iTunes customers facing mysterious account hacks, disappearing gift card money

Posted:
in General Discussion edited January 2014


Scattered reports from customers suggest that Apple continues to have a difficult time combating hackers who are draining iTunes account balances and changing account information.



Earlier this week, The Global Mail called attention ( CNet) to an Apple Support Community thread with more than 70 pages of responses dating as far back as Nov. 2010.



According to and others like it, numerous iTunes customers were victims of fraudulent app purchases that drained gift card credits from their accounts. Others reported charges to their PayPal or credit card accounts and changes to their account information.



Given that the issue has persisted intermittently for over a year, some customers have begun to speculate that Apple has kept the problem under wraps despite not having fully resolved it. "It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it," forum user "glight" wrote.



When contacted by the publication, Apple responded with a generic statement assuring the security of its ecommerce transactions.



"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the company said.



Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked. In 2009, iTunes gift vouchers surfaced on Chinese websites for pennies on the dollar after hackers allegedly discovered a way to generate codes.



Another method has been described on forums as early as 2010. Sellers on TaoBao, the Chinese equivalent of eBay, have in the past offered a service that temporarily hijacked legitimate users' account to allow buyers to download batches of apps until eventually being locked out. The sellers would allegedly monitor compromised accounts and then change their information to a dummy address upon finding a customer.



Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.





"Kingdom Conquest" has attracted negative reviews as customers report being the victim of fraudulent purchases or hijacked accounts.







Ty Miller, chief technology officer at security firm Pure Hacking, speculated that Apple has decided that refunding fraudulent transactions is more cost effective than fixing the system.



"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix then they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller said.



[ View article on AppleInsider ]

«134

Comments

  • Reply 1 of 67
    apple ][apple ][ Posts: 9,233member
    Quote:
    Originally Posted by AppleInsider View Post


    Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.



    You scared me there for a moment! The name "Kingdom Conquest" sounded real familiar to me and I remember buying a game recently which I've been playing a bit and I just quickly checked it on my iPad and the game which I'd been playing is called "Kingdom Rush", which happens to be a pretty good Tower Defense game.



    Phew. I dealt with some telephone scammers awhile ago, and even had the FBI involved. I don't need to be dealing with any app scammers too.



    These people need to be behind bars and molested at least four times a week. That'll teach them not to scam people.
  • Reply 2 of 67
    solipsismxsolipsismx Posts: 19,566member
    Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.



    If iTunes servers have been hacked — which I doubt — then this could be a problem for adding NFC to the iPhone which i think Apple will tie into their iTS account ecosystem.



    PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Acccount Information, click See All under Purchase History and make sure that all purchases are accurate.
  • Reply 3 of 67
    Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.



    The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.
  • Reply 4 of 67
    apple ][apple ][ Posts: 9,233member
    Quote:
    Originally Posted by SolipsismX View Post


    Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.



    This seems to be more about compromised gift cards than hacked personal passwords and the like. Luckily for me, I've never used or purchased any Apple gift card, and I don't plan on doing it in the future either.
  • Reply 5 of 67
    Quote:
    Originally Posted by SolipsismX View Post


    they are not responsible for blatant user error.



    That's a cop out.



    It's Apple's responsibility to ensure it is easy for its users to secure their accounts.



    For example I should be able to limit my account to authenticated devices and/or use a two-step logon process with iMessage on my iPhone.
  • Reply 6 of 67
    This fraud costs Apple nothing, because all they have to do is reverse the transaction. It's not like a physical product that has value has been lost; they can just mark the account as not having purchased the app and reverse the charge.



    So of course they're not going to do much about it, because it costs them almost nothing to work around it and security is a difficult problem to solve.



    This is why despite it being annoying, I reset my iTunes password fairly frequently.
  • Reply 7 of 67
    apple ][apple ][ Posts: 9,233member
    Quote:
    Originally Posted by zorinlynx View Post


    This is why despite it being annoying, I reset my iTunes password fairly frequently.



    I found out that it can be max 32 characters and it's wise to use both uppercase and lowercase letters combined with numerical numbers and even throw in a special character or two for added protection.
  • Reply 8 of 67
    Quote:
    Originally Posted by Apple ][ View Post


    I found out that it can be max 32 characters and it's wise to use both uppercase and lowercase letters combined with numerical numbers and even throw in a special character or two for added protection.



    Lucky me, I got my iCloud password in before they set those restrictions. Hate capital letters.



