More Trouble In Apple's App Store

quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.

It must be important

The title bar was red!

"problems go far deeper than Apple is admitting"

[bradgoodman]

...oh, like the antenna issue?!

But they were approved!

[Kohenkatz]

Wait, wasn't this the whole reason Apple wanted to approve apps - so they could keep the garbage out?!

Re:But they were approved!

[emag]

No, the apps that compete with theirs. Otherwise, there'd never be all the fart apps and such...

Re:But they were approved!

[natehoy]

Yeah, reality's a bitch, ain't it?

Seriously, though, this should not come as a surprise. The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly. And, just as importantly, it's unlikely this particular miscreant will be able to exploit the app store again. The "walled garden" approach doesn't mean you won't have problems, and when you have so many developers signing up for accounts it's basically impossible to ensure that none of them will ever misbehave. The problems that do occur stand a good chance of being contained and eliminated quickly, however.

I don't think anyone in their right mind with any concept of security would expect Apple to keep each and every rogue developer out 100% of the time. Maybe that's what Apple's marketing division wants you to think, but Apple's security division knows better. Make the security as good as you can make it, then set up a system to catch those who manage to circumvent it, because there will always be people who can manage to circumvent it.

The walls aren't enough. You also need gardeners. Apple just proved they have gardeners on the job for when the walls get breached.

It appears that the system worked about as well as could be realistically expected.

I'm still not a proponent of the walled garden - I don't like giving up control. The only Apple device I own is an iPod I won in a contest and it doesn't see a lot of use. But for those who prefer it for their protection this should be good news.

The second layer of defense kicked in, precisely as it should, the crack in the wall was patched, and life in the walled garden moves on.

Re:But they were approved!

[Mark19960]

Apple did not catch him, the users did... when they lost their money and had no choice but to go to their banks to get it back.
Perhaps they should not approve apps that have no purpose?
Can a developer REALLY put together almost 5,000 apps?
That is to the point of being obvious as hell that your gaming the system, yet was allowed to.

All Apple proved here was the gardeners were inept.

Re:But they were approved!

[Missing.Matter]

I'd say over 75% of the apps on the app store are either cookie cutter, functionally useless, don't work as advertised or completely ignore Apples HIG. Apple doesn't mind this, however, because they enjoy putting out press releases touting they now however many hundreds of thousands of apps in the App Store.

Re:But they were approved!

[TheKidWho]

Can you point to some of them? I'd like to recreate them as innovative, functionally useful, applications that work as advertised while following Apple's HIG.

Re:But they were approved!

[ergo98]

The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly.

Apple didn't catch him. The "apps" in question were absolute trash (along with the 300+ iFart apps), making a mockery of any illusions that it's a curated garden.

However just to be clear, we already know that the Android market can do precisely the same thing, forcefully reaching out and removing rogue content. Instead of any ridiculous notions of curation, however, Android relies upon a permissions system that makes a user aware of the potential reach of any given application. It is far from perfect, yet despite some ignorant criticism directed at it recently it beats the hell out of anything on the iPhone.

Not really sure why we're talking about the phones though. The exploit in this case didn't necessarily have much to do with the actual handsets themselves.

Re:But they were approved!

[Kitkoan]

Can a developer REALLY put together almost 5,000 apps?

Sure they can, make them mini-apps for things like money, exp, items, ect.... for an online game like FarmVille and whatnot. Like buying gift cards though the AppStore

Re:But they were approved!

[socz]

Eh, the system didn't work. Last night on TV, some dude on the "tech spot" for the local news said that up to $10,000 were spent from a single account!

The whole bit was REALLY lame. They explained it like this:

There's a warehouse, and 1 dude in there shouting "books, books" with no one buying because they can't hear his voice from the many other. So then, somehow he rigs it (hacks) so that he goes into peoples accounts and buys his own book. Then apple is like, o`rly? Why is this lowly book #1 beating out ze twinkle series? And so they noticed and are like arrrrg! We've been piz0wn0red, right And they recall the app and remove it from the store.

I think that, regardless of how bad they portrayed what happened, the damage is done. All the arguments the smug iPhonies have made of "well macs don't get viruses...(implying security)" "it's good that there is so much control because it makes it safer..." are now??? But, thankfully for apple, many of their fans will just turn their heads and look the other way.

So I guess only time will tell but I'm guessing those with that white veil over their eyes won't let this problem affect them. As one windows to mac user said "I just got tired of windows... and macs just work!"

Re:But they were approved!

[erroneus]

Nice attempt at spin, but that's not how it went down.

Apple was able to respond to the situation, TRUE. Apple did not discover the situation, but they did CREATE it and ENABLE it. How this might be different from other internet based purchasing methods is a bit technical, but it comes down to most web based e-commerce enables the user to protect transactions with other forms of identity confirmation and gives the user the opportunity to not store this critical information.

To Apple's credit, they maintain the ability to erase apps from people's devices... most people actually don't like that. But in the event that another genie gets out of the bottle [they created] they can shut things down again.

Over all, the concept of an app store is nice but look at the way people have managed to turn it against the users?

Re:But they were approved!

[Dragoniz3r]

They'd never make it through the approval process.

Re:But they were approved!

[tibit]

Methinks that stupid/useless apps are not an issue. There's a lot of crappy books in every bookstore, and I have no problem with that. But the issue is that people's iTunes credentials got stolen, and I don't think it was Apple's fault unless the exploits were running on OS X...

Re:But they were approved!

[KarmaKhameleon]

I Agree - I woke up this morning and Lady GaGa was downloaded to my iPhone - and I sure as hell never did such a thing.

Wait, hang on - oh right, I was drunk.

Never mind.

Re:But they were approved!

[DJRumpy]

One additional note. You can also just use a PayPal account, and fund it with whatever amount you need, as needed.

Re:But they were approved!

[speculatrix]

I wonder if you graphed app store purchases against localtime + local bar/pub closing times you'd see a big correlation

Re:But they were approved!

[erroneus]

The problem is that credentials were contained without user control and thereby stolen and/or used. That should never be able to happen without at least a password -- a program shouldn't be able to do that on its own.

Re:But they were approved!

[ergo98]

So a total of 48 apps out of 200,000+ were bad 'Apples', and suddenly the entire App store is a 'dismal failure'

Still trying to figure out who you are quoting with the dismal failure bit. Or are you setting up a strawman, ready for the heroic striking down?

However there are countless terrible, terrible apps in the App Store. There are countless terrible, terrible apps in the Android market. The difference is that one of these claims that they curate their market (comparing themselves to a fine museum) -- their founder openly saying that user privacy is why they curate their market -- and the other makes no such notion (but instead protects privacy by forcing apps to declare rights requests that users need to allow). I'll let you guess which is which.

Re:But they were approved!

[E+IS+mC(Square)]

WTF? Did you just suck Steve's dick or something?

Re:But they were approved!

[Aphoxema]

No... more... analogies...

Re:But they were approved!

[DJRumpy]

This has nothing to do with the app store other than the fact it happened to be the vendor who was targeted. It's an online vendor that stores a credit card. It could (and does) happen to any high profile vendor that operates in this way. The 'quality' of the app in question is irrelevant, as the hacker could have chosen any app, good or bad, to purchase. Folks are jumping all over themselves trying to make this story about the 'walled garden' when it has absolutely nothing to do with Apples closed system, and everything to do with the fact that Apple gives the user the option to store a credit card number on file with the account.

Re:But they were approved!

[Aphoxema]

Or a large number of people can go in as a single entity.

Re:But they were approved!

[Stupendoussteve]

I haven't seen anything saying a program itself did anything without a password. Most likely scenario is developer got password through some other means, put up all these random apps, and began purchasing them.

Re:But they were approved!

[natehoy]

Sorry, should I have gone with car?

Re:But they were approved!

