Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Bitcoin IOS Apple

Fake App On Apple's App Store Scams User Out of 17.1 Bitcoins ($600,000) (msn.com) 198

Long-time Slashdot reader phalse phace quotes the Washington Post: Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for "Trezor," the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company's padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.

But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store. Christodoulou, once a loyal Apple customer, said he no longer admires the company. "They betrayed the trust that I had in them," he said in an interview. "Apple doesn't deserve to get away with this."

Apple bills its App Store as "the world's most trusted marketplace for apps," where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it's easy for scammers to circumvent Apple's rules, according to experts. Criminal app developers can break Apple's rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple. When Apple finds out, it removes the apps and bans the developers, the company says. But it's too late for the people who fell for the scam.

The Post also points out that the 15 to 30 percent commission Apple collects on all sales in the App Store "goes to fund the 'highly curated' customer experience, the company has said."
This discussion has been archived. No new comments can be posted.

Fake App On Apple's App Store Scams User Out of 17.1 Bitcoins ($600,000)

Comments Filter:
  • Question (Score:5, Interesting)

    by quonset ( 4839537 ) on Saturday April 03, 2021 @05:42PM (#61233892)

    Am I missing something? The guy already had the hardware portion for his account, but didn't have the software portion? If he had the hardware portion, why didn't he get the software portion at the same time from the same place? Did he not think at some point he would want to check his balance?

    I'm not blaming the victim, I'm asking questions. It seems odd he'd have everything set up except the ability to check his account.

    • Re:Question (Score:5, Insightful)

      by doug141 ( 863552 ) on Saturday April 03, 2021 @05:58PM (#61233930)

      He didn't want to have to plug in his hardware wallet to check his balance, so he downloaded an app that would "check it from his iphone" and gave it the passwords it asked for, reasoning if it was malware then it wouldn't be 5 stars, or on the apple store to begin with, because they tout the safety of their walled garden so much.

      In addition to his obvious 2 mistakes, I'll add a third: apps that are honest today might not be honest tomorrow, after a buyout or hack.

      • Re:Question (Score:5, Insightful)

        by DrFalkyn ( 102068 ) on Saturday April 03, 2021 @06:08PM (#61233956)

        You shouldn't have to divulge your private keys in order to "check your balance". The entire payment history of everyone is available on the blockchain as public knowledge. Signing transactions is a different matter, however.

        I'm thinking platofmrs with smart contracts, such as EOS and Etherreum could help fix this problem. I know that EOS allow you to tie token transfers to notification actions which can have user configurable results. EOS also has levels of keys so you can have a "hot" key and a "cold" key which could prevent overriding the notification however contract. Bitcoin, being a pure payments system, with only one key, lacks these feature.

      • He didn't want to have to plug in his hardware wallet to check his balance

        That doesn't make sense. Then what is the point of the hardware in the first place? How were the coins stolen from a hardware wallet when the wallet was not plugged in?

        • by doug141 ( 863552 )

          "If a hardware wallet is lost or destroyed, the information can be restored with a secret “seed phrase.” Some people keep the seed phrase in a safe-deposit box, hoping they’ll never have to use it, or etched on durable metal that can survive a fire. Scammers use phishing to trick people into giving up their seed phrases. "

        • Re: Question (Score:4, Interesting)

          by reanjr ( 588767 ) on Saturday April 03, 2021 @10:59PM (#61234546) Homepage

          What doesn't make sense is using a complicated, encrypted hardware wallet.

          I've never heard of anyone who accidentally lost the password to their paper wallet. Hardware wallets have their role to play, but they are marketed to newbs as the most secure way to hold cryptocurrency. And they are. But only if you're not a newb.

          Paper wallets make more sense. They are easy to understand how to secure. They have known failure conditions. They make it very clear what you should never send to a third party.

          Literally two safety deposit boxes and two pieces of paper are all this guy needed to get all the features it seems he was looking for.

