that means it would take you almost TEN YEARS to guess the correct password.

T

Re:

[Man Eating Duck]

Don't use spaces

Why not? If it's not all spaces (prohibited by the three-chars-in-a-row requirement) you're good to go. I can't find it now, but I read an article a while ago that endorsed passwords containing spaces. They're apparently a lot more secure against dictionary attacks since very few people use them. On a side note my telco disallows *any* special characters, I have no idea why this is a part of any password policy.

Re:

[w0mprat]

Judging by that, Password123 fits Apples definition of a 'secure' password. So does something like S3cur1tyP355w0rd which is the kind of thing I've seen set by allegedly qualified administrators to highly critical systems.

Ultimately including numbers, mixed case and punctuation invites easy-to-remember common substitutions and number combinations, which is what will happen 90% of the time, this doesn't significantly draw out a brute force attack attempt. A few random lowercase letters has more possible c

Re:

[moderatorrater]

They don't allow spaces in their passwords and every password needs to be able to be typed into a touch device like the iPhone or iPad. They could definitely do more in this area.

Re:

[interval1066]

Trivially installed policy, and used by more than one web site I frequent. As much as I don't care for apple, and they should install such a policy, some of the blame does fall on the users. Having a contract with several web sites for tech support and not having access to their databases directly I have an occasion to ask users for their passwords to trouble shoot, and the amount of "abc123" or "qwerty" passwords is astounding.

Re:

[ArsenneLupin]

... and the amount of people just blurting out their password to you without wondering about your lack of database access is even more astounding...

Re:

[interval1066]

Well, in some cases its necessary, its not always convenient to gain access to a clients database directly. That most users don't give it a second thought isn't that extraordinary to me.

Re:

[Kenja]

That's like saying they could have an option to simply not store your credit card number. Insanity!

Re:

[CharlyFoxtrot]

Because having a complicated password will prevent users from losing it in phishing scams ?

Re:

[Anubis IV]

^^^ This.

It doesn't matter how complicated it is if it's being compromised through social engineering. Were this a brute force attack, it wouldn't be drawn out. They'd have the data, they'd compute as many passwords as they could from the hashes for all 200M+ accounts, and they'd do as much damage as possible before anyone could respond appropriately (e.g. PS3 debacle). The pattern instead suggests this is an ongoing set of social engineering attacks which are yielding suckers on a regular basis over an ext

Re:

[gnasher719]

I think AppleIDs are reasonably easy to find. Mostly they are email addresses. Haven't tried if trying to login with a random email address and a random password gives any indication that the email address is an Apple ID; you would hope not. However, if hackers manage to read your emails, then they can read any purchase confirmation emails, and from these emails you can find the Apple ID.

Now if they know many Apple IDs, they can just randomly try to login with valid Apple ID and a random weak password, a

Re:

[abhi_beckert]

They do have some policies to enforce strong passwords, and it looks like those policies have been getting stricter recently (because of this?).

But "easily guessable" could just mean a password I use for some other service which was hacked. Apple has no way of verifying that your password is unique.

Re:

[broken_chaos]

Longer passwords are more secure than passwords with fancy characters

This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

Re:

[NFN_NLN]

They do have a very strict policy, and it was stated above by CharlyFoxtrot but here it is again:

"When changing your password, your new Apple ID password should:

Be at least eight characters.
Contain at least one number (0-9). ...

These threads aren't sorted by chronological order dipsh*t.

by CharlyFoxtrot (1607527) Alter Relationship on Saturday September 10, @02:30PM (#37363398)

by NFN_NLN (633283) on Saturday September 10, @12:44PM (#37362832)

It is difficult to respond to a post ~2 hours in the future.

Easy to prevent

[mehrotra.akash]

SMS based verification?

Re:

[brusk]

What if you buy the app for an iPod touch or wifi-only iPad? Or you buy it for an iPhone over wifi and are out of cellular range?

Not all machines running iTunes Store have SMS

[tepples]

What you recommend will work only for iPhone and iPad 3G. It won't work for a Mac computer, a PC running Windows OS, an iPod touch, or an iPad with Wi-Fi, none of which can receive SMS.

Re:

[Viceice]

Build an OTP function (Ala Google/Blizzard authenticator) into each iDevice that is ONLY eyeball readable into iTunes. The user only needs to read the field above and duplicate it in the field below as he confirms his purchase.

Re:

[CharlyFoxtrot]

Why make things difficult for me because of a few hundred dumbasses ? Apple should just eat the (relatively low) cost, refund people and turn over any relevant information to the authorities.

Re:

[Kalriath]

The iPad (3G) can't receive SMS either.

Re:

[mehrotra.akash]

Why do you need a text messaging plan to receive texts?

You're holding it wrong...

[quetwo]

Obligotory "You're holding it wrong" post.

