But the card still needs to get canceled. Your creditor may have charged Apple since the breach came from their end, but I have a feeling both are well insured and protected in these matters, just as you are.
Either way, since it looks like your CC data was itself compromised, not just some kid gifting himself some apps, you have to have the card canceled. Do you really want a 3rd-party company to be able to call up your creditor, close your card and have a new one shipped to you in 5-7 business days? I sure don't. That is fraught with potential issues.
Look into your iTunes account, and you still can't see the whole card number except for the point where you key it in when creating your new iTunes account. Look at it any time after the fact, and you can only see the last 4 digits, even if you go in and 'edit' your information. His card, if his story is even real, was stolen elsewhere.
Basically, even if someone does 'hack' your iTunes account, they can't find out your credit card number. You are responsible, however, for using a proper password that a typical dictionary attack won't crack so easily.
If your credit card number is lost or stolen, you don't contact people you've bought goods from, you contact your credit card company and they will immediately flag your account, and typically refund your money. There is no reason or value in contacting a vendor. Your credit card company will handle any reversal of charges.
why can't we limit the amount spent per period, say $25, week, day, or 100/ month
so we don't expose our accounts and credit cards
I'll switch to gift cards; it's a hassle, but there may be more out there
if this already exists, let me know how to set it.
Your choices are either a gift card or iTunes allowance. The gift card can be purchased with cash but the allowance will still be linked to an iTS account with a CC on file. This latter is akin to limiting the amount you spend, your info can still be compromised if their system is cracked.
There is an inherent and direct correlation between security and convenience. You can't have one without the other. The best you can do is take precautions to limit the chance of risk and to make an issue as inconsequential as possible, but they will always exist.
With iTS being the largest online music retailer in the world and containing so many CC numbers this will likely not be the last or worst news we'll hear about iTS.
If you could set a limit, then anyone getting into your iTunes account can change/remove that limit so it would do no good to have a limit.
thanks for the insight
why not have a double entry system like my bank, i must put in my password AND choose the correct picture, if different computer, they ask me security questions
Sorry for what happened, but it is clearly a secure downloading app. "Secure" does not mean fraud never happens. iTunes processes millions of transactions.
No it isn't.
Secure is a USB key with a rolling access code synchronized to the host.
Secure is my bank sending me an SMS with an extra access code when I log in.
Secure could even be selecting my favorite picture from a line-up when I log in.
A simple username\password is not secure at all.
I might call it "approaching secure" if they enforced strong password policies and had some sophisticated pattern matching on the host side to detect fraudulent activity.
As it stands Apple do the absolute minimum they are required to and I doubt they will change anything. Each barrier they erect to improve security is a barrier between your money and their bank account... and make no mistake getting your money is their primary concern.
Apple can be forgiven for not policing fraud adequately, given the vast resources they dedicate to suppressing porn. Given that their heads explode as the result of exposure, providing children a safe, sexuality-free world must be every company's highest priority.
Sure it is! If used with session encryption, there is nothing wrong with username/password.
To remain pedantic, let's flip it around - there is no way to make anything 100% secure either. Security is always about compromise (and just about anything else in life). Finding that middle ground where you achieve a balance between good enough to keep 80% or 90% of the bad out while cleaning up the rest.
If there weren't so many selfish a$$holes in the world, we wouldn't even have to have these discussions.
If you really want to rant about security, the credit card companies should be getting the bulk of your ire. What makes more sense - hundreds of thousands, if not millions, of merchants like Apple coming up with their own "secure" transaction functionality, or having four or five major credit card companies solve it for everyone?
And really, what we are talking about isn't even security - at least not how most people think of security. The actual transactions, I'm sure, are very secure. Session encryption and other controls make the transactions themselves very secure - even the fraudulent ones. What we are really talking about here is authentication - when I present this credit card information, am I really authorized to do so? Here is where a simple username/password starts to really fall down.