You seem to be confused, and should probably re-read the article. These apps are not scams, they are actually simple book apps, in and of themselves, unremarkable. The only reason apps are in the story is due to the fact that the hacker used the hacked account to buy his or her own apps to get them higher up in the rankings. They don't steal any information, request escalated privileges, or anything of the sort. This involves a hacked iTunes account with a stored credit card, which the hacker could buy any number of apps he or she wanted. The app itself doesn't matter.

Re:But they were approved!

[natehoy]

First, as I stated, I own only one Apple product and I won that in a contest. The point about the advantages (few as they are in my opinion) stands - if you control your users you have the power to protect them to some extent. I don't like it either. That's why I've never purchased an iFruit product. But there are some people who have, and the fact that Apple was able to reach in and rip out these applications and track down who was exposed by them is, to someone who wants Big Brother Steve to protect them, exactly the point of doing business with Apple.

Second, accusing me of fellatio and "foe"ing me because you disagree with that? Really? Have fun with that bitter little existence you got there, sparky.

Re:But they were approved!

[ergo98]

You seem to be confused, and should probably re-read the article. These apps are not scams, they are actually simple book apps, in and of themselves, unremarkable.

Did I say otherwise somewhere? If so, I apologize, but I'm quite sure I'm made no insinuation that these were any sort of exploit.

Instead they were just garbage fillers, used as a target for an exploit (the mechanism of which we have no idea of, though curiously lots of people are trotting out the Apple-can't-be-to-blamed simple passoard canards et al...which is curious because on any modern system you simply can't do dictionary attacks. Anyways...). I replied to a guy who made some argument for Apple's curation claims, and my point is simply that these "unremarkable book apps" have been widely noted as being trash (which is why it earned attention -- no one would seriously buy it). Curation indeed.

Re:But they were approved!

Only on /. would they mark your post insightful when it has nothing to do with TFA, simply because it slams Apple.

Re:But they were approved!

[Duradin]

Informative? Really? How is who is doing what to whose sexual organs rate informative?

Re:But they were approved!

[ergo98]

User privacy is why they curate their market?

Yeah, guy, Steve Jobs said it at D8. Feel free to do a search.

I believe the privacy angle you're referring is in

NO IT ISN'T.

Listen, I realize you might have a problem with threaded conversation, and you seem to be trying to mesh every comment with the submission, but that just isn't how it works. See, I was replying to someone who made a command, and this thread carried on from there.

Judging from your statements, it appears you didn't read the article

Are you new to Slashdot? You understand the conversational nature? You might want to get acquainted with theads and conversations.

The article is about hacked iTunes accounts with a stored credit card and the fact that hackers used them to purchase apps.

Fascinating. So you have inside knowledge on what happens? No, I don't think you do.

Re:But they were approved!

[Draek]

But on the plus side, you'd get the same functionality from Apple themselves in a couple months ;)

Re:But they were approved!

[MikeBabcock]

Not really sure why we're talking about the phones though. The exploit in this case didn't necessarily have much to do with the actual handsets themselves.

People still say PC to mean Windows though. They associate the hardware with the software they're most typically running on it.

Did Intel's chipsets or CPUs suck in some way to prevent addressing over 3GB of RAM? Not really, no. But people still commented on PCs not being able to use that memory, when they meant Windows. Linux users weren't affected the same way, for example.

The app store only exists on the iphone/pad/pod platform, and with Apple's attempt to integrate them so tightly, we may as well discuss them as one big entity.

Steve Jobs = Emmanuel Goldstein?

[WankersRevenge]

Problems or not, these apple stories are starting to feel like the slashdot version of Orwell's two minutes of hate.

Re:Steve Jobs = Emmanuel Goldstein?

Apple gets tons of coverage when they do something good, so they will likewise get tons of coverage when they do something bad.

You can't have your cake (pervasive marketing and mindshare) and eat it too (bad stories swept under the rug).

Re:Steve Jobs = Emmanuel Goldstein?

[h4rr4r]

So slashdot should stop reporting on them?

I think slashdot has done a good job avoiding that on the main page, or else they would have more stories about the antenna issues and supposed fix.

Re:Steve Jobs = Emmanuel Goldstein?

[WankersRevenge]

I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

My point: Fuck apple ... I don't care about their rep ... it's this blind parroting that makes for a shitty discussion. If I wanted that ... I'd head over to Digg.

Re:Steve Jobs = Emmanuel Goldstein?

[something_wicked_thi]

Yep, Apple is a regular Jesus Christ, martyred all over Slashdot's front page.

Let's count the ways that Apple is just like Emmanuel Goldstein.

Emmanuel Goldstein was a fictional creation of the oligarchy to direct the hatred of the masses away from them.

Actually, hmm, that doesn't sound the slightest bit like Apple. Let's try again.

Goldstein was the purported author of a book that explains the way the oligarchy controlled the masses. Hmm, that could be analagous to DRM and closed platforms, but I'm still not really seeing it, since that makes Apple Big Brother and not Goldstein, although admittedly in the book, Goldstein is a fabrication of Big Brother, so maybe in a twisted way it works.

Finally, Goldstein supposedly had a network of people undermining the ruling party. The party spread this information to create fear in the populace. I haven't seen Apple saying Microsoft or Google is infiltrating their customers and undermining them from within.

Nope. All I can figure is that Apple is doing a bad job with the app store and you suck at analogies. But better luck next time.

Re:Steve Jobs = Emmanuel Goldstein?

[yuriyg]

More like O'Brien. At first glance, he's an anti-establishment agent, determined to break down the oppressive system. But once he lures you in, you'll experience psychological pressure like never before and you will be assimilated!

Re:Steve Jobs = Emmanuel Goldstein?

[shutdown+-p+now]

I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

When you get your moment of fame, be prepared for a pie in the face - these things always go hand in hand.

Similarly, I think that the sheer scale of those attacks is good news for Apple in a sense that it is a great testament to their success in the market. This kind of fraud primarily targets platforms with large overall user count, most of whom don't have a clue as to how the tech actually works - like, you know, Windows. Looks like iOS has joined that club.

Re:Steve Jobs = Emmanuel Goldstein?

That is the discussion, the anger comes from the 'fanatical' loyal following of apple users despite reason or logic.
This brainwashing doesn't happen with most companies, and it's frankly a little scary. To many it is a company that can do no wrong, and that in itself is wrong.
Apple customers act as spokes people and defense attorneys for apple and its freaky.

Re:Steve Jobs = Emmanuel Goldstein?

[Elbereth]

I think you're actually on to something here, and you've hit the nail on the head as to why I can't stand reading slashdot for an extended period of time.

If I ever needed to raise up an army of brainwashed minions who think they're impervious to brainwashing, I'd use slashdot.

Re:Steve Jobs = Emmanuel Goldstein?

[Too+Many+Secrets]

Obviously he must be talking about a different Emmanuel Goldstein. ;-)

Re:Steve Jobs = Emmanuel Goldstein?

[mean+pun]

I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

And that's not even the worst:

The painful torture of logic reasoning: Apple are evil because they are arrogant because they don't admit there is a serious problem which is serious because at least ten bloggers have said there is a problem. Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications. Oh, and curating doesn't work because it doesn't block each and every app that Joe Blogger thinks shouldn't be in the store.

The armchair expertise: Gigahertz antenna design is a black art, but obviously Apple designers are far less competent than Joe Blogger. Apple could easily have foreseen each and every abuse of the store because, ehm, well, they just could. (Because Steve Jobs is god, perhaps?). Oh, and if they sell millions a week of something, and there is a shortage, that shortage is obviously artificial, because they should have known that they would sell millions. It is obviously only part of the hype they are creating.

The demand for a fix NOW, NOW, NOW: If Apple doesn't respond for a week, they obviously don't want to admit there is a problem, and they don't care, and they are incompetent, and they have really gone downhill and they only sell to sheeple in the first place. Oh and have I said already that I want a fix for this problem NOW, NOW, NOW?

Re:Steve Jobs = Emmanuel Goldstein?

I completely agree with you, how could this possibly be not viewed as positive, other than by perhaps a brainwashed minion

Re:Steve Jobs = Emmanuel Goldstein?

