Slashdot Mirror
Has iTunes Been Hacked?
An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."
"This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."
At first I thought this was just to spread generalized fear, take a cheap swipe at their competition or even shift attention to something else, but it appears we'll get to see how pervasive this becomes. Perhaps he wasn't completely full of lies ...
My work here is dung.
More like identity theft.
Nobody ever hacked my cassette deck.
Most of the stuff on
People being overcharged because the accounting software fucked up happens all the time. What would a hacker get out of making someone pay a few extra bucks to Sega, via Apple, compared to both dodging an accusation of faulty billing software that could sour people on microtransactions?
No mention of keylogging trojans or phishing combined with ridiculous uneducated guessing makes these authors' ramblings pure trash. Apparently all the links are from Betanews, too; I'd like to see Betanews stick to talking about iThings and not security. Choice quotes interspersed with my reactions:
"Apple's iTunes user logs themselves may have been compromised."
All I can think of on this one is the time I had someone tell me that my router had "lost its ARP table".
"... several of the victims that reported into Betanews on their experience are employed in IT -- obviously understanding the risks of improperly secured personal data."
I'd hope these same IT employees someday understand the risks of improperly secured personal data by not browsing the web on their own PCs (no Windows implied).
Also there would a variety of purchases, not just for one game.
It's not just for one game...
Since Betanews' original report last Wednesday, dozens of readers have e-mailed their own reports of account issues, most dealing with Sega's Kingdom Conquest.
Additionally...
Nearly every victim had a gift card balance on their account, and some have reported that their credit card and/or payment information had been removed from their account. This indicates that Apple likely is aware of the attacks, and is actively trying to protect its users.
In all cases, whether they're admitting the hack is occurring or not, users are having little trouble getting their money refunded to them.
Considering we've seen a story about how everyone is using the same password everywhere, and how Sony got hacked again , exposing even more passwords, is it any surprise that a number of people are having their iTunes and PayPal accounts attacked and drained to buy game gold?
iTunes and PayPal are pretty huge targets, but who'd attack a single game if they had access to the back end?
This is what bugged me about general security advice: people are recommended not to re-use passwords over a variety of web sites (sensible). However the solutions proposed are to store these passwords in a local "password vault" protected with just a single password, or for all sites to use a centralised log-in system such as Google or OpenID or whatever.
Now if really those web masters all follow suit and all switch to doing their logins using Google: is that any safer than re-using a password? If Google gets hacked, logins to all web sites are suddenly on the streets. Google's security may be better than Sony's, that's not said that it can not be breached.
Or if a keylogger finds its way on your computer, then the complete password vault can be opened in one go.
I very recently had the same situation that is described in the articles happen to my iTtunes Account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a Credit Card that didn't match any of my Credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.
Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as all they did was change my billing info to some one else's and buy $100 worth of gift cards (Who knows what they were used for...).
I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.
I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.
I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...
This may be unrelated, but yesterday I noticed that my iTunes account had became corrupted with someone else's data. My first name, last name, address and registered CC number became someone else's info. Had I not noticed, I would have been making charges against this other persons account. Maybe someone wrote one messed up database query and screwed up a massive amount of people's payment association. Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.
That's great, but how does that stop someone else with your credentials logging in from a different computer and buying something?
I'm going to assume you don;t have a CC on file with Apple (if your iTunes paranoia is anything to go by) but your setup would not help anyone who does.
My suspicions are that this is due to usernames and passwords being the same across multiple services, so one big compromise (Sony), has led to ID theft on other services, like the iTunes store.
I tried to get them to email the new TOS, but my wifes iPhone kept trying to spell-check/correct my email address. Why the F*** does it do that to *EMAIL ADDRESSES*??????
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
From reading up on the user reports of this. It seems this has been happening in this pattern since mid to late May. Apple has inexplicably not said a damn thing (yet), but has been removing credit card details from accounts, and locking some others out. Which indicates they are aware of this issue and dealing with it. Interestingly users report they are having no problems having their balances refunded. The silence is conspicuous, no? I guess this issue getting slashdotted means Apple is going to say something.
/. != a actual real issue.
What worries me is they appear to have known about it for a while and are trying to clean it up as quietly as possible. If this is was a glitch one presume they would admit it in a downplayed fashion. I'd wager it is a BIG hack.
Leaving us with two possiblities:
1) iTunes has been seriously fckued over for teh lulz and profit and is trying to keep it quiet.
2) Or iTunes fraud may have been a constant (but contained) background noise for some while and this isn't much of an abberation. Apple may prefer to live with some level of fraud and patch it up the leaks quietly. Just because it's trending on
Either way, talk about reality distortion.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
because if this turns out to be another widespread hack like the others reccently it'd be the last time I ever buy an Apple product.
What, Steve Jobs controlling every aspect of your life wasn't enough?
Peter predicted that you would "deliberately forget" creation 2000 years ago...
I'm watching how this develops, I purchased my wife
Was she more than $.99?
Would you buy another?
Have you seen any fraudulent wife purchases on your bill?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It doesn't any more. Log in to your iTunes account and choose None as payment method, and no details will be kept on file. If you don't purchase regularly then it'll be no inconvenience to re-enter them.
It doesn't - you can open and run an iTunes account without ever using a credit card, only topping it up with iTunes gift cards. No CC ever needs to go near the account.