I really like the "Verified by Visa" concept - except their password reset routine is so laughable if you knew just a little bit about someone (stuff that can be found out online all too easily) you can spoof a password reset in the system. So while I'm not thrilled with the current implementation, it's the right idea - it just needs to be cleaned up quite a bit. But at least once Visa does get it right, every merchant that takes Visa and every card holder who has Visa now gets that extra set of authentication. As others have alluded, what is really needed is some sort of PKI or other crypto, with the crypto secret in a way that is easy for the consumer to use. And that's the rub. Right now I have a pretty strong feeling that the costs of such a solution outweigh the overhead of the system as it stands now, with rampant fraud and all. I know a couple of people who work in the credit card industry on this stuff, and while they won't talk about what they do or don't do in detail (for obvious security reasons) I can state that they are smart, none of this is new, and they are constantly evaluating it. It's pretty easy to get jaded and think of a credit card company as this big, dumb abstract construct but at the end of the day CC companies, banks, even the government are made up of people...
You type "Angry Birds" and you get "Angry Bi... Cheats", "Angry B... Walkthrough", "Golden Eggs Revealed-Angry Birds Guide", etc always with similar icons or almost exactly the same icon as the original application. Note that sometimes they type literally "Angry B..." to avoid using the original name and at the same time hide the "cheats/walkthrough/guide" part of the name. Hey Apple! "Angry B..."? really?
The same happens if you type GTA or many of the most popular games.
Sounds to me like they are trying to mislead the consumer disguising his guides as the original application.
If you experienced fraudulent purchases on your iTunes account, please ask yourself the following questions:
1. Am I running a secure operating system? (Mac yes, Windows no)
2. If I am running Windows, do I have up-to-date antivirus?
3. Do I run regular Windows updates?
4. Do I have net filtering to keep me from pr0n surfing?
Fact is, even Win7 security is like Swiss cheese. All it takes is for Microsoft to be a little slow releasing a security update (only once a month, on Patch Tuesday). Or for you not to patch your computer and you will get hacked. Once hackers, er, crackers are in they look for your credit card info.
Course my wife's credit card was stolen and she now has a Time, People, subscription and a bunch of teeth whitener. We think either an employee at Western Union stole it or a Western Union employee computer running Windows was hacked.
This is exactly what happened to Google and why they banned Windows on their internal network.
iTunes is frequently used to vet a credit card by making small purchases before selling it on the black market.
Seems nobody is picking up the fact these frauds originated from China and with a Vietnamese 'developer' as the subject name in question. No surprises there. You just have yourself to look after and not to rely on others or vendors to look after your interest. It will be stupid to leave everything to technology or expecting people to behave. Nonetheless, I sympathise.
Keep in mind CC company gets 2%-3% from the retailer for every single charge (in addition to any interest you pay on your account). This money is used to guarantee payment to the retailer.
No they don't, a business like Apple will be paying less than 1%
It sounds like a pretty dodgy credit card company if they are this forthcoming with their inner workings.
Either that or you are a full-of-shit bandwagon jumper.
Well they were not willing to reveal it, but I inquired to know if it is Apple who has refunded the money back to my credit card acc or have they done it themselves? So that is what they told me.
You think Apple is greedy and your CC company is somehow a saint?
Read your credit card agreement and you will see that you agreed to contact your CC company for all disputes. It is up to them to contact the retailer for any charges you do not agree with.
Keep in mind CC company gets 2%-3% from the retailer for every single charge (in addition to any interest you pay on your account). This money is used to guarantee payment to the retailer.
This is why CC cards are so easy to use everywhere. As long as the retailer gets approval for the purchase from the CC company that your card is still valid, they will get paid.
Oh I never consider CC companies as saints.
Most of them are pure evil in terms of their fees and what not!
But when this happened, I did have a concern that my credit card was not hacked per se, but it was the iTunes account, since that is where all the charges stemmed from. And I had read some stories online with other banks and credit cards, where they had trouble getting money refunded, since the fraud occurred on Apple's end. Well, long story short, I am glad my cc was good to give my money back.
That said, Apple should fix their system. Like give option of paypal like thing - enter your phone number to receive a text message for entering code for any purchase. I feel much safer with that.
Or any of such measures - limiting the max purchase amount (set this with some secret code to be inserted first for changing it)
when u open an iTunes acct you're required to give a CC number
This is not true. You can open an iTunes account with an Apple Gift Card only, no CC at all. The process is not widely advertised, and in fact there was confusion among the Apple store when I asked before buying the gift card. But it IS possible. The worst thing that could happen to me is the loss of $15, which is the most I've ever had in that account.
