Slashdot Mirror


Mystery of Vanishing iTunes Credit Shows No Sign of Fading

E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."

195 comments

  1. Great by Antisyzygy · · Score: 2, Insightful

    Apple should really look into this more, rather than just passing off the blame. Typical.

    --
    That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    1. Re:Great by DurendalMac · · Score: 4, Insightful

      We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

    2. Re:Great by Anonymous Coward · · Score: 0

      We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

      Users are inattentive and lazy. If there are 700 posts about this, you can bet the problem is much larger than that.

      It's way too early to say this is not a big, scary security flaw (or that it is, for that matter). Maybe Apple is using its own OS for its backend- we all know how secure that is in the enterprise.

    3. Re:Great by DurendalMac · · Score: 0

      700 posts != 700 users, though. A lot of people are going to be posting multiple times throughout the thread.

    4. Re:Great by Beelzebud · · Score: 0

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

    5. Re:Great by Anonymous Coward · · Score: 0

      And a lot of people also won't post because they don't; they're not sure if they were affected or it was only a small amount so they didn't notice or care.

      I'd bet the actual number is much higher.

    6. Re:Great by iamhassi · · Score: 5, Interesting

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to that blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      If you read the article, every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

      Apple should do more than just issue refunds; by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases.

      --
      my karma will be here long after I'm gone
    7. Re:Great by Anonymous Coward · · Score: 0

      Don't forget, only a small percentage of people affected will complain on the forum.

      I just want to know how you're able to register a new device to your iTunes account without the owner of said account knowing about it. Why doesn't the customer get email receipts when the transaction happens? And why can't Apple figure out which device downloaded the app to provide that information to law enforcement? This is security 101 - you're dealing with money (yes, it's fake Disney dollars to get you out of currency regulations but it translates into money), you need to be able to allow your customers to know where this money is going.

    8. Re:Great by AmiMoJo · · Score: 1

      This is just a rumor so make of it what you will, but some sources claim that it is an attack on credit voucher serial numbers. After all, why buy random apps if you can't use them? They will be tied to the owner's phone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Great by entoke · · Score: 1

      I get email receipts when I buy apps on my iPhone, pretty sure I didn't have to change any setting for it to work that way.

    10. Re:Great by shoehornjob · · Score: 2

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      Thank you. They need to enforce better password standards.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    11. Re:Great by brusk · · Score: 5, Interesting

      After all, why buy random apps if you can't use them? They will be tied to the owner's phone.

      No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

      --
      .sig withheld by request
    12. Re:Great by Colonel+Korn · · Score: 1

      And a lot of people also won't post because they don't; they're not sure if they were affected or it was only a small amount so they didn't notice or care.

      I'd bet the actual number is much higher.

      This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

      --
      "I zero-index my hamsters" - Willtor (147206)
    13. Re:Great by Anonymous Coward · · Score: 0

      There are several problems:

      hacks are more like this:
      http://xkcd.com/538/

      and this:
      http://xkcd.com/792/

      we need better passwords for regular people:
      http://xkcd.com/936/
      http://preshing.com/20110811/xkcd-password-generator

      Considering most users should only be putting the password into Apple devices and not even independent web browsers for most services, I can see how Apple isn't jumping on it. Apple iPhone, iPods, and TVs all have dedicated popups for signing in. iTunes users sign in only through iTunes. So that only leaves the places the Apple ID is used somewhere else.... meaning somebody is pretending to be one of Apple's websites like Developer Center or Mobile Me... that's a pretty small list even compared to Yahoo or Google, and it's the "social hacker" problem more than a technical one.

    14. Re:Great by UnknowingFool · · Score: 1

      That does little for stolen passwords or phishing attacks. I know people who used the same email (username) and password for different accounts. Once one of them gets hacked, then those people have multiple accounts hacked.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    15. Re:Great by CharlyFoxtrot · · Score: 2

      Why doesn't the customer get email receipts when the transaction happens?

      You do get a receipt normally, however since the accounts were compromised and personal details altered (according to the thread) that confirmation could've been sent elsewhere. Some people do report getting receipts and being informed that way that something was going on. This is all on the first page of the linked Apple support discussion.

      And why can't Apple figure out which device downloaded the app to provide that information to law enforcement?

      You want Apple to track their customers? Yeah, that'll go over great with the paranoid Slashdot crowd.

      --
      If all else fails, immortality can always be assured by spectacular error.
    16. Re:Great by CharlyFoxtrot · · Score: 1, Funny

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to that blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      A few hundred = a not even that successful phishing expedition. Even a few thousand would be a drop in the bucket.

      Apple should do more than just issue refunds; by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases.

      They could ask him but they don't have enough to block him. Someone also bought Monkey Island 2, does that mean Apple should block Lucasarts?
      Apple should issue refunds, just because it's good business, but the problem here in all likelihood is on the client side.

      --
      If all else fails, immortality can always be assured by spectacular error.
    17. Re:Great by guruevi · · Score: 2

      Did you ever enforce minimum security standard passwords? First, if you just add some complexity (e.g. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    18. Re:Great by LordSnooty · · Score: 1

      Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

    19. Re:Great by gnasher719 · · Score: 2

      Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

      Combine something that is easy to remember with a random sequence that you have to write down and pin to your monitor. Remote attack fails because of the random sequence, looking at the paper fails because the person looking is not an experienced hacker and doesn't know the "easy to remember" bit.

      And even if an experienced hacker knew the random sequence, at least attacks using rainbow tables would now fail.

    20. Re:Great by zippthorne · · Score: 2

      They do, but they have a stupid definition of "minimum security":

      it's some small number of characters, at least one of which must be a number.

      This is not a terribly onerous policy*, but iPods' screen keyboards do not have a number row. You have to switch to another page to input numbers, so people with iPods are going to tend to pick a specific subset of passwords with numbers - ones where all the numbers are together at either the beginning or the end.

      I think that this may result in passwords that are actually less secure than the same length of just letters, even....

      *although, until you start getting into 20+ char passwords, it turns out that adding one more character to the minimum length improves security by more than adding 10 more glyphs to the character pool....

      What they should do is enforce a minimum password *strength*, and generate several passwords for using pre-defined rules which you can pick from (and which have been researched, so assuming random generation, their strength can be calculated), rather like the keychain works, actually...

      --
      Can you be Even More Awesome?!
    21. Re:Great by Anonymous Coward · · Score: 1

      Or so you say. The same reason why they can't go after Hongbin is the same reason you can't make such outrageous claims that it's user side. How many times do you actually need to enter in your account information outside of your i device? Once for your install of the bloatware on your desktop, and once (if enabled) upon installing an application. There are no other reasons to put in your password (let alone your username *AND* password at the same time). And of course, these desktops (since they have a fruit logo on them) can't possibly be hacked / trojaned / keylogged, right?

      And it's nice for scammers. Apparently as long as criminals remain under a few hundred dollars, you're ok with them not being stopped since it's "not successful" -- at least according to you. Next time someone breaks into your house and steals JUST your computer or JUST your TV (small in comparison with the worth of your entire house, just like one gift card in comparison to how much money they spent) and the insurance company says "FU. IT'S UR FAULT. U GETS NO MONAYS", let me know how you feel.

    22. Re:Great by CharlyFoxtrot · · Score: 1

      This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

      That's a pretty impressive number you just pulled out of your ass, this must be a serious problem.

      --
      If all else fails, immortality can always be assured by spectacular error.
    23. Re:Great by hedwards · · Score: 1

      Unless this is a series of cracks purely for lulz, there really ought to be someway of tracking things efficiently. If the apps being bought are sold by scammers, then that's one thing, otherwise, I'm curious as to how this would result in profit for the people doing the cracks.

      Find and prosecute whomever it is that is profiting and the problem should be solved. Ultimately, that's Apple's responsibility. This isn't like Android where Google has little say over what users load on their Android devices.

    24. Re:Great by CharlyFoxtrot · · Score: 3, Insightful

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      This is the password policy, pretty standard stuff :

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9).
      Contain at least one uppercase letter (A-Z).
      Contain at least one lowercase letter (a-z).
      Not contain three consecutive identical characters.
      Not have been used in the past year.
      Not be the same as your Apple ID username."

      That's also what is shown when trying to change your iTunes password (just tried it.) I know for a fact though that it hasn't always been this strict because my password (that I've had for years now) doesn't conform to the policy.

      --
      If all else fails, immortality can always be assured by spectacular error.
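As an added illustration (not code from the thread or from Apple): a checker that applies the seven rules quoted above, plus a naive keyspace estimate that shows why composition rules and actual strength are different axes; P@ssword1, mentioned further down the thread, passes every rule while a longer all-lowercase passphrase fails three of them despite a far larger search space. The username and the password-history list are assumptions about how such a check would be wired up.

```python
"""Checker for the Apple ID password rules quoted in the thread, plus a
naive keyspace estimate to contrast composition rules with strength.

Added illustration; not Apple's implementation.  The rule texts come from
the quoted policy; the `username` and `previous` inputs are assumptions."""
import math
import re
from typing import Iterable, List, Optional


def find_triple_repeat(pw: str) -> Optional[str]:
    """Return the first run of three identical consecutive characters, if any."""
    for i in range(len(pw) - 2):
        if pw[i] == pw[i + 1] == pw[i + 2]:
            return pw[i:i + 3]
    return None


def check_password(pw: str, username: str, previous: Iterable[str] = ()) -> List[str]:
    """Apply the seven quoted rules; return the list of rules the candidate breaks.

    An empty list means the password would be accepted.  `previous` stands in
    for the "used in the past year" history (plaintext here only for
    illustration; a real system would compare against stored hashes).
    """
    failures = []
    if len(pw) < 8:
        failures.append("be at least eight characters")
    if not re.search(r"[0-9]", pw):
        failures.append("contain at least one number (0-9)")
    if not re.search(r"[A-Z]", pw):
        failures.append("contain at least one uppercase letter (A-Z)")
    if not re.search(r"[a-z]", pw):
        failures.append("contain at least one lowercase letter (a-z)")
    triple = find_triple_repeat(pw)
    if triple is not None:
        failures.append(
            f"not contain three consecutive identical characters ({triple!r})")
    if pw in set(previous):
        failures.append("not have been used in the past year")
    if pw == username:
        failures.append("not be the same as your Apple ID username")
    return failures


def keyspace_bits(pool_size: int, length: int) -> float:
    """Bits in a uniformly random password of `length` symbols from `pool_size`."""
    return length * math.log2(pool_size)


def estimate_bits(pw: str) -> float:
    """Naive strength estimate: infer the pool from the character classes used.

    Treats the password as uniformly random over that pool, which overstates
    dictionary-derived passwords such as P@ssword1; it only shows that the
    composition rules above do not measure length-driven strength.
    """
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation
    return keyspace_bits(pool, len(pw)) if pool else 0.0


if __name__ == "__main__":
    user = "someone@example.com"  # constructed sample username
    for candidate in ["P@ssword1", "Naaarlaquin", "password",
                      "correcthorsebatterystaple"]:
        problems = check_password(candidate, user)
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{candidate:28s} {estimate_bits(candidate):6.1f} bits  {verdict}")
```

The `keyspace_bits` helper also lets you check the footnote in the thread about length versus pool size: for the 95-symbol pool, one extra character beats ten extra glyphs.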
    25. Re:Great by hedwards · · Score: 1

      I've got my parents to somewhat strengthen their passwords by using a pass phrase with substitutions. It's not great, but if you then abbreviate some of the words, you get something close to a proper password. Ultimately, there are dictionary attacks that handle it, but even that is significantly stronger than just a word and a number. Hopefully, they'll just move on down to the next account when they don't come up with anything the first time through.

      Ultimately, no matter how many times you tell users that if the account gets cracked because of a weak password that they're not going to get their money back, they don't listen because that's something that only happens to other people. And ultimately, with a weak password it's tough to prove that it wasn't the password that was the cause of the losses which can result in being awarded nothing in court.

    26. Re:Great by hedwards · · Score: 1

      That's one possibility, a couple more are that it's for lulz or that it's revenge by some developer that's pissed because of Apple's ridiculous policies for being granted access to the App store.

    27. Re:Great by Anonymous Coward · · Score: 0

      And a lot of people who haven't been affected will also post.

      I bet the actual number is a lot lower.

    28. Re:Great by Anonymous Coward · · Score: 1

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to that blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

      I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

    29. Re:Great by guruevi · · Score: 1

      We told users to reject the password because of Kevin Mitnick. He used social engineering very well to get somewhere. Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

      It also doesn't help against phishing attacks. What we need is a 3rd token (not something you know but something you have or are) for financial transactions. Could easily be handled with distributed authentication - you use a provider that gives you the right amount of security you want (or want to pay for) or you can do it yourself if you're paranoid.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    30. Re:Great by zill · · Score: 2

      We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.

    31. Re:Great by North+Korea · · Score: 1

      It doesn't even need to be some kind of hacking. Most people use the same password for all services. It just needs one of those services with an abusive admin, or a break-in into those, to get lots of passwords. Since iTunes is so popular, it should be easy to find lots of the same user account information there. Also don't forget that there have also been numerous occasions when someone has leaked email, username and password lists to the internet as a result of some hack.

    32. Re:Great by iamhassi · · Score: 5, Insightful

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to that blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

      I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

      How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 million dollars.... wow, but hey the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?

      --
      my karma will be here long after I'm gone
    33. Re:Great by Anonymous Coward · · Score: 0

      A few hundred people is ~0.0001% of iTunes users.

    34. Re:Great by Khyber · · Score: 0

      Ah, the idiot forgets about the rule of the 'vocal minority'

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    35. Re:Great by Anonymous Coward · · Score: 0

      No no no no.... This is not hacking or hijacking, it is all part of the 'magical' experience Apple provides you, hence it is called a feature.

    36. Re:Great by Anonymous Coward · · Score: 0

      Most of these people are Mac users, they're immune to malware and phishing.

    37. Re:Great by Anonymous Coward · · Score: 1

      That's flawed -- we're looking at "few hundred accounts out of millions" that bothered to post on that same thread.

      And yeah, it's quite possibly all down to crappy passwords and phishing, it's just when you've got a few hundred people noticing and talking about it on the same thread, there's a whole hell of a lot more than a few hundred people affected.

      And even if it's only crappy passwords and phishing, that's still a major problem Apple has to solve. They're the User Interface people - their UI is flawed because it's allowing this simple problem to be commonplace.

      Their whole deal is about making tough technical things easy and slick to use. Now they need to do it for the password problem to be complete. This is the challenge and opportunity here.

    38. Re:Great by Belial6 · · Score: 1

      When the customer explicitly asks you to? Yes. There is a big difference between tracking a customer's movements via GPS and looking up the device ID and IP address accessed from when the customer specifically asks for it.

    39. Re:Great by Belial6 · · Score: 2

      That's actually a pretty good solution. It still doesn't solve the problem of having dozens of passwords though. I know that I have at least a hundred different passwords. I used to use a "Doesn't matter", "low security", "high security", "REALLY high security" set so that I could remember my 4 passwords, and didn't have to worry that the video game forum I posted to one time a couple of years ago wasn't going to have an admin that was going to clean out my bank account.

      The problem is that once enough sites and services had enforced enough different name requirements on me that I couldn't remember all of my passwords, I had no choice but to write them down. Since I sometimes need them when I am out and about, I had to keep them in a digital form. This seems like a bigger risk than my previous method.

    40. Re:Great by shutdown+-p+now · · Score: 1

      One problem with receipts you get from App Store is that they seem to come in quite a bit later - and I mean not just hours, but days later - after the purchase.

    41. Re:Great by Anonymous Coward · · Score: 0

      My account was compromised just the other week and I had a good password that was unique to iTunes. I didn't even know this thread existed. So a few hundred disgruntled people who found the thread and felt the need to post is significant. Ads get removed from complaints numbering in the teens, so why aren't complaints in the hundreds significant?
      The biggest bit of crap was I even received 3 emails from Apple telling me I've bought from new devices and if it's not a problem then ignore the email, otherwise go to the site and contact Apple. Finding the correct complaint form was a pita. And why did Apple allow the purchases?

    42. Re:Great by Anonymous Coward · · Score: 0

      So the customer gives Apple permission to track the hardware of another person's phone, and of course they will also have the forethought to do this before the crime occurs so that the logs are available afterwards...

    43. Re:Great by Anonymous Coward · · Score: 0

      Sorry for posting as AC. But:
      Why should a password containing 3 consecutive identical characters be disallowed? Surely it ruins any dictionary attacks? The old chestnut P@ssword1 passes most password rules, but would Naaarlaquin (My /. nick, adjusted for 3 identical chars) be less guessable than that?
      Also: I've forgotten my /. pw, am drunk and can't be bothered spending 30 seconds resetting it right now. Can any dotters tell me who I am and where the blue bejazuz am I right now? Email will do, if I'm that obvious. :-)

    44. Re:Great by ShanghaiBill · · Score: 1

      they'll just use the same password and change or add 1 character to satisfy your needs.

      Then mission accomplished, since adding one additional character makes the password two orders of magnitude more difficult to guess.

    45. Re:Great by Anonymous Coward · · Score: 0

      When changing your password, your new Apple ID password should:

      and that's basically where Apple stops caring
      because if Apple actually forced users into their guidelines and the service still gets hacked, it's Apple's fault
      so by making it non-compulsory, Apple can just say it's the user's fault for having a stupid password

    46. Re:Great by guruevi · · Score: 1

      For a brute force attack, not for a dictionary attack. The passwords used in these compromised accounts seem to be simple dictionary attacks. These days dictionary attacks do include variations of numbers and characters on common passwords.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    47. Re:Great by Anonymous Coward · · Score: 0

      My password, only a few months old, doesn't conform to that policy either.

    48. Re:Great by alteran · · Score: 1

      I don't get why you're complaining. It's clear that the users were holding their iTunes accounts wrong.

      --
      Who is RTFM and when will he help me with Unix?
    49. Re:Great by CharlyFoxtrot · · Score: 1

      That's true. Maybe they do this to avoid sending you an email every time you buy a track/app, which could get annoying if you buy a lot of single track songs for example? I don't know, it should probably be a user definable option.

      --
      If all else fails, immortality can always be assured by spectacular error.
    50. Re:Great by Anonymous Coward · · Score: 0

      Ridiculous policies – like the similar ridiculous policies used by Steam or many other application download service to verify the quality of submitted apps?

      Why does no one complain about other services that require review of submitted binaries? I know for a fact that Steam was a hell of a lot harder to get into than the App Store, with a lot more rejection and resubmission.

    51. Re:Great by Taty'sEyes · · Score: 1

      You can bet that if Hongbin Suo in Towson MD had an unreleased iPhone in his house the Apple Police would be right there. But in this case, it's just a few hundred of their faceless customers...

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
    52. Re:Great by Antisyzygy · · Score: 1

      Who says I am complaining? I am merely stating facts. Passing off the blame on users for a known issue before addressing it in full is never a good way to handle business, asshole.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    53. Re:Great by Anonymous Coward · · Score: 0

      Actually, no. The reason you can't go after Hongbin is not the same reason you can't make "outrageous claims that it's user side" .. And indeed, you go on to hurt your argument by sarcastically referring to being hacked, trojaned, and keylogged ... which are by far more likely to be user failures rather than vendor failures.

      The fact that you need to enter your account information quite infrequently is a useless point to bring up. Phishing is, pretty much always, getting users to enter their information needlessly. It's .. sorta the point of phishing. A phishing success is so because the .. ahem .. user failed to know the difference. Which is pretty difficult to pin on the vendor.

      Lastly.. you're the only one speaking of people being okay with them not being stopped. There are only so many resources in the world. Some of them get apportioned to things like law enforcement. From that partial allocation, we must further divide them to cover the many different injustices described by law. It is not at all unreasonable to be unwilling to devote significant security resources for problems that are demonstrably minor and which are likely solvable only by securing the account from the account owner as well as everyone else. Because that's pretty much the only functional way to secure an account from the poor security behavior of the account owner.

      PS.. if some douchebag keys my car, I'm almost certainly better off paying for the repair myself or just living with some scratched up finish rather than making a claim against my insurer, assuming I have no good evidence against the actual dumbfuck that did it. That doesn't mean I'm okay with things. It just means it'll cost me less money.

    54. Re:Great by Anonymous Coward · · Score: 0

      This is almost always caused by people changing email addresses and not moving their Apple IDs to their new email address. Then when their email address gets recycled, the new person goes to set up an Apple ID to see that they already have one, so they use email authentication to reset the password. This has happened to me before. Get new email address, someone else has already registered an Apple ID on it, and never moved it to their new email account. My only option is to not use my Apple ID on my email address or reset theirs.

      PEBKAC error.

    55. Re:Great by Anonymous Coward · · Score: 0

      Whooosh

    56. Re:Great by abhi_beckert · · Score: 1

      Combine something that is easy to remember with a random sequence that...

      What I've quoted is about as far as your suggestion will sink in, for a typical iTunes customer.

      Apple should make each of these users go through some fairly painful steps to get their money refunded, and at the end give them good advice on how to avoid such things in future.

      The only solution is user training, and you can't train them without finding some motivation first.

    57. Re:Great by abhi_beckert · · Score: 1

      "significant" is subjective, but 0.0005% of iTunes customers is insignificant by anyone's standards.

      And Apple has only said "we think this is what's going on". They have not said "we aren't going to do anything about it". They never tell anyone what they're going to do until after they've done it.

    58. Re:Great by Ja'Achan · · Score: 1

      Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

      Which means you have to actually know about them and call them, instead of just running some spammer botnet or spreading a virus. Sticky notes don't work against targeted attacks, but it's good enough for thwarting most distributed attacks.

    59. Re:Great by w0mprat · · Score: 1

      Obviously, one of the random apps purchased will belong to the crooked developer/hacker. But if they've bought apps from multiple developers it would hide their fraud amongst random transactions. Steal $100 million to get $1 million? Probably worth it, if also untraceable.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    60. Re:Great by Anonymous Coward · · Score: 0

      Says who??? Microsoft?

      oh no, someone is criticizing Apple, direct attention to Microsoft!

    61. Re:Great by exomondo · · Score: 1

      we need better passwords for regular people:
      http://xkcd.com/936/
      http://preshing.com/20110811/xkcd-password-generator

      But that's not going to help, that method is easily defeated by brute forcing from the most rudimentary dictionary.

    62. Re:Great by Kalriath · · Score: 1

      It's because the email is technically a tax invoice, and they only send it when they actually charge you. They wait up to about 3 days to charge you as it minimizes their transaction fees (since they only have to charge you one $3.96 charge rather than four $0.99 charges - and therefore only pay transaction fees once).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    63. Re:Great by Kalriath · · Score: 1

      It is compulsory, despite the word "should". Passwords not conforming to the regime are rejected. They only say "should" because Apple doesn't like using the imperative.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    64. Re:Great by tehcyder · · Score: 1

      Did you ever enforce minimum security standard passwords? First if you just add some complexity (eg. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

      That is only a security issue if the thief has physical access to your written notes or computer you stick your notes to, in which case you're fucked anyway.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    65. Re:Great by One+Monkey · · Score: 1

      According to the discussion underneath the second link... apparently not. I was surprised too.

      --
      www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
    66. Re:Great by tehcyder · · Score: 1

      Yes, whenever something happens to Apple customers, it's their fault, not Apple's.

      Whereas with Microsoft, Sony, Google, Facebook or whoever it's always teh evil company's fault.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    67. Re:Great by Anonymous Coward · · Score: 0

      And a lot of people also won't post because they don't, they're not sure if they were affected or it was only a small amount so they didn't notice or care.

      I'd bet the actual number is much higher.

      This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

      So how many are we talking about? 5,000,000? (Don't even pretend that each of the 700 posts was by one unique victim). There are 200 Million iTunes accounts. Even with your inflated numbers that's 1 out of 40 accounts "hacked". With real hacks it's 1 out of 1.

    68. Re:Great by justsayin · · Score: 1

      Yep, I've set up iTunes accounts for people to get their iPhones running. I have had folks insist that their password simply must be 123456. Then when the Apple site won't take that, they simply must have ABC123456. Dumb asses. It's right about then that I start making them pay up front.

    69. Re:Great by justsayin · · Score: 1

      XKCD got it right. CorrectHorseBatteryStaple
      http://xkcd.com/936/

    70. Re:Great by Anonymous Coward · · Score: 0

      For a brute force attack, not for a dictionary attack. The passwords used in these compromised accounts seem to be simple dictionary attacks. These days dictionary attacks do include variations of numbers and characters on common passwords.

      Yeah, you are right - this only increases the size of the dictionary by a factor of (# of possible chars) x (avg. word length+1). Much better than a full order of magnitude.

    71. Re:Great by Quirkz · · Score: 1

      I'm all for writing them down, and agree with you. I'd still suggest, at minimum, NOT taping it directly to your monitor, though (like one former dean of Engineering did at the university I worked at). Also, if your password is just your initials and the year of your birth, do you REALLY need to write it down? (Looking at that same dean of Engineering, again).

  2. This cannot be! by Anonymous Coward · · Score: 0

    But Apple products make you safe against everything! I suggest that timothy get his facts straight before posting obviously fake stories like this.

  3. Weak passwords?! by NFN_NLN · · Score: 4, Insightful

    Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

    Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

    1. Re:Weak passwords?! by Antisyzygy · · Score: 4, Funny

      That would infringe on people's desire to have passwords like "cats" or "1234".

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    2. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      http://xkcd.com/936/

      Longer passwords are more secure than passwords with fancy characters, and also easier to remember.

      Also, avoiding password re-use works wonders. Of course, given the high number of sites that require unique accounts, you will probably need to invent some sort of mnemonic system to keep track of it all (unless you just want to write them all down, which is of course stupid).

      We continue to change the world in ways that require ever greater intelligence in order to succeed. To smart people, password strength and hygiene are obvious; they need no instruction. The rest will eventually get hacked; there is only so much the businesses can do to protect them from their own stupidity.

      If this acts as selective pressure on our species which favors intelligence, then I am all for it.

    3. Re:Weak passwords?! by Anonymous Coward · · Score: 5, Informative

      There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

      Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your Apple ID, or a password you've used in the last year.

      The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

    4. Re:Weak passwords?! by moderatorrater · · Score: 1

      They don't allow spaces in their passwords and every password needs to be able to be typed into a touch device like the iPhone or iPad. They could definitely do more in this area.

    5. Re:Weak passwords?! by interval1066 · · Score: 1

      Trivially installed policy, and used by more than one web site I frequent. As much as I don't care for Apple, and they should install such a policy, some of the blame does fall on the users. Having a contract with several web sites for tech support and not having access to their databases directly, I have occasion to ask users for their passwords to troubleshoot, and the amount of "abc123" or "qwerty" passwords is astounding.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      My alternate US account (the one that I used to redeem my promo codes that wouldn't work in Canada) has a password that is nothing but lowercase letters. It's multiple words, strung together with no spaces, but it's just plain old lowercase all the way.

    7. Re:Weak passwords?! by Kenja · · Score: 1

      That's like saying they could have an option to simply not store your credit card number. Insanity!

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    8. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      They do require capitals and numbers in it.

    9. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      but that's useless for regular joes.... we need a better solution!

      like this:
      http://xkcd.com/936/

      or better!
      http://arstechnica.com/old/content/2006/04/6554.ars
      http://thepcspy.com/kittenauth/

      more importantly we need Rule 34 on this right away
      http://xkcd.com/305/

      Or we could combine the authentication... determine whether good sex or bad sex is in each picture. Then ask the user to pick different kinds of sex... beautiful, artistic, shock, wild....

    10. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      That's soooo 1999.
      Obligatory xkcd

    11. Re:Weak passwords?! by broken_chaos · · Score: 1

      Longer passwords are more secure than passwords with fancy characters

      This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

      While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

    12. Re:Weak passwords?! by CharlyFoxtrot · · Score: 1

      Because having a complicated password will prevent users from losing it in phishing scams ?

      --
      If all else fails, immortality can always be assured by spectacular error.
    13. Re:Weak passwords?! by Nerdfest · · Score: 1

      Apple generally doesn't care much about infringing on people's desire to do certain things. This might be one of the few times when their control-freakery would be well placed.

    14. Re:Weak passwords?! by hedwards · · Score: 1

      8 characters is a joke. Even a decade ago 8 characters was a joke. Even if you include a punctuation mark, it's still pretty ridiculous.

    15. Re:Weak passwords?! by Anubis+IV · · Score: 1

      ^^^ This.

      It doesn't matter how complicated it is if it's being compromised through social engineering. Were this a brute force attack, it wouldn't be drawn out. They'd have the data, they'd compute as many passwords as they could from the hashes for all 200M+ accounts, and they'd do as much damage as possible before anyone could respond appropriately (e.g. PS3 debacle). The pattern instead suggests this is an ongoing set of social engineering attacks which are yielding suckers on a regular basis over an extended period of time.

    16. Re:Weak passwords?! by TC+Wilcox · · Score: 1

      This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

      While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

      Even then, I'd think trying to keep horse with batteries or fruit flies with baked beans would be easier than trying to remember !a$%jb9 vs y48*y+=. Which would you rather remember?

    17. Re:Weak passwords?! by gnasher719 · · Score: 1

      I think AppleIDs are reasonably easy to find. Mostly they are email addresses. Haven't tried if trying to login with a random email address and a random password gives any indication that the email address is an Apple ID; you would hope not. However, if hackers manage to read your emails, then they can read any purchase confirmation emails, and from these emails you can find the Apple ID.

      Now if they know many Apple IDs, they can just randomly try to login with valid Apple ID and a random weak password, and will have some successes. If 100 weak passwords are used by just 2 percent of all users, then one in 5,000 attempts will break an account.

    18. Re:Weak passwords?! by ArsenneLupin · · Score: 1

      ... and the amount of people just blurting out their password to you without wondering about your lack of database access is even more astounding...

    19. Re:Weak passwords?! by Anonymous Coward · · Score: 1

      So what you're saying is that big red is claiming that "weak passwords" is lying because their own policies make weak passwords unlikely or impossible?

      Have you tried just entering "password" as a password?

    20. Re:Weak passwords?! by interval1066 · · Score: 1

      Well, in some cases it's necessary; it's not always convenient to gain access to a client's database directly. That most users don't give it a second thought isn't that extraordinary to me.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    21. Re:Weak passwords?! by Roogna · · Score: 1

      8 characters isn't all that bad, considering it's unlikely even the best methods will find the match in the first 3 guesses. Apple does lock accounts after 3 failed attempts and force a password change through the e-mail on file. This of course does -nothing- against phishing, but neither does the most secure password on the planet if it's typed into a false site. Of course if they hacked these peoples e-mail then they can reset the password to whatever they want... but this should just teach everyone that security is not about -one- account, it's about -all- your accounts being connected.

      8 characters is absolutely -pathetic- when used in any situation like encrypted files where it's possible to get an infinite amount of attempts with no real delay.

      Now of course, as others on this article have commented, given even just common dictionary attacks, there's probably a good chance you can take a random e-mail discovered however, enter it as an Apple ID, and then spend your 3 attempts trying the top 3 passwords that meet the criteria, and probably get in to a percentage of the accounts.

    22. Re:Weak passwords?! by Duradin · · Score: 1

      After a few password failures the iTunes account clears your CC security code (i.e. can't purchase anything), so 8 characters is more than enough.

      I've never used stored credit so I don't know what happens when there's too many failed attempts.

    23. Re:Weak passwords?! by boreddotter · · Score: 1

      They do have a very strict policy, and it was stated above by CharlyFoxtrot but here it is again:

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9).
      Contain at least one uppercase letter (A-Z).
      Contain at least one lowercase letter (a-z).
      Not contain three consecutive identical characters.
      Not have been used in the past year.
      Not be the same as your Apple ID username."

      It was never this strict, though, but this is at least a few years old.

    24. Re:Weak passwords?! by abhi_beckert · · Score: 1

      They do have some policies to enforce strong passwords, and it looks like those policies have been getting stricter recently (because of this?).

      But "easily guessable" could just mean a password I use for some other service which was hacked. Apple has no way of verifying that your password is unique.

    25. Re:Weak passwords?! by abhi_beckert · · Score: 1

      8 characters is a joke. Even a decade ago 8 characters was a joke.

      8 mixed case alphanumeric characters is 281474976710656 passwords to brute force. Assuming there is no way to achieve an offline attack (which is likely in this case), that means you would have to hit Apple's server that many times with an incorrect password before finding the correct one.

      Let's say you have a really fast internet connection, and can attempt to log into Apple's servers at a rate of, oh, a million times per second... that means it would take you almost TEN YEARS to guess the correct password.

      There is no way you can hit Apple's servers that hard for more than about 20 minutes before their sysadmins investigate WTF is going on and suspend the iTunes account you're trying to attack.

    26. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      Everybody I know who uses longer than 8-letter passwords uses something like September2011 or MyPassword01. Those are more than 8; does it mean they are harder to guess than an 8-character password like 1.3$LS_Z?

    27. Re:Weak passwords?! by NFN_NLN · · Score: 1

      They do have a very strict policy, and it was stated above by CharlyFoxtrot but here it is again:

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9). ...

      These threads aren't sorted by chronological order dipsh*t.

      by CharlyFoxtrot (1607527) Alter Relationship on Saturday September 10, @02:30PM (#37363398)

      by NFN_NLN (633283) on Saturday September 10, @12:44PM (#37362832)

      It is difficult to respond to a post ~2 hours in the future.

    28. Re:Weak passwords?! by boreddotter · · Score: 1

      Well... there's no need to be rude, sir. I apologise if I offended you; I only mentioned it was posted above because I literally copied and pasted it, I was just citing where I got the info. TBH I didn't look at the times of the different posts, but would you have read CharlyFoxtrot's post if I hadn't mentioned it? What would've been the right thing to do? Assume you read it? What about other people who might read your post and miss Charly's?

      A civilised response would've been nice...

    29. Re:Weak passwords?! by Man+Eating+Duck · · Score: 1

      Don't use spaces

      Why not? If it's not all spaces (prohibited by the three-chars-in-a-row requirement) you're good to go. I can't find it now, but I read an article a while ago that endorsed passwords containing spaces. They're apparently a lot more secure against dictionary attacks since very few people use them. On a side note my telco disallows *any* special characters, I have no idea why this is a part of any password policy.

      --
      Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
    30. Re:Weak passwords?! by w0mprat · · Score: 1

      Judging by that, Password123 fits Apple's definition of a 'secure' password. So does something like S3cur1tyP355w0rd which is the kind of thing I've seen set by allegedly qualified administrators to highly critical systems.

      Ultimately, including numbers, mixed case and punctuation invites easy-to-remember common substitutions and number combinations, which is what will happen 90% of the time; this doesn't significantly draw out a brute force attack attempt. A few random lowercase letters have more possible combinations than anything containing a dictionary word and a few numbers.

      Users tend to use the same or similar passwords across systems. If you could somehow get the user to sign up for something else, then what percentage of those who are also iTunes users will use the same password for iTunes? I wouldn't be surprised if it was 10% 20% or more?

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    31. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      Remind me to change the combination on my luggage.

    32. Re:Weak passwords?! by Anonymous Coward · · Score: 0

      They might not be as secure as you think...

      relevant xkcd link

      In fact, the requirements outlined above are *very* weak. *So many* of the accounts (hell, probably at least 1 in 10) are going to be of the form "capitalized English word of 7 letters" + "one numeric digit". Only a few million possibilities there. If it's possible to check a few thousand passwords per second, you could probably hack accounts at the rate of one hack per hour (even if only 1 in 10 are that weak).

  4. is this unusual? by Anonymous Coward · · Score: 0

    some amount of phishing is presumably normal in such a vast credit organisation. Online banks, shops etc. all have this sort of problem. Interesting that the number of complaints is small, so maybe it is one person. cool.

  5. Poorly written summary by Anonymous Coward · · Score: 0

    I'll be honest, the summary was sorta hard to understand; it's not entirely clear what is going on without clicking the links. Better English please.

  6. Same details changed in peoples accounts by Anonymous Coward · · Score: 0

    It's notable that each person's contact details were changed to the same city, state and zip code, Towson, MD, 21286-7840 (is that a real zip code?).

    It seems unrelated to this earlier problem with rogue developers. http://thenextweb.com/apple/2010/07/04/appstore-hack-itunes/

    1. Re:Same details changed in peoples accounts by Shoe+Puppet · · Score: 1

      Towson, MD, 21286-7840 (is that a real zip code?).

      Apparently, yes

      --
      (+1, Disagree)
  7. Did they have a WoW account? by Anonymous Coward · · Score: 0

    This happened to my boss. His World of Warcraft account got hacked, and he used the same email/password on iTunes, where the hackers cleaned out his $15 gift card balance.

    If not WoW, substitute any other website with identical credentials.

    1. Re:Did they have a WoW account? by meerling · · Score: 1

      And they always blame the victim, but I know of at least one time it was one of their employees looting accounts that hadn't been logged into for a while so hopefully the users wouldn't notice. Of course when he finally got caught, they kept it quiet and continued to blame the users.

      I'm not saying this is an inside job, but it's a definite possibility. (If someone was running a dictionary attack on iTunes, it would be noticed if they have even halfway competent security. And although phishing occurs, it's never a complete answer and can usually be avoided with reasonable vigilance. After all, it's not like they don't know which IP or iPhone it's going to.)

    2. Re:Did they have a WoW account? by gnasher719 · · Score: 1

      (If someone was running a dictionary attack on iTunes, it would be noticed if they have even halfway competent security.

      Let's say one in 10,000 users uses "123456" as their password. That means trying to login with a random Apple ID and the password "123456" has a one in 10,000 chance to succeed. Now let's say we have a list of the top 100 passwords used by idiots. A botnet could perform 10,000 login attempts per day (every time a different account, and a different one of the top 100 passwords) and crack one account per day. That would be very, very hard to notice.
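
      gnasher719's arithmetic here (and the earlier "one in 5,000 attempts" comment in the Weak passwords thread) describes a low-and-slow spray: many accounts, one guess each, never tripping the per-account lockout. Whether that is "very, very hard to notice" depends on what the defender aggregates. The following is an added Python example, not code from Apple or from any poster: a detector over constructed login-log lines that groups failures by source address and flags a source that fails against many distinct accounts while staying under the lockout threshold. The log format, the thresholds (20 distinct accounts, 5-attempt lockout, 24-hour window) and the addresses are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds assumed for this example. The thread quotes a per-account lockout
# of 3 or 5 failed attempts; the spraying pattern stays below it by design.
LOCKOUT_THRESHOLD = 5
MIN_DISTINCT_USERS = 20
WINDOW = timedelta(hours=24)


def parse_line(line):
    """Parse one constructed log line: '<ISO time> src=<ip> user=<id> result=FAIL|SUCCESS'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_spraying(lines, min_users=MIN_DISTINCT_USERS,
                    lockout=LOCKOUT_THRESHOLD, window=WINDOW):
    """Flag sources that fail against many distinct accounts while every
    account stays under the lockout threshold. Returns {src: summary}."""
    by_src = defaultdict(list)
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        j = 0
        for i in range(len(evs)):
            # Sliding window: advance j while evs[j] is within `window` of evs[i].
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            fails = defaultdict(int)
            successes = set()
            for ev in evs[i:j]:
                if ev["result"] == "FAIL":
                    fails[ev["user"]] += 1
                else:
                    successes.add(ev["user"])
            # Per-account lockout never fires (max fails < lockout), yet the
            # source touched many accounts: that is the spray signature.
            if len(fails) >= min_users and max(fails.values()) < lockout:
                findings[src] = {
                    "distinct_users": len(fails),
                    "max_fails_per_user": max(fails.values()),
                    "compromised": sorted(successes),
                }
                break
    return findings


def sample_log():
    """Constructed log: one spraying source, one user mistyping, one single-account brute force."""
    t0 = datetime(2011, 9, 10, 0, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Spray: 25 accounts, one guess each, spread over 12 hours; one guess lands.
    for n in range(25):
        result = "SUCCESS" if n == 17 else "FAIL"
        lines.append(f"{t0 + timedelta(minutes=30 * n):{fmt}} src=203.0.113.7 "
                     f"user=user{n:02d}@example.com result={result}")
    # Legitimate user: two typos, then success. Never flagged.
    for n, result in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{t0 + timedelta(minutes=n):{fmt}} src=198.51.100.4 "
                     f"user=alice@example.com result={result}")
    # Single-account brute force: per-account lockout handles this one.
    for n in range(8):
        lines.append(f"{t0 + timedelta(seconds=n):{fmt}} src=192.0.2.9 "
                     f"user=bob@example.com result=FAIL")
    return lines


if __name__ == "__main__":
    for src, summary in detect_spraying(sample_log()).items():
        print(src, summary)
```

      The per-account lockout the thread keeps citing catches the 192.0.2.9 case and is blind to 203.0.113.7, which is exactly gnasher719's scenario; the per-source, distinct-accounts view is what surfaces it. Once the guesses are spread across a botnet, as the comment assumes, the same aggregation has to run on other keys (device identifier, or a global count of failures per time bucket) rather than on the source address alone.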

  8. Easy to prevent by mehrotra.akash · · Score: 1

    SMS based verification?

    1. Re:Easy to prevent by brusk · · Score: 1

      What if you buy the app for an iPod touch or wifi-only iPad? Or you buy it for an iPhone over wifi and are out of cellular range?

      --
      .sig withheld by request
    2. Re:Easy to prevent by Anonymous Coward · · Score: 0

      What about people that don't have text messaging plans?

    3. Re:Easy to prevent by mehrotra.akash · · Score: 1

      Why do you need a text messaging plan to receive texts?

    4. Re:Easy to prevent by tepples · · Score: 1

      A device with no SIM has no phone number at which to receive text messages.

    5. Re:Easy to prevent by PipsqueakOnAP133 · · Score: 1

      Because text messages cost money, so I know some people who have incoming texts blocked on their accounts by choice.

  9. Hello friend, my name is.. by Anonymous Coward · · Score: 0

    Prince Babooka from Nigeria. I have come to inherit 15 million dollars from my father the King, however if you send me your i-store login credentials,(as Apple do not recognize my counties laws) I would be most happy to send you a large one time payment in return.

    Please send to Prince Babboka
    Nigeria

    Many thanks friend..

  10. Not sure but... by Anonymous Coward · · Score: 0

    Tim Hortons gift cards are on display by the dozen, usually like Apple iTunes cards at places like Home Depot etc. All you had to do was get the card's number (visible portion) and wait online for someone to activate it (purchase it) after you set up your account. I'm betting that's the same thing happening to iTunes cards. I can't remember how the process worked but it did work... my old boss explained it to me one day.

  11. Apple just realizes by Anonymous Coward · · Score: 0

    anybody stupid enough to buy their products is also the most likely vector for a social engineering hack.

  12. SSL error for https://www.macworld.com by Anonymous Coward · · Score: 0

    Anyone else getting an SSL error (untrusted issuer) for the macworld.com link in the summary?

  13. The users are just as much to blame... by Anonymous Coward · · Score: 1

    Disclaimer: Used to work for AppleCare CPU, and then iTunes Store Support

    Honestly, there are three reasons this happens.

    1) People letting their kids use their device. Conversation goes like this:
    Parent: "Son, did you waste $50 on iFart Pro?"
    Kid: "No......"
    Parent: "SINCE MY KID WOULD NEVER LIE APPLE STOLE MY MONEY GIVE IT BACK RIGHT NOW"

    What people don't realize is Apple can see the serial number of the device that purchased anything. If $50 worth of crap was bought on your own phone, you're responsible. An exception to the rules may be made if it was a kid or something.

    2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

    3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back, you call your bank. Same applies to the iTunes Store.

    As far as passwords go, the requirements are a capital, a number, and more than eight digits long. 12345678, etc. ARE kicked out. If you haven't changed your password in 10 years, it's probably grandfathered to be shorter; just change it. There's no maximum length... As usual, where the login is based on an email and password, idiots who use the same password for everything get taken advantage of when Gawker, Sony, etc., etc. gets hacked.

    1. Re:The users are just as much to blame... by Beelzebud · · Score: 0

      Former Apple employee places blame on users. They trained you well, young sith lord.

    2. Re:The users are just as much to blame... by UnknowingFool · · Score: 1

      Frankly if he worked at Amazon, PayPal, whatever, I suspect his story would still have been the same.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:The users are just as much to blame... by Culture20 · · Score: 1

      What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

      Or if malware on your iPhone bought it?

      2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

      WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

      3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

      Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

      Theres no maximum length.

      Can I use spaces?

    4. Re:The users are just as much to blame... by Anonymous Coward · · Score: 0

      OP Here

      What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

      Or if malware on your iPhone bought it?

      Because there's so much malware on iPhones buying apps...

      2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

      WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

      They should be ashamed that they don't spend countless man-hours implementing something that -may- affect less than 0.00001% of users? You work in government?

      3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      Bank, CC Company, Same Diff..
      Bad extrapolation on original analogy is bad... The computer is too stupid to check ID?

      As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

      Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

      Because that's reasonable.. How many websites have a SIXTEEN character minimum?

      Here are the password requirements for changing your Apple ID password:

      http://support.apple.com/kb/ht4156

      The new password must be at least eight characters.
      The new password must contain at least one number.
      The new password must contain at least one lowercase letter.
      The new password must contain at least one capital letter.
      The new password must not contain three consecutive identical characters.
      The new password must not have been used in the past year.
      The new password must not be the same as the account name.

      Can I use spaces?

      Last I checked..

      Regardless, it kicks you out after 5 invalid logon attempts, and forces you to reset the password. Brute forcing won't work.

    5. Re:The users are just as much to blame... by UnknowingFool · · Score: 1

      WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

      I think the OP is referring to using a phishing attack on the username and password. For example, johnsmith@yahoo.com was compromised and Mr. Smith used the same username/password for his iTunes account (that can be reset as the attacker has his email password now).

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      Yes, because someone who forges a credit card has no idea how to get forged ID cards. Forged ID cards are quite rare these days. Also, grocery stores these days have automated check-out lines where they do not check IDs.

      Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

      And you are sure about that how? 16 characters is much better, but my opinion is that 24 with biometrics is much better. I can be as arbitrary in my opinion as well.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    6. Re:The users are just as much to blame... by That+Guy+From+Mrktng · · Score: 1

      OP Here

      What people don't realize is Apple can see the serial number of the device that purchased anything. If $50 worth of crap was bought on your own phone, you're responsible. An exception to the rules may be made if it was a kid or something.

      Or if malware on your iPhone bought it?

      Because there's so much malware on iPhones buying apps...

      How do we know that's not the case? How can you be so sure? Imagine this: some app developer found a vulnerability that would grant him access to the compromised information we are talking about; he keeps the vulnerability to himself and from time to time he checks if it's still working, buying some apps from him and his buddies. That way they manage to keep a low profile and they avoid tarnishing the "Apple Security Holiness" that would affect their core business. Yes, I know Apple reviews every single app submitted, but do they analyze each and every one with the same anal retentiveness that we have come to associate with them? I don't know, but you just can't rule out an insider either.

      Apple may be cool and whatever, but they still employ humans, carriers of that condition called "human nature". You're not going to tell people that because someone works for Apple he or she is automagically cleansed of any mischief, criminal or antisocial traits.

      Truth is, people are still having their money taken from their wallets, and while your password politics seem right, people would like to see Apple caring a bit more, because it is not about the "volume" of people affected; it's because it can be something more serious than a simple dictionary attack or simple password recycling.

    7. Re:The users are just as much to blame... by Kalriath · · Score: 1

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      The grocery store is not permitted to request your ID. The credit card company told them they aren't allowed to ask. So no, you blast your credit card company for hamstringing merchants to prevent them keeping you safe from fraud.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  14. Not all machines running iTunes Store have SMS by tepples · · Score: 1

    What you recommend will work only for iPhone and iPad 3G. It won't work for a Mac computer, a PC running Windows OS, an iPod touch, or an iPad with Wi-Fi, none of which can receive SMS.

    1. Re:Not all machines running iTunes Store have SMS by Viceice · · Score: 1

      Build an OTP function (Ala Google/Blizzard authenticator) into each iDevice that is ONLY eyeball readable into iTunes. The user only needs to read the field above and duplicate it in the field below as he confirms his purchase.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    2. Re:Not all machines running iTunes Store have SMS by Anonymous Coward · · Score: 0

      Yes, but then manually typing the code would give the user a few seconds to re-consider their purchase. We can't have security concerns interfering with their 30% cut of impulse buys...

    3. Re:Not all machines running iTunes Store have SMS by CharlyFoxtrot · · Score: 1

      Why make things difficult for me because of a few hundred dumbasses? Apple should just eat the (relatively low) cost, refund people and turn over any relevant information to the authorities.

      --
      If all else fails, immortality can always be assured by spectacular error.
    4. Re:Not all machines running iTunes Store have SMS by Kalriath · · Score: 1

      The iPad (3G) can't receive SMS either.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  15. that's interesting, but this is different by YesIAmAScript · · Score: 4, Informative

    First, iTunes cards have the number hidden on the cards in the store, you have to scratch off a coating.

    Second, with an iTunes card, you transfer the card balance into your account all at once, after that the card is completely useless. So if you can complete the transfer, the card was valid and not compromised and after you transfer the card, it doesn't matter if it was compromised, because the value is gone from the card and is in your account now. You cannot use the card to spend the value on apps, you have to have access to the account you transferred the credit into.

    What people are complaining about here is that they have a credit on their account (perhaps from one of these cards) and it is being spent out of their account. This can't be done with any kind of compromise of the gift cards themselves.

    These people's accounts have been compromised. It's unclear how that happened.

    --
    http://lkml.org/lkml/2005/8/20/95
  16. You're holding it wrong... by quetwo · · Score: 3, Funny

    Obligatory "You're holding it wrong" post.

    1. Re:You're holding it wrong... by Anonymous Coward · · Score: 0

      Obligatory "You're holding it wrong" post.

      Err... thanks? Pointless post.

    2. Re:You're holding it wrong... by Anonymous Coward · · Score: 0

      This isn't funny anymore.

    3. Re:You're holding it wrong... by Anonymous Coward · · Score: 0

      Damn you beat me to it :-)

  17. You're holding your password wrong by Anonymous Coward · · Score: 0

    And history repeats itself.

  18. Towson Hack by Anonymous Coward · · Score: 1

    It's called the Towson Hack; just google it to find out just how widespread this scam is and what Apple is doing about it... not much.

  19. Apple customers, what can you expect? by Anonymous Coward · · Score: 0

    Do you really expect people that are gung-ho about only having one button and a shiny plastic cover to pay attention to things like verifying if the parent link looks legit or remembering a password longer than 5 characters?

  20. A mystery? Really? by santiagodraco · · Score: 1

    Is this really a mystery? I'm pretty sure Apple hit the nail on the head.

    For one thing, every account that was hacked should have "registered" devices. Simply track the IPs of where those devices were registered and apps downloaded and you have a means to determine fraud from naught.
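The controls suggested in this post and in the "unusual IP" reply above (hold a purchase from an unknown device or country and notify the owner), as an added example that is not Apple's code: a per-account baseline of device serials and login countries, plus a spending-burst check. Thresholds, the serials, the country codes and the history records are all constructed sample values.

```python
"""Purchase anomaly check for a store account (added example, not Apple's code).
Signals, as suggested in the thread: serial of the buying device, country the
login came from, and amount spent in a short window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BASE_TIME = datetime(2011, 9, 21, 12, 0)   # constructed reference time


@dataclass
class Purchase:
    account: str
    device_serial: str   # constructed placeholder serials, not real device serials
    country: str         # would come from IP geolocation of the store login
    amount: float
    ts: datetime


def purchase_at(account, serial, country, amount, seconds_after=0):
    """Build a Purchase relative to BASE_TIME (keeps callers free of datetime math)."""
    return Purchase(account, serial, country, amount,
                    BASE_TIME + timedelta(seconds=seconds_after))


# Constructed history: "alice" always buys from one device in the US.
HISTORY = [
    Purchase("alice", "SERIAL-A1", "US", 0.99, datetime(2011, 9, 1, 10, 0)),
    Purchase("alice", "SERIAL-A1", "US", 2.99, datetime(2011, 9, 5, 18, 30)),
    Purchase("alice", "SERIAL-A1", "US", 0.99, datetime(2011, 9, 20, 9, 15)),
]


class PurchaseRiskChecker:
    """Per-account baselines; the thresholds are assumed values, not Apple's."""

    def __init__(self, burst_window=timedelta(minutes=5), burst_amount=50.0):
        self.devices = defaultdict(set)      # account -> device serials seen
        self.countries = defaultdict(set)    # account -> countries seen
        self.accepted = defaultdict(list)    # account -> purchases let through
        self.burst_window = burst_window
        self.burst_amount = burst_amount

    def record(self, p):
        """Add a purchase the owner made (or later confirmed) to the baseline."""
        self.devices[p.account].add(p.device_serial)
        self.countries[p.account].add(p.country)
        self.accepted[p.account].append(p)

    def assess(self, p):
        """Return the reasons to hold this purchase; an empty list means allow."""
        reasons = []
        if p.device_serial not in self.devices[p.account]:
            reasons.append("unknown device")
        if p.country not in self.countries[p.account]:
            reasons.append("unusual country")
        window_start = p.ts - self.burst_window
        spent = sum(q.amount for q in self.accepted[p.account]
                    if q.ts >= window_start)
        if spent + p.amount > self.burst_amount:
            reasons.append("spending burst")
        return reasons

    def process(self, p):
        """Assess, and only on a clean result add the purchase to the baseline.
        A held purchase is where the pause-and-e-mail step would go."""
        reasons = self.assess(p)
        if not reasons:
            self.record(p)
        return reasons


def build_checker():
    """Checker seeded with the constructed history."""
    checker = PurchaseRiskChecker()
    for p in HISTORY:
        checker.record(p)
    return checker


if __name__ == "__main__":
    c = build_checker()
    print(c.process(purchase_at("alice", "SERIAL-A1", "US", 0.99)))       # []
    print(c.process(purchase_at("alice", "SERIAL-X9", "CN", 4.99, 60)))   # held
```

A held purchase is only a signal to pause and confirm with the owner; once confirmed, `record` adds the new device or country to the baseline so the next legitimate purchase passes.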

  21. My wife was bit by oDDmON+oUT · · Score: 4, Interesting

    She had a Paypal account tied to her iTunes account emptied of over $400.

    Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund...after nearly two months.

    Her password? It was at least eight characters, capitalization, numbers and special characters and is considered "strong" by any password assessment tool you'll find.

    I equate Apple's response to these attacks with the response Ford had to Pinto gas tanks.

    For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:My wife was bit by DogDude · · Score: 1

      It very well could have been PayPal's fault. I don't know if you've heard, but about 10 years ago, most reasonable people came to the understanding that PayPal is not a reputable company, operating as a bank, but completely unregulated.

      --
      I don't respond to AC's.
    2. Re:My wife was bit by shutdown+-p+now · · Score: 1

      She had a Paypal account tied to her iTunes account

      That sounds like a very bad idea regardless of any issues with Apple's security.

    3. Re:My wife was bit by phantomfive · · Score: 2

      Hard to say for sure, but if she used the same password on any other service that was compromised, whether she knows it or not, then it is no longer a secure password even if it's a 64 character randomly generated code. Those passwords go into a database that hackers use in brute force attacks. This could be Apple's fault, but there are other explanations for the scenarios you describe.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:My wife was bit by oDDmON+oUT · · Score: 1

      Agreed. But there again, she didn't ask me. :^D

      --
      Some days it's just not worth
      chewing through my restraints.
    5. Re:My wife was bit by oDDmON+oUT · · Score: 1

      Thanks for the 411, I'll recommend she look to change things up (though I can hear the weeping, wailing and gnashing of teeth starting in the background).

      --
      Some days it's just not worth
      chewing through my restraints.
  22. Happened to me by vitaflo · · Score: 5, Interesting

    I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt for the purchase of the app in question. When I looked online to see what the app was, it was already pulled from the app store, but various caches online showed it was a very badly designed "game" about Chinese words with the dev being a Chinese name. At that point I knew someone hacked my account and bought the app (yup, it was bought with credit I had on the acct).

    I brought it to the attention of Apple and they immediately disabled my account, then asked for proof that I was who I said I was. After I did so they re-enabled my account, changed my password and credited me the money.

    It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

    1. Re:Happened to me by Anonymous Coward · · Score: 0

      Vita,

      I had the EXACT same thing happen to me a few weeks ago! Literally, word for word, but Apple didn't refund my money. I had to get it back from PayPal.

      - Dave Voyles

    2. Re:Happened to me by Anonymous Coward · · Score: 0

      You'll notice that this happens to be a trend; Chinese apps also keep ending up on the "most popular" lists simply because they get added and then the hackers purchase them like crazy to get money sent to the Chinese "company" developing them.

    3. Re:Happened to me by tlhIngan · · Score: 2

      A few months ago, there was an impressively done phishing email. I believe it was something like "Adobe Photoshop CS at the Apple Store" - it really looked legit.

      Of course, it presented you immediately with a fake Apple ID login in order to view the "special offer". It was a really well done phishing email by someone with skill.

      There are other phishing attacks as well.

      And there are those who re-use passwords - I wonder if those complaining ever checked those online lists of accounts that were recovered by Anon or Lulzsec. Heck, perhaps it's a few accounts from the Sony PSN hack as well.

      Perhaps instead of password reminder apps and such, we should have an app that takes the site name, username and hashes it with some master password to generate a site-specific password. Passwords won't be reused because they're salted with the site name and username.
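
A minimal version of the scheme this post describes (site name and username hashed with a master password to yield a site-specific password), as an added example and not any existing app's code. The `meets_policy` check mirrors the Apple ID password rules quoted earlier in the thread, minus the one-year history rule, which needs server-side state; PBKDF2-SHA256, the iteration count and the 64-character alphabet are my choices.

```python
"""Deterministic per-site password derivation (added example, not a product's code).
A leaked password for one site reveals nothing usable on another, because each
site gets an independent PBKDF2 output keyed by the master password."""
import hashlib

UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"    # 24 letters, I and O dropped (look-alikes)
LOWER = "abcdefghijkmnopqrstuvwxyz"   # 25 letters, l dropped
DIGITS = "23456789"                   # 8 digits, 0 and 1 dropped
SYMBOLS = "!@#$%&*"                   # 7 symbols
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS
assert len(ALPHABET) == 64            # 256 % 64 == 0, so byte % 64 is unbiased


def meets_policy(password, account_name):
    """Apple ID rules as quoted in the thread: >= 8 chars, a digit, a lowercase
    and an uppercase letter, no three identical characters in a row, and not
    equal to the account name."""
    if len(password) < 8:
        return False
    if not any(c.isdigit() for c in password):
        return False
    if not any(c.islower() for c in password):
        return False
    if not any(c.isupper() for c in password):
        return False
    if any(password[i] == password[i + 1] == password[i + 2]
           for i in range(len(password) - 2)):
        return False
    if password == account_name:
        return False
    return True


def derive_site_password(master, site, username, length=16, iterations=100_000):
    """Derive the same password every time for (master, site, username).

    The salt carries site and username (lower-cased so "Apple.com" and
    "apple.com" agree) separated by NUL so "app"+"lebank" cannot collide
    with "apple"+"bank". If the candidate misses the policy, a counter in the
    salt is bumped and the derivation repeats: still deterministic, no state.
    """
    counter = 0
    while True:
        salt = f"{site.lower()}\x00{username.lower()}\x00{counter}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  iterations, dklen=length)
        candidate = "".join(ALPHABET[b % 64] for b in raw)
        if meets_policy(candidate, username):
            return candidate
        counter += 1


if __name__ == "__main__":
    # Constructed inputs; the master password is the only secret to remember.
    print(derive_site_password("correct horse", "apple.com", "alice@example.com"))
```

The trade-off a practitioner should weigh: because nothing is stored, a compromised master password exposes every derived password, and a site that forces a password change needs a per-site counter the user must remember.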

    4. Re:Happened to me by Anonymous Coward · · Score: 0

      I had my former iTunes account broken into a few times in a row a little less than a year ago, myself. Thankfully, I only ever used it with gift cards and so only lost iTunes store credit (which was refunded each time anyway). For reference, I use the program along with an old 5th gen. iPod video and a hand-me-down iPhone 3G, non-jailbroken.

      My original password and both following passwords were unique to my iTunes account, 14 characters long, and consisted of letters (lowercase and uppercase), numbers, and symbols in no particular order.

      After the first time, I thought I may have let something malicious slip into my system, so I scanned my Windows desktop with Microsoft Security Essentials, Malwarebytes, SuperAntiSpyware, and RootkitRevealer. None found anything obviously out of place other than the usual handful of tracking cookies. To be on the safe side, I decided to change all of my important passwords to various accounts - none of which had shown, or have shown since, any signs of intrusion.

      The only third-party applications I had on my iPhone at the time were the SomaFM Player and Zenonia, a popular adventure game/RPG. I know I hadn't responded to any phishing e-mails - the only things I ever open are from people I personally know or newsletters I know I personally signed up for (i.e. Newegg promotional stuff). I was doubly sure I hadn't entered my iTunes login information anywhere but iTunes and my iPhone.

      I figured it was a fluke, or that maybe Apple had some sort of leak somewhere, and just sucked it up and reset my password after my account was refunded. A week later it happened again. I was feeling a little paranoid, so I decided to go a bit nuts and DBAN my hard drive and reinstall Windows. I was once again refunded and changed my iTunes account password. The account was broken into yet again not long after. At that point I figured the issue had to be a security flaw on Apple's end and respectfully made it apparent to the customer support employee contacting me that I had no interest whatsoever in reopening my account, and would appreciate it if any and all information associated with it could be removed.

      I, personally, do not see how it can be my fault that my account was broken into three times in a row, with a freshly wiped hard drive and in a span of time in which I am 100% sure I had never opened a single suspicious e-mail or used my iTunes account information anywhere but iTunes.

  23. This happened to me by ShanghaiBill · · Score: 1

    This happened to me. There were a lot of mysterious charges for apps that neither I nor my wife purchased. It turns out that my wife forgot that she had given the password to our teenage daughter.

  24. Credit card info changed by gnasher719 · · Score: 1

    Here's a weird thing: Some people posted that their credit card info has been changed. So I think the following could happen: Crook hacks into my iTunes account. Crook also has a stolen credit card. He changes the credit card info to the stolen credit card. He then uses my account with the stolen credit card to buy stuff; the money probably goes to some associate of the crook. I don't notice unless I check my iTunes account because _my_ credit card is not affected. Still bizarre.

  25. Not. A. Hack. by Anubis+IV · · Score: 2

    This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

  26. Hate passwords! by rueger · · Score: 1
    The biggest challenge to getting people to use longer/better passwords is that no two sites have the same requirements. Off the top of my head, my various log-ons require:
    • six characters or more
    • eight characters or more
    • No more than eight characters
    • at least one number
    • any combination of numbers or letters
    • at least one special character
    • no special characters
    • at least one uppercase character
    • at least one uppercase character, one number, and one special character
    • none of the above
    • all of the above
    • random questions about the name of my first pet

    All of this drives me mad - I can't imagine what it does to Joe User. I basically try random variations on passwords I know I've used, then click on "Forgot Password."

    This whole system is seriously broken.

    1. Re:Hate passwords! by Anonymous Coward · · Score: 0

      Exactly my thoughts. Passwords get cracked, guessed, phished or brute-forced again and again, yet site owners still use them.

      "Madness: doing the same thing over and over again and expecting different results."

    2. Re:Hate passwords! by rueger · · Score: 1
      More to the point, when we had one or two log-ins to remember passwords made sense, but today I have log-ins for:
      • cell phone
      • home phone
      • desktop
      • laptop
      • bank web site
      • at least ten shopping web sites
      • at least ten sites like slashdot
      • at least ten user forums
      • ATM PINs
      • Credit Card PINs
      • PINs for three utility companies
      • Student card #s and log-in PINs
      • Library card and PIN
      • the secret number to reset my car radio if the battery is disconnected

      And a dozen other "use them once a year and then forget them" log ins for government sites etc.

  27. Happened to me. A flaw with Apple. by Anonymous Coward · · Score: 0

    It has nothing to do with easily guessable passwords. It has to do with Apple's shoddy customer service, terrible support, and weak protection. I had the same issue occur with me, on an app I certainly never purchased. It was a bunch of Chinese characters, so I couldn't even read it, let alone who the developer was. Of course Apple refused to give me any contact info for the developer, and had not contacted them about it. It came down to $300+ in app purchases over a 3 minute period. I asked them, "Doesn't that seem a little fishy to you?"

    The e-mail chain back and forth was comical, with them literally copying and pasting the same responses from previous e-mail threads.

  28. Apple states that it is others' problem, so it is true by Anonymous Coward · · Score: 0

    Hi,

    "Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."
    br> I am sure that this must be the case: I myself have not had any problems, nor have any of my friends. Apple rox0rs when it comes to security, and they are way better then everyone else.
    br> So, when did the Slashdot powers that be break simple HTML parsing?

    C'mon, guys - it's not rocket science.

  29. itunes account without credit card by Anonymous Coward · · Score: 0

    A search for those words pops this at the top: http://support.apple.com/kb/ht2534 , Creating an iTunes App Store account without a credit card

  30. Re:apple should come out of the "no clothes" close by stewbacca · · Score: 1

    I can only guess English is not your first language, or you are of the texting generation.

  31. Possible Solution by AmberBlackCat · · Score: 2

    I'm thinking they could make this a much smaller problem if all apps have a refund policy. If you notice an app has been purchased that you didn't want, you have time to notice the problem, undo the purchase, and change your password if you suspect the purchase was made without your permission. Of course the 15 minutes you get from the Android market would be inadequate. But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

    1. Re:Possible Solution by rdnetto · · Score: 1

      But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

      The problem is that a $1 app isn't going to give you even a week's worth of entertainment. The refund period has to be less than the period for which the app is useful/entertaining. A month refund period only makes sense for purchases a few orders of magnitude higher than that. Otherwise, you need a decent method of distinguishing between people who have been hacked/scammed and people who just got bored with the app. Even if the app were to phone home on installation with a device specific ID, it would be too easy for that ID to be modified on a rooted device.

      --
      Most human behaviour can be explained in terms of identity.
    2. Re:Possible Solution by Anonymous Coward · · Score: 0

      This would decimate the app store.

      People would simply buy games, beat them, then demand a refund.

    3. Re:Possible Solution by Anonymous Coward · · Score: 0

      It would absolutely be a much smaller problem with a 30 day policy. Most purchases are impulse buys that people play for 1-2 days. What would happen is the vast majority would buy games, play them and then refund the purchase. Developers would then be faced with a huge chargeback bill from Apple and rapidly go bankrupt. The supply of apps would then dry up. Nothing to purchase = no iTunes store = a not-profitable place for the phishing market.

      Note that I'm not saying that everyone would act like this, but enough to make the business unsustainable.

    4. Re:Possible Solution by Anonymous Coward · · Score: 0

      My only experience with Apple and this type of thing was when my kid's gift card value on iTunes simply disappeared. I dug around the site in his account for .5 hour and couldn't find any indication he had any credit available. I knew he had at least $50 so sent off an email to iTunes support asking "what am I doing wrong?"

      Lo and behold, 2 days later the credit reappeared and I received an email explaining how I was apparently incapable of reading my screen. I have no other evidence than this flimsy little anecdote, but Apple may only need to review its stale account policies to find how some customers' money automagically becomes Apple's money without notice. I'm sure Apple would never knowingly violate the Federal CARD act...

    5. Re:Possible Solution by AmberBlackCat · · Score: 1

      I see a few things going on here. One is you're saying a $1 app isn't going to be worth its price for 30 days. Others are basically saying the same thing, that people will finish or become bored within the 30-day period, and app developers would be bankrupted by returned apps.

      There are games, such as Pac-Man, Frogger, Super Mario Bros. and Tetris, that people have been playing for 20 or 30 years. If a game can't even remain fun for 30 days, I personally think the customer deserves a refund.

      Also, possibly the most popular game for any tablet or Android device is Angry Birds. Its price is $1, and people play it addictively every day. They could probably survive a 30-day return policy. The makers of Bejeweled could also survive it.

      I don't think people's ability to return apps would be a problem. I think a refund policy, that exploits people's impulse buying habits and inability to assess the value of an app in 15 minutes, is a problem.

    6. Re:Possible Solution by rdnetto · · Score: 1

      Those games are well known specifically because they're outliers. The majority of games can't sustain that level of entertainment. This would result in a substantial decrease in the number of games available in the app store. Because the app store's revenue is a proportion of the total value (qty*cost) of apps sold, a decrease in the number of games available would reduce their revenue. Furthermore, the decrease in revenue would result in an increase in the market fees, increasing the cost of the apps.

      Additionally, if only high quality apps were available, the cost of the apps would be higher. Angry Birds sells for $1 because most of the apps sell at $1. The price most people are willing to pay is determined by the expected (average) value of an app. If you increase the average value of all apps, then the cost will also increase.

      I'm not saying that it shouldn't be the way you're saying - raising the overall quality of the app store would benefit the entire platform. I'm just saying that the reduction in purchases/revenue (caused by the increase in cost) wouldn't justify it, from Apple/Google's perspective.

      --
      Most human behaviour can be explained in terms of identity.
  32. Windows? by Anonymous Coward · · Score: 0

    I wonder how many are using a Windows machine to connect to iTunes.
    Probably a good chance they have some sort of malware recording all the details they need to access the accounts.

    1. Re:Windows? by Osgeld · · Score: 0

      In my little bubble I have only seen one Windows user with iTunes installed, he was a recovering Mac person.. he started getting miffed when his new damn near 3 grand laptop had to go one and a half hours away to the shop every 2 weeks

    2. Re:Windows? by konohitowa · · Score: 1

      Man, that must be a little bubble if you don't know any Windows users with iPhones. Unless you're saying that not one of them used iTunes to activate their phones or that those that did immediately followed this up by uninstalling iTunes. Both are possible, but seem unlikely to me.

    3. Re:Windows? by Osgeld · · Score: 1

      I only know one iPhone user, and her son set it up for her; I don't know what arrangement that took. But everyone else I know with a smartphone has an Android product, the little local cellphone providers out here in the sticks give them away like flip-phones (and nail you on overages)

    4. Re:Windows? by konohitowa · · Score: 1

      Wow. Okay, scratch my sarcasm. It really is a small bubble. So no iPod users on Windows either? Some of them don't mount as flash drives so you're stuck with iTunes (at least from a practical standpoint – there are workarounds but Windows users are less likely than Linux users to hunt them down).

    5. Re:Windows? by Osgeld · · Score: 1

      Yes, believe it or not there are people who do not have to have Apple jammed up their ass for every little thing, and there are plenty of other ways to carry music outside of an iPod or iTunes

      Why is this so difficult to comprehend?

    6. Re:Windows? by Anonymous Coward · · Score: 0

      Yes, believe it or not there are people who do not have to have Apple jammed up their ass for every little thing

      So what exactly is it you so obviously have jammed up your ass?

    7. Re:Windows? by konohitowa · · Score: 1

      You know what's difficult to comprehend? Well over 200 million iPods have been sold and you're claiming that you don't know anyone that has iTunes installed on Windows. And now you're making it sound as if you don't even know anyone with an iPod. Either you really are extremely limited in your knowledge of or interactions with other people, or you were just talking smack and have gotten all pissy because you got called on it. After that "apple jammed up their ass" comment, I suspect the latter.

  33. Keyloggers? by Anonymous Coward · · Score: 0

    I wonder how many of those people also have a little spy/virus on their most likely Windows PC that snoops on their iTunes software. Even if your password generator is /dev/random and you use a 32-character unique service-specific password, that would still bite you.

  34. 700 posts... by smash · · Score: 1

    ... out of the few hundred million iTunes users?

    I thought more people synced iDevices to Windows than that. My bet is that it is either shitty passwords, or crappy old Windows XP machines that have been compromised.

    Maybe even people who had their password compromised by the Sony hack(s) a while ago, and use the same email/password on iTunes.

    Nothing to see here, move along.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  35. I think it's stupid people by Nyder · · Score: 2

    I have this friend, and he is, well stupid like most people.

    So, we are going to do some Free 2 Play games, and one of the websites wants your email address as your login name (which is becoming very popular).

    So when it comes to password, he says to me, why do they want my email address password?

    I'm like, "WTF? No, they want you to make a new password for this account that is using your email address as your login name."

    Needless to say, it took me like 5 mins to explain it to him. And he's not that computer stupid (though close).

    So no, it doesn't surprise me that people use weak passwords, or will put in the wrong type of info (like your iTunes account password) on websites that aren't iTunes.

    --
    Be seeing you...
    1. Re:I think it's stupid people by Anonymous Coward · · Score: 0

      I can't believe this didn't occur to me before. That would mean that many/most passwords on sites that require your email as a login are real email passwords... Like some big vendor support sites, for example... Oracle? IBM? Jeez.

  36. So much for... by Anonymous Coward · · Score: 0

    So much for the walled garden.
    It looks like it is no help at all.

  37. Three words. by Anonymous Coward · · Score: 0

    Reality. Distortion. Field.

  38. Stop using the same password everywhere by The+Other+White+Meat · · Score: 1

    If you create an account on a website, and you give them your email address, and you use the same password that you use for email, guess what you've given them access to?

    Same goes for your Apple ID. If Apple ID = email, and you use the same password, you've given them access to your email AND to your Apple account. ...and probably a dozen other websites, like PayPal, eBay, etc.

    --

    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
  39. One thing Apple could do by gullevek · · Score: 1

    Would be to confirm first purchases on a new iDevice. A confirmation mail to your email address where you have to confirm that it is really you and not someone else.

    --
    "Freiheit ist immer auch die Freiheit des Andersdenkenden" - Rosa Luxemburg, 1871 - 1919
    1. Re:One thing Apple could do by AdrianKemp · · Score: 1

      First: the problem isn't new devices, it's ones that are already in use.

      Second: Apple does everything reasonable to keep the users safe. Including requiring new devices accessing an Apple ID to reconfirm credit information (by re-inputting some parts of it)

      As has been said, people are retards. When you have 200 million retards together, 700 getting screwed is LOW. The fact that the number isn't more like 7 million means Apple's system is staggeringly good.

    2. Re:One thing Apple could do by gullevek · · Score: 1

      It is new devices. New in the sense "first time purchase from a different iDevice".

      I had a similar problem; if Apple had let me confirm that this new device is mine, they could have avoided service hours to restore my account.

      --
      "Freiheit ist immer auch die Freiheit des Andersdenkenden" - Rosa Luxemburg, 1871 - 1919
  40. Obligatory XKCD... by Anonymous Coward · · Score: 0