iTunes customers facing mysterious account hacks, disappearing gift card money

Comments

  • Reply 21 of 67
    apple ][ Posts: 9,233 (member)
    Quote:
    Originally Posted by Firefly7475

    There are better ways to handle security other than a simple username/password combination and it's Apple's responsibility to implement these measures on iTunes accounts.

    What did you have in mind? Hopefully not facial recognition, because that seems like a pretty big fail, at least on Android. People were using a photo to log in and it accepted the photo. That seemed more like a novelty than anything that was designed for security.

    For one of my bank accounts, they gave me a small hardware dongle, and when I log in, I have to authenticate using digits from that dongle, which changes every time. I feel like that account is safer than my other bank account, which just uses a regular password login.
  • Reply 22 of 67
    Quote:
    Originally Posted by Tallest Skil

    *shrug* It's safe. I wish more places allowed spaces in their passwords; then it'd be safer.

    Not really.

    See my post above.

    Drive-by hackers are just picking the low-hanging fruit. Very few of their hacks are based on sophisticated brute-force attacks.

    If your password contains uppercase letters, lowercase letters, numbers and special characters, the times to brute force it are around:
    • 8 characters: About 1 hour
    • 10 characters: 920 hours (38 days)
    • 16 characters: 63 billion hours (about 91,000 lifetimes)
    • 32 characters: ... Many, many trillions of times longer than the lifetime of the universe.

    Realistically a hacker isn't going to spend an hour trying to brute-force crack your password hash (remember they probably have thousands or millions if they stole a database of usernames and passwords), which means 8 characters is pretty safe.

    Anything above 10 characters is definitely going to protect you.
  • Reply 23 of 67
    ascii Posts: 5,936 (member)
    There is a security feature in iTunes that when you try and make a purchase from a device you haven't used before, it forces you to re-enter the security code for your credit card. I have encountered this myself when buying a new iMac.

    So I don't know how these hackers are able to buy things, on their devices, with your account. Unless all of the victims are gift card victims?
  • Reply 24 of 67
    apple ][ Posts: 9,233 (member)
    Quote:
    Originally Posted by charlituna

    Yep, and then she uses "My cat's name" as her security question, and when you look her up on Facebook there she is with Mr Fluffy, and right there is the rest of her birthdate.

    Score one for the hacker.

    Exactly.
  • Reply 25 of 67
    Quote:
    Originally Posted by charlituna

    That is more likely what is happening than an actual server hack. After all, if it was the server it wouldn't likely be such scant occurrences all the time.

    Yup. This is how basically all "random" hacks occur these days.

    If a hacker is targeting a specific person it's a different story, of course.
  • Reply 26 of 67
    gtr Posts: 3,231 (member)
    Quote:
    Originally Posted by Apple ][

    What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.

    I used to use "I wish I wish I was a fish 24 times" just as my Time Capsule's wireless network password.

    Try brute-force cracking that, you hacker bastards.

    And on the off chance that they did, they would have been rewarded with my movie collection only.
  • Reply 27 of 67
    gtr Posts: 3,231 (member)
    Quote:
    Originally Posted by Firefly7475

    The problem wouldn't be with Gift Cards... it's just that it is easier to get Gift Card funds.

    If someone drains a Gift Card account Apple reimburses the customer and keeps the hack quiet... everyone wins! If someone charges a credit card or PayPal account their card issuer becomes involved as well as the authorities.

    Here is how these hacks go down...
    1. Jack signs up for iTunes using jack@gmail.com and the secure password "MyD0G1$Br0wn"
    2. Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
    3. Because the website behind "Jill's Bolt Emporium" was written by Jill's 15-year-old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
    4. "Jill's Bolt Emporium" is completely unaware anything has happened
    5. Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, email services, banks etc.) to see if anyone used the same email address and password.
    6. Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.

    EDIT:

    I use a three-tier password system. It's the best combination of usability and security.

    Tier 1: Critical services
    These require the top level of security and all have unique passwords. Included are the two banks I use, PayPal and LastPass.

    Tier 2: Trusted services
    The services I trust will protect my information. These have similar or the same passwords. Included are anything from Apple, Google, Microsoft or Facebook.

    Tier 3: Untrusted services
    Basically everything else. These use randomly generated passwords that are stored in LastPass. I can't remember any of these, so I need to look up the password in LastPass before I can log on.

    That's interesting.

    I came up with the exact same system myself.
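Step 3 of the quoted scenario turns on one detail: the small site stored passwords "in the clear", so a single dump could be replayed against iTunes, PayPal and the rest. The following is an added example, not code from the thread or from any site mentioned in it, showing the storage practice that removes that replay value: a random per-user salt plus a deliberately slow hash (scrypt from the Python standard library), with constant-time verification. The record format (`scrypt$N$r$p$salt$digest`) and the work factors are assumptions chosen for the example; the sample password is the one from the post.

```python
# Added example (not from the thread): clear-text storage, which is what leaked
# in the quoted scenario, beside salted slow-hash storage. Standard library only.
import hashlib
import hmac
import os
from typing import Callable, Optional

# scrypt work factors: constructed for this example (128 * r * N = 16 MiB of
# memory per guess). Real deployments tune these to their hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_cleartext(password: str) -> str:
    """What the leaked site in the thread did: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Record = algorithm parameters, a random 16-byte salt, and the scrypt digest.

    The password itself never appears in the record, and the salt makes two
    users with the same password produce two unrelated records.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Assumed record layout for the example: scrypt$N$r$p$salt_hex$digest_hex
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unknown record format")
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_reveal_shared_password(store: Callable[[str], str], password: str) -> bool:
    """Two users pick the same password: do their stored records coincide?

    Clear-text storage (and unsalted hashing) answers yes, which is what makes a
    dump directly reusable elsewhere; salted storage answers no.
    """
    return store(password) == store(password)


if __name__ == "__main__":
    rec = store_hashed("MyD0G1$Br0wn")
    print(rec)
    print("correct password verifies:", verify_hashed(rec, "MyD0G1$Br0wn"))
    print("wrong password verifies:  ", verify_hashed(rec, "MyD0G1$Br0wm"))
    print("clear-text records reveal shared passwords:",
          records_reveal_shared_password(store_cleartext, "MyD0G1$Br0wn"))
    print("salted records reveal shared passwords:    ",
          records_reveal_shared_password(store_hashed, "MyD0G1$Br0wn"))
```

Salting does not stop an attacker who already has the dump from guessing the weak passwords in it one user at a time; the slow hash is what makes each guess expensive, and the salt is what stops one guess from being checked against every user at once. Neither helps a user who reused the password at a site that stored it in the clear, which is the point the post makes.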
  • Reply 28 of 67
    solipsismx Posts: 19,566 (member)
    Quote:
    Originally Posted by charlituna

    Yep, and then she uses "My cat's name" as her security question, and when you look her up on Facebook there she is with Mr Fluffy, and right there is the rest of her birthdate.

    Score one for the hacker.

    Now I use 1Password with random words for the secret question, but before I had the option to store and back up an infinite number of random passwords I had memorized a series of answers that were different from the standard questions being asked. I would also never use my birthday, but always make sure I picked a date that was at least 18yo.
  • Reply 29 of 67
    solipsismx Posts: 19,566 (member)
    Quote:
    Originally Posted by Firefly7475

    That's a cop out.

    It's Apple's responsibility to ensure it is easy for its users to secure their accounts.

    For example, I should be able to limit my account to authenticated devices and/or use a two-step logon process with iMessage on my iPhone.

    It's a cop out to suggest that users shouldn't care about having secure passwords that can be easily hacked because it's everyone else's responsibility. By saying it's a cop out you are suggesting that it's Apple's responsibility to keep the user from writing their password down in clear text in a text file, or writing it down on paper next to their computer.
  • Reply 30 of 67
    ascii Posts: 5,936 (member)
    They could simply not let users choose their password. It just tells you "your password is this."
  • Reply 31 of 67
    Quote:
    Originally Posted by GTR

    That's interesting.

    I came up with the exact same system myself.

    Great minds...

    Realistically the "trusted services" group could contain a lot more sites, basically any site that isn't storing my details in the clear.

    I wish there was a third-party security agency that gave a website their "tick of approval" if the proper security measures were in place.
  • Reply 32 of 67
    Quote:
    Originally Posted by SolipsismX

    It's a cop out to suggest that users shouldn't care about having secure passwords that can be easily hacked because it's everyone else's responsibility.

    It is beyond a typical user's knowledge and ability to ensure their account is secure.

    By simply asking a user to enter an email address and password, Apple have failed to ensure that a user's account is secure.

    So yes, it is Apple's responsibility, and just saying that a user should possess the ability to ensure their account is secure and if they don't it's their own fault (when research has shown people clearly don't possess the ability) is a cop out.
  • Reply 33 of 67
    Surely Apple has it stated in all of their contracts that innocent sellers do not have monetary gain from a fraudulent purchase.

    Thus it's hardly a niggle.
  • Reply 34 of 67
    hill60 Posts: 6,992 (member)
    Passwords

    I use this one for generating:

    https://www.grc.com/passwords.htm

    This one for testing:

    https://www.grc.com/haystack.htm
  • Reply 35 of 67
    I don't understand. If my iTunes account is hacked and that hacker has my password, he still can't purchase anything, as he needs my credit card CC code, which is only on the credit card and is not saved in the iTunes account, right? So why can these hackers still make purchases on hacked accounts?
  • Reply 36 of 67
    irnchriz Posts: 1,617 (member)
    I doubt very much that Apple will discuss any of these cases publicly.

    If your account has been compromised, your first port of call should be to contact Apple immediately and report the incident.

    You should then change your iTunes account password to something secure (say a minimum of 10 characters long, including capital letters and numbers).

    If you are running on Windows you want to ensure your system is secure by downloading SUPERAntiSpyware (superantispyware.com) along with Malwarebytes (malwarebytes.org). Run SUPERAntiSpyware and do a full scan, then follow that by running a Malwarebytes quick scan. The combination of these two programs catches the majority of spyware and malware programs.

    If someone tries to use your iTunes account on a 'new device' or PC/Mac they are prompted for your security information on top of your username and password, so if they are stealing from you they must also have this information.
  • Reply 37 of 67
    evilution Posts: 1,399 (member)
    Quote:
    Originally Posted by Apple ][

    This seems to be more about compromised gift cards than hacked personal passwords

    Totally agree. Plus standard phishing scams. Surely the first place you look is the developers of the apps that attract the majority of the fraud, as it's them who benefit from the sales.
  • Reply 38 of 67
    As I posted a while back, my iTunes account was hacked shortly after I joined iTunes Match. I think it transpired pretty much according to what Firefly mentioned, or my password was brute-force hacked, as it was only 8 alphanumerics (nothing in the dictionary though).

    $25 of iTunes store credit was spent on music, all my computers were deauthorized and five unknown machines were authorized, presumably to mine the 22,000 tracks I had available on iTunes Match. Apple quickly (within 2 days) cancelled the new authorizations and wiped my authorizations clean, and refunded my $25.

    Now I follow the three-tier system, and iTunes is in the top tier, with a password that includes upper and lower case, numerals and special characters.
  • Reply 39 of 67
    Marvin Posts: 15,551 (moderator)
    Quote:
    Originally Posted by AppleInsider

    Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked.

    That would only explain a scenario where a purchased gift card doesn't work because someone else has generated and used the code.

    I think the account hacks are more likely to come from the fraudulent phishing emails that are being sent out:

    http://www.net-security.org/secworld.php?id=9945
    http://www.appleinsider.com/articles...customers.html

    They are formatted identically to Apple's own ones, and Apple actually does ask you to enter your login details in some of them. Apple's genuine ones have correct spelling and URLs that go to Apple's servers, but people understandably don't always do a thorough check.

    Once you log in through any of those links, the phishermen have all the details they need to drain funds from an account, buy apps, change profile info etc. Apple can check if this is the case, though, by checking logins from different IP addresses using your genuine account details.
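Reply 27 describes the dumped list being "checked against other popular sites", and this post suggests the receiving service can spot the problem by looking at where logins come from. The following is an added example, not code from the thread or from Apple, of what that check looks like on the service side: a pass over authentication log lines that flags a source address trying many distinct accounts in a short window with mostly failures, and reports which of those accounts it nevertheless got into. The log format, the sample lines, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
# Added example (not from the thread): detecting the "try the dumped list against
# another site" step from the target site's own authentication log.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: ISO timestamp, source IP, account, outcome.
# 203.0.113.7 walks a stolen list (one attempt per account, mostly failing);
# 198.51.100.9 is one user mistyping their own password once; 192.0.2.44 is a
# normal login. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-03-01T10:00:01 203.0.113.7 jack@example.com FAIL
2012-03-01T10:00:02 203.0.113.7 jill@example.com FAIL
2012-03-01T10:00:02 203.0.113.7 bob@example.com FAIL
2012-03-01T10:00:03 203.0.113.7 alice@example.com OK
2012-03-01T10:00:03 203.0.113.7 carol@example.com FAIL
2012-03-01T10:00:04 203.0.113.7 dave@example.com FAIL
2012-03-01T10:00:05 203.0.113.7 erin@example.com FAIL
2012-03-01T10:00:06 203.0.113.7 frank@example.com FAIL
2012-03-01T10:00:07 203.0.113.7 grace@example.com OK
2012-03-01T10:00:07 203.0.113.7 heidi@example.com FAIL
2012-03-01T10:15:00 198.51.100.9 jack@example.com FAIL
2012-03-01T10:15:20 198.51.100.9 jack@example.com OK
2012-03-01T11:00:00 192.0.2.44 alice@example.com OK
"""

Event = Tuple[datetime, str, str, bool]  # (timestamp, source ip, account, success)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (timestamp, ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome == "OK"))
    return events


def find_stuffing_sources(events: List[Event],
                          window: timedelta = timedelta(minutes=5),
                          min_accounts: int = 8,
                          max_success_rate: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, tried at least
    `min_accounts` distinct accounts and mostly failed.

    A single user retrying their own password hits one account, so it never
    reaches `min_accounts`; a list replayed from another site's breach hits
    many accounts once each, and succeeds only where the password was reused.
    For each flagged IP the report keeps the widest qualifying window and the
    accounts that were entered successfully, which are the ones to reset.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))

    flagged: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            accounts = {account for _, account, _ in chunk}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) > max_success_rate:
                continue
            if ip not in flagged or len(accounts) > flagged[ip]["accounts_tried"]:
                flagged[ip] = {
                    "accounts_tried": len(accounts),
                    "attempts": len(chunk),
                    "successes": sorted(account for _, account, ok in chunk if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, report in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, report)
```

The useful output is not only the source address but the list of accounts that logged in successfully from it: those are the users who reused a password that has leaked somewhere else, and they are the ones to reset and notify. The thresholds are deliberate simplifications; a real deployment would also account for shared egress addresses (corporate NAT, carrier-grade NAT) that legitimately present many accounts from one IP, typically by looking at the failure rate and per-account attempt count rather than the account count alone.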
  • Reply 40 of 67
    radjin Posts: 165 (member)
    Why is it that when a problem appears everyone says Apple is ignoring it just because they don't jump up and scream it out? Whenever has Apple ignored something that affects a mass user experience or security? If there is a problem that is Apple's, or even one users create themselves on a mass scale, I am sure Apple is working on it.