I suspect (and hope) more people will consider this non-CC option after this round of fraud. I wish more people took this stuff seriously, and stopped depending on the CC companies to deal with stuff after the fact. If you think the big greedy banks just eat up those costs you're living in a fantasy land. Fraud costs are passed onto the consumers, through higher account fees, lower interest rates, higher merchant fees (which are passed along to us consumers), etc.
Using CCs and debit cards for every whimsical purchase may be convenient, but each and every time you use these cards adds one more vector for someone to steal your money, your personal information, and in the worst cases, your identity. Before you pull out the tinfoil hat comments, according to the FTC, 8.3 million people were victims of identity theft in 2005 in the U.S. alone. 8.3 million!
I even have a PO Box specifically so my home address isn't used. Maybe I'm taking it too far.
Nah, see above. I do all that AND don't use plastic except in emergency or in situations where it cannot (in a practical sense) be avoided, like airline tickets.
For all you lazy kiddos (not singling out you, solip), try using only cash for a while! It's actually really refreshing. Every purchase you make does not send 2-3% of your purchase to greedy bank coffers, it does not allow merchants and banks to profile your purchasing habits, and just feels less "dirty" in general when you get used to it. And there are some merchants around (like gas stations) where you can get a cash discount. THAT feels great!
There certainly seems to be a lot of suspicious apps at the moment, like "visual tips" for $119.99 or "Mos Super Killer" for $114.99. Neither of which seem to do anything. The (c) credit suggests a Chinese author. The developer is listed as "ZZZ" and the Developer Website and Support links go to Google.com.
Nah, see above. I do all that AND don't use plastic except in emergency or in situations where it cannot (in a practical sense) be avoided, like airline tickets.
For all you lazy kiddos (not singling out you, solip), try using only cash for a while! It's actually really refreshing. Every purchase you make does not send 2-3% of your purchase to greedy bank coffers, it does not allow merchants and banks to profile your purchasing habits, and just feels less "dirty" in general when you get used to it. And there are some merchants around (like gas stations) where you can get a cash discount. THAT feels great!
I don't get hit for that CC charge and I only have cards that pay me back, so I do make sure I use them whenever possible. I also pay them off, at least weekly, so I'm making some money off of them.
Using CCs and debit cards for every whimsical purchase may be convenient, but each and every time you use these cards adds one more vector for someone to steal your money, your personal information, and in the worst cases, your identity. Before you pull out the tinfoil hat comments, according to the FTC, 8.3 million people were victims of identity theft in 2005 in the U.S. alone. 8.3 million!
But convenience almost always wins so I don't think your ideas will make a dent here. I suppose the best you can hope for is a knowledgeable consumer. Having a separate card for internet, international or other questionable purchases. I try not to use my Debit Card for this reason.
There is an up side to using a CC. Built in protection from theft, which may be difficult with money orders or gift cards, and reward programs (as mentioned above) but you have to be fiscally responsible because that little carrot is attached to a very big stick.
Secure is a USB key with a rolling access code synchronized to the host.
Secure is my bank sending me an SMS with an extra access code when I log in.
Secure could even be selecting my favorite picture from a line-up when I log in.
A simple username\password is not secure at all.
I might call it "approaching secure" if they enforced strong password policies and had some sophisticated pattern matching on the host side to detect fraudulent activity.
As it stands Apple do the absolute minimum they are required to and I doubt they will change anything. Each barrier they erect to improve security is a barrier between your money and their bank account... and make no mistake getting your money is their primary concern.
No, those options are "extra" secure. iTunes is secure just based on the amount of fraud compared to how many transactions have happened in total. It's the result that makes it "secure."
Think about the number of things that you access with just a name and password. Most of your online shopping is like this. I access my bank with just a username and password. It's the de facto standard.
And do you really want to have to verify an image and/or use a freaking USB key to download some music? It's totally inconvenient. It's annoying enough that I have to reenter my password just to update my apps on my phone.
HEY APPLE make itunes more secure
Apple can be forgiven for not policing fraud adequately, given the vast resources they dedicate to suppressing porn.
Apparently every bit as effectively:
http://www.google.com/search?q=porn+on+iphone
http://itunes.apple.com/au/app/mos-k...375499504?mt=8
Where is the app approval process when you need it?