[phonewebcam]

You're right, especially as it's really easy now to make the iPhones most popular app

Re:Steve Jobs = Emmanuel Goldstein?

[LodCrappo]

for the most part i agree its pointless, but the troll/haters do give you some measure on the "word on the street". a couple years ago, the tone was fairly pro Apple here and on some other sites I frequent. The Apple haters were the oddballs. Now, it seems the oddballs are the folks defending Apple, and the haters have become a majority. It's a trend that seems to be growing over the past year and seems to be ever increasing.

So.. I do see some value in all this as a metric on Apple's place in the hearts of my fellow nerds. It's often said (especially by Apple folks) that nerds don't matter in the market and nobody cares what we think in the "real world". This is probably a good chance to see how true that is.. we have a clear trend on the forums and tech discussion sites, will it be mirrored in the world of retail sales, or will it make no difference? Time will tell.

Personally I'm not sure. A lot of people go to their friendly local nerd for advice on what phone or computer to buy, so I can see potential for a noticeable effect. On the other hand, often people buy things because it's cool or because they like the ads.

Anyway, I've been kind of rambling here, point is I do find the general trends in noise here interesting, if not the individual comments.

Re:Steve Jobs = Emmanuel Goldstein?

[pslam]

The recent concentration of meme-following anti-Apple trolls is because there's a lot of kids finishing their school terms. They're bored, and they come here to frustrate the rest of us.

In a couple of months they'll be back to school and we can start having (slightly more) profitable discussion of News for Nerds, instead of I'm So Clever Look I Can Post The Same Meme Everyone Else Is.

Re:Steve Jobs = Emmanuel Goldstein?

So.. I do see some value in all this as a metric on Apple's place in the hearts of my fellow nerds

I've always found it strange how the general opinions on slashdot has almost zero correlation to those of the geeks i know in real life; everyone I know who owns an apple product seems to be in love with it. more and more people i know seem to be switching to macbook pros. if I were to believe slashdot, all the geeks i know should apparently own androids and run ubuntu, and make endless rants about how 'the man' is keeping apple users from doing what they want with their devices.

Re:Steve Jobs = Emmanuel Goldstein?

[nolife]

Slashdot's Third Law of Apple stories...
For every vocal Apple hater, there is an equal and opposite vocal Apple lover.

Re:Steve Jobs = Emmanuel Goldstein?

[steelfood]

Let's play spot the troll!

*points*

Look ma, I found one!

Actually, reality probably lies somewhere in between.

Slashdot is an interesting place. It's a gathering of some of the most brilliant and free-thinking minds in the world and all of their groupies. What's more interesting is that both characterizations apply equally to each person here. We're geeks (or geeks-to-be). Our knowledge is specialized, focused, and usually at our level, obscure. Collectively, we know everything about everything, but no individual here could or would dare to make such a claim. So we seek knowledge on things we don't know, we form opinions based on that knowledge, and we make conclusions, whether they ultimately be right or wrong. That source of knowledge is often our peers, who know better than us.

When such a definitive source of knowledge does not exist, we speculate, hypothesize, and ultimately come to our own conclusion. But when the opposite of what we expect happens, there is some point when we stop defending our incorrect conclusions. Just as when Hans Reiser was definitively proven to be his estranged wife's killer, Apple's now shown that they have used their approval process not to protect their users, but to line their own pockets. It shouldn't be surprising that many people are angry at this betrayal of their trust, while others feel vindicated that their line of reasoning was ultimately shown correct.

There are no brainwashed minions on Slashdot. Only people who have knowledge, people who are looking for knowledge, and people who think they already have knowledge.

Re:Steve Jobs = Emmanuel Goldstein?

[something_wicked_thi]

Because at least ten bloggers have said there is a problem.

Actually, there's a class action lawsuit about the antenna problem. That suggests it's more than ten bloggers, but hey, don't let facts get in the way of your "satire."

Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications.

Actually, the argument, as I understand it, goes that if Apple were doing a good job curating, why are there so many useless apps? It seems they are curating only to block apps they don't like not ones that are bad for the customer. But I guess subtlety isn't your strong suit.

Besides, there's nothing wrong with curating. Android also has it. The problem is when the phone doesn't let you install apps by any other means except the curated source.

Gigahertz antenna design is a black art, but obviously Apple designers are far less competent than Joe Blogger. Apple could easily have foreseen each and every abuse of the store because, ehm, well, they just could.

Once again, subtlety isn't your thing. The point of the argument is that curating doesn't help. The majority of the apps are crap, so why bother? Plus, the antenna issue does seem exactly like the kind of thing that you ought to discover in QA. But I suspect this was due to Apple's well known secrecy, even within itself. If you have only a small number of people working on it, and even the ones who work on it don't get to know that they are (yes, this does happen within Apple; for example, you can be asked to implement feature X without knowing that feature X is for the new iPhone), then you have a lot less chance for testing the product before it goes to market. So yes, I blame Apple for the antenna problem. Perhaps if they hadn't been so paranoid and had dogfooded the phone more, someone would have noticed that the damned thing doesn't work if you happen to hold it in a way they didn't expect. Or maybe they did know and they went to market, anyway, and then realized it was a mistake. I can accept that a lot more since it means they aren't incompetent, they just misjudged their customers.

The demand for a fix NOW, NOW, NOW: If Apple doesn't respond for a week, they obviously don't want to admit there is a problem, and they don't care, and they are incompetent, and they have really gone downhill and they only sell to sheeple in the first place. Oh and have I said already that I want a fix for this problem NOW, NOW, NOW?

Honestly, WTF? I really don't see what's so hard about issuing a notice saying, "We're working on the problem. We expect to have more information in two weeks." If Apple leaves you hanging for a week with a broken phone without giving you even that much, you can complain all you like and return the thing. Serves 'em right.

Re:Steve Jobs = Emmanuel Goldstein?

[wall0159]

While I agree there are plenty of examples of herd-thinking on /. I also think there are some legitimate criticisms of Apple being made (albeit repeatedly). I think criticism of the "walled-garden" is legitimate, for example. You will also find many people talking about MacOS as the best/most-secure OS out there too -- as another poster said, it cuts both ways.

Re:Steve Jobs = Emmanuel Goldstein?

[L4t3r4lu5]

The Two Minute Hate was mandated by The Party. Something tells me that Apple isn't the one organising bad publicity, other than by being completely inept.

Re:Steve Jobs = Emmanuel Goldstein?

[nathanh]

Slashdot is an interesting place. It's a gathering of some of the most brilliant and free-thinking minds in the world and all of their groupies.

Pfft. Bullshit.

Re:Steve Jobs = Emmanuel Goldstein?

[Rand+Race]

Really? All I can figure out is that you are a pretentious wannabe pedant who can't fathom the meaning of "certain respects" because that would get in the way of your headlong rush to attempt to stun us all with your mighty intellect.

The analogy was apt as far as it went, your attempt to extend its relevance into something never intended is... well, moronic.

Re:Steve Jobs = Emmanuel Goldstein?

I know, and I'm about ready to quit reading and posting on /. Then what will you people do without Anonymous Coward?

Re:Steve Jobs = Emmanuel Goldstein?

[Haxzaw]

Hmmm, that got me to thinking, what if Osama Bin Laden is like Emmanuel Goldstein? Might explain a lot. Sorry to get off topic, but I don't really feel like bashing Apple right now.

Re:Steve Jobs = Emmanuel Goldstein?

[something_wicked_thi]

I know I shouldn't feed the trolls, but I do have to add one thing.

The analogy to the two minute hate doesn't just imply that there's a regularly allotted time for hatred. It also implies that the reasons for it are not well understood and possibly fabricated. If you don't understand that, you obviously haven't read the book, or you weren't smart enough to comprehend it.

Also, the words "certain respects" never appeared in the post to which I responded (nor, for that matter, anywhere in this thread except your post), and, last I checked, having read a book doesn't take a mighty intellect, but I realize that point may be contentious among some.

