
iTunes Gift Card Key System Cracked, Exploited

moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."

  • Occam's razor (Score:5, Interesting)

    by YesIAmAScript ( 886271 ) on Tuesday March 10, 2009 @06:04PM (#27141755)

    Possibility 1:
    Apple doesn't use a database for cards, they use a hash even though that would be stupid.
    That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.
    Someone is generating and selling cards using that hash.

    Possibility 2:
    Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.

    Possibility 1 is possible but unlikely.
    Possibility 2 is very common, very easy and very likely.

    Occam's Razor says people are likely jumping to an unwarranted conclusion here.

  • by Anonymous Coward on Tuesday March 10, 2009 @06:27PM (#27142071)

    So, if one were so inclined and was not bothered by the moral ramifications, would NOW be the time to buy and redeem a bunch of these? And, since you have to use your Apple iTunes account to redeem them, could you be threatened by legal people at Apple?

  • by jonaskoelker ( 922170 ) <jonaskoelker&yahoo,com> on Tuesday March 10, 2009 @06:38PM (#27142213)

    Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.

    Let's assume that Apple cryptographers are at least half way competent.

    You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?

    • It should be easy for Apple (the holder of some secret key) to generate valid gift certificates, of any amount
    • It should be difficult for anyone else to generate valid certificates (of any amount)
    • It should be easy for anyone to verify the validity of a certificate.

    I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.

    To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less than n have been redeemed".

    Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.

    I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet :p).

    (proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)
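
The sign-then-track-redemption scheme sketched in comment #27142213 above, as an added example (not the commenter's or Apple's code). Assumptions: Ed25519 stands in for "some signature system", the 12-byte serial-plus-amount payload and the names `Issue`, `Verify` and `Redeem` are hypothetical, and an in-memory map stands in for the redemption database.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Issue signs serial||amount; only the private-key holder can do this.
func Issue(priv ed25519.PrivateKey, serial uint64, cents uint32) string {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint64(msg, serial)
	binary.BigEndian.PutUint32(msg[8:], cents)
	return base64.RawURLEncoding.EncodeToString(append(msg, ed25519.Sign(priv, msg)...))
}

// Verify needs only the public key, so anyone can check a code.
func Verify(pub ed25519.PublicKey, code string) (uint64, uint32, error) {
	raw, err := base64.RawURLEncoding.DecodeString(code)
	if err != nil || len(raw) != 12+ed25519.SignatureSize {
		return 0, 0, errors.New("malformed code")
	}
	if !ed25519.Verify(pub, raw[:12], raw[12:]) {
		return 0, 0, errors.New("bad signature")
	}
	return binary.BigEndian.Uint64(raw), binary.BigEndian.Uint32(raw[8:]), nil
}

// Redeem accepts each valid serial once; spent is the issuer's redemption record.
func Redeem(pub ed25519.PublicKey, spent map[uint64]bool, code string) (uint32, error) {
	serial, cents, err := Verify(pub, code)
	if err != nil {
		return 0, err
	}
	if spent[serial] {
		return 0, errors.New("already redeemed")
	}
	spent[serial] = true
	return cents, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	spent, code := map[uint64]bool{}, Issue(priv, 1, 20000) // constructed: serial 1, $200.00
	fmt.Println(Redeem(pub, spent, code)) // 20000 <nil>
	fmt.Println(Redeem(pub, spent, code)) // 0 already redeemed
}
```

The resulting code is 102 characters, because an Ed25519 signature alone is 64 bytes, which is long to type by hand. The signature stops anyone without the private key from minting codes, while the redemption record is what stops a valid code from being spent twice.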

  • by neil-ngc ( 1019290 ) on Tuesday March 10, 2009 @06:52PM (#27142383) Homepage

    I guess it probably depends on how valuable Apple's manufacturing business is to China. I'm willing to bet that iPods, laptops and pretty much every other physical item in Apple's line is significant enough for them to pay attention. Some people might get disappeared.

    But really, maybe Apple has learned a lesson here. Don't just validate cards using an algorithm. Keep track of which numbers you've sold, same as a credit card issuer.

  • Re:BitTorrent (Score:5, Interesting)

    by earlymon ( 1116185 ) on Tuesday March 10, 2009 @06:53PM (#27142391) Homepage Journal

    It's still easier to use BitTorrent.

    I have no clue about access to BitTorrent behind the Great Firewall of China. But from what I've read (horror stories) about net activities being traced and questioned, I'd use an illegal Apple Store access rather than BitTorrent.

    "Yes, Comrade Prosecutor - tell me what I did wrong ripping off the imperialists," sounds like a better defense than, "I promise I wasn't looking at porn."

    Never reward Behavior A and hope for Behavior B.

  • Re:what the fuck (Score:3, Interesting)

    by mkiwi ( 585287 ) on Tuesday March 10, 2009 @06:59PM (#27142449)

    I don't think Apple does a $200 gift card,

    See http://store.apple.com/us/browse/home/giftcards/itunes/gallery?mco=MjU4NTQ2MQ [apple.com]

  • by essinger ( 781940 ) on Tuesday March 10, 2009 @07:06PM (#27142533)

    I think it may even be simpler. I went to the site and, though I couldn't understand the language, it seemed as though you had to buy the iTMS certificate with a credit card! So all they have to do is use your card (or in the more elaborate scenario a previous idiot's card) to buy your gift certificate. And they buy whatever else they want with it.

  • by Cajun Hell ( 725246 ) on Tuesday March 10, 2009 @07:10PM (#27142575) Homepage Journal

    If you can identify the illegitimate cards

    ..then you can just make them not good for payment, instead of dealing with it at the DRM level.

    "No tunes for you!" is better than "Broken tunes for you!"

  • Re:Huh (Score:5, Interesting)

    by ledow ( 319597 ) on Tuesday March 10, 2009 @07:19PM (#27142683) Homepage

    In UK law, at least, which is what 90% of the world base their law systems on:

    Very simple. It's fraud. They are *fake* cards, issued by a forger. Thus, you can be charged with fraud, or similar offences. Possibly even handling stolen/counterfeit goods, *whether you knew they were fake or not*! It's no different to faking a cheque, or a credit card. In the US, crossing state boundaries with such things can be a federal offence, so if you're not in the same state as the Apple store, it gets even worse.

    If you have the *suspicion* that they are fraudulent and / or a reasonable person would suspect them to be fraudulent (by the *court's* definition of reasonable, not yours), you can quite easily be convicted for fraud, or facilitating fraud, or breach of contract (technically a bad cheque is breach of contract and by trying to pass off this card with a retailer, you are saying that it is genuine, hence the sale could be seen as a breach of contract once they find out the money doesn't actually exist - thus they can happily charge you with fraud for the transaction AND breach of contract for failing to pay for the goods another way). It would *not* be as simple as "I just got them from some website." If a reasonable person would have had suspicions, you can *easily* be convicted - it's like saying that this gentleman knocked on the door selling an expensive in-car audio system with the wires cut and dangling, for a pittance. Whether you thought he was genuine or not, you SHOULD have known that he wasn't (just by the price, if nothing else), thus you can be found complicit in the fraud.

    Notification of the breach would certainly work in your favour but isn't an automatic get-out clause. Chances are they would pass it over but ask at which point you became suspicious, where you got it from etc. and expect you to co-operate fully. Don't and those fraud charges pop up but now they know exactly who to aim them at... you.

    Cyber-nothing. It's fraud, plain and simple, no better than making up credit card numbers and using them to buy things on Amazon. You're not the rightful keeper of any funds that you do manage to get authorized, so you're into theft (if someone can prove that *they* were entitled to the number on the card you used), fraud and maybe even counterfeiting if you can't point out where you got them from. Now, considering that Apple are both the issuer AND the recipient of the cards in question, they have a very good reason to prosecute. You've effectively stolen a credit card and then used it to pay your other Visa bill.

  • by Zerth ( 26112 ) on Tuesday March 10, 2009 @07:25PM (#27142769)

    The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copyright Act.

    http://en.wikipedia.org/wiki/International_Copyright_Act_of_1891 [wikipedia.org]

  • by porges ( 58715 ) on Tuesday March 10, 2009 @07:30PM (#27142821) Homepage

    Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.

  • by citizenr ( 871508 ) on Tuesday March 10, 2009 @07:50PM (#27143025) Homepage

    I guess it will forever remain a mystery to them why their nation isn't home to prosperous software

    Guess who wrote code that runs on your Digital Picture Frame, your Camcorder, mp3 player, or your big screen LCD TV.
    Maybe you missed the story about 'Shanzai'?
    http://hardware.slashdot.org/article.pl?sid=09/02/27/049245&from=rss [slashdot.org]

    Wanna know how Chinese are able to go from design on a napkin to working product ready to ship in ONE month? They share, rip, mash-up, copy.
    Here is one of the sites used by Chinese Engineers/Developers to share brainpower
    http://www.pudn.com/ [pudn.com]

    There is no value in producing IP without a product, IP alone is worth zero. Chinese recognized it long ago.

  • Re:Occam's razor (Score:4, Interesting)

    by Sheafification ( 1205046 ) on Tuesday March 10, 2009 @08:33PM (#27143545)

    I said I was _able_ to go ahead and use it; I didn't say I _did_ go ahead and use it.

    That's irrelevant. Based on the fact that you knew it was a Christmas card with a gift certificate in it the GP inferred that you opened the mail which was not addressed to you. Which is a no no [cornell.edu] (last paragraph).

  • Re:Occam's razor (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 10, 2009 @09:24PM (#27144149)

    Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.

    Certainly there are better ways to launder $200 in stolen credit card dollars, than selling them as an iTunes gift card for $2.60? Losing 97% during the laundering process is amazingly inefficient.

    If this is a fraud, I'm going to guess that it's a little more complex than just stolen credit card numbers.

  • by guydmann ( 1313789 ) on Tuesday March 10, 2009 @10:29PM (#27144775)

    I agree that would be funny. But the real comedy here is that nothing is actually being stolen here. What is really happening is that a new unit of currency is being counterfeited. But that currency is backed by value in digital media, which in and of itself is ephemeral and can be obtained by other means for free. What a bizarre situation.

  • Re:Ouch. (Score:1, Interesting)

    by I7D ( 682601 ) <<ian.shook> <at> <gmail.com>> on Wednesday March 11, 2009 @12:02AM (#27145629) Homepage

    I read that in your blog. You know, the Bob LobLaw Law Blog.
