iTunes customers facing mysterious account hacks, disappearing gift card money

post #1 of 68
Thread Starter 
Scattered reports from customers suggest that Apple continues to have a difficult time combating hackers who are draining iTunes account balances and changing account information.

Earlier this week, The Global Mail called attention (via CNet) to an Apple Support Community thread with more than 70 pages of responses dating as far back as Nov. 2010.

According to that thread and others like it, numerous iTunes customers were victims of fraudulent app purchases that drained gift card credits from their accounts. Others reported charges to their PayPal or credit card accounts and changes to their account information.

Given that the issue has persisted intermittently for over a year, some customers have begun to speculate that Apple has kept the problem under wraps despite not having fully resolved it. "It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it," forum user "glight" wrote.

When contacted by the publication, Apple responded with a generic statement assuring the security of its ecommerce transactions.

"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the company said.

Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked. In 2009, iTunes gift vouchers surfaced on Chinese websites for pennies on the dollar after hackers allegedly discovered a way to generate codes.

Another method has been described on forums as early as 2010. Sellers on TaoBao, the Chinese equivalent of eBay, have in the past offered a service that temporarily hijacked legitimate users' account to allow buyers to download batches of apps until eventually being locked out. The sellers would allegedly monitor compromised accounts and then change their information to a dummy address upon finding a customer.

Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.


"Kingdom Conquest" has attracted negative reviews as customers report being the victim of fraudulent purchases or hijacked accounts.


Ty Miller, chief technology officer at security firm Pure Hacking, speculated that Apple has decided that refunding fraudulent transactions is more cost effective than fixing the system.

"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix then they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller said.

post #2 of 68
Quote:
Originally Posted by AppleInsider View Post

Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.

You scared me there for a moment! The name "Kingdom Conquest" sounded real familiar to me and I remember buying a game recently which I've been playing a bit and I just quickly checked it on my iPad and the game which I'd been playing is called "Kingdom Rush", which happens to be a pretty good Tower Defense game.

Phew. I dealt with some telephone scammers a while ago, and even had the FBI involved. I don't need to be dealing with any app scammers too.

These people need to be behind bars and molested at least four times a week. That'll teach them not to scam people.
post #3 of 68
Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.

If iTunes servers have been hacked — which I doubt — then this could be a problem for adding NFC to the iPhone, which I think Apple will tie into their iTS account ecosystem.

PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Account Information, click See All under Purchase History and make sure that all purchases are accurate.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow
post #4 of 68
Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.

The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.
post #5 of 68
Quote:
Originally Posted by SolipsismX View Post

Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.

This seems to be more about compromised gift cards than hacked personal passwords and the like. Luckily for me, I've never used or purchased any Apple gift card, and I don't plan on doing it in the future either.
post #6 of 68
Quote:
Originally Posted by SolipsismX View Post

they are not responsible for blatant user error.

That's a cop out.

It's Apple's responsibility to ensure it is easy for its users to secure their accounts.

For example I should be able to limit my account to authenticated devices and/or use a two-step logon process with iMessage on my iPhone.
post #7 of 68
This fraud costs Apple nothing, because all they have to do is reverse the transaction. It's not like a physical product that has value has been lost; they can just mark the account as not having purchased the app and reverse the charge.

So of course they're not going to do much about it, because it costs them almost nothing to work around it and security is a difficult problem to solve.

This is why despite it being annoying, I reset my iTunes password fairly frequently.
post #8 of 68
Quote:
Originally Posted by zorinlynx View Post

This is why despite it being annoying, I reset my iTunes password fairly frequently.

I found out that it can be max 32 characters and it's wise to use both uppercase and lowercase letters combined with numerical numbers and even throw in a special character or two for added protection.
post #9 of 68
Quote:
Originally Posted by Apple ][ View Post

I found out that it can be max 32 characters and it's wise to use both uppercase and lowercase letters combined with numerical numbers and even throw in a special character or two for added protection.

Lucky me, I got my iCloud password in before they set those restrictions. Hate capital letters.

Granted, there's still a maximum length problem and that cuts off my password, so I just have to remember when to stop.
post #10 of 68
Quote:
Originally Posted by Tallest Skil View Post

Granted, there's still a maximum length problem and that cuts off my password, so I just have to remember when to stop.

What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.
post #11 of 68
Quote:
Originally Posted by waldobushman View Post

The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.

One target may be Target (yeah, yeah). I've seen yet-to-be-activated iTunes Gift Cards available on eBay, but those were the Beatles ones (somewhat a collector's item). If they leak out that way, who knows what else can happen.

Speaking of accounts, we run completely on gift cards in my household. Allows me to get a 5 percent discount by buying them at Target when using my Target Visa card (plus an additional 5 percent when I fill enough prescriptions).
post #12 of 68
I just checked and my $3.53 balance is safe and sound.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #13 of 68
Quote:
Originally Posted by Apple ][ View Post

This seems to be more about compromised gift cards than hacked personal passwords and the like. Luckily for me, I've never used or purchased any Apple gift card, and I don't plan on doing it in the future either.

The problem wouldn't be with Gift Cards... it's just that it is easier to get Gift Card funds.

If someone drains a Gift Card account Apple reimburses the customer and keeps the hack quiet... everyone wins! If someone charges a credit card or Pay Pal account their card issuer becomes involved as well as the authorities.

Here is how these hacks go down...
  1. Jack signs up for iTunes using jack@gmail.com and the secure password "MyD0G1$Br0wn"
  2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
  3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
  4. "Jill's Bolt Emporium" is completely unaware anything has happened
  5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.
  6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.



EDIT:

I use a three tier password system. It's the best combination of usability and security.

Tier 1: Critical services
These require the top level of security and all have unique passwords. Included are the two banks I use, PayPal and Last Pass.

Tier 2: Trusted services
The services I trust will protect my information. These have similar or the same passwords. Included are anything from Apple, Google, Microsoft or Facebook.

Tier 3: Untrusted services
Basically everything else. These use randomly generated passwords that are stored in Last Pass. I can't remember any of these, so I need to look up the password in Last Pass before I can log on.
post #14 of 68
Quote:
Originally Posted by Apple ][ View Post

What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.

*shrug* It's safe. I wish more places allowed spaces in their passwords; then it'd be safer.
post #15 of 68
Double post
post #16 of 68
Quote:
Originally Posted by Firefly7475 View Post


Here is how these hacks go down...
  1. Jack signs up for iTunes using jack@gmail.com and the secure password "MyD0G1$Br0wn"
  2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
  3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
  4. "Jill's Bolt Emporium" is completely unaware anything has happened
  5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.
  6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.

In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.

I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
post #17 of 68
Quote:
Originally Posted by Apple ][ View Post

In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts.

The trouble is you're describing 99% of people who use computers. Even I use the same or similar passwords across "trusted" services.

Telling people to use a different password across every account is unrealistic when people have 50 different account passwords they need to remember.

There are better ways to handle security other than a simple username/password combination and it's Apple's responsibility to implement these measures on iTunes accounts.
post #18 of 68
I sometimes wonder if the simple keyboard on the iPad causes people to choose simple passwords. To get to the odd kind of characters that defeat brute force attacks you have to jump to a second keyboard, and then a third.
post #19 of 68
Quote:
Originally Posted by Firefly7475 View Post

  2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
  3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear

That is more likely what is happening than an actual server hack. After all if it was the server it wouldn't likely be such scant occurrences all the time.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)
post #20 of 68
Last month, I saw an unfamiliar iTunes charge of $30-something dollars on my credit card statement. When I checked my purchase history on my iTunes account, the charge was not there.

According to Apple, my credit card number was used to open another account and make purchases. They said they've since shut down that account.

I think I may be one of the customers who've suffered the effects of these Chinese iTunes account hijackers.
post #21 of 68
Quote:
Originally Posted by Apple ][ View Post

I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.

Yep and then she uses "My cat's name" as her security question and when you look her up on Facebook there she is with Mr Fluffy and right there is the rest of her birthdate.

Score one for the hacker.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)
post #22 of 68
Quote:
Originally Posted by Firefly7475 View Post


There are better ways to handle security other than a simple username/password combination and it's Apple's responsibility to implement these measures on iTunes accounts.

What did you have in mind? Hopefully not facial recognition, because that seems like a pretty big fail, at least on Android. People were using a photo to log in and it accepted the photo. That seemed more like a novelty than anything that was designed for security.

For one of my bank accounts, they gave me a small hardware dongle, and when I log in, I have to authenticate using digits from that dongle, which changes every time. I feel like that account is safer than my other bank account which just uses a regular password log in.
post #23 of 68
Quote:
Originally Posted by Tallest Skil View Post

*shrug* It's safe. I wish more places allowed spaces in their passwords; then it'd be safer.

Not really.

See my post above.

Drive-by hackers are just picking the low hanging fruit. Very few of their hacks are based on sophisticated brute force attacks.

If your password contains uppercase letters, lowercase letters, numbers and special characters, the time to brute force is around:
  • 8 characters: About 1 hour
  • 10 characters: 920 hours (38 days)
  • 16 characters: 63 billion hours (about 91,000 lifetimes)
  • 32 characters: ... Many many trillions of times longer than the lifetime of the universe.

Realistically a hacker isn't going to spend an hour trying to brute-force crack your password hash (remember they probably have thousands or millions if they stole a database of usernames and passwords) which means 8 characters is pretty safe.

Anything above 10 characters is definitely going to protect you.
post #24 of 68
There is a security feature in iTunes that when you try and make a purchase from a device you haven't used before, it forces you to re-enter the security code for your credit card. I have encountered this myself when buying a new iMac.

So I don't know how these hackers are able to buy things, on their devices, with your account. Unless all of the victims are gift card victims?
post #25 of 68
Quote:
Originally Posted by charlituna View Post

Yep and then she uses "My cat's name" as her security question and when you look her up on Facebook there she is with Mr Fluffy and right there is the rest of her birthdate.

Score one for the hacker.

Exactly.
post #26 of 68
Quote:
Originally Posted by charlituna View Post

That is more likely what is happening than an actual server hack. After all if it was the server it wouldn't likely be such scant occurrences all the time.

Yup. This is how basically all "random" hacks occur these days.

If a hacker is targeting a specific person it's a different story of course.
post #27 of 68
Quote:
Originally Posted by Apple ][ View Post

What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.

I used to use "I wish I wish I was a fish 24 times" just as my Time Capsule's wireless network password.

Try brute force cracking that, you hacker bastards.

And on the off chance that they did, they would have been rewarded with my movie collection only.
The recent false claim that iCloud was hacked has shaken my ability to trust those people who would steal my photos and post them online without my permission...
post #28 of 68
Quote:
Originally Posted by Firefly7475 View Post

The problem wouldn't be with Gift Cards... it's just that it is easier to get Gift Card funds.

If someone drains a Gift Card account Apple reimburses the customer and keeps the hack quiet... everyone wins! If someone charges a credit card or Pay Pal account their card issuer becomes involved as well as the authorities.

Here is how these hacks go down...
  1. Jack signs up for iTunes using jack@gmail.com and the secure password "MyD0G1$Br0wn"
  2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
  3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
  4. "Jill's Bolt Emporium" is completely unaware anything has happened
  5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.
  6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.



EDIT:

I use a three tier password system. It's the best combination of usability and security.

Tier 1: Critical services
These require the top level of security and all have unique passwords. Included are the two banks I use, PayPal and Last Pass.

Tier 2: Trusted services
The services I trust will protect my information. These have similar or the same passwords. Included are anything from Apple, Google, Microsoft or Facebook.

Tier 3: Untrusted services
Basically everything else. These use randomly generated passwords that are stored in Last Pass. I can't remember any of these, so I need to look up the password in Last Pass before I can log on.

That's interesting.

I came up with the exact same system myself.
The recent false claim that iCloud was hacked has shaken my ability to trust those people who would steal my photos and post them online without my permission...
post #29 of 68
Quote:
Originally Posted by charlituna View Post

Yep and then she uses "My cat's name" as her security question and when you look her up on Facebook there she is with Mr Fluffy and right there is the rest of her birthdate.

Score one for the hacker.

Now I use 1Password with random words for the secret question but before I had the option to store and back up an infinite number of random passwords I had memorized a series of answers that were different from the standard questions being asked. I would also never use my birthday, but always make sure I picked a date that was at least 18yo.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow
post #30 of 68
Quote:
Originally Posted by Firefly7475 View Post

That's a cop out.

It's Apple's responsibility to ensure it is easy for its users to secure their accounts.

For example I should be able to limit my account to authenticated devices and/or use a two-step logon process with iMessage on my iPhone.

It's a cop out to suggest that users shouldn't care about having secure passwords that can be easily hacked because it's everyone else's responsibility. By saying it's a cop out you are suggesting that it's Apple's responsibility to keep the user from writing their password down in clear text in a text file, or writing it down on paper next to their computer.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow
post #31 of 68
They could simply not let users choose their password. It just tells you "your password is this."
post #32 of 68
Quote:
Originally Posted by GTR View Post

That's interesting.

I came up with the exact same system myself.

Great minds...

Realistically the "trusted services" group could contain a lot more sites, basically any site that isn't storing my details in the clear.

I wish there was a third party security agency that gave a website their "tick of approval" if the proper security measures were in place.
post #33 of 68
Quote:
Originally Posted by SolipsismX View Post

It's a cop out to suggest that users shouldn't care about having secure passwords that can be easily hacked because it's everyone's else responsibility.

It is beyond a typical user's knowledge and ability to ensure their account is secure.

By simply asking a user to enter an email address and password, Apple have failed to ensure that a user's account is secure.

So yes, it is Apple's responsibility, and just saying that a user should possess the ability to ensure their account is secure and if they don't it's their own fault (when research has shown people clearly don't possess the ability) is a cop out.
post #34 of 68
Surely Apple has it stated in all of their contracts that innocent sellers do not have monetary gain from a fraudulent purchase.

Thus it's hardly a niggle.
post #35 of 68
Passwords

I use this one for generating

https://www.grc.com/passwords.htm

This one for testing:-

https://www.grc.com/haystack.htm
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #36 of 68
I don't understand. If my iTunes account is hacked and the hacker has my password, he still can't purchase anything, as he needs my credit card's CC code, which is only on the credit card and is not saved in the iTunes account, right? So why can these hackers still make purchases on hacked accounts?

my way or the highway...

Macbook Pro i7 13" with intel SSD 320 series and 8GB RAM, iPhone 5, iPad 3 (Retina)
post #37 of 68
I doubt very much that Apple will discuss any of these cases publicly.

If your account has been compromised your first port of call should be to contact Apple immediately and report the incident.

You should then change your iTunes account password to something secure (say a minimum of 10 characters long including capital letters and numbers).

If you are running on Windows you want to ensure your system is secure by downloading SuperAntiSpyware (superantispyware.com) along with Malwarebytes (malwarebytes.org). Run SuperAntiSpyware and do a full scan, then follow that by running a Malwarebytes quick scan. The combination of these two programs catches the majority of spyware and malware programs.

If someone tries to use your iTunes account on a 'new device' or PC/Mac they are prompted for your security information on top of your username and password, so if they are stealing from you they must also have this information.
post #38 of 68
Quote:
Originally Posted by Apple ][ View Post

This seems to be more about compromised gift cards than hacked personal passwords

Totally agree. Plus standard phishing scams. Surely the first place you look is the developers of the apps that attract the majority of the fraud as it's them who benefit from the sales.
post #39 of 68
As I posted a while back, my iTunes account was hacked shortly after I joined iTunes Match. I think it transpired pretty much according to what Firefly mentioned, or my password was brute force hacked, as it was only 8 alphanumerics (nothing in the dictionary though).

$25 of iTunes store credit was spent on music, all my computers were deauthorized and five unknown machines were authorized, presumably to mine the 22,000 tracks I had available on iTunes Match. Apple quickly (within 2 days) cancelled the new authorizations and wiped my authorizations clean, and refunded my $25.

Now I follow the three tier system, and iTunes is in the top tier, with a password that includes upper and lower case, numerals and special characters.
post #40 of 68
Quote:
Originally Posted by AppleInsider View Post

Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked.

That would only explain a scenario where a purchased gift card doesn't work because someone else has generated and used the code.

I think the account hacks are more likely to come from the fraudulent phishing emails that are being sent out:

http://www.net-security.org/secworld.php?id=9945
http://www.appleinsider.com/articles...customers.html

They are formatted identically to Apple's own ones and Apple actually does ask you to enter your login details in some of them. Apple's genuine ones have correct spelling and URLs that go to Apple's servers but people understandably don't always do a thorough check.

Once you login through any of those links, the phishermen have all the details they need to drain funds from an account, buy apps, change profile info etc. Apple can check if this is the case though by checking logins from different IP addresses using your genuine account details.
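The pattern Firefly7475 lays out in post #13 (a password list stolen from a weaker site replayed against iTunes) and the check suggested at the end of post #40 (looking for logins on a genuine account from unfamiliar IP addresses) can both be expressed as detection logic over a service's login log. The following is an added example, not code from AppleInsider, Apple or any poster; the log format, field names, thresholds and sample lines are constructed assumptions.

```python
"""Detecting credential stuffing in login logs.

Added example for this thread, not code from AppleInsider, Apple or any
poster. The log format (timestamp, source IP, account, OK|FAIL), the field
names and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log: two normal users, then one source address replaying
# a leaked list of email/password pairs. Only the two users who reused their
# password elsewhere (jack, bob) succeed; everything else fails.
SAMPLE_LOG = """\
2012-03-10T08:00:00 198.51.100.10 alice@example.com OK
2012-03-10T08:05:00 198.51.100.22 bob@example.com OK
2012-03-10T08:30:00 198.51.100.10 alice@example.com FAIL
2012-03-10T08:30:20 198.51.100.10 alice@example.com OK
2012-03-10T09:00:01 203.0.113.7 u01@example.com FAIL
2012-03-10T09:00:02 203.0.113.7 u02@example.com FAIL
2012-03-10T09:00:03 203.0.113.7 u03@example.com FAIL
2012-03-10T09:00:04 203.0.113.7 u04@example.com FAIL
2012-03-10T09:00:05 203.0.113.7 jack@example.com OK
2012-03-10T09:00:06 203.0.113.7 u06@example.com FAIL
2012-03-10T09:00:07 203.0.113.7 u07@example.com FAIL
2012-03-10T09:00:08 203.0.113.7 bob@example.com OK
"""

class LoginEvent(NamedTuple):
    ts: str
    ip: str
    account: str
    ok: bool

def parse_log(text: str) -> List[LoginEvent]:
    """Parse lines of '<timestamp> <ip> <account> <OK|FAIL>', oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, ip, account, result = parts
        events.append(LoginEvent(ts, ip, account.lower(), result == "OK"))
    return sorted(events, key=lambda e: e.ts)

def stuffing_sources(events: List[LoginEvent], min_accounts: int = 8,
                     max_success_ratio: float = 0.5) -> Set[str]:
    """Source IPs that tried many distinct accounts with mostly failures:
    a list stolen from another site only matches users who reused it."""
    attempts: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    accounts: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        attempts[e.ip] += 1
        accounts[e.ip].add(e.account)
        if e.ok:
            successes[e.ip] += 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_ratio}

def new_ip_logins(events: List[LoginEvent]) -> Set[Tuple[str, str]]:
    """(account, ip) pairs where a success came from an address the account
    had never succeeded from before. An account with no earlier success has
    no baseline, so this check alone would miss jack in the sample."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    flagged: Set[Tuple[str, str]] = set()
    for e in events:
        if not e.ok:
            continue
        if seen[e.account] and e.ip not in seen[e.account]:
            flagged.add((e.account, e.ip))
        seen[e.account].add(e.ip)
    return flagged

def suspect_logins(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Successful logins worth reviewing, keyed by (account, ip), with the
    reason(s) each was flagged; combining both signals catches jack too."""
    events = parse_log(text)
    bad_ips = stuffing_sources(events)
    new_ips = new_ip_logins(events)
    result: Dict[Tuple[str, str], List[str]] = {}
    for e in events:
        if not e.ok or (e.account, e.ip) in result:
            continue
        reasons = []
        if e.ip in bad_ips:
            reasons.append("source IP tried many accounts, mostly failing")
        if (e.account, e.ip) in new_ips:
            reasons.append("first success from an IP new to this account")
        if reasons:
            result[(e.account, e.ip)] = reasons
    return result
```

Run `suspect_logins(SAMPLE_LOG)` to see that only jack's and bob's logins from 203.0.113.7 are flagged, while alice's failed-then-successful login from her usual address is not.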