So much for app review

[Mark19960]

What happened there?
They won't allow flash or 'widgety' apps yet allow apps that do noting but get the developer points.
A developer with almost 5,000 apps?
So much for that 200,000 apps in the apple store.... perhaps half are fake?

Re:So much for app review

The screening process seems to be: does it use private APIs? Does it have naughty bits? Does it do one of the things that Apple/AT&T doesn't like? No? Approved!

They've never had a problem approving piles of worthless crap. That's why any claims of "curation", except in the Featured section, are laughable.

Re:So much for app review

[Mark19960]

I have seen 'fake' apps in the Android store so this is not isolated to just Apple.
If you see an app in the market with virtually no rating then you know to pass it by.
The one thing that the Android market lacks is filters.

Re:So much for app review

[Dishevel]

I would like Apple to tell us how many developers have over 500 apps.

Re:So much for app review

[socz]

I've seen those too! They can be found in the "test section" with author comments of "This is a test app"

Re:So much for app review

[cgenman]

But the Android market is known to lack filters. You go to the android market because it lacks filters.

Apple claims that all of the ridiculous app store shenanigans over the past few years have been in order to create a family-friendly, safe Disneyland. And hopefully they will deliver on that promise. But in the mean time, buyer beware. Using iTunes to turn hijacked computers into dollars is actually kind of brilliant. Hopefully we won't see that proliferate.

Re:So much for app review

[shutdown+-p+now]

If you see an app in the market with virtually no rating then you know to pass it by.

Well, the problem seems to be is that now you can see an app in the market with a 5-star rating, and you have no way of knowing that the rating was done via hacked user accounts...

Re:So much for app review

The Android market has no moderation...that is true.
I think the thing people take issue with Apple over is that they insist on the ability to approve or reject every App that is submitted to the App store, under the auspices of protecting the consumer, only to allow rogue developers with do-nothing or duplicate, overpriced apps that are being used to rip off their customers. They're selling a "walled garden" but the gates are manned by these guys.

Re:So much for app review

The one thing that the Android market lacks is filters.

You mean reviewed by people manually, who, depending on their mood may reject something for no particular reason?

Re:So much for app review

[Mark19960]

I probably should have made this more clear.
When I say it lacks filters I mean search filters.
I don't want to see the apps that have been rated into hell itself.
I would like to be able to filter apps with say, less than 3 star rating.

Re:So much for app review

[Lars+T.]

The one thing that the Android market lacks is filters.

So where are the porn apps on the Android Market? No, not the porn app store for Android - the Android market that lacks filters.

Re:So much for app review

All this stupid finger pointing. Someone says hey look, Apple blah blah blah, and Apple users are quick to say, oh yeah, well so does blah blah blah, and they don't even know if it is true. You know, if Apple users don't like the lack of Apple being able to control the media, why don't you just stick to the Apple forums. Apple will make sure to delete stuff you might not like to read, and you will have plenty of other people who will agree with you if your information is factual or not, so why even come to a place like this? Don't expect any pitty when Linux and Windows people have had to put up with Apple trolls coming in for years pissing all over everyone. Now that Apple actually has success in one area (Mobile devices) Apple users are upset that all the people they pissed off over the years are coming back to bite them. I guess new Apple users don't realize how many doucebags were part of the Apple crowd before they joined, and now they have to deal with the repercussions of all that troll piss from Apples past.

Quick anecdote

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone elses' device, or for a device that doesn't exist yet?

Re:Quick anecdote

[mlts]

This is probably another quick and anonymous method of checking the validity of a stolen card. Before, credit card thieves would run cards through gas station card readers. This worked until the readers started prompting for the ZIP code of the cardholder.

My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

Re:Quick anecdote

[jfoobaz]

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated.

I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note, that I too can make up anonymous and unsourced 3rd party quotes to support any thing I choose to say, and the credibility of said quotes is identical to yours.

Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

Re:Quick anecdote

[Kitkoan]

Consider either using iTunes gift cards.

Gift cards like those worry me and I refuse to buy them for ANY company. I've seen too many people buy gift cards (that just use a number string) try to get the credit from the card after buying them to only be told that the number has already been used by someone else (they use them by using a Random Key Generator). And since it's just about impossible to prove that you were the first and only owner of it, your typically SOL.

Re:Quick anecdote

I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note, that I too can make up anonymous and unsourced 3rd party quotes to support any thing I choose to say, and the credibility of said quotes is identical to yours.

Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

It would be imprudent of me to not post anon, and even more so to quote the source of the information. Financial companies are as touchy as "Trendy Software/Hardware Marketing Companies" when it comes to proprietary information. You have every right to not believe the anecdote, just don't whine when you're the victim of fraud and no one is sticking up for you; we tried to warn you.

And since this is Slashdot, RTFP and point out anywhere that I implied I had evidence of causation.

Re:Quick anecdote

[swb]

Any small purchase can be used to "test" to make sure the card info is correct. For physical cards it's often a gas station, but that doesn't work when the fraud is 100% electronic (ie, no fake plastic) so any system where you can make small, but, verifiable purchases before maxing the card out on a larger purchase is desirable.

iTunes is great for that, but I've gotten calls about other small charges from my credit card company when they've flagged a questionable transaction.

Re:Quick anecdote

[node_chomsky]

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated.

I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note, that I too can make up anonymous and unsourced 3rd party quotes to support any thing I choose to say, and the credibility of said quotes is identical to yours.

Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

Good rhetorical dissection, the world needs more people who understand the validity of certain forms of "proof".

Re:Quick anecdote

[Tharsman]

Keyloggers in the user's computers. People that manage their iTunes accounts in virus infested computers are the most likely reason for this kind of stuff.

No, you cant gift apps for other users in your iPhone, but you can phish up the iTunes account login and password so you can buy anything you want and sync it to your computer, and then to your phone.

Re:Quick anecdote

[jfoobaz]

It would be imprudent of me to not post anon, and even more so to quote the source of the information. Financial companies are as touchy as "Trendy Software/Hardware Marketing Companies" when it comes to proprietary information. You have every right to not believe the anecdote, just don't whine when you're the victim of fraud and no one is sticking up for you; we tried to warn you.

I neither believe or disbelieve you. I find your statement lacking in support and indistinguishable from bullshit; this is not to say it's bullshit, merely to say it's just one assertion without sourcing. It could well be true. Of course, phrases like "Trendy Software/Hardware Marketing Companies" make it seem like you have something of an ulterior motive in posting this, but that's not necessarily indicative of bullshit.

And since this is Slashdot, RTFP and point out anywhere that I implied I had evidence of causation.

And since this is Slashdot, RTFP and point out anywhere that I said you'd implied evidence of causation. The phrase gets trotted out constantly, whether or not it's warranted.

Re:Quick anecdote

[tlhIngan]

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone elses' device, or for a device that doesn't exist yet?

The iTunes thing is a credit card test.

If you think about it, if you steal a bunch of credit cards (e.g., hack a payment processor), the easiest way to test them is to run up a charage against something that has most people thinking is a normal charge.

E.g., a lot of people have iTunes accounts, so get iTunes to do run a charge and see if it goes through - you'll see this as a $0.99 billing mostly. The goal is to hide that 99 cent charge amongst hopefully other iTunes charges.

Earlier this year, a payment processor was hacked (one used by one of my favorite stores) - it's unusual because the store itself doesn't store credit card data (they can't), but a bunch of people who used that store noticed the iTunes charges, while others noticed and saw the strange charges as well (too late).

I don't think there's any credit card information being stolen from Apple (no app can get at it unless it key logs - at worst they'll get your iTunes account information as your credit card isn't transmitted to Apple at all - Apple looks up your stored credit card info).

As for enabling the activity, I think it's because iTunes is quite popular - a good chunk of those doing online shopping have probably bought something from iTunes, thus the change of burying a charge is greater, and there's probably some API that was hacked in order to rapidly test credit cards. Also, Apple delays charging for a week or so (to avoid multiple 99 cent charges, they'd rather do a batch charge) but iTunes does do a reservation for each charge to ensure credit is available.

