Mystery of Vanishing iTunes Credit Shows No Sign of Fading

E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."

Great

[Antisyzygy]

Apple should really look into this more, rather than just passing off the blame. Typical.

Weak passwords?!

[NFN_NLN]

Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

Re:Great

[DurendalMac]

We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

Re:Great

[CharlyFoxtrot]

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

This is the password policy [apple.com], pretty standard stuff :

"When changing your password, your new Apple ID password should:

Be at least eight characters.
Contain at least one number (0-9).
Contain at least one uppercase letter (A-Z).
Contain at least one lowercase letter (a-z).
Not contain three consecutive identical characters.
Not have been used in the past year.
Not be the same as your Apple ID username."

That's also what is shown when trying to change your iTunes password (just tried it.) I know for fact though that it hasn't always been this strict because my password (that I've had for years now) doesn't conform to the policy.

Re:Great

[iamhassi]

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

Apples says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 milllion dollars.... wow, but hey the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?