There is a security feature in iTunes that when you try and make a purchase from a device you haven't used before, it forces you to re-enter the security code for your credit card. I have encountered this myself when buying a new iMac.
So I don't know how these hackers are able to buy things, on their devices, with your account. Unless all of the victims are gift card victims?
Indeed. I know this works quite well on iOS devices, but is the same precaution used on desktops?
This fraud costs Apple nothing, because all they have to do is reverse the transaction. It's not like a physical product that has value has been lost; they can just mark the account as not having purchased the app and reverse the charge.
So of course they're not going to do much about it, because it costs them almost nothing to work around it and security is a difficult problem to solve.
This is why despite it being annoying, I reset my iTunes password fairly frequently.
It costs them plenty at least in my case, mentioned above. I had many communications with staff, sent evidence to them, more questions to them, questions from me. Long wait times.
In this case, the gift card hacked was the gift card received for the purchase of a MacBook pro for college from our local Apple store. When the gift card came a week or so later, and entered into my daughters account, iTunes rejected it for having already been used for a different machine to purchase a zero dollar app. My daughters account had not been hacked.
Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.
If iTunes servers have been hacked ? which I doubt ? then this could be a problem for adding NFC to the iPhone which i think Apple will tie into their iTS account ecosystem.
PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Acccount Information, click See All under Purchase History and make sure that all purchases are accurate.
It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.
But, in my case, it was there one day and gone the next.
I imagine the hackers are already working on ways to exploit NFC.
In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.
I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
The problem is that many people have hundreds of accounts for various things. Having unique passwords (and remembering them!) for hundreds of accounts is impractical.
You really need either a password service (which puts you at someone else's mercy). Ultimately, the problem will go away if biometrics ever becomes standard. We used to have a computer with a fingerprint scanner. If that was used routinely, the problem of creating passwords would go away.
Realistically a hacker isn't going to spend an hour trying to brute-force crack your password hash (remember they probably have thousands or millions if they stole a database of usernames and passwords) which means 8 characters is pretty safe.
Anything above 10 characters is definitely going to protect you.
Does Apple implement a try-limit for passwords? Like, enter 5 erroneous passwords and it blocks the account?
I really ignore how brute force for password discovery works, but I don't think it's like we see in movies: a series of numbers roll-up in a display, and one by one, the passwords characters are cracked. I think the cracking software must start with a, say, whole 4-char password, then another 4-char password, then another, until all 4-char password are spent, then goes for a whole 5-char password, and another, until finally a match is found.
That kind of behavior is easily detectable. Probably a 4-char password is good enough, if try-limit for passwords is implemented.
Just for the record, I agree with you that the scenario you described for "Jill's Bolt Emporium" is the most likely happening.
Jack signs up for iTunes using [email protected] and the secure password "MyD0G1$Br0wn"
Jack then signs up at a small business "Jill's Bolt Emporium" using the same email and password
Because the website behind "Jill's Bolt Emporium" was written by Jill's 15 year old son, Mr Hacker uses a simple SQL injection to pull back the entire database of user email addresses and passwords that were stored in the clear
"Jill's Bolt Emporium" is completely unaware anything has happened
Mr Hacker then checks the list of email addresses and passwords against other popular sites (like iTunes, PayPal, Facebook, Email services, banks etc) to see if anyone used the same email address and password.
Even though he used a secure iTunes password, and the iTunes servers remain impenetrable, Jack still gets his iTunes account drained.
This.
Use different passwords, people. If you can't remember them all, get a utility like 1Password to store them safely.
Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.
The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.
No. Vendors of gift cards do not have access to your account. Someone got a hold of your daughter's password.
It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.
But, in my case, it was there one day and gone the next.
I imagine the hackers are already working on ways to exploit NFC.
Of course it's not always user error... which my post clearly addresses. I'm inclined to believe that the issue with the iTunes Store GCs are that someone has figured out how the seemingly "random" codes are generated or have used some special device that can capture the alphanumerics from behind the coating on the card.
Have you ever heard of password utilities like 1Password? It'll type it for you or let you copy and paste it.
I use it on my MBP and am thinking about adding it to my phone. As advertised, I use one good long password with upper/lower case and numbers. After reading this thread I might add a special character.
Unlikely Apple's iTunes system has been hacked, or hacked and not fixed. 99% chance it's just users being lazy with password security. Nothing Apple can do about ID10T errors.
In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.