Re:Quick anecdote

[pseudorand]

> My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

TFA agrees with you ("Remove your iTunes card details and consider using gift cards where possible."), but using a gift card is a really bad idea. The article also says to "try prevent any iTunes purchases from clearing." These suggestions show a misunderstanding of the legal protections afforded consumers when we use credit cards.

Under the law, you have 60 days to dispute credit card transactions. You can do this if the transaction has cleared (which is typically less than 24 hours). You can do this even if you've already paid your credit card bill. Your credit card company is required to refund the amount to your account until the dispute is resolved and help you in the dispute resolution process. The law has some antiquated restrictions about transactions occurring more than 50 miles from your home and technically gives you a liability of $50, and doesn't cover debit cards. However, both Visa and Mastercard have policies of zero liability that cover both credit and non-PIN-based debit transactions independent of how far from your home they occur. I've disputed numerous charges for various reason, including having someone make a copy of my card in Mexico (I still had the card but the bank said it was a card-present transaction). Disputes have always been resolved quickly and in my favor. In short, using a credit cards is the safest way to buy stuff. Always use a credit card for any purchase.

Think if you'd used a gift card. Gift cards are like cash. If the purchase was fraudulent, you only lose the value of the gift card, but you have no way to get it back. I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.

Re:Quick anecdote

Another common trick to see if cards are live is to donate a small amount (~£1) to charity. This happened to a friend's card, but the bank spotted it, saying it happens often, check the transaction with my friend and then blocked the card when he said he hadn't authorised it.

Re:Quick anecdote

[DdJ]

Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone elses' device, or for a device that doesn't exist yet?

Yes. The purchases are just like iTunes music purchases. They require an iTunes account. They're not bound to specific devices at all, they're bound to iTunes accounts. Even if you don't have an iOS device, nothing would stop you from going out and buying an app right now. If you ever did sync an iOS device to your iTunes library, the app would then install on that device (if you haven't deleted it from your library in the intervening time). Even if it's a hardware model and OS version that didn't exist when you made your purchase, yes.

I was thinking "if this is just someone probing credit card validity via the app store, why haven't we seen it with music before"? But I think the answer is, for music, Apple is paying out to a much smaller list of payment recipients. A single individual human being can sell apps. Doing the same for music is considerably harder. I think apps are just way more open to fraud than music is, because of the difference in publisher relationships.

If that's the case, why would we see this via apps but not books? The iBooks store also lets individuals contribute without other intermediaries.

But, with iBooks you can't sell for a device that doesn't exist yet. The only purchase interface is on the devices themselves, not the web or iTunes or anything. It'll be interesting to see if similar exploits appear for iBooks books if/when there are other purchase mechanisms for them.

Re:Quick anecdote

Easy fix. Stop using Windows and buy a Mac where keyloggers are not hiding behind every .js exploit around. Of course, as soon as people move to the Mac platform, some malware writer will reflash Mac keyboards to stick the keylogger code into the hardware.

Re:Quick anecdote

Fair enough, one bit of potential bullshit deserves another piece of potential bullshit then, eh? Is that what you're saying? Did you just stop by to point out that "people can indeed make shit up on the internet"? What a bit of insight, thank you so much for your input... Oh, or is this one of those tests, like you are saying anyone can make shit up on the internet except if people can make shit up on the internet then that means you just made that shit up about making shit up?

Do you see how quickly your line of logic leads to a pile of shit? Feel free to contribute useful information at any point, here.

Re:Quick anecdote

[cusco]

I personally think it's an Apple insider, actually. A couple of years ago anyone who had access to the store's database management tools had essentially free access to everything. People could literally dump a backup of the db to a USB hard drive and walk out the door with it. I'm sure they've tightened it up since then (well, moderately sure), so it would be interesting to see if the accounts getting attacked include new accounts or only accounts that have been around for a while.

A laid-off developer might well have run across the old db backup while looking for stuff to put on eBay to pay the rent and thought, "I'll bet someone would be interested . . ."

Re:Quick anecdote

[networkBoy]

I use a very low limit card for on-line purchases, and for travel.
Active limit is < $800, nominal limit is $10,000 if I go on-line to my bank's website and increase it.
I've had to re-issue that card number only twice, once for a lost wallet, once for on-line fraud.
-nB

Re:Quick anecdote

[MainframeGuruDennis]

If Apple was following the PCI (Payment Card Industry) requirements, any credit card info that was associated users itunes account should have been encrypted, thereby making it difficult for anyone who hacked the site to access the credit card data. Was Apple properly encrypting stored credit card details? Another question to add to the growing list.

Re:Quick anecdote

You have every right to not believe the anecdote, just don't whine when you're the victim of fraud and no one is sticking up for you; we tried to warn you.

Wow, thanks for looking out for us. It's important to let everyone know that if they are ever a victim of fraud, they should... umm...

Wait... how do you imagine that you helped? Are you suggesting that if we're ever victims of credit card theft, we should check our account to see if the thief first posted a dummy iTunes transaction? Perhaps we can tell our friends, "Oh, I read about this kind of thing on the internet."

Thanks, Internet Guy!

And since this is Slashdot, RTFP and point out anywhere that I implied I had evidence of causation.

Nobody will ever accuse you of providing evidence! But that doesn't seem to stop you from jumping to conclusions:

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app)

Anyhow, it's nice that you posted an unsourced anecdote, performed some dubious reasoning, and jumped to faulty conclusions. Without folks like you, Slashdot would be very boring. Thanks!

Re:Quick anecdote

I personally think it's an Apple insider, actually. A couple of years ago anyone who had access to the store's database management tools had essentially free access to everything. People could literally dump a backup of the db to a USB hard drive and walk out the door with it. I'm sure they've tightened it up since then (well, moderately sure), so it would be interesting to see if the accounts getting attacked include new accounts or only accounts that have been around for a while.

Source?

Re:Quick anecdote

The source of the hack is far more simple. They phish accounts like MySpace, and Facebook, and then use the credentials that got them into those sites, to log into your iTunes account. It's very common for people use the same usernames (email addresses) and passwords on social networking sites, that they do on their iTunes accounts.

Re:Quick anecdote

[Phroggy]

I could be mistaken, but I believe iTunes gift cards are activated at time of purchase, which should prevent that from happening. Also, unlike other gift cards which are often used for multiple purchases, iTunes gift cards are used to apply a one-time credit to your existing iTunes account, so if it works the first time, you know nobody can steal it because the card is already worthless. Finally, I would expect that Apple should have the ability to track the activation and use of a given iTunes gift card a lot better than some other companies, so if you did have a problem, their customer service people ought to be able to see when and where the card was activated and when it was used, on whose account.

If you're really concerned about it, you could even walk into an Apple Store, buy a gift card, then use one of the demo Macs to sign into your iTunes account and enter the card number before leaving the store. If it doesn't work, notify the salesperson you bought the card from. If you're extra paranoid, ask them to watch you do it. Don't forget to log out before leaving, obviously.

Re:Quick anecdote

Let's see if I understand your claim that this hack is "simpler" than the obvious alternative. You believe:

1. Thieves uses a phishing attack to get myspace account information.
2. Thieves use myspace credentials to log into victims iTunes accounts and purchase a song.
3. Thieves Exploit a bug in iTunes that allows them to extract full card information.
4. Thieves create a cloned credit card with the information from the iTunes attack.
5. Thieves use the cloned card in a brick-and-mortar store.

Remember, the original poster claim that the time between steps 2 and 5 is a matter of seconds. So, the thieves apparently bring a pocket-sized credit card printer into the store with them, and print out a new card while they wait in the checkout line.

Here's how it normally works:

1. Thieves obtain credit card information in the "usual" way.
2. Thieves clone a credit cards
3. Thieves bring already-cloned card into into store.
4. While waiting the in the checkout lane, thieves phone co-conspirators to verify cloned card is still valid.

