
iTunes customers facing mysterious account hacks, disappearing gift card money - Page 2

post #41 of 68
Why is it that when a problem appears everyone says Apple is ignoring it just because they don't jump up and scream it out? Whenever has Apple ignored something that affects a mass user experience or security? If there is a problem that is Apple's, or even one users create themselves on a mass scale, I am sure Apple is working on it.
post #42 of 68
Quote:
Originally Posted by ascii View Post

There is a security feature in iTunes that when you try and make a purchase from a device you haven't used before, it forces you to re-enter the security code for your credit card. I have encountered this myself when buying a new iMac.

So I don't know how these hackers are able to buy things, on their devices, with your account. Unless all of the victims are gift card victims?

Indeed. I know this works quite well on iOS devices, but is the same precaution used on desktops?

Also, do gift cards not utilize a CV2 code?
post #43 of 68
Quote:
Originally Posted by zorinlynx View Post

This fraud costs Apple nothing, because all they have to do is reverse the transaction. It's not like a physical product that has value has been lost; they can just mark the account as not having purchased the app and reverse the charge.

So of course they're not going to do much about it, because it costs them almost nothing to work around it and security is a difficult problem to solve.

This is why despite it being annoying, I reset my iTunes password fairly frequently.

It costs them plenty at least in my case, mentioned above. I had many communications with staff, sent evidence to them, more questions to them, questions from me. Long wait times.

In this case, the gift card hacked was the gift card received for the purchase of a MacBook Pro for college from our local Apple store. When the gift card came a week or so later and was entered into my daughter's account, iTunes rejected it for having already been used from a different machine to purchase a zero-dollar app. My daughter's account had not been hacked.
post #44 of 68
Quote:
Originally Posted by SolipsismX View Post

Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.

If iTunes servers have been hacked which I doubt then this could be a problem for adding NFC to the iPhone which i think Apple will tie into their iTS account ecosystem.

PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Account Information, click See All under Purchase History and make sure that all purchases are accurate.

It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.

But, in my case, it was there one day and gone the next.

I imagine the hackers are already working on ways to exploit NFC.
post #45 of 68
Quote:
Originally Posted by Apple ][ View Post

In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.

I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.

The problem is that many people have hundreds of accounts for various things. Having unique passwords (and remembering them!) for hundreds of accounts is impractical.

You really need either a password service (which puts you at someone else's mercy). Ultimately, the problem will go away if biometrics ever becomes standard. We used to have a computer with a fingerprint scanner. If that was used routinely, the problem of creating passwords would go away.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #46 of 68
Quote:
Originally Posted by Firefly7475 View Post

Not really.
Realistically a hacker isn't going to spend an hour trying to brute-force crack your password hash (remember they probably have thousands or millions if they stole a database of usernames and passwords) which means 8 characters is pretty safe.

Anything above 10 characters is definitely going to protect you.

Does Apple implement a try-limit for passwords? Like, enter 5 erroneous passwords and it blocks the account?

I really don't know how brute-force password discovery works, but I don't think it's like we see in movies: a series of numbers rolls up on a display and, one by one, the password's characters are cracked. I think the cracking software must start with, say, a whole 4-char password, then another 4-char password, then another, until all 4-char passwords are spent, then go for a whole 5-char password, and another, until finally a match is found.

That kind of behavior is easily detectable. Probably a 4-char password is good enough, if try-limit for passwords is implemented.

Just for the record, I agree with you that the scenario you described for "Jill's Bolt Emporium" is the most likely happening.
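Ungenio's question above is whether a try-limit on the server makes the exhaustive 4-character search he describes pointless. The following is an added example written for this page, not code from the thread, from Apple or from any poster, showing what such a limiter does: it counts consecutive failures per account, refuses further attempts for a lockout window, and treats unknown accounts the same way so a guesser learns nothing about which names exist. The thresholds, the e-mail address `jack@gmail.com` and the plaintext credential store are assumptions made so the block runs stand-alone (a real service would verify against salted hashes); the password is the one Firefly7475 uses in the thread.

```python
# Added example, not code from the thread, from Apple or from any poster: a server-side
# failed-login limiter of the kind Ungenio asks about. Thresholds, account names and the
# plaintext credential store are assumptions chosen for the demonstration.
import hmac
import itertools
import string
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MAX_FAILURES = 5            # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: keep the account locked for 15 minutes


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


class LoginLimiter:
    """Counts consecutive failures per account and refuses attempts while it is locked.

    The caller passes `now` in, so the behaviour is deterministic and testable."""

    def __init__(self, credentials: Dict[str, str]):
        # Plaintext only to keep the example self-contained; a real service stores
        # salted password hashes and verifies against those.
        self._creds = credentials
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self._state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"          # refused without checking the password at all
            st.locked_until = None       # lock expired: start a fresh failure window
            st.failures = 0
        # Unknown users run the same counting and locking path as known ones, so the
        # response does not reveal which account names exist; the comparison is constant-time.
        stored = self._creds.get(user)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
        return "fail"


def four_char_lowercase_guesses() -> Iterable[str]:
    """The exhaustive 4-character search Ungenio describes: 26**4 = 456,976 candidates."""
    for combo in itertools.product(string.ascii_lowercase, repeat=4):
        yield "".join(combo)


def guesses_answered_before_lockout(limiter: LoginLimiter, user: str,
                                    guesses: Iterable[str], rate_per_second: float = 10.0) -> int:
    """Replay guesses at the given rate and return how many received a real ok/fail
    answer before the limiter began refusing them."""
    answered = 0
    for i, guess in enumerate(guesses):
        result = limiter.attempt(user, guess, i / rate_per_second)
        if result == "locked":
            return answered
        answered += 1
        if result == "ok":
            break
    return answered


if __name__ == "__main__":
    limiter = LoginLimiter({"jack@gmail.com": "MyD0G1$Br0wn"})
    n = guesses_answered_before_lockout(limiter, "jack@gmail.com", four_char_lowercase_guesses())
    print(f"{n} of 456976 candidates were evaluated before the account locked")
```

With the lockout in place, the online search is cut off after `MAX_FAILURES` guesses regardless of password length, which is why the real risk in the thread is the offline one: a password reused on a site whose database is stolen, where no server is there to count attempts.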
post #47 of 68
Quote:
Originally Posted by Firefly7475 View Post

Here is how these hacks go down...
  1. Jack signs up for iTunes using jack@gmail.com and the secure password "MyD0G1$Br0wn"
  2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
  3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15-year-old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
  4. "Jill's Bolt Emporium" is completely unaware anything has happened
  5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.
  6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.

This.

Use different passwords, people. If you can't remember them all, get a utility like 1Password to store them safely.
post #48 of 68
Quote:
Originally Posted by waldobushman View Post

Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.

The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.

No. Vendors of gift cards do not have access to your account. Someone got a hold of your daughter's password.
post #49 of 68
Quote:
Originally Posted by Apple ][ View Post

What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.

Have you ever heard of password utilities like 1Password? It'll type it for you or let you copy and paste it.
post #50 of 68
Quote:
Originally Posted by NoodlesNoodlemann View Post

It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.

But, in my case, it was there one day and gone the next.

I imagine the hackers are already working on ways to exploit NFC.

Of course it's not always user error... which my post clearly addresses. I'm inclined to believe that the issue with the iTunes Store GCs is that someone has figured out how the seemingly "random" codes are generated or has used some special device that can capture the alphanumerics from behind the coating on the card.

This bot has been removed from circulation due to a malfunctioning morality chip.
post #51 of 68
Quote:
Originally Posted by Gustav View Post

Have you ever heard of password utilities like 1Password? It'll type it for you or let you copy and paste it.

I use it on my MBP and am thinking about adding it to my phone. As advertised, I use one good long password with upper/lower case and numbers. After reading this thread I might add a special character.
post #52 of 68
Unlikely Apple's iTunes system has been hacked, or hacked and not fixed. 99% chance it's just users being lazy with password security. Nothing Apple can do about ID10T errors.
post #53 of 68
Quote:
Originally Posted by Apple ][ View Post

In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.

I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.

I used to consult for a client where the super James Bond IT people would change passwords every 6 months. Some people would get 2 passwords, one for the Windows domain and one for the financial system.

And these weren't normal IT people who forced you to change a password with, say, 8 characters and some complexity rules. These James Bond wannabes would assign everyone computer-generated random passwords that were very complex. So complex that no one could remember them, and a lot of people just wrote them down and kept them close by.
post #54 of 68
Burned once shame on you. Burned twice shame on me.
I closed down my iTunes account and now only download free stuff on iTunes using an account without a credit card #. That's the safest way.
post #55 of 68
Quote:
Originally Posted by ipen View Post

Burned once shame on you. Burned twice shame on me.
I closed down my iTunes account and now only download free stuff on iTunes using an account without a credit card #. That's the safest way.

post #56 of 68
Curious to finally see I wasn't the only one this has happened to. About a year ago I checked my iTunes account information, which I routinely do, and noticed that my credit card information on file with iTunes had been changed to an address in Texas (I live in Arizona). I called Apple and they were perplexed as to how this could've happened but were helpful in removing all information related to that credit card from iTunes. There were no bogus charges posted subsequently to that credit card account.

Then last August I received an email from Apple thanking me for my recent iTunes purchases of $15.94. The purchase had been made by someone in SE Asia using the credit balance in my iTunes account. I emailed Apple (iTunes had stopped telephone support by then) a frantic message that my iTunes account had been hacked. To Apple's credit they addressed the problem right away and credited my iTunes account the next day. They also emailed me the usual bs to change my password, etc. I haven't had any problem with iTunes since. But on a humorous note, the purchase made by the "hacker" in Asia still shows on my purchase history in iTunes.

So there are security issues on several different levels in iTunes: unsecured credit card information and the ability to hack into and purchase stuff from iTunes using an existing balance in an iTunes account. You can never be too careful, I guess.
post #57 of 68
Edited
post #58 of 68
What timing - this just happened to me yesterday. Someone spent $65 of my iTunes credits in Kingdom Conquest, which I've never downloaded. Apple is crediting me the money so I won't complain, but here is what I found borderline-offensive:
- I received an email from Apple stating that my Apple ID had been used to make a purchase in KC from a computer or device that had not previously been associated with my account. To my knowledge it still isn't associated with my account, so why did Apple let the purchase occur?
- I notified them of the fraudulent purchases immediately and provided the order numbers from my account history. After 24 hours the response back was that they would credit me a refund but then tacked on, "The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final." Huh?! Reimbursing me after you've let someone access my account from a device which is not associated with my account is an 'exception to the terms and conditions'??
post #59 of 68
I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.
post #60 of 68
Quote:
Originally Posted by SixnaHalfFeet View Post

I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.

I'm on a Mac. My password was hacked either because it was used for another site, or by brute force. I don't think any of these hacks depend on locally installed malware.
post #61 of 68
Quote:
Originally Posted by SixnaHalfFeet View Post

I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.

I use a MBP. Change my passwords every 6 months or so. Maybe I should look into 1Password.
post #62 of 68
Quote:
Originally Posted by triggs View Post

- I notified them of the fraudulent purchases immediately and provided the order numbers from my account history. After 24 hours the response back was that they would credit me a refund but then tacked on, "The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final." Huh?! Reimbursing me after you've let someone access my account from a device which is not associated with my account is an 'exception to the terms and conditions'??

Yeah. I did the same thing and got the same BS reply. Told them they should figure out what they did wrong before accusing the customer. Gotta wonder if/when this will stop.
post #63 of 68
Quote:
Originally Posted by conundrumz View Post

I use a MBP. Change my passwords every 6 months or so. Maybe I should look into 1Password.

I would definitely invest in 1Password.

Changing your password is only useful if it's compromised. Even if you changed it once a month, if you'd used it on a compromised machine, or changed many passwords to the same thing and used it on a compromised server, the damage is done.

The beauty of 1Password is that you will have unique passwords that will be virtually unhackable with brute force. You can even take it a step further by storing non-true answers to secret questions in 1Password so that even a password reset is more secure.

The next step after that is storing personal information in 1Password so they aren't sitting in your Documents folder on your Mac. Of course, you can do all this without 1Password with an Encrypted DMG you create from Disk Utility but it does make it more pleasant and easier to stay secure.

I won't lie to you, there will be some growing pains switching your passwords and updating everything but I'm sure you'll appreciate it afterwards, especially when it automatically syncs to Dropbox and to the iOS client apps.

This bot has been removed from circulation due to a malfunctioning morality chip.
post #64 of 68
Quote:
Originally Posted by ipen View Post

I closed down my iTunes account

Not really. You just quit using it.
Quote:
and now only download free stuff on iTunes using an account without a credit card #. That's the safest way.

Why not simply change your password and security question and remove CC info? Add it back for a purchase, then immediately remove it, or use gift cards.
I don't leave my CC # in the account (add if I purchase then immediately remove it) and recommend the same to others.
post #65 of 68
Quote:
Originally Posted by Ungenio View Post

Does Apple implement a try-limit for passwords? Like, enter 5 erroneous passwords and it blocks the account?

I really don't know how brute-force password discovery works, but I don't think it's like we see in movies: a series of numbers rolls up on a display and, one by one, the password's characters are cracked. I think the cracking software must start with, say, a whole 4-char password, then another 4-char password, then another, until all 4-char passwords are spent, then go for a whole 5-char password, and another, until finally a match is found.

That kind of behavior is easily detectable. Probably a 4-char password is good enough, if try-limit for passwords is implemented.

Just for the record, I agree with you that the scenario you described for "Jill's Bolt Emporium" is the most likely happening.

Let's say in my "Jill's Bolt Emporium" example that Jill's son decided to store user details in an encrypted form using their password as the key.

Mr Hacker could still pull back the entire list of usernames and passwords, but he would then need some kind of brute-force utility to individually decrypt each user's details.

This is where brute-force attacks and longer passwords come into play, not directly attacking a website.
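Firefly7475's "Jill's Bolt Emporium" stored passwords in the clear in post #47 and, in the variant above, encrypted them with the user's own password as the key; in both cases a database dump hands the attacker something that can be turned back into the iTunes password. The usual defence is to store only a salted, deliberately slow hash of each password, so that a dump contains no reusable secret and every stolen record has to be attacked separately. The block below is an added example written for this page, not code from the thread, from Apple or from 1Password; it uses the standard-library `hashlib.pbkdf2_hmac`. The work factor and the second e-mail address `jill@example.com` are assumptions; Jack's address and password are the ones used in the thread.

```python
# Added example, not code from the thread, from Apple or from 1Password: how a site like
# "Jill's Bolt Emporium" should store passwords so that a dumped users table yields no
# working credentials. The iteration count and the second e-mail address are assumptions.
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; tune so one check costs ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get different
    records, so a stolen table cannot be cracked once and the result applied to everyone."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and compare
    in constant time; a malformed or foreign record never verifies."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def build_user_table(users: Dict[str, str],
                     iterations: int = DEFAULT_ITERATIONS) -> Dict[str, str]:
    """What the site's database should hold: e-mail -> record, never the password itself."""
    return {email: hash_password(pw, iterations=iterations) for email, pw in users.items()}


def dump_reveals_password(table: Dict[str, str], password: str) -> bool:
    """True if the stored table contains the password as literal text, which is the
    'stored in the clear' failure from step 3 of the original list."""
    return any(password in record for record in table.values())


if __name__ == "__main__":
    # Jack's password is the one from the thread; the second user is constructed.
    table = build_user_table({"jack@gmail.com": "MyD0G1$Br0wn",
                              "jill@example.com": "MyD0G1$Br0wn"})
    print("same password, different records:",
          table["jack@gmail.com"] != table["jill@example.com"])
    print("login with the right password:", verify_password(table["jack@gmail.com"], "MyD0G1$Br0wn"))
    print("dump shows the password in clear text:", dump_reveals_password(table, "MyD0G1$Br0wn"))
```

Because the iteration count travels with each record, the site can raise the work factor later and re-hash users as they log in, and because the salt is per user, Firefly7475's point stands in a stronger form: a longer password now costs the attacker more for every single record in the dump, not just once.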
post #66 of 68
Quote:
Originally Posted by Firefly7475 View Post

Let's say in my "Jill's Bolt Emporium" example that Jill's son decided to store user details in an encrypted form using their password as the key.

Mr Hacker could still pull back the entire list of usernames and passwords, but he would then need some kind of brute-force utility to individually decrypt each user's details.

This is where brute-force attacks and longer passwords come into play, not directly attacking a website.

Oops, and I thought I was clever with passwords! Thanks Firefly, I actually have a method to beat prying eyes, and I think also covers hackers:

I have different passwords for all my accounts. The passwords are names of people I know, and to trim and obfuscate them (the passwords, not the people) I remove vowels and replace specific letters with numbers. I store accounts and passwords in Simplenote, so they are easily available to me anytime (Simplenote's password is the only one I have to learn).

But I don't store the passwords per se. I store a mental association to the name. Like nicknames, but also names I assign to people that, in my own mind, look like some of the X-Men. Yes, I have fun with that: I loved the Darkchilde, and fought Magneto!!

A hacker can't break my iTunes account using passwords of my other accounts. And he can not use the mnemonics on my Simplenote account. Sure, sometimes I have to use Simplenote to break into my own passwords... but since they are basically known names, the ones I use most are easily remembered.

Concerning brute force, since I believe every try has to be a communication to the server, try-limits are a reasonable solution.
post #67 of 68
I thought of a new password scheme which might be more secure. Similar to how the bank shows you a picture that you recognize before you log in, my idea also uses a picture.

Instead of using text input passwords you need to click on the picture in a systematic way. Let's say it is a picture of your car. You would click on the front wheel hub, then the tip of the antenna, then the rearview mirror, or an oil stain on the pavement. Of course that wouldn't work if you were blind but in that case you would indicate that you were blind or physically challenged when you signed up for the account and would be using a traditional login form. Otherwise you wouldn't have a text password at all. If you forgot it they would email a temporary login like usual.

Many Internet sites that require accounts do not have very secure databases. Unless it is a big name company that has telephone support, I would be cautious of letting them store my credit card.

Life is too short to drink bad coffee.
post #68 of 68
Good job summing up this long running story. Threatpost has reported on this very same phenomenon on multiple occasions in the last six months, and has run into the same wall of silence/PR talk from AAPL. Some related stories here:
http://threatpost.com/en_us/blogs/it...t-hacks-030111
and here: http://threatpost.com/en_us/blogs/ga...e-fraud-031011

I even asked the Massachusetts AG, Martha Coakley, if she'd investigate after her credit card number was used to make bogus purchases through a compromised iTunes account. (Read here: http://threatpost.com/en_us/blogs/at...s-fraud-101711).

Paul.