        • Because that is how bitcoin solves the double-spending problem. You can duplicate a hardware wallet and have the coins in both wallets. But if you spend the coins in one wallet, they go from the other as well, even if it is in an air-gapped safe and not connected to anything.

    • why didn't he get the software portion at the same time from the same place

      What place do you get software for your phone from other than the App store? His problem is very real. You search for an app on an app store what guarantees are you that it's official? The only guarantee you have is the word of the curator who you assume would do something such as checking to see if a company is legit when they promote themselves as a safe market place.

      • Yeah, it'd be great if you could install apps directly to the phone from included install media, but Apple needs its cut.

    • by msauve ( 701917 )
      >Am I missing something?

      Yes, because wallet balances are public. Bitcoin wouldn't work if the balance for any given wallet address wasn't on the blockchain. He made the mistake of giving up his private key, which isn't needed to check a balance, only to transfer funds outward.

      Storing value in something you don't understand is a recipe for failure. He has no one to blame but himself. What I'd like to know is whether the app told him what his balance was before stealing it - if so, it did what it claime
    • by AmiMoJo ( 196126 )

      Looking at their website it seems that to use their hardware you have to use their website. The website uses web USB or web Bluetooth to talk to the wallet. There is some kind of desktop app if your browser doesn't support that.

      So I guess he figured he could use it with his phone instead and went looking for an official app, which as far as I can tell does not exist.

  • by couchslug ( 175151 ) on Saturday April 03, 2021 @05:52PM (#61233912)

    is not possible because there will always be too many applications.

    A serious walled garden would not allow outsider software, but convenience and greed always trump security.

    Faux money like Bitcoin will always be more vulnerable than physical objects like precious metals but there is a passionate desire to own symbols without owning objects which crypto fits well.

    If you put your life's savings in one place and fail to diversify you're, to put this as kindly as possible, fucking stupid. There is no excuse to live a life of lazy ignorance because it has such painful consequences.

    • Even old fashioned banks are not immune to this. A guy I know recently got screwed over royally by Wells Fargo, resulting in his entire account getting drained. I won't go into details except the bank said "tough luck bub".

      And people wonder why people are stuffing money under their mattress.

    • is not possible because there will always be too many applications.

      So.... what are you saying here? That you just download any old executable code you can get your hands on from the Internet?

      A serious walled garden would not allow outsider software, but convenience and greed always trump security.

      A serious walled garden like... what? Are we talking NSA that goes through serious vetting processes for all of their purchases? Or are we talking about just rolling our own code for everything here? Because Solarwinds has shown that you can get software even into very restricted government agencies through a well executed supply chain attack.

      Faux money like Bitcoin will always be more vulnerable than physical objects like precious metals but there is a passionate desire to own symbols without owning objects which crypto fits well.

      If you put your life's savings in one place and fail to diversify you're, to put this as kindly as possible, fucking stupid. There is no excuse to live a life of lazy ignorance because it has such painful consequences.

      So are we blaming Apple here, the user, or

  • Ugh stupid (Score:5, Insightful)

    by bsdetector101 ( 6345122 ) on Saturday April 03, 2021 @06:00PM (#61233934)
    nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone You DON'T put most of your savings in ONE place, especially Bitcoin ! Stupid ! When it first came out, it was touted as being safe and secure and over the years, we've seen how false that is !
    • Re: (Score:3, Insightful)

      by slazzy ( 864185 )
      It actually is quite safe and secure, but there are a few rules you have to follow. If you give someone else your private keys, your money is gone. Probably would be the same with your bank account too.
      • by doug141 ( 863552 )

        Probably would be the same with your bank account too.

        If you notify the bank a transfer was fraud, they will reverse it. Maybe someone should build THAT into the next cryptocurrency.