Of course, the second scam isn't nearly as James Bond, since it doesn't involve nefarious iTunes hacks and pocket-sized card printers. Yeah... your idea is much better.

I don't know if you're the original anonymous coward, but just as helpful.

Thanks Internet Smart Guy! Thuy!

Re:Quick anecdote

[DJRumpy]

It's far easier to just use a PayPal account which can be limited to exactly the amount needed for a purchase.

If you don't want to go that far, just remove your card info all together and put it in as needed for purchases.

Re:Quick anecdote

[DJRumpy]

Your credit card number is not exposed in iTunes. The only time you can see the number is when you initially key it in when you are creating your iTunes account. It's hidden after that, even if you go in to verify and/or change your payment information. You can only see the last four digits of the card used. Easily verified by going into itunes, clicking on the Store -> View My Account menus, and then clicking the 'Edit Payment Information' button.

Re:Quick anecdote

[c1t1z3nk41n3]

Losing 20$ cash value is more palatable to me than dealing with the aftermath of fraud on my credit card, protections or no.

Re:Quick anecdote

[Trillan]

Wait, what? How would me using an iTunes gift card prevent someone from buying stuff using my credit card number, if they have it? If the iTunes purchase is a test of a credit card number, it's clear that they're not getting in through the iTunes store. iTunes store doesn't show the numbers of credit cards registered with it. It's not like you can do a test purchase of a song and then buy jewelry!

Re:Quick anecdote

[intheshelter]

I'm sorry if it offends you, but he has a valid point. The BS he's replying to simply isn't credible and he's correct to point out that the claim is vague and vaporous. No one in their right mind would take it seriously since it offers no source, no name of the supposed security company, etc.

Re:Quick anecdote

[rthille]

And if you are really paranoid, bring your own mac, since typing your password into another computer could be just as bad...

Re:Quick anecdote

[Atchuu]

I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.

Many credit providers allow you to create temporary/disposable one-time use card numbers. I know Chase allowed me to do it not to long ago for a TV I was purchasing online from a supplier I wasn't too thrilled about... Theres always an option. I avoid paypal as much as I can simple because their EULA is trash...

Re:Quick anecdote

I have a better solution. Don't use the iTunes music store at all. Use the Ubuntu Music Store, which costs less than iTunes, accepts PayPal transactions, features NO DRM on any tracks, and allows you to store your audio files in the Ubuntu One cloud service (free storage), and play them back on any computer you wish, using any music app, on any OS you like.

Freedom. It's what you've been waiting for.

Re:Quick anecdote

[Phroggy]

Quite so. All Apple Stores have free public wifi.

Apple account hacked months ago

[shidarin'ou]

The hackers attempted to order a macbook pro. I called Apple support- who kept asking what product I was having a problem with. One insisted that I was viewing the Apple website through a Mac, so therefore the problem was actually with the Mac.

Apparently they have no technical support/hacking section for their website- account issues don't exist according to them. I was finally able to reach level 2 tech support after faking a problem with my Macbook; where the account was flagged and order canceled.

Re:Apple account hacked months ago

you just talked to a stupid rep. they are perfectly capable of transferring you to any apple department, and there is most certainly a department for fraud handling.

Re:Apple account hacked months ago

[mjwx]

you just talked to a stupid rep. they are perfectly capable of transferring you to any apple department, and there is most certainly a department for fraud handling.

You've never dealt with CSR's before have you. No point in even trying to single Apple out here with the OP's experience, all CSR's that retarded.

Let me put it this way, would you be a level 1 phone CSR if you weren't borderline retarded, socially inept and/or had the intelligence to get a better job. People who work in call centres are like people who work in McDonalds but with fewer people skills.

Re:Apple account hacked months ago

Let me put it this way, would you be a level 1 phone CSR if you weren't borderline retarded, socially inept and/or had the intelligence to get a better job.

I probably would be a level 1 phone CSR if I weren't borderline retarded, socially inept, and/or had the intelligence to get a better job. As it stands, though, I am borderline retarded, socially inept, and/or have the intelligence to get a better job, so I got a job as an invisible walrus.

Re:Apple account hacked months ago

[mikael_j]

Try living in a college town in a rural area, lots of call centers love setting up shop in these places because there are plenty of smart students and recent grads who would rather do tech support than flip burgers until they graduate or find a real job.

Of course this does have the side effect of creating large numbers of burned-out and cynical young people who's first impression of having a job is that the employer only cares about working you to the bone and then spits you out when you burn out or make the tiniest of mistakes at the wrong time (wrong time is here defined as: when the boss is looking to lay some people off, right after you questioned anything the boss said or any number of other reasons).

Re:Apple account hacked months ago

[mjwx]

Of course this does have the side effect of creating large numbers of burned-out and cynical young people who's first impression of having a job is that the employer only cares about working you to the bone and then spits you out when you burn out or make the tiniest of mistakes at the wrong time (wrong time is here defined as: when the boss is looking to lay some people off, right after you questioned anything the boss said or any number of other reasons).

Consider yourselves lucky, in my country call centres have been outsourced to India.

Too many eggs in one basket!

Isn't this why you don't put all of your eggs in one basket?

You're holding it wrong

Maybe if people would just hold their phones the right way this wouldn't have happened.

Would this be

[DevConcepts]

Apple Farming?

Re:Would this be

[jgagnon]

Undoubtedly there are techs at Apple that will be hitting the hard cider tonight...

Re:Would this be

[Rockoon]

Farmville for Developers.

the problems go far deeper than Apple is admitting

They are saying that only 5,000 apps were pilfered a day, when really it's more like 60,000 a day. (yeah just making it up)

Apple, the new BP

Re:"problems go far deeper than Apple is admitting

[phonewebcam]

Speaking of which, there's a demotivational poster for that.

New Credit Cards?

[fluch]

Wait, so they suggest customers to get new credit cards? Well, one thing I do not understand is this: the credit card information is with Apple, but I thought only Apple has access to this stored information. There should be no way for the bad guys to obtain my credit card information from there. If they have the credentials to my apple account they can make Apple charge my credit card without my authorisation. But in this case Apple would have to give me back this money as I did not authorise it etc. And as soon as I have changed my password ... the problem should stop (as long as they don't get my new password somehow)...

Or what am I missing here?

Re:New Credit Cards?

[Tharsman]

You may miss that the same virus or site or whatever method used to compromise your password may had been used to compromise your credit card information, if you ever used it in any online retailer, including theirs.

Re:New Credit Cards?

[fluch]

Well, of course if this is the case it makes sense...

Re:New Credit Cards?

[cusco]

Or what am I missing here?

Stolen database backup? It's incredibly easy, and extremely embarrassing. Most companies don't want to admit, "Well, the intern that we foisted the backup jobs on gave the tapes to some guy in an Iron Mountain shirt and now we don't know where your data is." I know it's happened locally at least twice, and neither company fessed up to its customers.

Re:New Credit Cards?

[UnknowingFool]

There's no clear information on what is happening in the article only speculation. Lots of charges were passed through Apple. There are a number of possibilities:

1. Apple iTunes was hacked and account information was accessed.
2. User's account information was phished/obtained/guessed and Apple iTunes is being used to ring up lots of charges.

If it was #1, Apple is not being very forth coming. If it was #2, then the user has to get new passwords.

Re:New Credit Cards?

[Vancorps]

Hope those tapes were encrypted! I know mine are

Obligatory Star Wars quote

[boristdog]

"The more you tighten your grip, Tarkin, the more star systems will slip through your fingers"

- Princess L

Re:Obligatory Star Wars quote

[BonquiquiShiquavius]

I know, I know...Slashdot...News for Nerds...etc. And Star Wars falls squarely into this demographic.

But am I the only one that finds a quote from Princess Leia just sounds stupid?

Re:Obligatory Star Wars quote

[Haffner]

This has now been quoted in back-to-back threads, both times used effectively.

Approved apps?