My wife was bit

[oDDmON oUT]

            She had a Paypal account tied to her iTunes account emptied of over $400.

            Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund...after nearly two months.

            Her password? It was at least eight characters, capitalization, numbers and special characters and is considered "strong" by any password assessment tool you'll find.

            I equate Apple's response to these attacks as the same Ford had to Pinto gas tanks.

            For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

Re:

[shutdown -p now]

She had a Paypal account tied to her iTunes account

That sounds like a very bad idea regardless of any issues with Apple's security.

Re:

[oDDmON oUT]

Agreed. But there again, she didn't ask me. :^D

Re:

[phantomfive]

Hard to say for sure, but if she used the same password on any other service that was compromised, whether she knows it or not, then it is no longer a secure password even if it's a 64 character randomly generated code. Those passwords go into a database that hackers use in brute force attacks. This could be Apple's fault, but there are other explanations for the scenarios you describe.

Re:

[oDDmON oUT]

Thanks for the 411, I'll recommend she look to change things up (though I can hear the weeping, wailing and gnashing of teeth starting in the background).

Happened to me

[vitaflo]

I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt to the purchase of the app in question. When I looked online to see what the app was it was already pulled from the app store, but various caches online showed it was a very badly designed "game" about chinese words with the dev being a chinese name. At that point I knew someone hacked my account and bought the app (yup it was bought with credit I had on the acct).

I brought it to the attention of Apple and they immediately disabled my account. Then asked for proof that I was who I said I was. After I did so they reenabled my account, changed my password and credited me the money.

It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

Re:

[tlhIngan]

A few months ago, there was an impressively done phishing email done. I believe it was something like "Adobe Photoshop CS at the Apple Store" - it really looked legit.

Of course, it presented you immediately with a fake Apple ID login in order to view the "special offer". It was a really-well done phishing email by someone with skill.

There are other phishing attacks as well.

And there are those who re-use passwords - I wonder if those complaining ever checked those online lists of accounts that were recovered

This happened to me

[ShanghaiBill]

This happened to me. There were a lot of mysterious charges for apps the neither I nor my wife purchased. I turns out that my wife forgot that she had given the password to our teenage daughter.

Credit card info changed

[gnasher719]

Here's a weird thing: Some people posted that their credit card info has been changed. So I think the following could happen: Crook hacks into my iTunes account. Crook also has a stolen credit card. He changes the credit card info to the stolen credit card. He then uses my account with the stolen credit card to buy stuff; the money probably goes to some associate of the crook. I don't notice unless I check my iTunes account because _my_ credit card is not affected. Still bizarre.

Not. A. Hack.

[Anubis IV]

This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

Hate passwords!

[rueger]

The biggest challenge to getting people to use longer/better passwords is that no two site have the same requirements. Off the top of my head my various log ons require:

• six characters or more
• eight characters or more
• No more than eight characters
• at least one number
• any combination of numbers of letters
• at least one special character
• no special characters
• at least one uppercase character
• at least one uppercase character, one number, and one special character
• none of the above
• all of the above
• random questions about t

Re:

[rueger]

More to the point, when we had one or two log-ins to remember passwords made sense, but today I have log-ins for:

• - cel phone
• - home phone
• - desktop
• - lap top
• - bank web site
• - at least ten shopping web sites
• - at least ten sites like slashdot
• - at least ten user forums
• - ATM PINs
• - Credit Card PINS
• - PINS for three utility companies
• - Student cards #s and log-in PINs
• - Library card and PIN
• - the secret number to reset my car radio if the battery is disconnected

And a dozen other "use them once a year and then forget

Possible Solution

[AmberBlackCat]

I'm thinking they could make this a much smaller problem if all apps have a refund policy. If you notice an app has been purchased that you didn't want, you have time to notice the problem, undo the purchase, and change your password if you suspect the purchase was made without your permission. Of course the 15 minutes you get from the Android market would be inadequate. But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

Re:

[rdnetto]

But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

The problem is that a $1 app isn't going to give you even a week's worth of entertainment. The refund period has to be less than the period for which the app is useful/entertaining. A month refund period only makes sense for purchases a few orders of magnitude higher than that. Otherwise, you need a decent method of distinguishing between people who have been hacked/scammed and people who just got bored with the app. Even if the app were to phone home on installation with a device specific ID, it would be t

Re:

[AmberBlackCat]

I see a few things going on here. One is you're saying a $1 app isn't going to be worth its price for 30 days. Others are basically saying the same thing, that people will finish or become bored within the 30-day period, and app developers would be bankrupted by returned apps.

There are games, such as Pac-Man, Frogger, Super Mario Bros. and Tetris, that people have been playing for 20 or 30 years. If a game can't even remain fun for 30 days, I personally think the customer deserves a refund.

