Hacked Apple iTunes accounts sell in China for pennies on the dollar
A Chinese online store is selling hacked, illegal iTunes accounts tied to active credit cards, offering $200 worth of content from Apple's service for as little as $30.
China's Global Times this week revealed that about 50,000 illegal accounts are being sold through taobao.com, with prices ranging from just 1 yuan to about 200 yuan, or $30. Many of the sales are said to be stolen iTunes user accounts being re-sold by hackers.
"Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid," the report said. "The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao."
A reporter for the publication tested the sales by paying $5 to a seller on Taobao. In return, they were provided an iTunes username and password which allowed access to an account complete with credit card details and a U.S. billing address.
Last July, it was revealed that iTunes account holders were being targeted in a number of fraud cases, in which some iOS developers used stolen accounts to boost their sales rankings of iPhone software. Apple quickly made a public response to the matter, suggesting that customers review their iTunes account for unauthorized transactions.
"Developers do not receive any iTunes confidential customer data when an app is downloaded," the company said in a statement. "If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."
In August, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes and store credit card information for purchases. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.
Comments
deleted
8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types. Numbers, Symbols, Lower & uppercase letters.
Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.
...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.
I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...
The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
First, be careful of your security in what links you click on & have (Windows) anti-virus & other software security. Also, simply select "no credit card" in your iTunes account, & just buy iTunes cards to redeem when you want to make purchases. I never keep a balance of over $10-20 in my account at any one time. That way, if my account is compromised, the crooks don't make any significant money. If you otherwise suffer a $1000 loss, you may eventually be able to successfully argue with your credit card company & have the charges reversed, but then the card company has to eat the loss. Either way, by selecting the credit card option in your iTunes account, YOU ALONE CHOOSE to provide the opportunity for these thieving ****s to profit & not have to otherwise honestly work for their money. They can only hack your account by tricking YOU into clicking on a bad link or compromising YOUR computer. Don't feed them.
To my other note, a lot of people don't understand what makes a strong password & there are some pretty weak ones out there. Never use common words, try to use 10 characters or more, mix 4 types of characters. Just a couple of examples (please don't use these).
Applerocks (Not strong, only a matter of time before you are hacked)
Apples01 (Ok but not strong)
Apples0001 (Much better but good programmer could create cracker that guesses common words)
@pples0001 (Even better, no common word)
@ppleS0001 (Very strong, uses upper & lowercase, symbol, & numbers)
Always have a separate password for things like e-mail & web forums than what you use for financial stuff. If you have MobileMe I strongly recommend creating an outside e-mail account like Gmail that you give to signup pages or friends whose accounts you know get hacked frequently. You should also create e-mail aliases in MobileMe that you can send from so if an alias gets compromised you can just delete it & create a different one. You can't protect against everything 100% but these steps can go a long way. Then of course I second everything kellya74u is saying, especially clicking links in e-mail. Make sure you check automated-looking e-mails, check that the name tagged to the sender actually matches the e-mail. Recently got an e-mail from a friend (had their name on it) but the sender address was [email protected]. It had a link with instructions to sign into a site, it was a spam company that then would steal your Gmail credentials by tricking you into typing them in & then it would get all your contacts from your account. Don't get click happy!!! Use your brain & practice some skepticism! Never think of the web as a safe place, it's actually extremely hostile (even inside services like Facebook).
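The article describes Apple's rule at the time (at least 8 characters with mixed capitalization), and the comments above argue for a stricter rule (10 or more characters, all four character types, no common word) and walk five sample passwords up that ladder. The checker below is an added example, not code from the article, from Apple, or from any commenter; the tiny word list is constructed for the demo, and the keyspace estimate assumes an attacker who already knows which character classes are in use (it measures only brute-force effort, not resistance to phishing, which several replies point out is the real weak spot).

```python
"""Password-policy checker for the two rules discussed in the thread (added example)."""
import math
import string

# Constructed mini-dictionary for the demo; a real checker loads a large word list.
COMMON_WORDS = frozenset({"apple", "apples", "password", "itunes", "rocks"})

# Alphabet size contributed by each character class (ASCII printable).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def contains_common_word(pw, words=COMMON_WORDS):
    """True if a dictionary word appears as a substring, case-insensitively."""
    lowered = pw.lower()
    return any(w in lowered for w in words)


def keyspace_bits(pw):
    """Bits of brute-force keyspace, assuming the attacker knows the classes used."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def meets_apple_policy(pw):
    """Rule as the article states it: at least 8 characters, mixed capitalization."""
    return len(pw) >= 8 and {"lower", "upper"} <= char_classes(pw)


def meets_commenter_policy(pw):
    """Rule from the comments: 10+ characters, all four classes, no common word."""
    return (len(pw) >= 10
            and len(char_classes(pw)) == 4
            and not contains_common_word(pw))


def evaluate(pw):
    """Summarise a password against both policies plus the keyspace estimate."""
    return {
        "length": len(pw),
        "classes": len(char_classes(pw)),
        "common_word": contains_common_word(pw),
        "keyspace_bits": round(keyspace_bits(pw), 1),
        "apple": meets_apple_policy(pw),
        "commenter": meets_commenter_policy(pw),
    }


if __name__ == "__main__":
    # The five sample passwords from the comment above.
    for sample in ["Applerocks", "Apples01", "Apples0001", "@pples0001", "@ppleS0001"]:
        print(sample, evaluate(sample))
```

Running it shows the gap between the two rules: "Applerocks" satisfies the article's 8-character mixed-case rule while containing a dictionary word and only two classes, and "@pples0001", which the commenter rates "even better", would actually fail the mixed-capitalization rule because it has no uppercase letter. Only the last sample passes both.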
...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.
I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...
The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
You can build complex passwords that are easy to remember, see my post on passwords.
If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.
Article doesn't mention that you can buy other country iTunes accounts for 1RMB (12 cents).
Only thing surprising this week was Alibaba (which owns Taobao) removing 'iPad2 cases.' One can only wonder why Apple pulled out its muscle for this and not the fake iTunes accounts that are openly sold
You can build complex passwords that are easy to remember, see my post on passwords.
If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.
Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.
Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.
Doesn't negate my point, actually I mentioned that too. Like I said before, the internet is not a safe place, it is actually a very hostile environment & no one should use it lightly.
If you must use iTunes, go out and purchase the $10 gift cards and only activate them when you need to purchase something.
My account was hacked to the tune of $63.
No notification was sent to my email address (which was registered with my iTunes account).
The crook was able to change my login, password, email address, and purchase apps outside the US.
The Apple terms expressly forbid US account purchases outside the US (or they did at that time).
So iTunes security is non-existent. It's a joke. Worst security on the planet.
Thank god for sweatshops and ocean containers.
The article must be wrong, since everyone here knows that security issues only happen on Android.
hello windows users, and jailbreakers
You can build complex passwords that are easy to remember...
There is a lot to be said for that.
Like this street directions method:
Take5tothe55Nexit
(How to get to my office)
You get the idea, no that is not my real password.
The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
and this is a bad thing because .... ??? I have spent several thousands of dollars on iTunes without losing one night's sleep over a hacked iTunes account. I only use gift cards and only keep a low balance ($5.68 at this time) while keeping extra cards in my desk. For me, at least, this is the perfect solution to buying anything on the internet.
8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types. Numbers, Symbols, Lower & uppercase letters.
Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.
A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.
The article must be wrong, since everyone here knows that security issues only happen on Android.
This isn't a platform security issue. This is straight social engineering phishing attack exploitation. Every platform is equally vulnerable if a user successfully gets phished.
...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.
I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...
The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
There is no way to eliminate the risk without eliminating all forms of online access. Period. You can make your iTunes password as memorable or as long term crack-safe as you like. And if you are naive enough to get phished, the password security won't matter a whit. Short memorable mixed case and non alphabetic characters will save you from all but the most determined crackers, and those will only target you because they already know what they can get. And they will get it anyway because you will give it to them unwittingly through any of several almost foolproof techniques, none of them being password cracking.
It was reported several months ago that many thousands of account users worldwide responded to a phishing attack. There isn't much Apple or anyone else can do to save you from that. You can change passwords on a time basis, but that has proven to be even less secure overall because then too many users change all their passwords to the same thing, and write it down, and/or get phished again. It's nasty, but stupidity once gets ruthlessly punished by the criminal element that can confirm it happened in the first place.
Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...
I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thieving bastards.
China moved up their currency exchange rate almost 30% over the past couple of years. Can you tell me whether our economy improved 30% over the same period of time?
Fastest way to balance the US budget...
Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...
I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thieving bastards.
Doubt writing down my password on a sticky is going to risk it being stolen by thieves in China. You are wrong about how much it takes to crack a password, that might have been true 5 years ago but as computers get faster & hackers get smarter about how they throw random passwords at a machine.
I totally agree with many posts though that phishing is probably the biggest way accounts get hacked, but not the only way.