        • Not if it was wired to a different country.
        • There are cryptocurrencies like this thought they often employee DApps which means you are still trusting a third-party. This is the effectively the same as a bank but the bank is federally secured and essentially vetted in this regard. I don't think more regulation is the solution but federal governments building into or finding ways to support the block-chain is in likely a good idea. I believe US taxes can already be paid in crypto and that alone raises a lot of questions about how those funds are handle

      • With a bank account number the transaction is reversible - anyone who ever got any check from you has that account number as it clearly printed on the check. One of the benefits of bitcoin is also one of it's drawbacks, untraceable and irreversible transactions. Even physical cash has serial number which can be used to try to track where the money went. Also, if crypto is only save for people who are very technology savvy, it's not really safe for the general public. It's like running your own web server -

      • Except he downloaded "Trutsed Wallet app" instead of "Trusted Wallet App", believing it was the real thing, because it was on the store as "Trusted Wallet App", with zero indication of it being fraudulent.

        And "we are so safe and secure" Apple let this happen.

        At this point, if Apple were to open a general appliance store, people can expect to end up with "Sony"s which are really "Sorny"s.

        • ^This now has me thinking how many counterfiet products end up in Apple Stores, including counterfeit Li-Ion batteries. :\

        • Apple does not check what the app is doing.
          How and why would they do that?

          They check which APIs it wants to access, if it tries to download additional code via internet etc.

          And that is basically all.

          However if you want to volunteer to "check such apps", perhaps you can sign up somewhere.

      • If you give someone else your private keys, your money is gone. Probably would be the same with your bank account too.

        Actually hundreds of millions of people enter the credentials to spend money from their bank account into their phones, laptops, and PCs every day of the week.

    • Almost! As! False! As! The! App! Store! Being! Safe! Sorry, I even got annoyed with myself for typing that.
  • by Joe_Dragon ( 2206452 ) on Saturday April 03, 2021 @06:10PM (#61233960)

    apple needs to ban bit coin pay in all apps if not then you must let EPIC have there own in app sales.

  • The question is, is there a better (for him) alternative to which he will switch? If not, that means he still thinks Apple is the best product for him.

  • by misnohmer ( 1636461 ) on Saturday April 03, 2021 @06:23PM (#61233994)

    If you have all life savings in bitcoin, you obviously are ok with risk and volatility. Risk in crypto includes not just the high volatility of the market, but also any technology related pitfalls. One of the drawback of untraceable currency is that thefts which can happen in split seconds cannot be traced and/or recovered, unlike conventional currency, which even in its least traceable form - printed money - has serial numbers which can be used to try to investigate and recover stolen cash.

  • forget third party apps, stick with apps made by google themselves, and the OEM that made the phone, or a known good app by a legitimate brick & mortar like your local bank, or insurance company
    as far as amazon or walmart. or paypal i will i have used them but i dont like keeping a lot of apps on my phones anymore, and prefer to go minimalist, and if it is something i dont really really need i get uninstall it or disable it, i would like to see Apple and Google come out with a choice of OSs when firmwa
  • by OrangeTide ( 124937 ) on Saturday April 03, 2021 @07:07PM (#61234102) Homepage Journal

    And could happen to any of us if the app instead was faked to looked like etrade/schwab/ameritrade/etc. Getting 100 shares of AMZN moved out of your brokerage account would be pretty shitty too.

    Except when I move an unusual sum out of my account, my broker calls me up. I say, yes I'm buying a house today and this is part of the down payment. And the transaction is approved. Sure I pay massively more in fees than someone using bitcoin. But a tiny fraction of a percent compared to such a large sum. Completely removing the human element is a level of convenience we probably don't need.

  • by nicolaiplum ( 169077 ) on Saturday April 03, 2021 @07:27PM (#61234144)

    Apple asserts that the 30% cut of all payments on apps in their App Store, as well as the developer registration payments, are necessary because their App Store ensures such high quality and safe software.

    Yet a thief got a fraudulent app onto the App Store which just took someone's life savings.