Also, possibly t

Re:

[rdnetto]

Those games are well known specifically because they're outliers. The majority of games can't sustain that level of entertainment. This would result in a substantial decrease in the number of games available in the app store. Because the app store's revenue is a proportion of the total value (qty*cost) of apps sold, a decrease in the number of games available would reduce their revenue. Furthermore, the decrease in revenue would result in an increase in the market fees, increasing the cost of the apps.

Addit

700 posts...

[smash]

... out of the few hundred million iTunes users?

I thought more people synced iDevices to Windows than that. My bet is that it is either shitty passwords, or crappy old Windows XP machines that have been compromised.

Maybe even people who had their password compromised by the Sony hack(s) a while ago,and use the same email/password on iTunes.

Nothing to see here, move along.

I think it's stupid people

[Nyder]

I have this friend, and he is, well stupid like most people.

So, we are going to do some Free 2 Play games, and one of the websites wants (which is becoming very popular), your email address as your login name.

So when it comes to password, he says to me, why do they want my email address password?

I'm like, "WTF? No, they want you to make a new password for this account that is using your email address as your login name.

Needless to say, it took me like 5 mins to explain it to him. And he's not that computer stupid (though close).

So no, it doesn't surprise me that people use weak passwords, or will put in the wrong type of info (like your itunes account password) on websites that isn't iTunes.

One thing Apple could do

[gullevek]

Would be to confirm first purchases on a new iDevice. A confirmation mail to your email address where you have to confirm that it is really you and not someone else.

Re:

[gullevek]

It is new devices. New in the sense "first time purchase from a different iDevice".

I had a similar problem, if Apple would have let me confirm that this new device is mine, the could have avoided service hours to restore my account.

Re:

[meerling]

And they always blame the victim, but I know of at least one time it was one of their employees looting accounts that hadn't been logged into for a while so hopefully the users wouldn't notice. Of course when he finally got caught, they kept it quiet and continued to blame the users.

I'm not saying this is an inside job, but it's a definite possibility. (If someone was running a dictionary attack on Itunes, it would noticed if they have even halfway competent security. And although phishing occurs, it's ne

Re:

[gnasher719]

(If someone was running a dictionary attack on Itunes, it would noticed if they have even halfway competent security.

Let's say one in 10,000 users uses "123456" as their password. That means trying to login with a random Apple ID and the password "123456" has a one in 10,000 chance to succeed. Now let's say we have a list of the top 100 passwords used by idiots. A botnet could perform 10,000 login attempts per day (every time a different account, and a different one of the top 100 passwords) and crack one account per day. That would be very, very hard to notice.

that's interesting, but this is different

[YesIAmAScript]

First, iTunes cards have the number hidden on the cards in the store, you have to scratch off a coating.

Second, with an iTunes card, you transfer the card balance into your account all at once, after that the card is completely useless. So if you can complete the transfer, the card was valid and not compromised and after you transfer the card, it doesn't matter if it was compromised, because the value is gone from the card and is in your account now. You cannot use the card to spend the value on apps, you have to have access to the account you transferred the credit into.

What people are complaining about here is that they have a credit on their account (perhaps from one of these cards) and it is being spent out of their account. This can't be done with any kind of compromise of the gift cards themselves.

These people's accounts have been compromised. It's unclear how that happened.

Re:

[Culture20]

What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

Or if malware on your iPhone bought it?

2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

Not only are you incorrect regarding the requirements, what you list is

Re:

[UnknowingFool]

WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

I think the OP is referring to using to a phishing attack on the username and password. For example johnsmith@yahoo.com was compromised and the Mr. Smith used the same username/password for his iTunes account (that can be reset as the attacker has his email password now).

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

Yes because someone who forges a credit card has no idea how to get forged ID cards. Forged ID cards are quite rare thesedays. Also grocery stores these days have automated check out lines where they do not check IDs.

Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

And you are sure abo

Re:

[Kalriath]

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

The grocery store is not permitted to request your ID. The credit card company told them they aren't allowed to ask. So no, you blast your credit card company for hamstringing merchants to prevent them keeping you safe from fraud.

Re:

[UnknowingFool]

Frankly if he worked at Amazon, PayPal, whatever, I suspect his story would still have been the same.

Re:

[Shoe Puppet]

Towson, MD, 21286-7840 (is that a real zip code?).

Apparently, yes [google.de]

Re:

[stewbacca]

I can only guess English is not your first language, or you are of the texting generation.

Re:

[konohitowa]

Man, that must be a little bubble if you don't know any Windows users with iPhones. Unless you're saying that not one of them used iTunes to activate their phones or that those that did immediately followed this up by uninstalling iTunes. Both are possible, but seem unlikely to me.

Re:

[konohitowa]

Wow. Okay, scratch my sarcasm. It really is a small bubble. So no iPod users on Windows either? Some of them don't mount as flash drives so you're stuck with iTunes (at least from a practical standpoint – there are workarounds but Windows users are less likely than Linux users to hunt them down).