iTunes Gift Card Key System Cracked, Exploited 388
moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."
Occam's razor (Score:5, Interesting)
Possibility 1:
Apple doesn't use a database for cards, they use a hash even though that would be stupid.
That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.
Someone is generating and selling cards using that hash.
Possibility 2:
Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.
Possibility 1 is possible but unlikely.
Possibility 2 is very common, very easy and very likely.
Occam's Razor says people likely people are jumping to an unwarranted conclusion here.
Time to buy some of these quickly??? (Score:1, Interesting)
So, if one were so inclined and was not bothered by the moral ramifications, would NOW be the time to buy and redeem a bunch of these? And, since you have to use your Apple iTunes account to redeem them, could you be threatened by legal people at Apple?
Let's consider the crypto solution (Score:5, Interesting)
Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.
Let's assume that Apple cryptographers are at least half way competent.
You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?
I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.
To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less that n have been redeemed".
Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.
I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet :p).
(proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:2, Interesting)
I guess it probably depends on how valuable Apple's manufacturing business is to China. I'm willing to bet that iPods, laptops and pretty every other physical item in Apple's line is significant enough for them to pay attention. Some people might get disappeared.
But really, maybe Apple has learned a lesson here. Don't just validate cards using an algorithm. Keep track of which numbers you've sold, same as a credit card issuer.
Re:BitTorrent (Score:5, Interesting)
It's still easier to use BitTorrent.
I have no clue, access to BitTorrent, behind the Great Firewall of China. But from what I've read (horror stories) about net activities being traced and questioned, I'd use an illegal Apple Store access rather than BitTorrent.
"Yes, Comrade Prosecutor - tell me what I did wrong ripping off the imperialists," sounds like a better defense than, "I promise I wasn't looking at porn."
Never reward Behavior A and hope for Behavior B.
Re:what the fuck (Score:3, Interesting)
I don't think Apple does a $200 gift card,
See http://store.apple.com/us/browse/home/giftcards/itunes/gallery?mco=MjU4NTQ2MQ [apple.com]
Credit Card Ponzi Scheme (Score:2, Interesting)
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:3, Interesting)
"No tunes for you!" is better than "Broken tunes for you!"
Re:Huh (Score:5, Interesting)
In UK law, at least, which is what 90% of the world base their law systems on:
Very simple. It's fraud. They are *fake* cards, issued by a forger. Thus, you can be charged with fraud, or similar offences. Possibly even handling stolen/counterfeit goods, *whether you knew they were fake or not*! It's no different to faking a cheque, or a credit card. In the US, crossing state boundaries with such things can be a federal offence, so if you're not in the same state as the Apple store, it gets even worse.
If you have the *suspicion* that they are fraudulent and / or a reasonable person would suspect them to be fraudulent (by the *court's* definition of reasonable, not yours), you can quite easily be convicted for fraud, or facilitating fraud, or breach of contract (technically a bad cheque is breach of contract and by trying to pass off this card with a retailer, you are saying that it is genuine, hence the sale could be seen as a breach of contract once they find out the money doesn't actually exist - thus they can happily charge you with fraud for the transaction AND breach of contract for failing to pay for the goods another way). It would *not* be as simple as "I just got them from some website." If a reasonable person would have had suspicions, you can *easily* be convicted - it's like saying that this gentleman knocked on the door selling an expensive in-car audio system with the wires cut and dangling, for a pittance. Whether you thought he was genuine or not, you SHOULD have known that he wasn't (just by the price, if nothing else), thus you can be found complicit in the fraud.
Notification of the breach would certainly work in your favour but isn't an automatic get-out clause. Chances are they would pass it over but ask at which point you became suspicious, where you got it from etc. and expect you to co-operate fully. Don't and those fraud charges pop up but now they know exactly who to aim them at... you.
Cyber-nothing. It's fraud, plain and simple, no better than making up credit card numbers and using them to buy things on Amazon. You're not the rightful keeper of any funds that you do manage to get authorized, so you're into theft (if someone can prove that *they* were entitled to the number on the card you used), fraud and maybe even counterfeiting if you can't point out where you got them from. Now, considering that Apple are both the issuer AND the recipient of the cards in question, they have a very good reason to prosecute. You've effectively stolen a credit card and then used it to pay your other Visa bill.
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:3, Interesting)
The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copright Act.
http://en.wikipedia.org/wiki/International_Copyright_Act_of_1891 [wikipedia.org]
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:5, Interesting)
Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:2, Interesting)
I guess it will forever remain a mystery to them why their nation isn't home to prosperous software
WHAT?
Guess who wrote code that runs on your Digital Picture Frame, your Camcorder, mp3 player, or your big screen LCD TV.
Maybe you missed the story about 'Shanzai'?
http://hardware.slashdot.org/article.pl?sid=09/02/27/049245&from=rss [slashdot.org]
Wanna know how Chinese are able to go from design on a napkin to working product ready to ship in ONE month? They share, rip, mash-up, copy.
Here is one of the sites used by Chinese Engineers/Developers to share brainpower
http://www.pudn.com/ [pudn.com]
There is no value in producing IP without a product, IP alone is worth zero. Chinese recognized it long ago.
Re:Occam's razor (Score:4, Interesting)
I said I was _able_ to go ahead and use it; I didn't say I _did_ go ahead and use it.
That's irrelevant. Based on the fact that you knew it was a Christmas card with a gift certificate in it the GP inferred that you opened the mail which was not addressed to you. Which is a no no [cornell.edu] (last paragraph).
Re:Occam's razor (Score:1, Interesting)
Certainly there are better ways to launder $200 in stolen credit card dollars, than selling them as an iTunes gift card for $2.60? Losing 97% during the laundering process is amazingly inefficient.
If this is a fraud, I'm going to guess that it's a little more complex than just stolen credit card numbers.
Re:And You Wonder Why Amazon MP3 Only Works in the (Score:5, Interesting)
Re:Ouch. (Score:1, Interesting)