[fluch]

Just wondering: So if harm is done with apps approved by Apple ... isn't Apple then also liable for the fraud done by them?

Re:Approved apps?

[billy8988]

Nah...that's MS yardstick. If a rogue developer hijacks IE then it's a MS problem. If a rogue developer does something to Appstore then it is that damn rogue developer.

Re:Approved apps?

[socz]

What do their ToS for buying, downloading, and installing apps on THEIR devices say?

Re:Approved apps?

[countSudoku()]

You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

BTW, who the hell is still visiting the crApp Store anyway? I froze my iTouch at 2.2.1 because I refuse to pay another $10 for the elusive Copy/Paste bug they failed to ship, or fix, in my rev. I downloaded all the free games, fart apps, tip computers, and two useful apps back in 2008 and never went back. Not all that impressed with the garden. In fact, it mostly sucks ass. Enjoy at your own peril!

Re:Approved apps?

BTW, who the hell is still visiting the crApp Store anyway?

Obviously, all the people out there who aren't nearly as clever as you are. They are so very all stupid and you are so much very smart. In fact, there is something you need to go be smart about with your clever smarts over there somewhere. Way far over there. They're way far over there because you're so much more cleverer than they are with your amazing jokes like that and how much you hate things.

(side note to us not-clever people: think that'll at least placate his ego for long enough for the rest of us to have a real discussion?)

Re:Approved apps?

[MobileTatsu-NJG]

You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

What company with an app store wouldn't?

Re:Approved apps?

[nedlohs]

A bankrupt one?

Re:Approved apps?

[agent_vee]

Can't wait to see Steve Jobs e-mail reply to a user asking what Apple is going to do about this problem. "Just don't purchase those apps. -Steve"

Re:Approved apps?

In what jurisdiction? Say a toxic toothpaste is sold by a store. Generally, the store is considered a victim as well UNLESS it can be shown that the store knew full well it was selling toxic toothpaste. Depending where you are, there may or may not be much of a civil case if it is shown the store shows reasonable concern and stops selling the toothpaste upon notification. Retail and retail disputes are as old as the oldest profession -- you'll have local law that you can reference for this.

The only interesting can of worms you just introduced is Software Liability. Yeah -- certain /.ers now have to balance their um, "distaste", for Apple's walled garden with a very serious threat to FOSS. Is Apple liable for crime committed with software it has approved?

Personally, I don't see it. Omniscience isn't practical. Just because a company restricts some freedom does not make it follow that they become completely responsible for how people use the remaining freedom. They should only be on the hook for fraud if they are consciously misrepresenting what can be done with that software.

Saying 'we restrict software that we consider to be harmful to users' is not the same as 'we guarantee our software cannot be used in a harmful manner'.

Re:Approved apps?

agreed. i got an iphone 3G and have been pretty disappointed with the apps. i just use a couple news apps, the facebook app and a few core ones like mail, safari, maps and the calculator. i'll have no problem switching to an android phone as i don't think the appstore is all that great.

Re:Approved apps?

[Trillan]

The apps themselves are harmless shit. There's no reason they shouldn't've been approved, unless Apple is going to reject apps for simply being lame.

The problem is that someone (presumably the developer) has iTunes account names and passwords, and used them to buy the apps. There's conspiracy theories as to how, but the most likely possibility is shared or weak passwords. When you're talking less than 500 compromised accounts over 150,000,000 accounts, it seems possible these could just be the "password" accounts or something.

I expect Apple will refund all these purchases, but whoever has the account names and passwords will still have them. The only solution is for those users to change their passwords. Though Apple SHOULD be disabling those accounts and requiring users to use the password recovery tools to re-enable them.

Re:Approved apps?

And if a rogue developer does something with a Linux distro, that proves how superior OSS is, because it was noticed and fixed within only a few months.

Identity Theft

[ShopMgr]

Yeah, there is an app for that...

4568 apps?

[HockeyPuck]

From the article:

One example is Brighthouse Labs with 4568 Apps, all virtually worthless.

How does apple approve of 4578 apps from one developer? I thought each app was audited? Or is some of the auditing done through heavy automation. Such that if you got Pacman approved whereby each dot you ate gave you one point, then you could make another pacman that each dot gave you 2points, and the second version was automatically approved.

Re:4568 apps?

[Bing+Tsher+E]

The apps from that 'developer' are things like 'xxx Quotes' where there are quotes collections for many many different people. And slider puzzles where there are many different pictures. And recipie books.

Basically the kind of 'stuff' where the actual codebase is a small container re-released over and over and over with different content.

That's part of the problem in general with the 'little Apps' model Apple has developed. There are separate 'Web Radio Players' for each radio station, leading to thousands of different radio 'apps.'

Re:4568 apps?

[JAlexoi]

How else would they "have an app for that"?

This is a security issue; but who's at fault?

[rsborg]

How can a compromised developer account contain iTunes login information?

Are the people who got hacked also developers on the App Store?

How many accounts are known (publicly) to be hacked?

Without more information, it's hard to take any of this as a serious breach... all of these actions could easily have been had by PC malware or Jailbroken phone malware, via the information black market.

Re:Mitigate the problem

[shadowrat]

the app store never reveals credit card information. if you know a user's log in and password, you can make app store and itunes purchases from any device. you can't, however, get their credit card.

unfortunately it's trivially easy to get the login information. All a developer has to do is make an app that asks for credentials. It can be very legit so as to make it through apple's approval process. Really, all apple cares about is if the app is reasonably stable, doesn't duplicate their functionality, and isn't using private api's. Maybe you have a high score system, or simply say the user needs an account to read the book in the app. Hell, you could probably just make an app with 2 text fields for username and password that does nothing and apple will approve it. You will probably end up with a database where > 50% of the username / password combos are actually appleIds and passwords ready to buy stuff on the app store.

i'm not sure what apple can do to combat this social engineering. i don't use my appleId within apps or any other login really. It would be nice however if i could whitelist some deviceid's that i say can make purchases from my account. maybe make that hardware identifier work for me for a change.

Apple Slashdot Attention

[helix2301]

I have to agree Apple is getting a tone of slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they been getting a lot of negative attention which is not a good thing.

Re:Apple Slashdot Attention

[Aphoxema]

I have to agree Apple is getting a tone of slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they been getting a lot of negative attention which is not a good thing.

News for Apples, Stuff that Apples.

Must be

There is obviously magical properties in use here in a game changing manner.

simple: add photo of purchaser

[LiquidCoooled]

upload a photo of the person purchasing the item at the point of sale.

chances are, there will be a little kid (mine makes calls on my n900) or the owner.

meme wars

[jDeepbeep]

But am I the only one that finds a quote from Princess Leia just sounds stupid?

If we added a car analogy, we're looking at at least a 4-funny.

Re:Another Apple Story?

[BlueBoxSW.com]

What's next:

"Apple Admits to Typo in iPhone Manual"

"Is Steve Jobs Related to Hitler?"

"Apple Blocks Anti-Apple App from Store"

"Apple Customer Server Fails to Answer Phone in 2 Rings"

"Non-Apple Owners Who Complain About Apple Products, Largest Growing Demographic on Web"

Where is Apple's due diligence?

[dammy]

One has to wonder why Apple's policies allowed the situation to get to this point. Why are any apps being approved before Apple has preformed due diligence on them? No background checks on the coders? Apple is making more then enough money to make things right and come out looking to be the champion for iTune users but it doesn't look like it will be so.

Re:Where is Apple's due diligence?