    Granted, there's still a maximum length problem and that cuts off my password, so I just have to remember when to stop.
  • Reply 9 of 67
    apple ][apple ][ Posts: 9,233member
    Quote:
    Originally Posted by Tallest Skil View Post


    Granted, there's still a maximum length problem and that cuts off my password, so I just have to remember when to stop.



    What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.
  • Reply 10 of 67
    Quote:
    Originally Posted by waldobushman View Post


    The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.



    One target may be Target (yeah, yeah). I've seen yet to be activated iTunes Gift Cards available on eBay, but those were the Beatles one (somewhat a collector's item). If they leak out that way, who know what else can happen.



    Speaking of accounts, we run completely on gift cards in my household. Allows me to get a 5 percent discount by buying them at Target when using my Target Visa card (plus an additional 5 percent when I fill enough prescriptions).
  • Reply 11 of 67
    hill60hill60 Posts: 6,992member
    I just checked and my $3.53 balance is safe and sound.
  • Reply 12 of 67
    Quote:
    Originally Posted by Apple ][ View Post


    This seems to be more about compromised gift cards than hacked personal passwords and the like. Luckily for me, I've never used or purchased any Apple gift card, and I don't plan on doing it in the future either.



    The problem wouldn't be with Gift Cards... it's just that it is easier to get Gift Card funds.



    If someone drains a Gift Card account Apple reimburses the customer and keeps the hack quiet... everyone wins! If someone charges a credit card or Pay Pal account their card issuer becomes involved as well as the authorities.



    Here is how these hacks go down...
    1. Jack signs up for iTunes using [email protected] and the secure password "MyD0G1$Br0wn"

    2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password

    3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear

    4. "Jill's Bolt Emporium" is completely unaware anything has happened

    5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.

    6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.





    EDIT:



    I use a three tier password system. It's the best combination of usability and security.



    Tier 1: Critical services

    These require the top level of security and all have unique passwords. Included are the two banks I use, PayPal and Last Pass.



    Tier 2: Trusted services

    The services I trust will protect my information. These have similar or the same passwords. Included are anything from Apple, Google, Microsoft or Facebook.



    Tier 3: Untrusted services

    Basically everything else. These use randomly generated passwords that are stored in Last Pass. I can't remember any of these, so I need to look up the password in Last Pass before I can log on.
  • Reply 13 of 67
    Quote:
    Originally Posted by Apple ][ View Post


    What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.



    *shrug* It's safe. I wish more places allowed spaces in their passwords; then it'd be safer.
  • Reply 14 of 67
    Double post
  • Reply 15 of 67
    apple ][apple ][ Posts: 9,233member
    Quote:
    Originally Posted by Firefly7475 View Post




    Here is how these hacks go down...
    1. Jack signs up for iTunes using [email protected] and the secure password "MyD0G1$Br0wn"

    2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password

    3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear

    4. "Jill's Bolt Emporium" is completely unaware anything has happened

    5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.

    6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.




    In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.



    I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
  • Reply 16 of 67
    Quote:
    Originally Posted by Apple ][ View Post


    In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts.



    The trouble is you're describing 99% of people who use computers. Even I use the same or similar passwords across "trusted" services.



    Telling people to use a different password across every account is unrealistic when people have 50 different account passwords they need to remember.



    There are better ways to handle security other than a simple username/password combination and it's Apple's responsibility to implement these measures on iTunes accounts.
  • Reply 17 of 67
    asciiascii Posts: 5,936member
    I sometimes wonder if the simple keyboard on the iPad causes people to choose simple passwords. To get to the odd kind of characters that defeat bruce force attacks you have to jump to a second keyboard, and then a third.
  • Reply 18 of 67
    Quote:
    Originally Posted by Firefly7475 View Post


    [*]Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password[*]Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear



    That is more likely what is happening than an actual server hack. After all if it was the server it wouldn't likely be such scant occurrences all the time.
  • Reply 19 of 67
    Last month, I saw an unfamiliar iTunes charge of $30-something dollars on my credit card statement. When I checked my purchase history on my iTunes account, the charge was not there.



    According to Apple, my credit card number was used to open another account and make purchases. They said they've since shut down that account.



    I think I may be one of the customers who've suffered the effects of these Chinese iTunes account hijackers.
  • Reply 20 of 67
    Quote:
    Originally Posted by Apple ][ View Post


    I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.



    Yep and then she uses "My cat's name" as her security question and when you look her up on Facebook there she is with Mr Fluffy and right there is the rest of her birthdate.



    Score one for the hacker.
Sign In or Register to comment.