iTunes App Store hit by developer and account fraud


  • Reply 41 of 71
    chris_ca Posts: 2,543 member
    Quote:
    Originally Posted by NOFEER View Post


    HEY APPLE

    why can't we limit the amount spent per period, say $25, week, day, or 100/ month



    so we don't expose our accounts and credit cards



    i'll switch to gift cards it's a hassle, but there may be more out there



    if this already exists, let me know how to set it.



    If you could set a limit, then anyone getting into your iTunes account can change/remove that limit so it would do no good to have a limit.
  • Reply 42 of 71
    djrumpy Posts: 1,116 member
    Quote:
    Originally Posted by solipsism View Post


    But the card still needs to get canceled. Your creditor may have charged Apple since the breach came from their end, but I have a feeling both are well insured and protected in these matters, just as you are.



    Either way, since it looks like your CC data was itself compromised, not just some kid gifting himself some apps, you have to have the card canceled. Do you really want a 3rd-party company to be able to call up your creditor, have your card canceled and have a new one shipped to you in 5-7 business days? I sure don't. That is fraught with potential issues.



    Look into your iTunes account, and you still can't see the whole card number except for the point where you key it in when creating your new iTunes account. Look at it any time after the fact, and you can only see the last 4 digits, even if you go in and 'edit' your information. His card, if his story is even real, was stolen elsewhere.



    Basically, even if someone does 'hack' your iTunes account, they can't find out your credit card number. You are responsible, however, for using a proper password that a typical dictionary attack won't crack so easily.



    If your credit card number is lost or stolen, you don't contact people you've bought goods from, you contact your credit card company and they will immediately flag your account, and typically refund your money. There is no reason or value in contacting a vendor. Your credit card company will handle any reversal of charges.
  • Reply 43 of 71
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by NOFEER View Post


    why can't we limit the amount spent per period, say $25, week, day, or 100/ month



    so we don't expose our accounts and credit cards



    i'll switch to gift cards it's a hassle, but there may be more out there



    if this already exists, let me know how to set it.



    Your choices are either a gift card or iTunes allowance. The gift card can be purchased with cash but the allowance will still be linked to an iTS account with a CC on file. This latter is akin to limiting the amount you spend, your info can still be compromised if their system is cracked.



    There is an inherent and direct correlation between security and convenience. You can't have one without the other. The best you can do is take precautions to limit the chance of risk and to make an issue as inconsequential as possible, but they will always exist.



    With iTS being the largest online music retailer in the world and containing so many CC numbers this will likely not be the last or worst news we'll hear about iTS.
  • Reply 44 of 71
    nofeer Posts: 2,427 member
    Quote:
    Originally Posted by Chris_CA View Post


    If you could set a limit, then anyone getting into your iTunes account can change/remove that limit so it would do no good to have a limit.





    thanks for the insight

    why not have a double entry system like my bank, i must put in my password AND choose the correct picture, if different computer, they ask me security questions



    HEY APPLE make itunes more secure
  • Reply 45 of 71
    firefly7475 Posts: 1,502 member
    Quote:
    Originally Posted by SDW2001 View Post


    Sorry for what happened, but it is clearly a secure downloading app. "Secure" does not mean fraud never happens. iTunes processes millions of transactions.



    No it isn't.



    Secure is a USB key with a rolling access code synchronized to the host.



    Secure is my bank sending me an SMS with an extra access code when I log in.



    Secure could even be selecting my favorite picture from a line-up when I log in.



    A simple username\password is not secure at all.



    I might call it "approaching secure" if they enforced strong password policies and had some sophisticated pattern matching on the host side to detect fraudulent activity.



    As it stands Apple do the absolute minimum they are required to and I doubt they will change anything. Each barrier they erect to improve security is a barrier between your money and their bank account... and make no mistake getting your money is their primary concern.
  • Reply 46 of 71
    rbryanh Posts: 263 member
    Apple can be forgiven for not policing fraud adequately, given the vast resources they dedicate to suppressing porn. Given that their heads explode as the result of exposure, providing children a safe, sexuality-free world must be every company's highest priority.
  • Reply 47 of 71
    Quote:
    Originally Posted by rbryanh View Post


    Apple can be forgiven for not policing fraud adequately, given the vast resources they dedicate to suppressing porn.



    Apparently every bit as effectively:



    http://www.google.com/search?q=porn+on+iphone
  • Reply 48 of 71
    docno42 Posts: 3,755 member
    Quote:
    Originally Posted by Firefly7475 View Post


    A simple username\password is not secure at all.



    Sure it is! If used with session encryption, there is nothing wrong with username/password.



    To remain pedantic, let's flip it around - there is no way to make anything 100% secure either. Security is always about compromise (and just about anything else in life). Finding that middle ground where you achieve a balance between good enough to keep 80% or 90% of the bad out while cleaning up the rest.



    If there weren't so many selfish a$$holes in the world, we wouldn't even have to have these discussions.



    If you really want to rant about security, the credit card companies should be getting the bulk of your ire. What makes more sense - hundreds of thousands, if not millions, of merchants like Apple coming up with their own "secure" transaction functionality, or having four or five major credit card companies solve it for everyone?



    And really, what we are talking about isn't even security - at least not how most people think of security. The actual transactions, I'm sure, are very secure. Session encryption and other controls make the transactions themselves very secure - even the fraudulent ones. What we are really talking about here is authentication - when I present this credit card information, am I really authorized to do so? Here is where a simple username/password starts to really fall down.



    I really like the "Verified by Visa" concept - except their password reset routine is so laughable if you knew just a little bit about someone (stuff that can be found out online all too easily) you can spoof a password reset in the system. So while I'm not thrilled with the current implementation, it's the right idea - it just needs to be cleaned up quite a bit. But at least once Visa does get it right, every merchant that takes Visa and every card holder who has Visa now gets that extra set of authentication. As others have alluded, what is really needed is some sort of PKI or other crypto, with the crypto secret in a way that is easy for the consumer to use. And that's the rub. Right now I have a pretty strong feeling that the costs of such a solution outweigh the overhead of the system as it stands now, with rampant fraud and all. I know a couple of people who work in the credit card industry on this stuff, and while they won't talk about what they do or don't do in detail (for obvious security reasons) I can state that they are smart, none of this is new, and they are constantly evaluating it. It's pretty easy to get jaded and think of a credit card company as this big, dumb abstract construct but at the end of the day CC companies, banks, even the government are made up of people...
  • Reply 49 of 71
    How about the "X cheats" applications?



    You type "Angry Birds" and you get "Angry Bi... Cheats", "Angry B... Walkthrough", "Golden Eggs Revealed-Angry Birds Guide", etc always with similar icons or almost exactly the same icon as the original application. Note that sometimes they type literally "Angry B..." to avoid using the original name and at the same time hide the "cheats/walkthrough/guide" part of the name. Hey Apple! "Angry B..."? really?



    The same happens if you type GTA or many of the most popular games.



    Sounds to me like they are trying to mislead the consumer disguising his guides as the original application.
  • Reply 50 of 71
    stottm Posts: 14 member
    If you experienced fraudulent purchases on your iTunes account, please ask yourself the following questions:



    1. Am I running a secure operating system? (Mac yes, Windows no)

    2. If I am running Windows, do I have up-to-date antivirus?

    3. Do I run regular Windows updates?

    4. Do I have net filtering to keep me from pr0n surfing?



    Fact is, even Win7 security is like Swiss cheese. All it takes is for Microsoft to be a little slow releasing a security update (only once a month on Patch Tuesday). Or for you not to patch your computer and you will get hacked. Once hackers er crackers are in they look for your credit card info.



    Course my wife's credit card was stolen and she now has a Time, People, subscription and a bunch of teeth whitener. We think either an employee at Western Union stole it or a Western Union employee computer running Windows was hacked.



    This is exactly what happened to Google and why they banned Windows on their internal network.



    iTunes is frequently used to vet a credit card by making small purchases before selling it on the black market.
  • Reply 51 of 71
    Seems nobody is picking up the fact these frauds originated from China and with a Vietnamese 'developer' as the subject name in question. No surprises there. You just have yourself to look after and not to rely on others or vendors to look after your interest. It will be stupid to leave everything to technology or expecting people to behave. Nonetheless, I sympathise.
  • Reply 52 of 71
    jfanning Posts: 3,398 member
    Quote:
    Originally Posted by Chris_CA View Post


    Keep in mind CC company gets 2%-3% from the retailer for every single charge (in addition to any interest you pay on your account). This money is used to guarantee payment to the retailer.



    No they don't, a business like Apple will be paying less than 1%
  • Reply 53 of 71
    Quote:
    Originally Posted by hill60 View Post


    It sounds like a pretty dodgy credit card company if they are this forthcoming with their inner workings.



    Either that or you are a full of shit, bandwagon jumper.



    Well they were not willing to reveal it, but I inquired to know if it is Apple who has refunded the money back to my credit card acc or have they done it themselves? So that is what they told me.
  • Reply 54 of 71
    Quote:
    Originally Posted by Chris_CA View Post


    You think Apple is greedy and your CC company is somehow a saint?

    Read your credit card agreement and you will see that you agreed to contact your CC company for all disputes. It is up to them to contact the retailer for any charges you do not agree with.

    Keep in mind CC company gets 2%-3% from the retailer for every single charge (in addition to any interest you pay on your account). This money is used to guarantee payment to the retailer.

    This is why CC cards are so easy to use everywhere. As long as the retailer gets approval for the purchase from the CC company that your card is still valid, they will get paid.



    Oh I never consider CC companies as saints.

    Most of them are pure evil in terms of their fees and what not!



    But when this happened, I did have a concern that my credit card was not hacked per se, but it was the iTunes account, since that is where all the charges stemmed from. And I had read some stories online with other banks and credit cards, where they had trouble getting money refunded, since the fraud occurred on Apple's end. Well, long story short, I am glad my cc was good to give my money back.



    That said, Apple should fix their system. Like give option of paypal like thing - enter your phone number to receive a text message for entering code for any purchase. I feel much safer with that.

    Or any of such measures - limiting the max purchase amount (set this with some secret code to be inserted first for changing it)
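The design argued over in this thread (a per-period spending cap that a stolen password alone cannot raise), as an added example that is not part of any post and not Apple's implementation. The `SpendingGuard` class and its methods are hypothetical names, and the "secret code" is assumed to be a standard time-based one-time code (RFC 6238 TOTP) generated on a separate device.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(now) // step)

class SpendingGuard:
    """Hypothetical per-account spending cap (an assumption, not a real iTunes feature)."""

    def __init__(self, secret: bytes, limit_cents: int, period_s: int = 7 * 86400):
        self.secret = secret          # shared with the user's token, never the password
        self.limit_cents = limit_cents
        self.period_s = period_s
        self.purchases = []           # (timestamp, cents)
        self.last_counter = -1        # highest time step already accepted

    def _verify(self, code: str, now: float, step: int = 30, window: int = 1) -> bool:
        current = int(now) // step
        for counter in range(max(0, current - window), current + window + 1):
            expected = hotp(self.secret, counter).encode()
            # Accept each time step once, so an observed code cannot be replayed.
            if counter > self.last_counter and hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False

    def spent(self, now: float) -> int:
        return sum(c for t, c in self.purchases if now - t < self.period_s)

    def purchase(self, cents: int, now: float) -> bool:
        if self.spent(now) + cents > self.limit_cents:
            return False              # over the cap: refuse, even with a valid password
        self.purchases.append((now, cents))
        return True

    def set_limit(self, new_limit_cents: int, code: str, now: float) -> bool:
        # Changing the cap needs the second factor, not just a logged-in session.
        if not self._verify(code, now):
            return False
        self.limit_cents = new_limit_cents
        return True

def demo():
    secret = b"12345678901234567890"  # constructed sample key (the RFC 6238 test secret)
    guard = SpendingGuard(secret, limit_cents=2500)
    first = guard.purchase(1500, now=59)                     # within the $25 cap
    blocked = guard.purchase(1500, now=60)                   # would exceed the cap
    guessed = guard.set_limit(100000, "000000", now=60)      # no token: change refused
    owner = guard.set_limit(100000, totp(secret, 60), now=60)
    return first, blocked, guessed, owner
```

The cap only holds if the token secret lives somewhere the account password does not unlock, and if resetting the token is at least as hard as guessing a code.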
  • Reply 55 of 71
    blah64 Posts: 993 member
    Quote:
    Originally Posted by hdang221 View Post


    when u open an iTunes acct you're required to give a CC number



    This is not true. You can open an iTunes account with an Apple Gift Card only, no CC at all. The process is not widely advertised, and in fact there was confusion among the Apple store when I asked before buying the gift card. But it IS possible. The worst thing that could happen to me is the loss of $15, which is the most I've ever had in that account.



    I suspect (and hope) more people will consider this non-CC option after this round of fraud. I wish more people took this stuff seriously, and stopped depending on the CC companies to deal with stuff after the fact. If you think the big greedy banks just eat up those costs you're living in a fantasy land. Fraud costs are passed onto the consumers, through higher account fees, lower interest rates, higher merchant fees (which are passed along to us consumers), etc.



    Using CCs and debit cards for every whimsical purchase may be convenient, but each and every time you use these cards adds one more vector for someone to steal your money, your personal information, and in the worst cases, your identity. Before you pull out the tinfoil hat comments, according to the FTC, 8.3 million people were victims of identity theft in 2005 in the U.S. alone. 8.3 million!
  • Reply 56 of 71
    blah64 Posts: 993 member
    Quote:
    Originally Posted by solipsism View Post


    I even have a PO Box specifically so my home address isn't used. Maybe I'm taking it too far.



    Nah, see above. I do all that AND don't use plastic except in emergency or in situations where it cannot (in a practical sense) be avoided, like airline tickets.



    For all you lazy kiddos (not singling out you, solip), try using only cash for a while! It's actually really refreshing. Every purchase you make does not send 2-3% of your purchase to greedy bank coffers, it does not allow merchants and banks to profile your purchasing habits, and just feels less "dirty" in general when you get used to it. And there are some merchants around (like gas stations) where you can get a cash discount. THAT feels great!
  • Reply 57 of 71
    joindup Posts: 80 member
    There certainly seems to be a lot of suspicious apps at the moment, like "visual tips" for $119.99 or "Mos Super Killer" for $114.99. Neither of which seem to do anything. The (c) credit suggests a Chinese author. The developer is listed as "ZZZ" and the Developer Website and Support links go to Google.com.



    http://itunes.apple.com/au/app/mos-k...375499504?mt=8



    Where is the app approval process when you need it?
  • Reply 58 of 71
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Blah64 View Post


    Nah, see above. I do all that AND don't use plastic except in emergency or in situations where it cannot (in a practical sense) be avoided, like airline tickets.



    For all you lazy kiddos (not singling out you, solip), try using only cash for a while! It's actually really refreshing. Every purchase you make does not send 2-3% of your purchase to greedy bank coffers, it does not allow merchants and banks to profile your purchasing habits, and just feels less "dirty" in general when you get used to it. And there are some merchants around (like gas stations) where you can get a cash discount. THAT feels great!



    I don't get hit for that CC charge and I only have cards that pay me back, so I do make sure I use them whenever possible. I also pay them off, at least weekly, so I'm making some money off of them.
  • Reply 59 of 71
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by Blah64 View Post


    Using CCs and debit cards for every whimsical purchase may be convenient, but each and every time you use these cards adds one more vector for someone to steal your money, your personal information, and in the worst cases, your identity. Before you pull out the tinfoil hat comments, according to the FTC, 8.3 million people were victims of identity theft in 2005 in the U.S. alone. 8.3 million!



    But convenience almost always wins so I don't think your ideas will make a dent here. I suppose the best you can hope for is a knowledgeable consumer. Having a separate card for internet, international or other questionable purchases. I try not to use my Debit Card for this reason.



    There is an up side to using a CC. Built in protection from theft, which may be difficult with money orders or gift cards, and reward programs (as mentioned above) but you have to be fiscally responsible because that little carrot is attached to a very big stick.
  • Reply 60 of 71
    sdw2001 Posts: 18,012 member
    Quote:
    Originally Posted by Firefly7475 View Post


    No it isn't.



    Secure is a USB key with a rolling access code synchronized to the host.



    Secure is my bank sending me an SMS with an extra access code when I log in.



    Secure could even be selecting my favorite picture from a line-up when I log in.



    A simple username\password is not secure at all.



    I might call it "approaching secure" if they enforced strong password policies and had some sophisticated pattern matching on the host side to detect fraudulent activity.



    As it stands Apple do the absolute minimum they are required to and I doubt they will change anything. Each barrier they erect to improve security is a barrier between your money and their bank account... and make no mistake getting your money is their primary concern.



    No, those options are "extra" secure. iTunes is secure just based on the amount of fraud compared to how many transactions have happened in total. It's the result that makes it "secure."



    Think about the number of things that you access with just a name and password. Most of your online shopping is like this. I access my bank with just a username and password. It's the de facto standard.



    And do you really want to have to verify an image and/or use a freaking USB key to download some music? It's totally inconvenient. It's annoying enough that I have to reenter my password just to update my apps on my phone.