[AHuxley]

Apple Googled and made a "mistake". The offender was "Bezos'ed"
The walls of the Apple garden will be Mircosofted up with extra DRM.

too much advertising does this to you

[ILuvRamen]

Wow, what a mysterious cliffhanger at the end of the summary...just kidding, it's obvious. They never had to worry about security because nobody used their products! With a market share like that, why would any malware writer or hacker bother? But now that Apple somehow convinced so many people to buy their so-so phone, they should have known what comes with that; attempted security breaches!
Actually, it's not the least bit surprising for a company that doesn't know the first thing about security to put out an insecure product and whole related system. This is definitely not going to be the first story like this about Apple if they keep putting out products that get enough market share to get attention from bad people. As a company, they have no idea how to handle it. Think of it this way. Microsoft has had decades to stop all forms of security threats that are constantly targetted at them and still hasn't gotten it quite right. Apple is starting from nothing because they've never had to worry about security on any significant scale. So unless they suddenly pull about 15 years of developed security measures and then some out of their asses and put it into the next iPhone, they're going down in flames. This is sort of funny and entertaining really, and not just because it totally makes the outlook for Linux look better. Either Apple's products are a laughably small market share or it's a huge market share and because of that, turns into a disaster because they don't know what they're doing. So I'd like to see Mac computers get like a 30 or 40% market share so bad people start targetting them. Their OS would make XP look like Fort Knox by comparison.

Re:too much advertising does this to you

[bteed]

As much distaste as I have for Apple culturally, OSX's unix lineage wouldn't allow malware the same freedom it has on a poorly set up XP system. The exception would be PEBKAC issues that Mac users might be more vulnerable to because of their undying belief that their iDol will protect them. I've noticed that a lot in light of the recent events, actually. People in Apple forums making comments to the effect of "The real question is whether these hacked users were using PCs" and "Apple can't guarantee peoples safety unless they're using Macs".

Re:too much advertising does this to you

[Ash-Fox]

OSX's unix lineage wouldn't allow malware the same freedom it has on a poorly set up XP system.

That's not really true. The BSD subsystem provides a not very POSIX compliant interface to the kernel, and they have a few BSD usermode applications, but the XNU (X is Not Unix) kernel certainly does not use the same security scheme Unix uses.

The only fault apple has in this

[nurb432]

Is not requiring stupidly complex passwords to prevent brute force attacks on accounts. Even then however, if you give them out to a 3rd party, ITS YOUR OWN DAMNED FAULT!!

Maybe that's why they post these stories?

[Attack+DAWWG]

Visceral hatred always equals more page views.

Apple isn't arrogant?

[copponex]

Listen, when your marketing literally states that you are "changing the world" with your phone, and apparently you didn't properly engineer the antenna, your customers are going to complain bitterly. And then everyone who realizes that Apple is just Microsoft with better industrial designers and better marketing are going to laugh at the brand loyalists who got bitten again because Apple favors form over function.

It's really not more complicated than that.

Re:Apple isn't arrogant?

[mean+pun]

This is exactly the kind of content-free critique I was trying satirize, but it seems you're much better at it. In particular the 'Apple favors form over function' is classical, classical.

Re:Apple isn't arrogant?

It happens to be true. Anyone who's used OSX for more than a few minutes quickly realizes that 1) it looks really nice and 2) it doesn't work very well. Let me give you a few examples of this and other evidence Apple is more about form than function:

1) In many cases, waking up an OSX laptop takes several minutes.

2) Network timeouts can freeze the entire OS for many seconds.

3) There is no simple, one button way to right-click, even though many things require right clicking.

4) The command shell doesn't accept mouse input.

5) Locking the screen doesn't always hide the screen.

6) You have to restart the computer to update safari.

7) Many of the new UI features lately have made the OS less usable but better looking. For example, the transparency in the dock makes it harder to tell which window is active. The transparent menus make them harder to read.

8) The laptops will get annoyingly hot (so that they are painful to touch) before the fans will turn on, presumably to lower the noise level at the expense of shortening the life of the laptops.

9) The metal case of the MacBook Pro dampens wireless signals.

I could go on, but I think you get the point. In all of these examples, either function is sacrificed completely or form is chosen over function. That's not to say that this is the wrong decision. I can definitely appreciate the design of the system, even if they have to make some sacrifices in other departments to achieve that goal. However, it is very clear that Apple often sacrifices function for form. Their customers pay for a product that is better looking, more consistent, and simpler than the competition and for that, they sacrifice customizability, utility, and reliability. This is no secret and there's nothing wrong with it and there's no point making fun of either side because they have different priorities. But pretending that Apple doesn't do this is just sticking your head in the sand.

Re:Apple isn't arrogant?

You just made Elbereth's point.

Temp credit card number tied to first user

[perpenso]

Some banks / credit cards allow you to generate temporary credit card numbers with a limit that you specify. The ones I've seen in use also tie themselves to the first vendor they are used with. So if first used on iTunes by you then cloned cards will not work elsewhere.

Re:"problems go far deeper than Apple is admitting

[E+IS+mC(Square)]

Probably. Here, the problem is that they are selling it wrong.

Re:Another Apple Story?

[Darkman,+Walkin+Dude]

Is the story factually incorrect in any way, or otherwise misleading? No? Then stop whining about it and find a better company to support.

Note from (formerly) within:

I used to work inderexrly with the app store and iTunes store in general. I say indirectly because although I had no control over it's contents, I dealt with it's customers.

We use to get three different emails: help, someone stole ny money, help I accidentally clicked yes, yes, ok, agree, ok, download without seeing and or reading ant of the prompts, and help I scratched my iTunes card with a key and can't read the code.

This shows two things: ine the customers are idiots, abs 2 there are a lit of problems.. To anyone affected it was "accidental and you will get a refund. Fraud... Have fun with your bank.

Ps I wasn't fired, I left after being told to take ire time toresolve issues even if it meant putting people on hold who'll I walk across the room to char. Yeah.. Apple cares.

When will they learn?

[sharkey]

Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer

Steve ain't kidding about pr0n. Maybe if there was no fingering, the account would still be active.

Re:Another Apple Story?

[BlueBoxSW.com]

That is my point: Stop whining and find better news for nerds.

Slashdot has turned into a bunch of sissy girls.

Re:Another Apple Story?

[BlueBoxSW.com]

What's next:

"Apple Admits to Typo in iPhone Manual"

"Is Steve Jobs Related to Hitler?"

"Apple Blocks Anti-Apple App from Store"

"Apple Customer Server Fails to Answer Phone in 2 Rings"

"Non-Apple Owners Who Complain About Apple Products, Largest Growing Demographic on Web"

mac keyboard infection

For those just tuning in, parent poster is not making this up. Mac keyboards have been infected with keyloggers in the past. The mind boggles why Apple would make their keyboards re-flashable.

Re:Another Apple Story?

[Ksevio]

You could always go to slashdot settings and select that you don't want to see as many apple stories...

Re:Another Apple Story?

[BlueBoxSW.com]

I don't mind the Apple stories.

I mind that Anti-Apple-baiting.

For people who don't buy their stuff but just want to complain.

So what platform were they using for security?

[lpq]

Does this say anything about Apple security?

Re:Another Apple Story?

So I assume you have commented only on stuff you have bought?

0.00000003% of accounts accessed is not deep

[gig]

The servers weren't even hacked. 400 accounts with guessable passwords were accessed. That is why the users were asked to change their passwords, and everybody got their money back.

How much hysteria does there have to be around Apple before it's enough?

Sandboxing?

Do iphone apps run in some sort of sandbox? How hard is it to check that code isn't malicious?

Re:"problems go far deeper than Apple is admitting

[drinkypoo]

Speaking of which, there's a demotivational poster for that.

I think you mean there's a demotivational poster for that.

The attacks on Apple continue (but not from apps)

[sjonke]

This is yet another ludicrous attack on Apple. The problem here is not that "rogue apps" have stolen your itunes account and credit card number, it is that these rogue developers have stolen itunes accounts/credit cards or purchased same from some other source and are using these to purchase their apps and make money, both from the purchases and the rising up in the charts. So, please, please just stop with this. Why do you idiots want to kill Apple? If it's because they don't make a phone that you like, well, that is really f-ing pathetic.

Step 1: Create iPhone app

[Blue+Lozenge]

Step 2: Pay hacker to make fraudulent purchases for competitors' apps.
Step 3: Profit!!!!!!!