Slashdot Mirror
iTunes Gift Card Key System Cracked, Exploited
moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."
It's still easier to use BitTorrent.
There's no -1 for "I don't get it."
"but we make more money as the amount of customers is growing rapidly."
Brilliant business model there, Taobao. I used to feel bad that Amazon's MP3 Service only worked inside the United States but now it's pretty clear: I doubt Apple will have much luck prosecuting anyone in this case whereas it would have been different had it happened on American soil.
... hahahaha sorry, couldn't quite say that with a straight face. Seriously, we must look like ripe-for-the-picking rubes to places like China. They're sitting there with free copies of Vista, Adobe Suites and now cheap "legal" music. I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries while the status quo is free for the taking with no repurcussions.
I'm sure the Chinese government will help protect Apple's
My work here is dung.
I'd be interested to know what algorithm was being used for the keycards. Did Apple use a weak scheme, did someone leak the secret, or (most interestingly) has someone managed to crack a good encryption algorithm.
(Alas, I'd guess it's probably a weak scheme. As recently as two years ago I noticed a bike products retailer was actually using sequential codes for its gift cards)
Possibility 1:
Apple doesn't use a database for cards, they use a hash even though that would be stupid.
That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.
Someone is generating and selling cards using that hash.
Possibility 2:
Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.
Possibility 1 is possible but unlikely.
Possibility 2 is very common, very easy and very likely.
Occam's Razor says people likely people are jumping to an unwarranted conclusion here.
http://lkml.org/lkml/2005/8/20/95
The other side to this is that when a legitimate customer buys a card that's code has already been found using a keygen their card won't work, I hope Apple has a refund system. The joys of security through obscurity in action.
No, kicking Apple in the nuts would be buying a fake iTunes card using MyFox on a jailbroken, unlocked iPhone 3G using a different carrier than the one the phone was sold from/for.
The real comedy will happen when someone in China actually comes up with some IP that they want to make a buck off of. Hopefully an entire cottage industry will pop up in the rest of the world that's devoted to doing nothing but cranking out copies of whatever it is that China suddenly values, and even more hopefully that cottage industry will be named "Fuck You Chinaman, Inc.!"
Personally, I think that will become the downfall of our county.
Our main products that we're making here are things that can be easily recreated at no cost. Sure, we've got laws that attempt to stop it, but many places don't.
We've shipped most of our jobs making actual products overseas. And we wonder why China is becoming so powerful? They're making physical goods, and freely recreating our virtual goods.
Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.
Let's assume that Apple cryptographers are at least half way competent.
You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?
I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.
To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less that n have been redeemed".
Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.
I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet :p).
(proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)
If they're going to pirate, why do they bother paying $2 to a crook to get music with DRM which they could get for free from BitTorrent? The only advantage iTunes has over piracy is that it is legal - so what's the point of ripping them off with a fake gift card?
Even ethically, that way they'd at least not be supporting the criminal industry like the RIAA is (in this case accurately) claiming.
When it comes to international copyright it is no surprise to me that across borders people are far less inclined to respect copyright laws of another country.
It reminds me of something that I read once that stated that back in the 19th century before the US had established it's own home-grown authors and publishing industry, it was common place for Americans to simply copy and republish without consent the work of European authors and publishers. That was of course despite the constant complaints of European publishers and governments.
Of course eventually the US publishers had grown to a position where they themselves realized that they needed copyright in order to continue growing with the now booming local literature scene, hence the "true" birth of enforced US copyright.
(History repeating itself. Hmm, now how often does *that* ever happen - sarcasm)
Unfortunately I have no original sources to this 'tale', I would appreciate if anyone can either confirm or deny this with some evidence, as it is such a compelling story I would like to believe that it is true!
You can't identify the illegitimate cards. Each individual card isn't kept track of. The bar code on each of them is more like the answer to a math problem. If you know how to solve the problem, you get in, no questions asked. The only thing they can do is change the math problem and eventually get rid of the old one as a valid question to answer.
"Common sense will be the death of us all"
Isabella Bird, in her book The Englishwoman in America (1856) mention this copying causally, as something everyone knows.
In UK law, at least, which is what 90% of the world base their law systems on:
Very simple. It's fraud. They are *fake* cards, issued by a forger. Thus, you can be charged with fraud, or similar offences. Possibly even handling stolen/counterfeit goods, *whether you knew they were fake or not*! It's no different to faking a cheque, or a credit card. In the US, crossing state boundaries with such things can be a federal offence, so if you're not in the same state as the Apple store, it gets even worse.
