App Store fraud allegedly impacting major mobile payment firms in China

Posted:
in General Discussion edited October 11
Two major mobile payments companies in China have asked Apple to help reduce theft on their platforms, where customers' funds are being drained by criminals using stolen Apple IDs connected to their payment accounts for fraudulent App Store purchases.




The Alibaba-owned Alipay and Tencent-owned WeChat Pay have confirmed a number of their customers have been the subject of fraudulent App Store purchases. Alipay has, for the last few days, posted a warning online advising iPhone users of the thefts, and to secure their accounts where possible.

Alibaba's payments firm claims it has contacted Apple "multiple times" over the fraud, reports the Wall Street Journal, requesting the company to find out how they are taking place. Apple advised it was investigating the issue.

Customers have recently complained they received notifications of purchases in the App Store that they did not authorize, according to reports by the state media-controlled China National Radio. Social media posts from affected customers also note the notifications arrive at unusual times of day, and for some users has led to losses worth hundreds of dollars.

The notice by Alipay advised the affected customers included those who owned iPhones and had connected their accounts to other payment systems. Customers are "exposed to the risk of financial loss," until Apple deals with the issue, the notice warned, while also advising the losses could be minimized by lowering how much could be transferred in a transaction without requiring a password to be entered.

It is unknown exactly how the Apple IDs are being acquired by the fraudsters, nor how they are performing the App Store purchases. Alipay and WeChat Pay have to be registered to the Apple ID, potentially along with credit cards and other payment details, in order to perform the transactions.

While WeChat Pay didn't issue a notice to users about the issue, a statement from the company described similar circumstances.

An Apple spokeswoman advised there are instructions on the Apple support website explaining how to protect the Apple ID against fraud, including how to set up two-factor authentication.

WeChat Pay and AliPay are the largest payment services in the country, with approximately 800 million and 700 million users respectively as of the summer. Combined, the two companies handled in the region of $15 trillion in mobile transactions in the country during 2017, with the services used to pay for a vast number of everyday items and bills.

Comments

  • Reply 1 of 6
    zoetmbzoetmb Posts: 2,329member
    While we don't know exactly how this happened and I'm not going to make any claims about being technically sophisticated about how fraud schemes work, I wouldn't be surprised to learn that this happened because Apple doesn't have full control over its servers in China (right?) and they were hacked.   How else would one get someone else's Apple ID?

    This is also a problem because AFAIK, Apple provides no method for deleting, consolidating or changing Apple ID's anywhere.  This has always bugged me.  My Apple ID's have been screwed up for a decade or more, going back to when Apple stopped people from using their old AOL ID's as Apple ID's.   I also had a problem recently where an app would not update, even though the update was listed, because the program was purchased originally with a different Apple ID.   There was no error messaging - it just wouldn't update.   I called Apple Support and we figured out what the issue was, but IMO, if that app was purchased with a different Apple ID, it shouldn't have even displayed, even though that would have been even less helpful.    I also seem to remember getting stuck in loops when I tried to change passwords on Apple ID's. 

    Seems to me Apple has to secure those servers and if this scheme is widespread, assign new Apple ID's to everyone in China or at the very least, force everyone in China to pick a new password for their Apple ID the next time any type of purchase is made in the App Store.   I don't know if Apple Pay is used in China but if it is, wouldn't users be in danger of having fraud on purchases outside the App Store as well?


  • Reply 2 of 6
    foggyhillfoggyhill Posts: 4,758member
    This looks more like people get phished and there is not 2nd factor, once the account is compromised they can probably compromise other accounts to making fixing this hard.

    Phishing efforts on Chinese people are insane, the only spam/scams by phone and text are in chinese.and I live in Canada and I'm not chinese!
  • Reply 3 of 6
    JWSCJWSC Posts: 210member
    Two factor authentication.  Enough said.
  • Reply 4 of 6
    jcs2305jcs2305 Posts: 504member
    JWSC said:
    Two factor authentication.  Enough said.
    I totally agree..  I used to think it was a PITA when setting up new devices, but after hearing about this type of fraud and itunes credentials being stolen. I definitely feel better with this extra layer of protection and control with my ID and credit cards. 

  • Reply 5 of 6
    macguimacgui Posts: 904member
    zoetmb said:
    While we don't know exactly how this happened and I'm not going to make any claims about being technically sophisticated...  How else would one get someone else's Apple ID? While we don't know exactly how this happened and I'm not going to make any claims about being technically sophisticated...  How else would one get someone else's Apple ID? While we don't know exactly how this happened and I'm not going to makeΩany claims about being technically sophisticated...  How else would one get someone else's Apple ID? While we don't know exactly how this happened and I'm not going to make any claims about being technically sophisticated...

    How else would one get someone else's Apple ID?
    Well, that is the question, isn't it. Without knowing that, it's pretty difficult to draw any meaningful conclusions or solutions.
  • Reply 6 of 6
    Aren't App Store purchases tied to the Apple account?  If so then how is anyone (other then the companies whose software is being purchased) making money from this?  Either we aren't being given enough information or something else is going on.
Sign In or Register to comment.