AppleInsider › Forums › Mobile › iPod + iTunes + AppleTV › Hacked Apple iTunes accounts sell in China for pennies on the dollar

Hacked Apple iTunes accounts sell in China for pennies on the dollar

post #1 of 32
Thread Starter 
A Chinese online store is selling hacked, illegal iTunes accounts tied to active credit cards, offering $200 worth of content from Apple's service for as little as $30.

China's Global Times this week revealed that about 50,000 illegal accounts are being sold through taobao.com, with prices ranging from just 1 yuan to about 200 yuan, or $30. Many of the sales are said to be stolen iTunes user accounts being re-sold by hackers.

"Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid," the report said. "The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao."

A reporter for the publication tested the sales by paying $5 to a seller on Taobao. In return, they were provided an iTunes username and password which allowed access to an account complete with credit card details and a U.S. billing address.

Last July, it was revealed that iTunes account holders were being targeted in a number of fraud cases, in which some iOS developers used stolen accounts to boost their sales rankings of iPhone software. Apple quickly made a public response to the matter, suggesting that customers review their iTunes account for unauthorized transactions.

"Developers do not receive any iTunes confidential customer data when an app is downloaded," the company said in a statement. "If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. WE also recommend that you change your iTunes account password immediately."

In August, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes and store credit card information for purchases. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.
post #2 of 32

deleted


Edited by kellya74u - 7/24/13 at 10:22am
post #3 of 32
8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types: numbers, symbols, lower & uppercase letters.

Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.
post #4 of 32
deleted
post #5 of 32
Quote:
Originally Posted by hezetation

8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types: numbers, symbols, lower & uppercase letters.

Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.

...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.

I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...

The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
post #6 of 32
Quote:
Originally Posted by kellya74u

First, be careful of your security in what links you click on & have (windows) anti-virus & other software security. Also, simply select "no credit card" in your iTunes account, & just buy iTunes cards to redeem when you want to make purchases. I never keep a balance of over $10-20 in my account at any one time. That way, if my account is compromised, the crooks don't make any significant money. If you otherwise suffer a $1000 loss, you may eventually be able to successfully argue with your credit card company & have the charges reversed, but then the card company has to eat the loss. Either way, by selecting the credit card option in your iTunes account,YOU ALONE CHOOSE to provide the opportunity for these thieving ****s to profit & not have to otherwise honestly work for their money. They can only hack your account by tricking YOU into clicking on a bad link or compromising YOUR computer. Don't feed them.

To my other note, a lot of people don't understand what makes a strong password & there are some pretty weak ones out there. Never use common words, try to use 10 characters or more, mix 4 types of characters. Just a couple of examples (please don't use these).

Applerocks (Not strong, only a matter of time before you are hacked)
Apples01 (Ok but not strong)
Apples0001 (Much better but good programmer could create cracker that guesses common words)
@pples0001 (Even better, no common word)
@ppleS0001 (Very strong, uses upper & lowercase, symbol, & numbers)

Always have a separate password for things like e-mail & web forums than what you use for financial stuff. If you have MobileMe I strongly recommend creating an outside e-mail account like Gmail that you give to signup pages or friends whose accounts you know get hacked frequently. You should also create e-mail aliases in MobileMe that you can send from, so if an alias gets compromised you can just delete it & create a different one. You can't protect against everything 100% but these steps can go a long way. Then of course I second everything kellya74u is saying, especially about clicking links in e-mail. Make sure you check automated-looking e-mails; check that the name tagged to the sender actually matches the e-mail. Recently got an e-mail from a friend (had their name on it) but the sender address was notify@domain.com. It had a link with instructions to sign into a site; it was a spam company that would then steal your Gmail credentials by tricking you into typing them in & then it would get all your contacts from your account. Don't get click happy!!! Use your brain & practice some skepticism! Never think of the web as a safe place, it's actually extremely hostile (even inside services like Facebook).
post #7 of 32
Quote:
Originally Posted by aaarrrgggh

...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.

I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...

The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.

You can build complex passwords that are easy to remember, see my post on passwords.

If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.
post #8 of 32
reported so many times, it can't be news. Apple / the US government and China overlook this (among other things) to keep harmonious relations. Apple wants to sell its hardware, and is following, to some degree, Microsoft's China strategy which, in the early and late 90s, was to allow China to pirate its software to enable future sales. More 'free' Apple services, sells more Apple devices... Think about it... lots of similarities.

Article doesn't mention that you can buy other country iTunes accounts for 1RMB (12 cents).

Only thing surprising this week was alibaba (which owns taobao) removing 'iPad2 cases.' One can only Wonder why Apple pulled out its muscle for this and not the fake iTunes accounts that are openly sold
post #9 of 32
Quote:
Originally Posted by hezetation

You can build complex passwords that are easy to remember, see my post on passwords.

If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.

Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.
post #10 of 32
Quote:
Originally Posted by Hellacool

Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.

Doesn't negate my point, actually I mentioned that too. Like I said before, the internet is not a safe place, it is actually a very hostile environment & no one should use it lightly.
post #11 of 32
I advise everyone who has an iTunes account to only use itunes gift cards, and never put your credit card info on your iTunes account.
If you must use iTunes, go out and purchase the $10 gift cards and only activate them when you need to purchase something.
My account was hacked to the tune of $63.
No notification was sent to my email address (which was registered with my itunes account).
The crook was able to change my login, password, email address, and purchase apps outside the US.
The Apple terms expressly forbid US accounts purchases outside the US. (or they did at that time.).
So iTunes security is non-existent. It's a joke. Worst security on the planet.
post #12 of 32
Got to love those thieving asians. Too stupid to develop their own stuff, just steal everything.
Thank god for sweatshops and ocean containers.
post #13 of 32
Quote:
Originally Posted by MacRulez

The article must be wrong, since everyone here knows that security issues only happen on Android.

hello windows users, and jailbreakers
post #14 of 32
Quote:
Originally Posted by hezetation

You can build complex passwords that are easy to remember...

There is a lot to be said for that.

Like this street directions method:

Take5tothe55N&#1exit

(How to get to my office)

You get the idea, no that is not my real password.

Life is too short to drink bad coffee.
post #15 of 32
Quote:
Originally Posted by aaarrrgggh

The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.

and this is a bad thing because .... ??? I have spent several thousands of dollars on iTunes without losing one night's sleep over a hacked iTunes account. I only use gift cards and only keep a low balance (5.68 at this time) while keeping extra cards in my desk. For me, at least, this is the perfect solution to buying anything on the internet.
Apple, bigger than Google, ..... bigger than Microsoft,   The universe is unfolding as it should. Thanks, Apple.
post #16 of 32
Quote:
Originally Posted by hezetation

8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types: numbers, symbols, lower & uppercase letters.

Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.

A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.

Quote:
Originally Posted by MacRulez

The article must be wrong, since everyone here knows that security issues only happen on Android.

This isn't a platform security issue. This is straight social engineering phishing attack exploitation. Every platform is equally vulnerable if a user successfully gets phished.
post #17 of 32
Quote:
Originally Posted by aaarrrgggh

...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.

I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...

The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.


There is no way to eliminate the risk without eliminating all forms of online access. Period. You can make your iTunes password as memorable or as long term crack-safe as you like. And if you are naive enough to get phished, the password security won't matter a whit. Short memorable mixed case and non alphabetic characters will save you from all but the most determined crackers, and those will only target you because they already know what they can get. And they will get it anyway because you will give it to them unwittingly through any of several almost foolproof techniques, none of them being password cracking.

It was reported several months ago that many thousands of account users worldwide responded to a phishing attack. There isn't much Apple or anyone else can do to save you from that. You can change passwords on a time basis, but that has proven to be even less secure overall because then too many users change all their passwords to the same thing, and write it down, and/or get phished again. It's nasty, but stupidity once gets ruthlessly punished by the criminal element that can confirm it happened in the first place.
post #18 of 32
Fastest way to balance the US budget...

Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...

I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thieving bastards.
post #19 of 32
deleted
post #20 of 32
trillion for pirated software, movies, music? you can not ignore that a big portion of buyers of those pirated stuff are from overseas. i am not convinced that piracy rate in china is worse than that in US in terms of money loss.

china moved up their currency exchange rate almost 30% over the past couple of years. can you tell me whether our economy improved 30% over the same period of time?

Quote:
Originally Posted by frankie

Fastest way to balance the US budget...

Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...

I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thieving bastards.
post #21 of 32
Quote:
Originally Posted by Hiro

A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.

Doubt writing down my password on a sticky is going to risk it being stolen by thieves in China. You are wrong about how much it takes to crack a password, that might have been true 5 years ago but as computers get faster & hackers get smarter about how they throw random passwords at a machine.

I totally agree with many posts though that phishing is probably the biggest way accounts get hacked, but not the only way.
post #22 of 32
I just use 'Android' and have spent years carefully cultivating an online persona who would never use that...

...doh!

I guess I'll have to change it now.

PS it won't be "Chrome".
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #23 of 32
Quote:
Originally Posted by res08hao

Got to love those thieving asians. Too stupid to develop their own stuff, just steal everything.
Thank god for sweatshops and ocean containers.

Do not label all Asians as thieves and/or too stupid to develop anything. This is mainly a CHINESE problem. Japanese and Koreans do develop their own IP, and get along better with the West.
post #24 of 32
Quote:
Originally Posted by marokero

Do not label all Asians as thieves and/or too stupid to develop anything. This is mainly a CHINESE problem. Japanese and Koreans do develop their own IP, and get along better with the West.

Koreans and Japanese had the exact same issues when they were just starting to make headway in technology. The only problem with China is that there are a lot more people and they have nearly all the manufacturing in the world there to allow for better copying.

Not sure what countries are "the West" but they do have better relations with the US, partly because US is their defense policy against China and North Korea.

On topic though, I would like to know if they are selling the cards themselves, or just the accounts of people. If it's just the accounts, how can there be a limit on spending (say $100) like on the picture.
--SHEFFmachine out
Da Bears!
post #25 of 32
Quote:
Originally Posted by hezetation

Quote:
Originally Posted by Hiro

A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.

Doubt writing down my password on a sticky is going to risk it being stolen by thieves in China. You are wrong about how much it takes to crack a password, that might have been true 5 years ago but as computers get faster & hackers get smarter about how they throw random passwords at a machine.

You need to study some combinatorics and probability, and sprinkle that with performance measurement. An intelligence agency has the computing power to put real dents in how long it would take, but in a desktop/laptop a good 8 character password crack is still measured with a mean time in years. Petty thieves won't have the patience.

http://www.lockdown.co.uk/?pg=combi#classF

Look up 96 characters (potential per place), 8 characters long. Use ClassE unless you work in an intelligence agency.

As for written passwords on stickies, do you have roommates, friends, coworkers, housekeepers/maintenance personnel? Friends of friends with access to your storage space ever? How secure do you think everyone else is given the above list? You may not have a problem, you think, but might it be possible for a couple of every 100,000 folks using iTunes to insecurely store their passwords and have them compromised and forwarded to an aggregator given the above?

Quote:
I totally agree with many posts though that phishing is probably the biggest way accounts get hacked, but not the only way.

This is the gold standard tactic. Keylogging in botnets is popular too.
post #26 of 32
Erm...these accounts have literally been on sale for years. This is so not news.
post #27 of 32
Quote:
Originally Posted by hezetation

Applerocks (Not strong, only a matter of time before you are hacked)
Apples01 (Ok but not strong)
Apples0001 (Much better but good programmer could create cracker that guesses common words)
@pples0001 (Even better, no common word)
@ppleS0001 (Very strong, uses upper & lowercase, symbol, & numbers)

And if you increased your examples to twelve characters, they would be orders of magnitude stronger, as with each character the number of permutations for a password increases exponentially.

Password length, more than anything else, is what is important.

And "password" is really a poor name - think pass-phrase more than password and you will have a far easier time coming up with something that is of a decent length (I shoot for at least 12 characters on any account with a credit card involved).

http://www.infoworld.com/d/security-...oes-matter-531
http://www.schneier.com/blog/archive...rld_passw.html

And as you can tell from the dates on these articles, this is not a new concept - and yet common misconception about real world password strength persists.

Sigh...
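A small calculator, added here as an illustration and not from any poster in the thread, that puts numbers on the argument running through posts #6, #25 and #27: the brute-force keyspace of the sample passwords from post #6 versus what a wordlist-plus-rules cracker would need, and how much a longer non-dictionary tail changes both. The wordlist size, rule counts and guess rate are assumptions chosen for illustration, not figures from the thread.

```python
"""Keyspace and rough guess-count estimates for the thread's sample passwords."""
import math
import string

# Character classes; 26 + 26 + 10 + 32 = 94 printable ASCII characters,
# close to the "96 characters (potential per place)" figure quoted in post #25.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for a cracking wordlist; real lists hold far more.
WORDLIST = {"apple", "apples", "rocks", "itunes", "password"}
WORDLIST_SIZE = 50_000      # assumed size of the list a cracker would really use
CASE_RULES = 8              # assumed number of case rules (lower, Capitalised, UPPER, toggles)
LEET_RULES = 4              # assumed number of substitution rules (@->a, 0->o, $->s, ...)
GUESSES_PER_SECOND = 1e9    # assumed offline rate against a fast unsalted hash


def classes_used(pw):
    """Names of the character classes that appear in pw, in CLASSES order."""
    return [name for name, chars in CLASSES.items() if any(ch in chars for ch in pw)]


def charset_size(pw):
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def bruteforce_keyspace(pw):
    """Guesses needed to exhaust every string of this length over these classes."""
    return charset_size(pw) ** len(pw)


def undo_leet(pw):
    """Reverse the common symbol/digit-for-letter swaps before a wordlist lookup."""
    return pw.lower().translate(str.maketrans("@4301$5", "aaeolss"))


def pattern_keyspace(pw):
    """Guesses for a cracker trying wordlist words with case and leet rules plus a
    brute-forced tail ('Apples' + '0001').  Falls back to brute force if no word fits."""
    norm = undo_leet(pw)
    for word in sorted(WORDLIST, key=len, reverse=True):
        if norm.startswith(word):
            tail = pw[len(word):]
            tail_space = charset_size(tail) ** len(tail) if tail else 1
            return WORDLIST_SIZE * CASE_RULES * LEET_RULES * tail_space
    return bruteforce_keyspace(pw)


def mean_years(guesses, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the space at the given rate."""
    return guesses / 2 / rate / (365.25 * 24 * 3600)


def report(pw):
    brute, pattern = bruteforce_keyspace(pw), pattern_keyspace(pw)
    return {
        "password": pw,
        "classes": classes_used(pw),
        "bruteforce_bits": math.log2(brute),
        "pattern_bits": math.log2(pattern),
        "years_bruteforce": mean_years(brute),
        "years_pattern": mean_years(pattern),
    }


if __name__ == "__main__":
    # The five examples from post #6, plus a 12-character variant for post #27's point.
    for pw in ["Applerocks", "Apples01", "Apples0001", "@pples0001", "@ppleS0001", "@ppleS0001xy"]:
        r = report(pw)
        print(f"{pw:13} classes={len(r['classes'])} brute=2^{r['bruteforce_bits']:.1f} "
              f"pattern=2^{r['pattern_bits']:.1f}  mean years: "
              f"brute={r['years_bruteforce']:.2e} pattern={r['years_pattern']:.2e}")
```

The brute-force column grows with every added character class, while the pattern-aware column stays flat for all four "Apples" variants, because each is still one wordlist entry plus four digits; only the longer tail in the last row moves it.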
post #28 of 32
Quote:
Originally Posted by hezetation

If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.

No kidding. Anyone who isn't using a password manager like 1Password is a fool and compromise waiting to happen. Especially those who use the same password(s) on more than one site.

Just look at what happened with the Gawker sites - that was pretty public, but companies are hacked all the time. And those are the ones we know about! How many undetected compromises are out there? It's pretty hard to know for sure since they are undetected but if you just look at the way many people view information security (as a bother against something that won't ever happen to me) you can pretty much assume it's happening all the time.

At least that's the safe assumption - and no, I am not a tin-foil-hat wearing conspiracy theorist. For a conspiracy there is necessarily an implication of intelligence to implement it; far too often what we have instead is a combination of apathy and ignorance.

It's an even deadlier combination
post #29 of 32
Quote:
Originally Posted by DocNo42

No kidding. Anyone who isn't using a password manager like 1Password is a fool and compromise waiting to happen. Especially those who use the same password(s) on more than one site.

Just look at what happened with the Gawker sites - that was pretty public, but companies are hacked all the time. And those are the ones we know about! How many undetected compromises are out there? It's pretty hard to know for sure since they are undetected but if you just look at the way many people view information security (as a bother against something that won't ever happen to me) you can pretty much assume it's happening all the time.

At least that's the safe assumption - and no, I am not a tin-foil-hat wearing conspiracy theorist. For a conspiracy there is necessarily an implication of intelligence to implement it; far too often what we have instead is a combination of apathy and ignorance.

It's an even deadlier combination

Every 3 months we should all be forced to recycle our Apple iTunes password and credit card info. Maybe even a secret question part too.
Or Apple should 3rd party all iTunes accounts like a PayPal type deal.
whats in a name ? 
beatles
post #30 of 32
Quote:
Originally Posted by brucep

Every 3 months we should all be forced to recycle our Apple iTunes password and credit card info. Maybe even a secret question part too.
Or Apple should 3rd party all iTunes accounts like a PayPal type deal.

There are several research papers in the past couple years that show this is not the good idea it seems on the surface. Users tend to generate significantly more trivial passwords when forced to change on short intervals, and/or write them down, making the overall system less secure.

Strong pass-phrases with special characters are FAR safer and easier to use, even if used over long periods.
post #31 of 32
They took out my balance of a gift card and charged about $12.

Definitely Chinese, because I got on my iPhone one morning and all my iTunes account stuff was in Chinese.

Apple doesn't refund gift cards, but my bank easily cut the charges off. And I ended up not being able to delete the 3 Beyonce albums from my downloads, so I ended up having to put them on my computer just to delete them. I don't like Beyonce. LOL

I pestered Apple enough, however, that they ended up giving me a $25 gift card (I lost $32 in gift card money). I also removed my credit card from the account and only use gift cards to buy anything now, and I only keep at most about $10 active on the account at any time.
post #32 of 32
Apple profits from these thefts via their cut of the "purchases" or in app purchases.
So Apple facilitates these thefts through their iTunes app store, collected a percentage of the stolen proceeds as commission, and this is legal how?
How is Apple not guilty of illegal money laundering?
Shouldn't they at least be required by law to return these ill-gotten profits?
What's their motivation to fix this problem if they can make money on iTunes gift cards AND the profits from illegal purchases using stolen accounts?