I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
i used to consult for a client where the super james bond IT people would change passwords every 6 months. some people would get 2 passwords, one for the Windows domain and one for the financial system.
and these weren't normal IT people where they forced you to change a password with say 8 characters and some complexity rules. these james bond wannabes would assign everyone computer generated random passwords that were very complex. So complex that no one could remember them and a lot of people just wrote them down and kept them close by
Curious to finally see I wasn't the only one this has happened to. About a year ago I checked my iTunes account information, which I routinely do, and noticed that my credit card information on file with iTunes had been changed to an address in Texas (I live in Arizona). I called Apple and they were perplexed as to how this could've happened but were helpful in removing all information related to that credit card from iTunes. There were no bogus charges posted subsequently to that credit card account.
Then last August I received an email from Apple thanking me for my recent iTunes purchases of $15.94. The purchase had been made by someone in SE Asia using the credit balance in my iTunes account. I emailed Apple (iTunes had stopped telephone support by then) a frantic message that my iTunes account had been hacked. To Apple's credit they addressed the problem right away and credited my iTunes account the next day. They also emailed me the usual bs to change my password, etc. I haven't had any problem with iTunes since. But on a humorous note, the purchase made by the "hacker" in Asia still shows on my purchase history in iTunes.
So there are security issues on several different levels in iTunes: unsecured credit card information and the ability to hack into and purchase stuff from iTunes using an existing balance in an iTunes account. You can never be too careful, I guess.
What timing - this just happened to me yesterday. Someone spent $65 of my iTunes credits in Kingdom Conquest, which I've never downloaded. Apple is crediting me the money so I won't complain, but here is what I found borderline-offensive:
- I received an email from Apple stating that my Apple ID had been used to make a purchase in KC from a computer or device that had not previously been associated with my account. To my knowledge it still isn't associated with my account, so why did Apple let the purchase occur?
- I notified them of the fraudulent purchases immediately and provided the order numbers from my account history. After 24 hours the response back was that they would credit me a refund but then tacked on, "The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final." Huh?! Reimbursing me after you've let someone access my account from a device which is not associated with my account is an 'exception to the terms and conditions'??
I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.
I'm on a Mac. My password was hacked either because it was used for another site, or by brute force. I don't think any of these hacks depend on locally installed malware.
Comments
There is a security feature in iTunes that when you try and make a purchase from a device you haven't used before, it forces you to re-enter the security code for your credit card. I have encountered this myself when buying a new iMac.
So I don't know how these hackers are able to buy things, on their devices, with your account. Unless all of the victims are gift card victims?
Indeed. I know this works quite well on iOS devices, but is the same precaution used on desktops?
Also, do gift cards not utilize a CV2 code?
This fraud costs Apple nothing, because all they have to do is reverse the transaction. It's not like a physical product that has value has been lost; they can just mark the account as not having purchased the app and reverse the charge.
So of course they're not going to do much about it, because it costs them almost nothing to work around it and security is a difficult problem to solve.
This is why despite it being annoying, I reset my iTunes password fairly frequently.
It costs them plenty at least in my case, mentioned above. I had many communications with staff, sent evidence to them, more questions to them, questions from me. Long wait times.
In this case, the gift card hacked was the gift card received for the purchase of a MacBook pro for college from our local Apple store. When the gift card came a week or so later, and entered into my daughters account, iTunes rejected it for having already been used for a different machine to purchase a zero dollar app. My daughters account had not been hacked.
Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.
If iTunes servers have been hacked ? which I doubt ? then this could be a problem for adding NFC to the iPhone which i think Apple will tie into their iTS account ecosystem.
PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Acccount Information, click See All under Purchase History and make sure that all purchases are accurate.
It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.
But, in my case, it was there one day and gone the next.
I imagine the hackers are already working on ways to exploit NFC.
In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.
I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
The problem is that many people have hundreds of accounts for various things. Having unique passwords (and remembering them!) for hundreds of accounts is impractical.
You really need either a password service (which puts you at someone else's mercy). Ultimately, the problem will go away if biometrics ever becomes standard. We used to have a computer with a fingerprint scanner. If that was used routinely, the problem of creating passwords would go away.
Not really.
Realistically a hacker isn't going to spend an hour trying to brute-force crack your password hash (remember they probably have thousands or millions if they stole a database of usernames and passwords) which means 8 characters is pretty safe.
Anything above 10 characters is definitely going to protect you.
Does Apple implement a try-limit for passwords? Like, enter 5 erroneous passwords and it blocks the account?
