iTunes customers facing mysterious account hacks, disappearing gift card money

Comments

  • Reply 61 of 67
    Quote:
    Originally Posted by triggs View Post

    - I notified them of the fraudulent purchases immediately and provided the order numbers from my account history. After 24 hours the response back was that they would credit me a refund but then tacked on, "The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final." Huh?! Reimbursing me after you've let someone access my account from a device which is not associated with my account is an 'exception to the terms and conditions'??

    Yeah. I did the same thing and got the same BS reply. Told them they should figure out what they did wrong before accusing the customer. Gotta wonder if/when this will stop.
  • Reply 62 of 67
    solipsismx Posts: 19,566 member
    Quote:
    Originally Posted by conundrumz View Post

    I use a MBP. Change my passwords every 6 months or so. Maybe I should look into 1Password.

    I would definitely invest in 1Password.

    Changing your password is only useful if it's compromised. Even if you changed it once a month, if you'd used it on a compromised machine, or changed many passwords to the same thing and used it on a compromised server, the damage is done.

    The beauty of 1Password is that you will have unique passwords that are virtually unhackable by brute force. You can even take it a step further by storing non-true answers to secret questions in 1Password so that even a password reset is more secure.

    The next step after that is storing personal information in 1Password so it isn't sitting in your Documents folder on your Mac. Of course, you can do all this without 1Password with an encrypted DMG you create from Disk Utility, but it does make it more pleasant and easier to stay secure.

    I won't lie to you, there will be some growing pains switching your passwords and updating everything, but I'm sure you'll appreciate it afterwards, especially when it automatically syncs to Dropbox and to the iOS client apps.
  • Reply 63 of 67
    chris_ca Posts: 2,543 member
    Quote:
    Originally Posted by ipen View Post

    I closed down my iTunes account

    Not really. You just quit using it.

    Quote:

    and now only download free stuff on iTunes using an account without a credit card #. That's the safest way.

    Why not simply change your password and security question and remove CC info? Add it back for purchase then immediately remove it, or use gift cards.

    I don't leave my CC # in the account (add it if I purchase, then immediately remove it) and recommend the same to others.
  • Reply 64 of 67
    Quote:
    Originally Posted by Ungenio View Post

    Does Apple implement a try-limit for passwords? Like, enter 5 erroneous passwords and it blocks the account?

    I really don't know how brute force for password discovery works, but I don't think it's like we see in movies: a series of numbers roll up on a display, and one by one, the password's characters are cracked. I think the cracking software must start with a, say, whole 4-char password, then another 4-char password, then another, until all 4-char passwords are spent, then goes for a whole 5-char password, and another, until finally a match is found.

    That kind of behavior is easily detectable. Probably a 4-char password is good enough, if a try-limit for passwords is implemented.

    Just for the record, I agree with you that the scenario you described for "Jill's Bolt Emporium" is the most likely happening.

    Let's say in my "Jill's Bolt Emporium" example that Jill's son decided to store user details in an encrypted form using their password as the key.

    Mr Hacker could still pull back the entire list of usernames and passwords, but he would then need to have some kind of brute force utility to individually decrypt each user's details.

    This is where brute force attacks and longer passwords come into play, not directly attacking a website.
  • Reply 65 of 67
    Quote:
    Originally Posted by Firefly7475 View Post

    Let's say in my "Jill's Bolt Emporium" example that Jill's son decided to store user details in an encrypted form using their password as the key.

    Mr Hacker could still pull back the entire list of usernames and passwords, but he would then need to have some kind of brute force utility to individually decrypt each user's details.

    This is where brute force attacks and longer passwords come into play, not directly attacking a website.

    Oops, and I thought I was clever with passwords! Thanks Firefly, I actually have a method to beat prying eyes, and I think it also covers hackers:

    I have different passwords for all my accounts. The passwords are names of people I know, and to trim and obfuscate them (the passwords, not the people) I remove vowels and replace specific letters with numbers. I store accounts and passwords in Simplenote, so they are easily available to me anytime (Simplenote's password is the only one I have to learn).

    But I don't store the passwords per se. I store a mental association to the name. Like nicknames, but also names I assign to people that, in my own mind, look like some of the X-Men. Yes, I have fun with that: I loved the Darkchilde, and fought Magneto!!

    A hacker can't break my iTunes account using passwords of my other accounts. And he cannot use the mnemonics on my Simplenote account. Sure, sometimes I have to use Simplenote to break into my own passwords... but since they are basically known names, the ones I use most are easily remembered.

    Concerning brute force, since I believe every try has to be a communication to the server, try-limits are a reasonable solution.
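The two controls debated in the last two replies, a server-side try-limit on login attempts and the offline case where a leaked user table has to be attacked one record at a time, as an added Python example. This is not code from any poster or from Apple; the policy values (5 failures, a 15-minute lock, the PBKDF2 iteration count), the in-memory account store and the "jill" account are assumptions constructed for illustration. The salted slow hash stands in for "encrypting the user details with their password as the key" from the Jill's Bolt Emporium scenario.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for the demonstration, not anything Apple publishes.
MAX_FAILED_TRIES = 5          # failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long the lock (and the failure window) lasts
PBKDF2_ITERATIONS = 200_000   # slow hash: each offline guess costs this much work


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) of a password.

    Storing this instead of the password, or instead of details encrypted
    under the password, means a leaked table still has to be worked through
    one slow guess at a time, per user, with no shortcut.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class LoginThrottle:
    """Per-account failed-attempt counter: the 'try-limit' asked about above.

    `clock` is injectable so the lockout can be exercised without waiting.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: start fresh
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILED_TRIES:
            self.locked_until[user] = now + LOCKOUT_SECONDS

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


class AccountStore:
    """Toy account table (constructed for the example) wired to the throttle."""

    def __init__(self, clock=time.monotonic):
        self.records = {}                        # user -> (salt, digest)
        self.throttle = LoginThrottle(clock)
        self._dummy = hash_password(os.urandom(16).hex())  # used for unknown users

    def register(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        The throttle is checked first, so a locked account costs the server no
        hashing work; unknown users still pay for a hash so response timing
        does not reveal whether the account exists.
        """
        if self.throttle.is_locked(user):
            return "locked"
        salt, expected = self.records.get(user, self._dummy)
        if verify_password(password, salt, expected) and user in self.records:
            self.throttle.record_success(user)
            return "ok"
        self.throttle.record_failure(user)
        return "denied"


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Candidate passwords of exactly `length` symbols from `alphabet_size`
    symbols (62 = upper, lower, digits). Offline, where no try-limit applies,
    each extra character multiplies the work by the alphabet size."""
    return alphabet_size ** length


if __name__ == "__main__":
    store = AccountStore()
    store.register("jill", "b0lt-Emp0rium!")        # constructed sample account
    for guess in ["bolts", "bolts1", "bolts2", "bolts3", "bolts4"]:
        print(guess, "->", store.login("jill", guess))
    print("right password while locked ->", store.login("jill", "b0lt-Emp0rium!"))
    print("4-char search space:", keyspace(4), " 12-char:", keyspace(12))
```

The point of the split is the one Firefly makes: the throttle only governs guesses that reach the server, so it is what answers Ungenio's question, while the slow salted hash and the size of `keyspace()` are what govern the offline case after a table has already leaked, which a try-limit cannot help with.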
  • Reply 66 of 67
    mstone Posts: 11,510 member
    I thought of a new password scheme which might be more secure. Similar to how the bank shows you a picture that you recognize before you log in, my idea also uses a picture.

    Instead of using text input passwords you need to click on the picture in a systematic way. Let's say it is a picture of your car. You would click on the front wheel hub, then the tip of the antenna, then the rearview mirror, or an oil stain on the pavement. Of course that wouldn't work if you were blind but in that case you would indicate that you were blind or physically challenged when you signed up for the account and would be using a traditional login form. Otherwise you wouldn't have a text password at all. If you forgot it they would email a temporary login like usual.

    Many Internet sites that require accounts do not have very secure databases. Unless it is a big name company that has telephone support, I would be cautious of letting them store my credit card.
  • Reply 67 of 67
    Good job summing up this long running story. Threatpost has reported on this very same phenomenon on multiple occasions in the last six months, and has run into the same wall of silence/PR talk from AAPL. Some related stories here:

    http://threatpost.com/en_us/blogs/it...t-hacks-030111

    and here: http://threatpost.com/en_us/blogs/ga...e-fraud-031011

    I even asked the Massachusetts AG, Martha Coakley, if she'd investigate after her credit card number was used to make bogus purchases through a compromised iTunes account. (Read here: http://threatpost.com/en_us/blogs/at...s-fraud-101711).

    Paul.