Hacked Apple iTunes accounts sell in China for pennies on the dollar

Posted in iPod + iTunes + AppleTV, edited January 2014
A Chinese online store is selling hacked, illegal iTunes accounts tied to active credit cards, offering $200 worth of content from Apple's service for as little as $30.



China's Global Times this week revealed that about 50,000 illegal accounts are being sold through taobao.com, with prices ranging from just 1 yuan to about 200 yuan, or $30. Many of the sales are said to be stolen iTunes user accounts being re-sold by hackers.



"Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid," the report said. "The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao."



A reporter for the publication tested the sales by paying $5 to a seller on Taobao. In return, they were provided an iTunes username and password which allowed access to an account complete with credit card details and a U.S. billing address.



Last July, it was revealed that iTunes account holders were being targeted in a number of fraud cases, in which some iOS developers used stolen accounts to boost their sales rankings of iPhone software. Apple quickly made a public response to the matter, suggesting that customers review their iTunes account for unauthorized transactions.







"Developers do not receive any iTunes confidential customer data when an app is downloaded," the company said in a statement. "If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."



In August, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes and store credit card information for purchases. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.

Comments

  • Reply 1 of 31


    deleted

  • Reply 2 of 31
    8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types. Numbers, Symbols, Lower & uppercase letters.



    Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.
  • Reply 3 of 31
    macrulez Posts: 2,455 member
    deleted
  • Reply 4 of 31
    aaarrrgggh Posts: 1,609 member
    Quote:
    Originally Posted by hezetation


    8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types. Numbers, Symbols, Lower & uppercase letters.



    Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.



    ...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.



    I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...



    The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
  • Reply 5 of 31
    Quote:
    Originally Posted by kellya74u


    First, be careful of your security in what links you click on & have (windows) anti-virus & other software security. Also, simply select "no credit card" in your iTunes account, & just buy iTunes cards to redeem when you want to make purchases. I never keep a balance of over $10-20 in my account at any one time. That way, if my account is compromised, the crooks don't make any significant money. If you otherwise suffer a $1000 loss, you may eventually be able to successfully argue with your credit card company & have the charges reversed, but then the card company has to eat the loss. Either way, by selecting the credit card option in your iTunes account, YOU ALONE CHOOSE to provide the opportunity for these thieving ****s to profit & not have to otherwise honestly work for their money. They can only hack your account by tricking YOU into clicking on a bad link or compromising YOUR computer. Don't feed them.



    To my other note, a lot of people don't understand what makes a strong password & there are some pretty weak ones out there. Never use common words, try to use 10 characters or more, mix 4 types of characters. Just a couple of examples (please don't use these).



    Applerocks (Not strong, only a matter of time before you are hacked)

    Apples01 (Ok but not strong)

    Apples0001 (Much better but good programmer could create cracker that guesses common words)

    @pples0001 (Even better, no common word)

    @ppleS0001 (Very strong, uses upper & lowercase, symbol, & numbers)



    Always have a separate password for things like e-mail & web forums than what you use for financial stuff. If you have mobileme I strongly recommend creating an outside e-mail account like gmail that you give to signup pages or friends who you know whose accounts get hacked frequently. You should also create e-mail aliases in mobileme that you can send from so if an alias gets compromised you can just delete it & create a different one. You can't protect against everything 100% but these steps can go a long way. Then of course I second everything kellya74u is saying, especially clicking links in e-mail. Make sure you check automated looking e-mails, check that the name tagged to the sender actually matches the e-mail. Recently got an e-mail from a friend (had their name on it) but the sender address was [email protected]. It had a link with instructions to sign into a site, it was a spam company that then would steal your gmail credentials by tricking you into typing them in & then it would get all your contacts from your account. Don't get click happy!!! Use your brain & practice some skepticism! Never think of the web as a safe place, it's actually extremely hostile (even inside services like facebook).
  • Reply 6 of 31
    Quote:
    Originally Posted by aaarrrgggh


    ...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.



    I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...



    The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.



    You can build complex passwords that are easy to remember, see my post on passwords.



    If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.
  • Reply 7 of 31
    reported so many times, it can't be news. Apple / the US government and China overlook this (among other things) to keep harmonious relations. Apple wants to sell its hardware, and is following, to some degree, Microsoft's China strategy which, in the early and late 90s, was to allow China to pirate its software to enable future sales. More 'free' Apple services, sells more Apple devices... Think about it... lots of similarities.



    Article doesn't mention that you can buy other country iTunes accounts for 1RMB (12 cents).



    Only thing surprising this week was alibaba (which owns taobao) removing 'iPad2 cases.' One can only wonder why Apple pulled out its muscle for this and not the fake iTunes accounts that are openly sold.
  • Reply 8 of 31
    Quote:
    Originally Posted by hezetation


    You can build complex passwords that are easy to remember, see my post on passwords.



    If you think it's annoying to have to remember a more complex password or use captcha, try cleaning up your name after being a victim of identity theft. I guarantee that it will change your view on the inconvenience of security.



    Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.
  • Reply 9 of 31
    Quote:
    Originally Posted by Hellacool


    Yes but how many of these accounts were phished? You can have the best password in the world but if you fall victim to a phishing scam you're hosed.



    Doesn't negate my point, actually I mentioned that too. Like I said before, the internet is not a safe place, it is actually a very hostile environment & no one should use it lightly.
  • Reply 10 of 31
    I advise everyone who has an iTunes account to only use itunes gift cards, and never put your credit card info on your iTunes account.

    If you must us iTunes, go out and purchase the $10 gift cards and only activate them when you need to purchase something.

    My account was hacked to the tune of $63.

    No notification was sent to my email address (which was registered with my itunes account).

    The crook was able to change my login, password, email address, and purchase apps outside the US.

    The Apple terms expressly forbid US account purchases outside the US (or they did at that time).

    So iTunes security is non-existent. It's a joke. Worst security on the planet.
  • Reply 11 of 31
    Got to love those thieving Asians. Too stupid to develop their own stuff, just steal everything.

    Thank god for sweatshops and ocean containers.
  • Reply 12 of 31
    aucl Posts: 19 member
    Quote:
    Originally Posted by MacRulez


    The article must be wrong, since everyone here knows that security issues only happen on Android.



    hello windows users, and jailbreakers
  • Reply 13 of 31
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by hezetation


    You can build complex passwords that are easy to remember...



    There is a lot to be said for that.



    Like this street directions method:



    Take5tothe55N&#1exit



    (How to get to my office)



    You get the idea, no that is not my real password.
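Reply 5's rule set (10 or more characters, all four character classes, no common word) and reply 13's street-directions passphrase can both be checked mechanically, alongside the 8-character mixed-case policy the article attributes to Apple. The block below is an added example for this page, not code from either poster or from Apple. Its word list is a tiny constructed stand-in for a real dictionary, and the letter-for-symbol table it undoes before the dictionary check is an assumption; it goes one step beyond the reply by also checking whether a word is still recognisable after such substitutions.

```python
import math

# Rules quoted from the thread: reply 5 asks for 10 or more characters, all four
# character classes and no common word; the article reports Apple's policy of at
# least 8 characters with mixed capitalisation.  The word list is a constructed
# stand-in for a real dictionary (assumption: a real checker loads a large one).
COMMON_WORDS = {"apple", "apples", "rocks", "password", "itunes", "qwerty", "letmein"}

# Common letter-for-symbol swaps (assumed table), undone before the dictionary
# check so that "@pples" is still recognised as "apples".
_UNLEET = str.maketrans("@01345$!", "aoleassi")

# Approximate pool size per character class for a naive search-space estimate.
_POOL = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_common_word(password, undo_substitutions=False, words=COMMON_WORDS):
    """True if any listed word appears as a substring (case-insensitive)."""
    text = password.lower()
    if undo_substitutions:
        text = text.translate(_UNLEET)
    return any(w in text for w in words)


def naive_bits(password):
    """log2 of the brute-force search space implied by length and classes alone.
    This overstates strength for anything built around a dictionary word."""
    pool = sum(_POOL[c] for c in char_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password):
    """Apply the thread's rules to one password and return the findings."""
    classes = char_classes(password)
    plain_word = contains_common_word(password)
    return {
        "length": len(password),
        "classes": len(classes),
        "has_common_word": plain_word,
        "has_common_word_after_substitutions": contains_common_word(password, True),
        "meets_apple_2011_policy": len(password) >= 8 and {"lower", "upper"} <= classes,
        "meets_reply5_policy": len(password) >= 10 and len(classes) == 4 and not plain_word,
        "naive_bits": round(naive_bits(password), 1),
    }


# The five sample passwords from reply 5 and the street-directions one from reply 13.
THREAD_EXAMPLES = [
    "Applerocks", "Apples01", "Apples0001", "@pples0001", "@ppleS0001",
    "Take5tothe55N&#1exit",
]


def report(passwords=THREAD_EXAMPLES):
    """Return {password: findings} for a batch of candidates."""
    return {pw: assess(pw) for pw in passwords}


if __name__ == "__main__":
    for pw, findings in report().items():
        print(f"{pw:22} {findings}")
```

Running it reproduces the reply's ranking under its own rules: only `@ppleS0001` and the passphrase satisfy all three. Two details the rules alone do not surface: `@pples0001` has no upper-case letter, so it would fail the article's mixed-case policy even though the reply rates it "even better", and every `@pple` variant is still a dictionary word once the `@`-for-`a` swap is undone, which is the point the reply makes about a cracker that guesses common words.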
  • Reply 14 of 31
    newbee Posts: 2,055 member
    Quote:
    Originally Posted by aaarrrgggh


    The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.



    and this is a bad thing because .... ??? I have spent several thousands of dollars on iTunes without losing one night's sleep over a hacked iTunes account. I only use gift cards and only keep a low balance (5.68 at this time) while keeping extra cards in my desk. For me, at least, this is the perfect solution to buying anything on the internet.
  • Reply 15 of 31
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by hezetation


    8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types. Numbers, Symbols, Lower & uppercase letters.



    Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.



    A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.



    Quote:
    Originally Posted by MacRulez


    The article must be wrong, since everyone here knows that security issues only happen on Android.



    This isn't a platform security issue. This is straight social engineering phishing attack exploitation. Every platform is equally vulnerable if a user successfully gets phished.
  • Reply 16 of 31
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by aaarrrgggh


    ...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.



    I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...



    The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.





    There is no way to eliminate the risk without eliminating all forms of online access. Period. You can make your iTunes password as memorable or as long term crack-safe as you like. And if you are naive enough to get phished, the password security won't matter a whit. Short memorable mixed case and non alphabetic characters will save you from all but the most determined crackers, and those will only target you because they already know what they can get. And they will get it anyway because you will give it to them unwittingly through any of several almost foolproof techniques, none of them being password cracking.



    It was reported several months ago that many thousands of account users worldwide responded to a phishing attack. There isn't much Apple or anyone else can do to save you from that. You can change passwords on a time basis, but that has proven to be even less secure overall because then too many users change all their passwords to the same thing, and write it down, and/or get phished again. It's nasty, but stupidity once gets ruthlessly punished by the criminal element that can confirm it happened in the first place.
  • Reply 17 of 31
    frankie Posts: 381 member
    Fastest way to balance the US budget...



    Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...



    I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thieving bastards.
  • Reply 18 of 31
    macrulez Posts: 2,455 member
    deleted
  • Reply 19 of 31
    trillion for pirated software, movies, music? you can not ignore that a big portion of buyers of those pirated stuff are from overseas. i am not convinced that piracy rate in china is worse than that in US in terms of money loss.



    china moved up their currency exchange rate almost 30% over the past couple of years. can you tell me whether our economy improved 30% over the same period of time?



    Quote:
    Originally Posted by frankie


    Fastest way to balance the US budget...



    Add up all the trillions of dollars owed from pirated software, movies, music, and everything else in China. Tack on the inflation for the undervalued Yen that China is purposely keeping ridiculously low. Budget balanced. Sorry China, we don't owe you a cent! Next...



    I mean seriously, if their government doesn't give a crap about even pretending to stop what's been going on for decades why should we care about what we owe them. Keep the money coming! Sure we'll pay you back you thriving bastards.



  • Reply 20 of 31
    Quote:
    Originally Posted by Hiro

    A false assumption for non-critical user data. Studies show most "long and strong" passwords systemically are more vulnerable to social engineering because people write them down. Shorter passwords not made of a single word vulnerable to a dictionary attack may be crackable in a few years' worth of CPU time, but the info behind a non-special user's short but well constructed password isn't worth that effort, so they are reasonably safe.



    Doubt writing down my password on a sticky is going to risk it being stolen by thieves in China. You are wrong about how much it takes to crack a password; that might have been true 5 years ago, but as computers get faster & hackers get smarter about how they throw random passwords at a machine.



    I totally agree with many posts though that phishing is probably the biggest way accounts get hacked, but not the only way.