I really ignore how brute force for password discovery works, but I don't think it's like we see in movies: a series of numbers roll-up in a display, and one by one, the passwords characters are cracked. I think the cracking software must start with a, say, whole 4-char password, then another 4-char password, then another, until all 4-char password are spent, then goes for a whole 5-char password, and another, until finally a match is found.
That kind of behavior is easily detectable. Probably a 4-char password is good enough, if try-limit for passwords is implemented.
Just for the record, I agree with you that the scenario you described for "Jill's Bolt Emporium" is the most likely happening.
Here is how these hacks go down...
This.
Use different passwords, people. If you can't remember them all, get a utility like 1Password to store them safely.
Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.
The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.
No. Vendors of gift cards do not have access to your account. Someone got a hold of your daughter's password.
What do you mean? Your password is more than 32 characters? It sounds like you'd be writing a novel every time that you log in.
Have you ever heard of password utilities like 1Password? It'll type it for you or let you copy and paste it.
It's not always user error. I was given a gift card and one day it was wiped out. I hadn't used it at all at that point. But someone in China wiped out the balance. Apple quickly replaced without any drama, to their credit.
But, in my case, it was there one day and gone the next.
I imagine the hackers are already working on ways to exploit NFC.
Of course it's not always user error... which my post clearly addresses. I'm inclined to believe that the issue with the iTunes Store GCs are that someone has figured out how the seemingly "random" codes are generated or have used some special device that can capture the alphanumerics from behind the coating on the card.
Have you ever heard of password utilities like 1Password? It'll type it for you or let you copy and paste it.
I use it on my MBP and am thinking about adding it to my phone. As advertised, I use one good long password with upper/lower case and numbers. After reading this thread I might add a special character.
In that case, I'd say that this Jack fellow doesn't sound all that bright. One of the cardinal rules is of course to never use the same password across different accounts. But then again, I bet that there are a ton of people out there who do exactly that, and plus many people use really simple passwords that are easy to figure out, like the name of their pet or something else that is real important to them and easy to figure out if some hacker has evil intentions.
I also see people with usernames on sites like Jill78 for example. Right there I know that the girl's name is Jill and I also know what year the ignorant girl was born in. Maybe she should put her address in her screen name too. When people give out too much information in their screen names, it can make the job of somebody else with evil intentions a bit easier.
i used to consult for a client where the super james bond IT people would change passwords every 6 months. some people would get 2 passwords, one for the Windows domain and one for the financial system.
and these weren't normal IT people where they forced you to change a password with say 8 characters and some complexity rules. these james bond wannabes would assign everyone computer generated random passwords that were very complex. So complex that no one could remember them and a lot of people just wrote them down and kept them close by
I closed down my iTune account and now only download free stuff on iTune using an account without a credit card #. That's the safest way.
Burned once shame on you. Burned twice shame on me.
I closed down my iTune account and now only download free stuff on iTune using an account without a credit card #. That's the safest way.
Then last August I received an email from Apple thanking me for my recent iTunes purchases of $15.94. The purchase had been made by someone in SE Asia using the credit balance in my iTunes account. I emailed Apple (iTunes had stopped telephone support by then) a frantic message that my iTunes account had been hacked. To Apple's credit they addressed the problem right away and credited my iTunes account the next day. They also emailed me the usual bs to change my password, etc. I haven't had any problem with iTunes since. But on a humorous note, the purchase made by the "hacker" in Asia still shows on my purchase history in iTunes.
So there are security issues on several different levels in iTunes: unsecured credit card information and the ability to hack into and purchase stuff from iTunes using an existing balance in an iTunes account. You can never be too careful, I guess.
- I received an email from Apple stating that my Apple ID had been used to make a purchase in KC from a computer or device that had not previously been associated with my account. To my knowledge it still isn't associated with my account, so why did Apple let the purchase occur?
- I notified them of the fraudulent purchases immediately and provided the order numbers from my account history. After 24 hours the response back was that they would credit me a refund but then tacked on, "The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final." Huh?! Reimbursing me after you've let someone access my account from a device which is not associated with my account is an 'exception to the terms and conditions'??
I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.
I'm on a Mac. My password was hacked either because it was used for another site, or by brute force. I don't think any of these hacks depend on locally installed malware.
I wonder if these hacked accounts only happened to people who have iTunes on their Windoze computer. That would be a bit of telling information.
I use a MBP. Change my passwords every 6 months or so. Maybe I should look into 1Password.