If you have the *suspicion* that they are fraudulent and / or a reasonable person would suspect them to be fraudulent (by the *court's* definition of reasonable, not yours), you can quite easily be convicted for fraud, or facilitating fraud, or breach of contract (technically a bad cheque is breach of contract and by trying to pass off this card with a retailer, you are saying that it is genuine, hence the sale could be seen as a breach of contract once they find out the money doesn't actually exist - thus they can happily charge you with fraud for the transaction AND breach of contract for failing to pay for the goods another way). It would *not* be as simple as "I just got them from some website." If a reasonable person would have had suspicions, you can *easily* be convicted - it's like saying that this gentleman knocked on the door selling an expensive in-car audio system with the wires cut and dangling, for a pittance. Whether you thought he was genuine or not, you SHOULD have known that he wasn't (just by the price, if nothing else), thus you can be found complicit in the fraud.
Notification of the breach would certainly work in your favour but isn't an automatic get-out clause. Chances are they would pass it over but ask at which point you became suspicious, where you got it from etc. and expect you to co-operate fully. Don't and those fraud charges pop up but now they know exactly who to aim them at... you.
Cyber-nothing. It's fraud, plain and simple, no better than making up credit card numbers and using them to buy things on Amazon. You're not the rightful keeper of any funds that you do manage to get authorized, so you're into theft (if someone can prove that *they* were entitled to the number on the card you used), fraud and maybe even counterfeiting if you can't point out where you got them from. Now, considering that Apple are both the issuer AND the recipient of the cards in question, they have a very good reason to prosecute. You've effectively stolen a credit card and then used it to pay your other Visa bill.
If the Chinese government doesn't start some kind of law enforcement, China is going to be a giant Black Hole. Blacklisting IP blocks from Chinese ISPs is the best thing I've ever done in terms of spam and malware control.
Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.
I believe itunes is DRM free as of Jan 6/09
http://apple.slashdot.org/article.pl?sid=09/01/06/1840225
Yes but surely with Apple's patented Time Machine technology they can overcome this minor hurdle.
Well,
Thanks very much for those links, they're really, really useful! Full of technical detail on the algorithm used.
For instance, check out these facts in the article Lars T linked to:
* The following letters and numbers can look very similar:
The letter A and the letter H
The letter B and the number 8
* Apple Gift Cards can be purchased from the Apple Online Store in any amount between $25-$2500
* To report a lost or stolen Apple Gift Card, please contact Apple at any Apple Retail Store location or by telephone at 1-800-MY-APPLE.
It's exciting technical comments like yours (without even a whiff of smug self-congratulatory superiority) that make slashdot what it is. Thanks for educating all of us on slashdot!
It is a federal crime to open mail shipped through the United states postal service that has not been delivered to the addressee.
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001702----000-.html
when the mail man messes up they don't open it (and there are exemptions somewhere to allow them to open it when required). If you receive something not meant for you then you should give it back to the post office, don't open it.
I agree that would be funny. But the real comedy here is that nothing is actually being stolen here. What is really happening is that a new unit of currency is being counterfeited. But that currency is backed by value in digital media, which in and of itself is ephemeral and can be obtained by other means for free. What a bizarre situation.
No, there is no currency exchange going on, the 'gift card' tells iTunes to exempt you from paying for the tracks as you have already presumably payed apple for the gift card. Apple is still paying the artist 70% of the cost of the music being downloaded, and they are paying in real currency.
For lack of a better signature...
This comment is not just funny, it is silly and obviously from someone who knows nothing about China.
For one, the Chinese themselves come up with a lot of IP. This ranges from music productions to technical innovations (yes also that, believe it or not). And yes they are copied big time, even though the Chinese government does try to enforce the protection of this IP. And yes it does so much more vigilantly than the protection of foreign IP. Mind that many US and other overseas patents are not valid in China in the first place, patents after all are limited to the countries/areas where they have been applied for and issued.
If someone comes with a new product in China and has some success, everyone will jump on the bandwagon and make it as well. Even if there is no protected IP involved. If someone starts making plastic coffee cups for example, and makes a good buck out of it, dozens of other factories will spring up and do the same. They all copy one another.
If you come up with some innovation in China and you really want to keep it for yourself you will have to keep it a secret. Don't tell anyone how you do it. This is why many Chinese are very reluctant to show you their production lines, and often you won't get access there at all. Taking photos of machines is also something that many Chinese really don't like. At trade shows many booths also have a no-photo-taking policy because otherwise within a few days they will find their newly designed jewellery at half the price all over the place. At their neighbour's booth for example (not joking).
IP in China is as if there is effectively no IP. Everyone copies from everyone with impunity. There is little enforcement, and what enforcement takes place is largely showing off to the outside world, staged media events making it look like something is being done. China can as such be used as case study for what happens if IP would be abolished. And it is overall not a pretty picture.
Except that I am sure Apple has to hand over a certain amount of money to the record labels. So a $200 card, they may have to hand over $180, and they get nothing from the consumer.
So actually something is being stolen, from Apple to the Music companies. They don't miss out, they would be loving this. All of a sudden, they are getting millions from Apple due to China.
I don't know how it works in the US but certainly in the UK iTunes gift cards are activated at the checkout to prevent shoplifting.