Slashdot Mirror


Mystery of Vanishing iTunes Credit Shows No Sign of Fading

E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."


  1. Great by Antisyzygy · · Score: 2, Insightful

    Apple should really look into this more, rather than just passing off the blame. Typical.

    --
    That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    1. Re:Great by DurendalMac · · Score: 4, Insightful

      We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

    2. Re:Great by iamhassi · · Score: 5, Interesting

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to who blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      If you read the article every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

      Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases

      --
      my karma will be here long after I'm gone
    3. Re:Great by AmiMoJo · · Score: 1

      This is just a rumor so make of it what you will, but some sources claim that it is an attack on credit voucher serial numbers. After all why buy random apps if you can't use them? They will be tied to the owner's phone.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Great by entoke · · Score: 1

      I get email receipts when I buy apps on my iphone, pretty sure I didn't have to change any setting for it to work that way.

    5. Re:Great by shoehornjob · · Score: 2

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      Thank you. They need to enforce better password standards.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    6. Re:Great by brusk · · Score: 5, Interesting

      After all why buy random apps if you can't use them? They will be tied to the owner's phone.

      No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

      --
      .sig withheld by request
    7. Re:Great by Colonel+Korn · · Score: 1

      And a lot of people also won't post because they don't, they're not sure if they were affected or it was only a small amount so they didn't notice or care.

      I'd bet the actual number is much higher.

      This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

      --
      "I zero-index my hamsters" - Willtor (147206)
    8. Re:Great by UnknowingFool · · Score: 1

      That does little for stolen passwords or phishing attacks. I know people who used the same email (username) and password for different accounts. Once one of them gets hacked, then those people have multiple accounts hacked.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Great by CharlyFoxtrot · · Score: 2

      Why doesn't the customer get email receipts when the transaction happens?

      You do get a receipt normally, however since the accounts were compromised and personal details altered (according to the thread) that confirmation could've been sent elsewhere. Some people do report getting receipts and being informed that way that something was going on. This is all on the first page of the linked Apple support discussion.

      And why can't Apple figure out which device downloaded the app to provide that information to law enforcement?

      You want Apple to track their customers ? Yeah, that'll go over great with the paranoid Slashdot crowd.

      --
      If all else fails, immortality can always be assured by spectacular error.
    10. Re:Great by CharlyFoxtrot · · Score: 1, Funny

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to who blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      A few hundred = a not even that successful phishing expedition. Even a few thousand would be a drop in the bucket.

      Apple should do more than just issue refunds, by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases

      They could ask him but they don't have enough to block him. Someone also bought Monkey Island 2, does that mean Apple should block Lucasarts ?
      Apple should issue refunds, just because it's good business but the problem here in all likelihood is on the client side.

      --
      If all else fails, immortality can always be assured by spectacular error.
    11. Re:Great by guruevi · · Score: 2

      Did you ever enforce minimum security standard passwords? First if you just add some complexity (eg. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:Great by LordSnooty · · Score: 1

      Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

    13. Re:Great by gnasher719 · · Score: 2

      Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

      Combine something that is easy to remember with a random sequence that you have to write down and pin to your monitor. Remote attack fails because of the random sequence, looking at the paper fails because the person looking is not an experienced hacker and doesn't know the "easy to remember" bit.

      And even if an experienced hacker knew the random sequence, at least attacks using rainbow tables would now fail.

    14. Re:Great by zippthorne · · Score: 2

      They do, but they have a stupid definition of "minimum security":

      it's some small number of characters, at least one of which must be a number.

      This is not a terribly onerous policy*, but iPods' screen keyboards do not have a number row. You have to switch to another page to input numbers, so people with iPods are going to tend to pick a specific subset of passwords with numbers - ones where all the numbers are together at either the beginning or the end.

      I think that this may result in passwords that are actually less secure than the same length of just letters, even....

      *although, until you start getting into 20+ char passwords, it turns out that adding one more character to the minimum length improves security by more than adding 10 more glyphs to the character pool....

      What they should do is enforce a minimum password *strength*, and generate several passwords for using pre-defined rules which you can pick from (and which have been researched, so assuming random generation, their strength can be calculated), rather like the keychain works, actually...

      --
      Can you be Even More Awesome?!
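The footnote's comparison, worked through as an added derivation that is not part of the comment above. It holds for a password chosen uniformly at random from the pool; it says nothing about human-chosen passwords, which is what the rest of the thread is arguing about.

For a password of length $n$ over a pool of $p$ symbols the keyspace is $p^n$, so

$$\text{bits} = n \log_2 p, \qquad \Delta_{\text{one more character}} = \log_2 p, \qquad \Delta_{\text{k more glyphs}} = n \log_2 \frac{p+k}{p}.$$

With lowercase letters only ($p = 26$), $n = 8$ and ten added digits ($k = 10$): one more letter is worth $\log_2 26 \approx 4.70$ bits, while the ten extra glyphs are worth $8 \log_2 \tfrac{36}{26} \approx 3.76$ bits. Enlarging the pool only wins once

$$n > \frac{\log_2 p}{\log_2 \frac{p+k}{p}},$$

which is about 10 characters for $p = 26$ and about 28 characters for $p = 62$ (mixed case plus digits); the footnote's "20+" sits between those two cases.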
    15. Re:Great by Anonymous Coward · · Score: 1

      Or so you say. The same reason why they can't go after Hongbin is the same reason you can't make such outrageous claims that it's user side. How many times do you actually need to enter in your account information outside of your i device? Once for your install of the bloatware on your desktop, and once (if enabled) upon installing an application. There are no other reasons to put in your password (let alone your username *AND* password at the same time). And of course, these desktops (since they have a fruit logo on them) can't possibly be hacked / trojaned / keylogged, right?

      And it's nice for scammers. Apparently as long as criminals remain under a few hundred dollars, you're ok with them not being stopped since it's "not successful" -- at least according to you. Next time someone breaks into your house and steals JUST your computer or JUST your TV (small in comparison with the worth of your entire house, just like one gift card in comparison to how much money they spent) and the insurance company says "FU. IT'S UR FAULT. U GETS NO MONAYS", let me know how you feel.

    16. Re:Great by CharlyFoxtrot · · Score: 1

      This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

      That's a pretty impressive number you just pulled out of your ass, this must be a serious problem.

      --
      If all else fails, immortality can always be assured by spectacular error.
    17. Re:Great by hedwards · · Score: 1

      Unless this is a series of cracks purely for lulz, there really ought to be someway of tracking things efficiently. If the apps being bought are sold by scammers, then that's one thing, otherwise, I'm curious as to how this would result in profit for the people doing the cracks.

      Find and prosecute whomever it is that is profiting and the problem should be solved. Ultimately, that's Apple's responsibility. This isn't like Android where Google has little say over what users load on their Android devices.

    18. Re:Great by CharlyFoxtrot · · Score: 3, Insightful

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      This is the password policy, pretty standard stuff :

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9).
      Contain at least one uppercase letter (A-Z).
      Contain at least one lowercase letter (a-z).
      Not contain three consecutive identical characters.
      Not have been used in the past year.
      Not be the same as your Apple ID username."

      That's also what is shown when trying to change your iTunes password (just tried it.) I know for a fact though that it hasn't always been this strict because my password (that I've had for years now) doesn't conform to the policy.

      --
      If all else fails, immortality can always be assured by spectacular error.
    19. Re:Great by hedwards · · Score: 1

      I've got my parents to somewhat strengthen their passwords by using a pass phrase with substitutions. It's not great, but if you then abbreviate some of the words, you get something close to a proper password. Ultimately, there are dictionary attacks that handle it, but even that is significantly stronger than just a word and a number. Hopefully, they'll just move on down to the next account when they don't come up with anything the first time through.

      Ultimately, no matter how many times you tell users that if the account gets cracked because of a weak password that they're not going to get their money back, they don't listen because that's something that only happens to other people. And ultimately, with a weak password it's tough to prove that it wasn't the password that was the cause of the losses which can result in being awarded nothing in court.

    20. Re:Great by hedwards · · Score: 1

      That's one possibility, a couple more are that it's for lulz or that it's revenge by some developer that's pissed because of Apple's ridiculous policies for being granted access to the App store.

    21. Re:Great by Anonymous Coward · · Score: 1

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to who blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

      I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

    22. Re:Great by guruevi · · Score: 1

      We told users to reject the password because of Kevin Mitnick. He used social engineering very well to get somewhere. Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

      It also doesn't help against phishing attacks. What we need is a 3rd token (not something you know but something you have or are) for financial transactions. Could easily be handled with distributed authentication - you use a provider that gives you the right amount of security you want (or want to pay for) or you can do it yourself if you're paranoid.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    23. Re:Great by zill · · Score: 2

      We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.

    24. Re:Great by North+Korea · · Score: 1

      It doesn't even need to be some kind of hacking. Most people use the same password for all services. It just needs one of those services with an abusive admin, or a break-in into those, to get lots of passwords. Since iTunes is so popular, it should be easy to find lots of the same user account information there. Also don't forget that there have also been numerous occasions when someone has leaked email, username and password lists to the internet as a result of some hack.

    25. Re:Great by iamhassi · · Score: 5, Insightful

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post; imagine how many people this might have happened to who blamed their kids/husband/wife/etc. or didn't even notice or didn't even find the forum?

      Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

      I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

      How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 million dollars.... wow, but hey the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?

      --
      my karma will be here long after I'm gone
    26. Re:Great by Anonymous Coward · · Score: 1

      That's flawed -- we're looking at "few hundred accounts out of millions" that bothered to post on that same thread.

      And yeah, it's quite possibly all down to crappy passwords and phishing, it's just when you've got a few hundred people noticing and talking about it on the same thread, there's a whole hell of a lot more than a few hundred people affected.

      And even if it's only crappy passwords and phishing, that's still a major problem Apple has to solve. They're the User Interface people - their UI is flawed because it's allowing this simple problem to be commonplace.

      Their whole deal is about making tough technical things easy and slick to use. Now they need to do it for the password problem to be complete. This is the challenge and opportunity here.

    27. Re:Great by Belial6 · · Score: 1

      When the customer explicitly asks you to? Yes. There is a big difference between tracking a customer's movements via GPS and looking up the device ID and IP address accessed from when the customer specifically asks for it.

    28. Re:Great by Belial6 · · Score: 2

      That's actually a pretty good solution. It still doesn't solve the problem of having dozens of passwords though. I know that I have at least a hundred different passwords. I used to use a "Doesn't matter", "low security", "high security", "REALLY high security" set so that I could remember my 4 passwords, and didn't have to worry that the video game forum I posted to one time a couple of years ago wasn't going to have an admin that was going to clean out my bank account.

      The problem is that once enough sites and services had enforced enough different name requirements on me that I couldn't remember all of my passwords, I had no choice but to write them down. Since I sometimes need them when I am out and about, I had to keep them in a digital form. This seems like a bigger risk than my previous method.

    29. Re:Great by shutdown+-p+now · · Score: 1

      One problem with receipts you get from App Store is that they seem to come in quite a bit later - and I mean not just hours, but days later - after the purchase.

    30. Re:Great by ShanghaiBill · · Score: 1

      they'll just use the same password and change or add 1 character to satisfy your needs.

      Then mission accomplished, since adding one additional character makes the password two orders of magnitude more difficult to guess.

    31. Re:Great by guruevi · · Score: 1

      For a brute force attack, not for a dictionary attack. The passwords used in these compromised accounts seem to be simple dictionary attacks. These days dictionary attacks do include variations of numbers and characters on common passwords.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
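What a rule-based dictionary attack of the kind described in the comment above looks like, as an added example that is not from the thread. The base words and digit blocks are a constructed toy list (a real attack uses a corpus of millions of leaked passwords and hundreds of rules); the mangling rules model the pattern a commenter noted earlier, a capitalised word with all the digits pushed to one end, which is also exactly what the complexity policy nudges people towards. It counts how many guesses the rule set needs to reach a policy-compliant password such as Password1 and sets that against the 62^8 keyspace a brute-force estimate assumes.

```python
import math

# Constructed toy wordlist; a real attack uses a leaked-password corpus.
BASE_WORDS = ["password", "monkey", "letmein", "welcome", "qwerty", "iloveyou", "dragon", "baseball"]
# Constructed digit blocks: single digits first, then the suffixes people reach for.
DIGIT_BLOCKS = [str(n) for n in range(10)] + ["12", "69", "123", "007", "1234", "2010", "2011"]


def is_policy_compliant(guess, min_len=8):
    """Mirror of the complexity rules: length, one digit, one uppercase, one lowercase."""
    return (len(guess) >= min_len
            and any(c.isdigit() for c in guess)
            and any(c.isupper() for c in guess)
            and any(c.islower() for c in guess))


def case_variants(word):
    """Case rules in the order an attacker would try them."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(words=BASE_WORDS, digit_blocks=DIGIT_BLOCKS, min_len=8):
    """Yield guesses in attack order: word, case variant, digits appended, then digits prepended.

    Guesses that cannot pass the complexity rules are skipped, so no attempt is wasted on
    something the target system would never have accepted as a password.
    """
    seen = set()
    for word in words:
        for variant in case_variants(word):
            for block in digit_blocks:
                for guess in (variant + block, block + variant):
                    if guess in seen or not is_policy_compliant(guess, min_len):
                        continue
                    seen.add(guess)
                    yield guess


def guesses_until(target, **kwargs):
    """1-based number of guesses the rule set needs to hit `target`, or None if it never does."""
    for position, guess in enumerate(candidates(**kwargs), start=1):
        if guess == target:
            return position
    return None


def keyspace_bits(length=8, pool=62):
    """Bits of search space a brute-force estimate assumes for a random password."""
    return length * math.log2(pool)


if __name__ == "__main__":
    total = sum(1 for _ in candidates())
    print(f"rule set yields {total} compliant guesses; 8 random alphanumerics would be 2^{keyspace_bits():.1f}")
    for pw in ["Password1", "123Welcome", "Monkey2011", "Xk7#pq2Lm9vB"]:
        print(f"{pw}: hit after {guesses_until(pw)} guesses")
```

With this toy list the whole compliant candidate set is a few hundred guesses and Password1 falls on the third one, which is why the extra character from a complexity rule buys nothing against a dictionary attack even though it multiplies the brute-force keyspace.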
    32. Re:Great by alteran · · Score: 1

      I don't get why you're complaining. It's clear that the users were holding their iTunes accounts wrong.

      --
      Who is RTFM and when will he help me with Unix?
    33. Re:Great by CharlyFoxtrot · · Score: 1

      That's true. Maybe they do this to avoid sending you an email every time you buy a track/app which could get annoying if you buy a lot of single track songs for example ? I don't know, it should probably be a user definable option.

      --
      If all else fails, immortality can always be assured by spectacular error.
    34. Re:Great by Taty'sEyes · · Score: 1

      You can bet that if Hongbin Suo in Towson MD had an unreleased iPhone in his house the Apple Police would be right there. But in this case, it's just a few hundred of their faceless customers...

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
    35. Re:Great by Antisyzygy · · Score: 1

      Who says I am complaining? I am merely stating facts. Passing off the blame on users for a known issue before addressing it in full is never a good way to handle business, asshole.

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    36. Re:Great by abhi_beckert · · Score: 1

      Combine something that is easy to remember with a random sequence that...

      What I've quoted is about as far as your suggestion will sink in, for a typical iTunes customer.

      Apple should make each of these users go through some fairly painful steps to get their money refunded, and at the end give them good advice how to avoid such things in future.

      The only solution is user training, and you can't train them without finding some motivation first.

    37. Re:Great by abhi_beckert · · Score: 1

      "significant" is subjective, but 0.0005% of iTunes customers is insignificant by anyone's standards.

      And apple has only said "we think this is what's going on". They have not said "we aren't going to do anything about it". They never tell anyone what they're going to do until after they've done it.

    38. Re:Great by Ja'Achan · · Score: 1

      Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

      Which means you have to actually know about them and call them, instead of just running some spammer botnet or spreading a virus. Sticky notes don't work against targeted attacks, but it's good enough for thwarting most distributed attacks.

    39. Re:Great by w0mprat · · Score: 1

      Obviously, one of the random apps purchased will belong to the crooked developer/hacker. But if they've bought apps from multiple developers it would hide their fraud amongst random transactions. Steal $100 million to get $1 million? Probably worth it, if also untraceable.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    40. Re:Great by exomondo · · Score: 1

      we need better passwords for regular people:
      http://xkcd.com/936/
      http://preshing.com/20110811/xkcd-password-generator

      But that's not going to help, that method is easily defeated by brute forcing from the most rudimentary dictionary.

    41. Re:Great by Kalriath · · Score: 1

      It's because the email is technically a tax invoice, and they only send it when they actually charge you. They wait up to about 3 days to charge you as it minimizes their transaction fees (since they only have to charge you one $3.96 charge rather than four $0.99 charges - and therefore only pay transaction fees once).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    42. Re:Great by Kalriath · · Score: 1

      It is compulsory, despite the word "should". Passwords not conforming to the regime are rejected. They only say "should" because Apple doesn't like using the imperative.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    43. Re:Great by tehcyder · · Score: 1

      Did you ever enforce minimum security standard passwords? First if you just add some complexity (eg. require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

      That is only a security issue if the thief has physical access to your written notes or computer you stick your notes to, in which case you're fucked anyway.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    44. Re:Great by One+Monkey · · Score: 1

      According to the discussion underneath the second link... apparently not. I was surprised too.

      --
      www.nodicerpg.com - Some RP stuff for free, some not so for free, but still cheap.
    45. Re:Great by tehcyder · · Score: 1

      Yes, whenever something happens to Apple customers, it's their fault, not Apple's.

      Whereas with Microsoft, Sony, Google, Facebook or whoever it's always teh evil company's fault.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    46. Re:Great by justsayin · · Score: 1

      Yep, I've set up iTunes accounts for people to get their iPhones running. I have had folks insist that their password simply must be 123456. Then when the Apple site won't take that they simply must have ABC123456. Dumb asses. It's right about then that I start making them pay up front.

    47. Re:Great by justsayin · · Score: 1

      XKCD got it right. CorrectHorseBatteryStaple
      http://xkcd.com/936/

    48. Re:Great by Quirkz · · Score: 1

      I'm all for writing them down, and agree with you. I'd still suggest, at minimum, NOT taping it directly to your monitor, though (like one former dean of Engineering did at the university I worked at). Also, if your password is just your initials and the year of your birth, do you REALLY need to write it down? (Looking at that same dean of Engineering, again).

  2. Weak passwords?! by NFN_NLN · · Score: 4, Insightful

    Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

    Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

    1. Re:Weak passwords?! by Antisyzygy · · Score: 4, Funny

      That would infringe on people's desire to have passwords like "cats" or "1234".

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    2. Re:Weak passwords?! by Anonymous Coward · · Score: 5, Informative

      There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

      Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your apple ID, or a password you've used in the last year.

      The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

    3. Re:Weak passwords?! by moderatorrater · · Score: 1

      They don't allow spaces in their passwords and every password needs to be able to be typed into a touch device like the iPhone or iPad. They could definitely do more in this area.

    4. Re:Weak passwords?! by interval1066 · · Score: 1

      Trivially installed policy, and used by more than one web site I frequent. As much as I don't care for Apple, and they should install such a policy, some of the blame does fall on the users. Having a contract with several web sites for tech support and not having access to their databases directly I have occasion to ask users for their passwords to troubleshoot, and the amount of "abc123" or "qwerty" passwords is astounding.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    5. Re:Weak passwords?! by Kenja · · Score: 1

      That's like saying they could have an option to simply not store your credit card number. Insanity!

      --
      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    6. Re:Weak passwords?! by broken_chaos · · Score: 1

      Longer passwords are more secure than passwords with fancy characters

      This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

      While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

    7. Re:Weak passwords?! by CharlyFoxtrot · · Score: 1

      Because having a complicated password will prevent users from losing it in phishing scams ?

      --
      If all else fails, immortality can always be assured by spectacular error.
    8. Re:Weak passwords?! by Nerdfest · · Score: 1

      Apple generally doesn't care much about infringing on people's desire to do certain things. This might be one of the few times when their control-freakery would be well placed.

    9. Re:Weak passwords?! by hedwards · · Score: 1

      8 characters is a joke. Even a decade ago 8 characters was a joke. Even if you include a punctuation mark, it's still pretty ridiculous.

    10. Re:Weak passwords?! by Anubis+IV · · Score: 1

      ^^^ This.

      It doesn't matter how complicated it is if it's being compromised through social engineering. Were this a brute force attack, it wouldn't be drawn out. They'd have the data, they'd compute as many passwords as they could from the hashes for all 200M+ accounts, and they'd do as much damage as possible before anyone could respond appropriately (e.g. PS3 debacle). The pattern instead suggests this is an ongoing set of social engineering attacks which are yielding suckers on a regular basis over an extended period of time.

    11. Re:Weak passwords?! by TC+Wilcox · · Score: 1

      This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

      While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

      Even then, I'd think trying to keep horse with batteries or fruit flies with baked beans would be easier than trying to remember !a$%jb9 vs y48*y+=. Which would you rather remember?

    12. Re:Weak passwords?! by gnasher719 · · Score: 1

      I think AppleIDs are reasonably easy to find. Mostly they are email addresses. Haven't tried if trying to login with a random email address and a random password gives any indication that the email address is an Apple ID; you would hope not. However, if hackers manage to read your emails, then they can read any purchase confirmation emails, and from these emails you can find the Apple ID.

      Now if they know many Apple IDs, they can just randomly try to login with valid Apple ID and a random weak password, and will have some successes. If 100 weak passwords are used by just 2 percent of all users, then one in 5,000 attempts will break an account.

    13. Re:Weak passwords?! by ArsenneLupin · · Score: 1

      ... and the amount of people just blurting out their password to you without wondering about your lack of database access is even more astounding...

    14. Re:Weak passwords?! by Anonymous Coward · · Score: 1

      So what you're saying is that big red is claiming that "weak passwords" is lying because their own policies make weak passwords unlikely or impossible?

      Have you tried just entering "password" as a password?

    15. Re:Weak passwords?! by interval1066 · · Score: 1

      Well, in some cases it's necessary; it's not always convenient to gain access to a client's database directly. That most users don't give it a second thought isn't that extraordinary to me.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    16. Re:Weak passwords?! by Roogna · · Score: 1

      8 characters isn't all that bad, considering it's unlikely even the best methods will find the match in the first 3 guesses. Apple does lock accounts after 3 failed attempts and force a password change through the e-mail on file. This of course does -nothing- against phishing, but neither does the most secure password on the planet if it's typed into a false site. Of course if they hacked these peoples e-mail then they can reset the password to whatever they want... but this should just teach everyone that security is not about -one- account, it's about -all- your accounts being connected.

      8 characters is absolutely -pathetic- when used in any situation like encrypted files where it's possible to get an infinite amount of attempts with no real delay.

      Now of course, as others on this article have commented, given even just common dictionary attacks, there's probably a good chance you can take a random e-mail discovered however, enter it as an Apple ID, and then spend your 3 attempts trying the top 3 passwords that meet the criteria, and probably get in to a percentage of the accounts.

    17. Re:Weak passwords?! by Duradin · · Score: 1

      After a few password failures the iTunes account clears your CC security code (ie can't purchase anything), so 8 characters is more than enough.

      I've never used stored credit so I don't know what happens when there's too many failed attempts.

    18. Re:Weak passwords?! by boreddotter · · Score: 1

      They do have a very strict policy, and it was stated above by CharlyFoxtrot but here it is again:

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9).
      Contain at least one uppercase letter (A-Z).
      Contain at least one lowercase letter (a-z).
      Not contain three consecutive identical characters.
      Not have been used in the past year.
      Not be the same as your Apple ID username."

      It was never this strict though, but this is at least a few years old.

    19. Re:Weak passwords?! by abhi_beckert · · Score: 1

      They do have some policies to enforce strong passwords, and it looks like those policies have been getting stricter recently (because of this?).

      But "easily guessable" could just mean a password I use for some other service which was hacked. Apple has no way of verifying that your password is unique.

    20. Re:Weak passwords?! by abhi_beckert · · Score: 1

      8 characters is a joke. Even a decade ago 8 characters was a joke.

      8 mixed case alphanumeric characters is 281474976710656 passwords to brute force. Assuming there is no way to achieve an offline attack (which is likely in this case), that means you would have to hit apple's server that many times with an incorrect password before finding the correct one.

      Let's say you have a really fast internet connection, and can attempt to log into Apple's servers at a rate of, oh, a million times per second... that means it would take you almost TEN YEARS to guess the correct password.

      There is no way you can hit Apple's servers that hard for more than about 20 minutes before their sysadmins investigate WTF is going on, and suspend the iTunes account you're trying to attack.

    21. Re:Weak passwords?! by NFN_NLN · · Score: 1

      They do have a very strict policy, and it was stated above by CharlyFoxtrot but here it is again:

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9). ...

      These threads aren't sorted by chronological order dipsh*t.

      by CharlyFoxtrot (1607527) on Saturday September 10, @02:30PM (#37363398)

      by NFN_NLN (633283) on Saturday September 10, @12:44PM (#37362832)

      It is difficult to respond to a post ~2 hours in the future.

    22. Re:Weak passwords?! by boreddotter · · Score: 1

      Well... there's no need to be rude, sir. I apologise if I offended you. I only mentioned it was posted above because I literally copied and pasted; I was just citing where I got the info. TBH I didn't look at the times of the different posts, but would you have read CharlyFoxtrot's post if I hadn't mentioned it? What would've been the right thing to do? Assume you read it? What about other people who might read your post and miss Charly's?

      A civilised response would've been nice...

    23. Re:Weak passwords?! by Man+Eating+Duck · · Score: 1

      Don't use spaces

      Why not? If it's not all spaces (prohibited by the three-chars-in-a-row requirement) you're good to go. I can't find it now, but I read an article a while ago that endorsed passwords containing spaces. They're apparently a lot more secure against dictionary attacks since very few people use them. On a side note my telco disallows *any* special characters, I have no idea why this is a part of any password policy.

      --
      Are you a grammar Nazi? I'm trying to improve my English; please correct my errors! :)
    24. Re:Weak passwords?! by w0mprat · · Score: 1

      Judging by that, Password123 fits Apple's definition of a 'secure' password. So does something like S3cur1tyP355w0rd, which is the kind of thing I've seen set by allegedly qualified administrators on highly critical systems.

      Ultimately, including numbers, mixed case and punctuation invites easy-to-remember common substitutions and number combinations, which is what will happen 90% of the time; this doesn't significantly draw out a brute force attack attempt. A few random lowercase letters has more possible combinations than anything containing a dictionary word and a few numbers.

      Users tend to use the same or similar passwords across systems. If you could somehow get the user to sign up for something else, then what percentage of those who are also iTunes users will use the same password for iTunes? I wouldn't be surprised if it was 10% 20% or more?

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
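
The entropy arithmetic behind this subthread (TC Wilcox's "7 random ASCII characters match a 44-bit passphrase", abhi_beckert's online brute-force estimate, and w0mprat's point that leet substitutions barely enlarge the search space) is easy to get wrong by hand. The following is an added example, not code from any poster or from Apple; the "word + substitutions + digits" attacker model in `pattern_bits` and the guess rate of one million attempts per second are assumptions for illustration.

```python
import math

# Standard alphabet sizes: 95 printable ASCII, 62 mixed-case alphanumerics, 26 lowercase.
PRINTABLE_ASCII = 95
MIXED_ALNUM = 62
LOWERCASE = 26

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn uniformly."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly from a wordlist (the xkcd scheme)."""
    return words * math.log2(wordlist_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random password over this alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_bits(dictionary_size: int, substitution_slots: int, digit_suffix_max: int) -> float:
    """Entropy of a 'dictionary word + leet substitutions + digit suffix' password.

    Assumed attacker model: pick one of `dictionary_size` words, independently
    apply or skip each of `substitution_slots` substitutions (a->@, e->3, ...),
    then append a number in 0..digit_suffix_max. An attacker who enumerates
    exactly that space needs no more guesses than its size, so the password
    has at most log2(size) bits regardless of how 'complex' it looks.
    """
    variants = dictionary_size * (2 ** substitution_slots) * (digit_suffix_max + 1)
    return math.log2(variants)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a fixed online guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("4 words from a 2048-word list:", passphrase_bits(2048, 4), "bits")
    print("random printable ASCII needed for 44 bits:", length_for_bits(PRINTABLE_ASCII, 44), "chars")
    print("random lowercase needed for 44 bits:", length_for_bits(LOWERCASE, 44), "chars")
    print("8 mixed-case alphanumerics:", keyspace(MIXED_ALNUM, 8), "passwords,",
          round(entropy_bits(MIXED_ALNUM, 8), 1), "bits")
    print("years to exhaust at 1e6 guesses/s:", round(years_to_exhaust(keyspace(MIXED_ALNUM, 8), 1e6), 2))
    print("word+leet+digits model:", round(pattern_bits(100_000, 5, 9999), 1), "bits")
```

The model in `pattern_bits` is deliberately generous to the defender (a 100,000-word dictionary, five independent substitutions, a four-digit suffix) and still lands around 35 bits, well under seven random printable characters; real cracking wordlists and rule sets are far more targeted than that.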
  3. Easy to prevent by mehrotra.akash · · Score: 1

    SMS based verification?

    1. Re:Easy to prevent by brusk · · Score: 1

      What if you buy the app for an iPod touch or wifi-only iPad? Or you buy it for an iPhone over wifi and are out of cellular range?

      --
      .sig withheld by request
    2. Re:Easy to prevent by mehrotra.akash · · Score: 1

      Why do you need a text messaging plan to receive texts?

    3. Re:Easy to prevent by tepples · · Score: 1

      A device with no SIM has no phone number at which to receive text messages.

    4. Re:Easy to prevent by PipsqueakOnAP133 · · Score: 1

      Because text messages cost money, so I know some people who have incoming texts blocked on their accounts by choice.

  4. The users are just as much to blame... by Anonymous Coward · · Score: 1

    Disclaimer: Used to work for AppleCare CPU, and then iTunes Store Support

    Honestly, there are three reasons this happens.

    1) People letting their kids use their device. Conversation goes like this:
    Parent: "Son, did you waste $50 on iFart Pro?"
    Kid: "No......"
    Parent: "SINCE MY KID WOULD NEVER LIE APPLE STOLE MY MONEY GIVE IT BACK RIGHT NOW"

    What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

    2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

    3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back, you call your bank. Same applies to the iTunes Store.

    As far as passwords go, the requirements are a capital, a number, and more than eight digits long. 12345678, etc. ARE kicked out. If you haven't changed your password in 10 years, it's probably grandfathered to be shorter; just change it. There's no maximum length... As usual, where the login is based on an email and password, idiots who use the same password for everything get taken advantage of when Gawker, Sony, etc., etc. gets hacked.

    1. Re:The users are just as much to blame... by UnknowingFool · · Score: 1

      Frankly if he worked at Amazon, PayPal, whatever, I suspect his story would still have been the same.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:The users are just as much to blame... by Culture20 · · Score: 1

      What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

      Or if malware on your iPhone bought it?

      2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

      WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

      3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

      Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

      Theres no maximum length.

      Can I use spaces?

    3. Re:The users are just as much to blame... by UnknowingFool · · Score: 1

      WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

      I think the OP is referring to a phishing attack on the username and password. For example, johnsmith@yahoo.com was compromised and Mr. Smith used the same username/password for his iTunes account (which can be reset, as the attacker now has his email password).

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      Yes, because someone who forges a credit card has no idea how to get forged ID cards. Forged ID cards are quite rare these days. Also, grocery stores these days have automated checkout lines where they do not check IDs.

      Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

      And you are sure about that how? 16 characters is much better, but my opinion is that 24 with biometrics is much better. I can be just as arbitrary in my opinion.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:The users are just as much to blame... by That+Guy+From+Mrktng · · Score: 1

      OP Here

      What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

      Or if malware on your iPhone bought it?

      Because there's so much malware on iPhones buying apps...

      How do we know that's not the case? How can you be so sure? Imagine this: some app developer found a vulnerability that would grant him access to the compromised information we are talking about. He keeps the vulnerability to himself and from time to time he checks if it's still working, buying some apps from him and his buddies. That way they manage to keep a low profile and they avoid tarnishing the "Apple Security Holiness" that would affect their core business. Yes, I know Apple reviews every single app submitted, but do they analyze each and every one with the same anal retentiveness that we have come to associate with them? I don't know, but you just can't rule out an insider either.

      Apple may be cool and whatever, but they still employ humans, carriers of that condition called "human nature". You're not going to tell people that because someone works for Apple he or she is automagically cleansed of any mischievous, criminal or antisocial traits.

      Truth is, people are still having their money taken from their wallets, and while your password politics seem right, people would like to see Apple caring a bit more, because it's not about the "volume" of people affected; it's that it can be something more serious than a simple dictionary attack or simple password recycling.

    5. Re:The users are just as much to blame... by Kalriath · · Score: 1

      No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

      The grocery store is not permitted to request your ID. The credit card company told them they aren't allowed to ask. So no, you blast your credit card company for hamstringing merchants to prevent them keeping you safe from fraud.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  5. Re:Did they have a WoW account? by meerling · · Score: 1

    And they always blame the victim, but I know of at least one time it was one of their employees looting accounts that hadn't been logged into for a while so hopefully the users wouldn't notice. Of course when he finally got caught, they kept it quiet and continued to blame the users.

    I'm not saying this is an inside job, but it's a definite possibility. (If someone was running a dictionary attack on iTunes, it would be noticed if they have even halfway competent security. And although phishing occurs, it's never a complete answer and can usually be avoided with reasonable vigilance. After all, it's not like they don't know which IP or iPhone it's going to.)

  6. Not all machines running iTunes Store have SMS by tepples · · Score: 1

    What you recommend will work only for iPhone and iPad 3G. It won't work for a Mac computer, a PC running Windows OS, an iPod touch, or an iPad with Wi-Fi, none of which can receive SMS.

    1. Re:Not all machines running iTunes Store have SMS by Viceice · · Score: 1

      Build an OTP function (Ala Google/Blizzard authenticator) into each iDevice that is ONLY eyeball readable into iTunes. The user only needs to read the field above and duplicate it in the field below as he confirms his purchase.

      --
      Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    2. Re:Not all machines running iTunes Store have SMS by CharlyFoxtrot · · Score: 1

      Why make things difficult for me because of a few hundred dumbasses ? Apple should just eat the (relatively low) cost, refund people and turn over any relevant information to the authorities.

      --
      If all else fails, immortality can always be assured by spectacular error.
    3. Re:Not all machines running iTunes Store have SMS by Kalriath · · Score: 1

      The iPad (3G) can't receive SMS either.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  7. that's interesting, but this is different by YesIAmAScript · · Score: 4, Informative

    First, iTunes cards have the number hidden on the cards in the store, you have to scratch off a coating.

    Second, with an iTunes card, you transfer the card balance into your account all at once, after that the card is completely useless. So if you can complete the transfer, the card was valid and not compromised and after you transfer the card, it doesn't matter if it was compromised, because the value is gone from the card and is in your account now. You cannot use the card to spend the value on apps, you have to have access to the account you transferred the credit into.

    What people are complaining about here is that they have a credit on their account (perhaps from one of these cards) and it is being spent out of their account. This can't be done with any kind of compromise of the gift cards themselves.

    These people's accounts have been compromised. It's unclear how that happened.

    --
    http://lkml.org/lkml/2005/8/20/95
  8. You're holding it wrong... by quetwo · · Score: 3, Funny

    Obligotory "You're holding it wrong" post.

  9. Towson Hack by Anonymous Coward · · Score: 1

    It's called the Towson Hack just google it to find out just how widespread this scam is and what Apple is doing about it... not much.

  10. Re:Same details changed in peoples accounts by Shoe+Puppet · · Score: 1

    Towson, MD, 21286-7840 (is that a real zip code?).

    Apparently, yes

    --
    (+1, Disagree)
  11. A mystery? Really? by santiagodraco · · Score: 1

    Is this really a mystery? I'm pretty sure Apple hit the nail on the head.

    For one thing every account that was hacked should have "registered" devices. Simply track the IPs of where those devices were registered and apps downloaded and you have a means to determine fraud from naught.

  12. My wife was bit by oDDmON+oUT · · Score: 4, Interesting

    She had a Paypal account tied to her iTunes account emptied of over $400.

    Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund...after nearly two months.

    Her password? It was at least eight characters, capitalization, numbers and special characters and is considered "strong" by any password assessment tool you'll find.

    I equate Apple's response to these attacks as the same Ford had to Pinto gas tanks.

    For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:My wife was bit by DogDude · · Score: 1

      It very well could have been PayPal's fault. I don't know if you've heard, but about 10 years ago, most reasonable people came to the understanding that PayPal is not a reputable company, operating as a bank, but completely unregulated.

      --
      I don't respond to AC's.
    2. Re:My wife was bit by shutdown+-p+now · · Score: 1

      She had a Paypal account tied to her iTunes account

      That sounds like a very bad idea regardless of any issues with Apple's security.

    3. Re:My wife was bit by phantomfive · · Score: 2

      Hard to say for sure, but if she used the same password on any other service that was compromised, whether she knows it or not, then it is no longer a secure password even if it's a 64 character randomly generated code. Those passwords go into a database that hackers use in brute force attacks. This could be Apple's fault, but there are other explanations for the scenarios you describe.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:My wife was bit by oDDmON+oUT · · Score: 1

      Agreed. But there again, she didn't ask me. :^D

      --
      Some days it's just not worth
      chewing through my restraints.
    5. Re:My wife was bit by oDDmON+oUT · · Score: 1

      Thanks for the 411, I'll recommend she look to change things up (though I can hear the weeping, wailing and gnashing of teeth starting in the background).

      --
      Some days it's just not worth
      chewing through my restraints.
  13. Happened to me by vitaflo · · Score: 5, Interesting

    I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt for the purchase of the app in question. When I looked online to see what the app was, it was already pulled from the App Store, but various caches online showed it was a very badly designed "game" about Chinese words with the dev being a Chinese name. At that point I knew someone had hacked my account and bought the app (yup, it was bought with credit I had on the acct).

    I brought it to the attention of Apple and they immediately disabled my account. Then asked for proof that I was who I said I was. After I did so they reenabled my account, changed my password and credited me the money.

    It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

    1. Re:Happened to me by tlhIngan · · Score: 2

      A few months ago, there was an impressively done phishing email done. I believe it was something like "Adobe Photoshop CS at the Apple Store" - it really looked legit.

      Of course, it presented you immediately with a fake Apple ID login in order to view the "special offer". It was a really-well done phishing email by someone with skill.

      There are other phishing attacks as well.

      And there are those who re-use passwords - I wonder if those complaining ever checked those online lists of accounts that were recovered by Anon or Lulzsec. Heck, perhaps it's a few accounts from the Sony PSN hack as well.

      Perhaps instead of password reminder apps and such, we should have an app that takes the site name, username and hashes it with some master password to generate a site-specific password. Passwords won't be reused because they're salted with the site name and username.
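
A deterministic scheme of the kind tlhIngan describes (site name and username mixed into a master password to yield a per-site password) can be built on a standard password KDF. The following is an added example, not code from the original post: it uses PBKDF2-HMAC-SHA256 with the normalised site and username as salt, and re-derives with a retry counter until the output satisfies the Apple ID rules quoted earlier in this thread (eight characters, a digit, an uppercase and a lowercase letter, no three identical characters in a row, not equal to the username). The rule check is my reading of that quoted list; the "not used in the past year" rule needs history and is not checked. The iteration count is an assumption.

```python
import base64
import hashlib
import re


def meets_policy(password: str, username: str) -> bool:
    """The Apple ID rules quoted in this thread, minus the password-history rule."""
    return (len(password) >= 8
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"(.)\1\1", password) is None   # no three identical in a row
            and password != username)


def derive_site_password(master: str, site: str, username: str,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Per-site password = PBKDF2-HMAC-SHA256(master, salt=site||NUL||username||retry).

    Site and username are trimmed and lowercased so 'Apple.com' and 'apple.com'
    agree; the NUL separator keeps ('ab','c') distinct from ('a','bc'). The retry
    byte is bumped until the base64 output happens to satisfy the site policy,
    which keeps the scheme deterministic for a given (master, site, username).
    """
    base_salt = f"{site.strip().lower()}\x00{username.strip().lower()}".encode()
    for retry in range(256):
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), base_salt + bytes([retry]),
                                  iterations, dklen=32)
        candidate = base64.b64encode(raw).decode()[:length]  # letters, digits, '+', '/'
        if meets_policy(candidate, username):
            return candidate
    raise ValueError("no policy-compliant derivation found")


if __name__ == "__main__":
    master = "correct horse battery staple"  # the only thing the user memorises
    for site in ("apple.com", "ebay.com", "paypal.com"):
        print(site, derive_site_password(master, site, "alice@example.com"))
```

Two caveats a practitioner should weigh against a stored-vault manager: the site password cannot be rotated after a breach without changing the master (or adding a per-site counter the user must remember), and every site's password is derivable from the single master, so a phished master is a total loss rather than a single-site one.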

  14. This happened to me by ShanghaiBill · · Score: 1

    This happened to me. There were a lot of mysterious charges for apps that neither I nor my wife purchased. It turns out that my wife forgot that she had given the password to our teenage daughter.

  15. Credit card info changed by gnasher719 · · Score: 1

    Here's a weird thing: Some people posted that their credit card info has been changed. So I think the following could happen: Crook hacks into my iTunes account. Crook also has a stolen credit card. He changes the credit card info to the stolen credit card. He then uses my account with the stolen credit card to buy stuff; the money probably goes to some associate of the crook. I don't notice unless I check my iTunes account because _my_ credit card is not affected. Still bizarre.

  16. Not. A. Hack. by Anubis+IV · · Score: 2

    This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

  17. Hate passwords! by rueger · · Score: 1
    The biggest challenge to getting people to use longer/better passwords is that no two sites have the same requirements. Off the top of my head my various log-ons require:
    • six characters or more
    • eight characters or more
    • No more than eight characters
    • at least one number
    • any combination of numbers or letters
    • at least one special character
    • no special characters
    • at least one uppercase character
    • at least one uppercase character, one number, and one special character
    • none of the above
    • all of the above
    • random questions about the name of my first pet

    All of this drives me mad - I can't imagine what it does to Joe User. I basically try random variations on passwords I know I've used, then click on "Forgot Password."

    This whole system is seriously broken.

    1. Re:Hate passwords! by rueger · · Score: 1
      More to the point, when we had one or two log-ins to remember, passwords made sense, but today I have log-ins for:
      • cell phone
      • home phone
      • desktop
      • laptop
      • bank web site
      • at least ten shopping web sites
      • at least ten sites like slashdot
      • at least ten user forums
      • ATM PINs
      • Credit Card PINs
      • PINs for three utility companies
      • Student card #s and log-in PINs
      • Library card and PIN
      • the secret number to reset my car radio if the battery is disconnected

      And a dozen other "use them once a year and then forget them" log ins for government sites etc.

  18. Re:apple should come out of the "no clothes" close by stewbacca · · Score: 1

    I can only guess English is not your first language, or you are of the texting generation.

  19. Re:Did they have a WoW account? by gnasher719 · · Score: 1

    (If someone was running a dictionary attack on Itunes, it would noticed if they have even halfway competent security.

    Let's say one in 10,000 users uses "123456" as their password. That means trying to login with a random Apple ID and the password "123456" has a one in 10,000 chance to succeed. Now let's say we have a list of the top 100 passwords used by idiots. A botnet could perform 10,000 login attempts per day (every time a different account, and a different one of the top 100 passwords) and crack one account per day. That would be very, very hard to notice.
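
The arithmetic in this post and in gnasher719's earlier one (one hundred weak passwords used by two percent of accounts gives one success per 5,000 guesses), and Roogna's point that a three-strike lockout does nothing against one guess per account, describe password spraying: the attacker rotates accounts rather than passwords, so per-account lockouts never trip. The following is an added example, not code from any poster or from Apple: it computes the expected yield under that model, then runs two detectors over a constructed auth log (a hypothetical format, not Apple's; passwords are never logged). The first catches a single source failing against many accounts; the second covers the botnet case where every source touches only one account, by counting distinct failing accounts per time window against a baseline. The thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone


def spray_success_probability(fraction_using_list: float, list_size: int) -> float:
    """P(success) for one guess of a random list password against a random account,
    assuming users with a listed password are spread evenly over the list."""
    return fraction_using_list / list_size


def expected_compromises(attempts: int, fraction_using_list: float, list_size: int) -> float:
    """Expected number of accounts opened by `attempts` such guesses."""
    return attempts * spray_success_probability(fraction_using_list, list_size)


# Constructed log format for this example: timestamps are taken as UTC.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

SAMPLE_LOG = """\
2011-09-10T12:00:01 auth user=alice@example.com src=192.0.2.10 result=ok
2011-09-10T12:00:05 auth user=bob@example.com src=192.0.2.11 result=fail
2011-09-10T12:00:09 auth user=bob@example.com src=192.0.2.11 result=ok
2011-09-10T12:01:00 auth user=u01@example.com src=198.51.100.7 result=fail
2011-09-10T12:01:02 auth user=u02@example.com src=198.51.100.7 result=fail
2011-09-10T12:01:04 auth user=u03@example.com src=198.51.100.7 result=fail
2011-09-10T12:01:06 auth user=u04@example.com src=198.51.100.7 result=fail
2011-09-10T12:01:08 auth user=u05@example.com src=198.51.100.7 result=ok
2011-09-10T12:10:00 auth user=v01@example.com src=203.0.113.1 result=fail
2011-09-10T12:20:00 auth user=v02@example.com src=203.0.113.2 result=fail
2011-09-10T12:30:00 auth user=v03@example.com src=203.0.113.3 result=fail
2011-09-10T12:40:00 auth user=v04@example.com src=203.0.113.4 result=fail
2011-09-10T12:50:00 auth user=v05@example.com src=203.0.113.5 result=fail
"""


def parse_auth_log(text: str) -> list:
    """Parse log lines into dicts with a timezone-aware `ts`; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def detect_spray_by_source(events: list, min_accounts: int = 4, lockout_threshold: int = 3) -> dict:
    """Flag sources whose failures are spread thinly over many accounts.

    No account reaches `lockout_threshold` failures, so per-account lockout stays
    silent; the tell is one source failing against many different accounts.
    Returns {src: number_of_distinct_accounts_failed}.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]][e["user"]] += 1
    return {src: len(users) for src, users in fails.items()
            if len(users) >= min_accounts and max(users.values()) < lockout_threshold}


def detect_distributed_spray(events: list, window_seconds: int = 3600, baseline_accounts: int = 6) -> dict:
    """Botnet case: each source touches one account, so per-source counting sees nothing.

    Count distinct accounts with at least one failure per time window and alert
    when that exceeds the site's normal baseline. Returns {window_start_iso: count}.
    """
    per_window = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            bucket = int(e["ts"].timestamp()) // window_seconds * window_seconds
            per_window[bucket].add(e["user"])
    return {datetime.fromtimestamp(b, timezone.utc).isoformat(): len(users)
            for b, users in per_window.items() if len(users) > baseline_accounts}


if __name__ == "__main__":
    print("expected hits per 10,000 guesses (2% on a 100-entry list):",
          expected_compromises(10_000, 0.02, 100))
    events = parse_auth_log(SAMPLE_LOG)
    print("single-source spray:", detect_spray_by_source(events))
    print("distributed spray:", detect_distributed_spray(events))
```

The baseline for the distributed detector is the only hard part in practice: it has to be learned from normal traffic (and the number of single-failure accounts per hour on a service with hundreds of millions of users is large), which is why a spray kept to one account per bot and a few hundred attempts a day is, as the poster says, very hard to see.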

  20. Possible Solution by AmberBlackCat · · Score: 2

    I'm thinking they could make this a much smaller problem if all apps have a refund policy. If you notice an app has been purchased that you didn't want, you have time to notice the problem, undo the purchase, and change your password if you suspect the purchase was made without your permission. Of course the 15 minutes you get from the Android market would be inadequate. But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

    1. Re:Possible Solution by rdnetto · · Score: 1

      But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

      The problem is that a $1 app isn't going to give you even a week's worth of entertainment. The refund period has to be less than the period for which the app is useful/entertaining. A month refund period only makes sense for purchases a few orders of magnitude higher than that. Otherwise, you need a decent method of distinguishing between people who have been hacked/scammed and people who just got bored with the app. Even if the app were to phone home on installation with a device specific ID, it would be too easy for that ID to be modified on a rooted device.

      --
      Most human behaviour can be explained in terms of identity.
    2. Re:Possible Solution by AmberBlackCat · · Score: 1

      I see a few things going on here. One is you're saying a $1 app isn't going to be worth its price for 30 days. Others are basically saying the same thing, that people will finish or become bored within the 30-day period, and app developers would be bankrupted by returned apps.

      There are games, such as Pac-Man, Frogger, Super Mario Bros. and Tetris, that people have been playing for 20 or 30 years. If a game can't even remain fun for 30 days, I personally think the customer deserves a refund.

      Also, possibly the most popular game for any tablet or Android device is Angry Birds. Its price is $1, and people play it addictively every day. They could probably survive a 30-day return policy. The makers of Bejeweled could also survive it.

      I don't think people's ability to return apps would be a problem. I think a refund policy, that exploits people's impulse buying habits and inability to assess the value of an app in 15 minutes, is a problem.

    3. Re:Possible Solution by rdnetto · · Score: 1

      Those games are well known specifically because they're outliers. The majority of games can't sustain that level of entertainment. This would result in a substantial decrease in the number of games available in the app store. Because the app store's revenue is a proportion of the total value (qty*cost) of apps sold, a decrease in the number of games available would reduce their revenue. Furthermore, the decrease in revenue would result in an increase in the market fees, increasing the cost of the apps.

      Additionally, if only high quality apps were available, the cost of the apps would be higher. Angry Birds sells for $1 because most of the apps sell at $1. The price most people are willing to pay is determined by the expected (average) value of an app. If you increase the average value of all apps, then the cost will also increase.

      I'm not saying that it shouldn't be the way you're saying - raising the overall quality of the app store would benefit the entire platform. I'm just saying that the reduction in purchases/revenue (caused by the increase in cost) wouldn't justify it, from Apple/Google's perspective.

      --
      Most human behaviour can be explained in terms of identity.
  21. 700 posts... by smash · · Score: 1

    ... out of the few hundred million iTunes users?

    I thought more people synced iDevices to Windows than that. My bet is that it is either shitty passwords, or crappy old Windows XP machines that have been compromised.

    Maybe even people who had their password compromised by the Sony hack(s) a while ago, and use the same email/password on iTunes.

    Nothing to see here, move along.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  22. I think it's stupid people by Nyder · · Score: 2

    I have this friend, and he is, well stupid like most people.

    So, we are going to do some Free 2 Play games, and one of the websites wants your email address as your login name (which is becoming very popular).

    So when it comes to password, he says to me, why do they want my email address password?

    I'm like, "WTF? No, they want you to make a new password for this account that is using your email address as your login name."

    Needless to say, it took me like 5 mins to explain it to him. And he's not that computer stupid (though close).

    So no, it doesn't surprise me that people use weak passwords, or will put in the wrong type of info (like your iTunes account password) on websites that aren't iTunes.

    --
    Be seeing you...
  23. Stop using the same password everywhere by The+Other+White+Meat · · Score: 1

    If you create an account on a website, and you give them your email address, and you use the same password that you use for email, guess what you've given them access to?

    Same goes for your Apple ID. If Apple ID = email, and you use the same password, you've given them access to your email AND to your Apple account. ...and probably a dozen other websites, like PayPal, eBay, etc.

    --
    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
  24. One thing Apple could do by gullevek · · Score: 1

    Would be to confirm first purchases on a new iDevice. A confirmation mail to your email address where you have to confirm that it is really you and not someone else.

    --
    "Freedom is always also the freedom of those who think differently" - Rosa Luxemburg, 1871 - 1919
    1. Re:One thing Apple could do by AdrianKemp · · Score: 1

      First: the problem isn't new devices, it's ones that are already in use.

      Second: Apple does everything reasonable to keep the users safe, including requiring new devices accessing an Apple ID to reconfirm credit information (by re-inputting some parts of it).

      As has been said, people are retards. When you have 200 million retards together, 700 getting screwed is LOW. The fact that the number isn't more like 7 million means Apple's system is staggeringly good.

    2. Re:One thing Apple could do by gullevek · · Score: 1

      It is new devices. New in the sense "first time purchase from a different iDevice".

      I had a similar problem; if Apple had let me confirm that this new device was mine, they could have avoided the service hours spent restoring my account.

      --
      "Freedom is always also the freedom of those who think differently" - Rosa Luxemburg, 1871 - 1919
  25. Re:Windows? by konohitowa · · Score: 1

    Man, that must be a little bubble if you don't know any Windows users with iPhones. Unless you're saying that not one of them used iTunes to activate their phones or that those that did immediately followed this up by uninstalling iTunes. Both are possible, but seem unlikely to me.

  26. Re:Windows? by Osgeld · · Score: 1

    I only know one iPhone user, and her son set it up for her; I don't know what arrangement that took. But everyone else I know with a smartphone has an Android product; the little local cellphone providers out here in the sticks give them away like flip-phones (and nail you on overages).

  27. Re:Windows? by konohitowa · · Score: 1

    Wow. Okay, scratch my sarcasm. It really is a small bubble. So no iPod users on Windows either? Some of them don't mount as flash drives so you're stuck with iTunes (at least from a practical standpoint – there are workarounds but Windows users are less likely than Linux users to hunt them down).

  28. Re:Windows? by Osgeld · · Score: 1

    Yes, believe it or not, there are people who do not have to have Apple jammed up their ass for every little thing, and there are plenty of other ways to carry music outside of an iPod or iTunes.

    Why is this so difficult to comprehend?

  29. Re:Windows? by konohitowa · · Score: 1

    You know what's difficult to comprehend? Well over 200 million iPods have been sold and you're claiming that you don't know anyone that has iTunes installed on Windows. And now you're making it sound as if you don't even know anyone with an iPod. Either you really are extremely limited in your knowledge of or interactions with other people, or you were just talking smack and have gotten all pissy because you got called on it. After that "Apple jammed up their ass" comment, I suspect the latter.