    Either the App Store has such high quality and so much control from Apple that Apple is responsible if something like this happens, or it is not worth the 30% that customers are paying Apple (via that cut from payments in apps).

    Which is it, Apple? You can't take all that money and deliver nothing.

    • Apple implements best effort security and privacy protection--but it isn't perfect. The world is safer with locks on doors, but they aren't perfect--that doesn't mean they are useless.
      • > Apple implements best effort security

        What's the best effort that a trillion-dollar corporation can conceivably muster?

        Is verifying signatures in scope? Calling the developer?

        They certainly put much more effort into demanding specifics from Hey! when it comes to Apple getting a cut.

  • "Apple claims that 30% is appropriate since Apple must work to secure their store. However here we have a case where Apple failed to secure their store and when money was on the line refused to compensate someone for their security failing. So what exactly is Apple providing except for a backless claim?"

    • no, no, no - see - this is proof that 30% wasn't enough funding to secure the walled prison. Proof - PROOF I tell 'ya. They'll have to raise it to 50% to be on the safe side.

  • I needed a good laugh at someone else's expense.

  • If Bitcoin had been designed to use dual-credentials, where the B credentials can only read (only the A credentials can actually carry out a transaction), this kind of thing might be prevented. The fakers would have to use other tricks like hoping the victim enters the A credentials when the fake app acts like the B credentials are invalid.

  • And as such should be held responsible. If I went to a convention and someone sold me a dodgy product, and that convention said they vetted everyone, the convention would be held responsible.

    • With any luck you'll get $50.

      https://www.apple.com/legal/in... [apple.com]

      "If I went to a convention and someone sold me a dodgy product, and that convention said they vetted everyone, the convention would be held responsible."

      Are you sure? Maybe that's true. But first you'd have to find a convention that claimed they did that, and then find one that ALSO had no disclaimers of liability built into entrance documentation.

      In the end, Apple does not guarantee you anything. None of its rhetoric approaches a legal commitmen

  • If Apple wants to "curate" apps, then impose a heap of extra curation on apps that have anything to do with crypto or real currency (e.g. forex) trading, banking, trading, gambling, payment systems etc. Make it so onerous pain in the ass to get one of these apps approved including additional auditing of things like keys, security, service urls that only legitimate services are going to bother.
  • If he wants to launch a successful claim against Apple, then he should 'lose' hundreds of bitcoin.
  • And now Apple have removed the app.. .

    Because it didn't give them a cut of the stolen money

  • by Tom ( 822 ) on Sunday April 04, 2021 @05:45AM (#61235044) Homepage Journal

    Keeping that much money in Bitcoin - well, if you like danger, ok.

    But trusting that much money to an app you downloaded without careful checking? Seriously? You couldn't take two looks or something? You couldn't go on their official website and follow the link to their official app there or something?

    Fools and their money...

  • by emeitner ( 513842 ) on Sunday April 04, 2021 @08:34AM (#61235290) Homepage Journal

    With a Trezor wallet once it is set up the keys never leave the device. The user keeps a backup of the recovery seed and only needs to use it in the case of device failure, loss, etc.

    The ONLY way that the scammer could have stolen the Bitcoins is by asking the user to perform a few steps when setting up the app , like:
    * Enter the Trezor recovery seed( https://en.bitcoin.it/wiki/BIP... [bitcoin.it] )
    * Enter any passphrases used on the Trezor.

    If the person did this then they gave away the Bitcoin and neither Apple, Bitcoin, or the Russians had anything to do with it. A fool and his money....

  • Trezor or similar companies that do not have an app should nevertheless have created a dummy app, with their name and logo, five-starred by default and showing up first in search, alerting people that there is no legit app! Also, name and logo should have been fenced in, not allowed to be used by others; is that too hard for Apple or Google?!

Parts that positively cannot be assembled in improper order will be.

Working...