Slashdot Mirror


Mystery of Vanishing iTunes Credit Shows No Sign of Fading

E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."

25 of 195 comments

  1. Great by Antisyzygy · · Score: 2, Insightful

    Apple should really look into this more, rather than just passing off the blame. Typical.

    --
    That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    1. Re:Great by DurendalMac · · Score: 4, Insightful

      We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

    2. Re:Great by iamhassi · · Score: 5, Interesting

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to who blamed their kids/husband/wife/etc., or didn't even notice, or didn't even find the forum.

      If you read the article, every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers, since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

      Apple should do more than just issue refunds; by ignoring this it only encourages them to become more bold. And they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases.

      --
      my karma will be here long after I'm gone
    3. Re:Great by shoehornjob · · Score: 2

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      Thank you. They need to enforce better password standards.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    4. Re:Great by brusk · · Score: 5, Interesting

      After all, why buy random apps if you can't use them? They will be tied to the owner's phone.

      No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

      --
      .sig withheld by request
    5. Re:Great by CharlyFoxtrot · · Score: 2

      Why doesn't the customer get email receipts when the transaction happens?

      You do get a receipt normally; however, since the accounts were compromised and personal details altered (according to the thread), that confirmation could've been sent elsewhere. Some people do report getting receipts and being informed that way that something was going on. This is all on the first page of the linked Apple support discussion.

      And why can't Apple figure out which device downloaded the app to provide that information to law enforcement?

      You want Apple to track their customers? Yeah, that'll go over great with the paranoid Slashdot crowd.

      --
      If all else fails, immortality can always be assured by spectacular error.
    6. Re:Great by guruevi · · Score: 2

      Did you ever enforce minimum security standard passwords? First, if you just add some complexity (e.g. require digits or mixed case), they'll just use the same password and change or add one character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or, worse, on sticky notes or digital sticky notes that are always open.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:Great by gnasher719 · · Score: 2

      Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

      Combine something that is easy to remember with a random sequence that you have to write down and pin to your monitor. Remote attack fails because of the random sequence, looking at the paper fails because the person looking is not an experienced hacker and doesn't know the "easy to remember" bit.

      And even if an experienced hacker knew the random sequence, at least attacks using rainbow tables would now fail.

    8. Re:Great by zippthorne · · Score: 2

      They do, but they have a stupid definition of "minimum security":

      it's some small number of characters, at least one of which must be a number.

      This is not a terribly onerous policy*, but iPods' screen keyboards do not have a number row. You have to switch to another page to input numbers, so people with iPods are going to tend to pick a specific subset of passwords with numbers - ones where all the numbers are together at either the beginning or the end.

      I think that this may result in passwords that are actually less secure than the same length of just letters, even....

      *although, until you start getting into 20+ char passwords, it turns out that adding one more character to the minimum length improves security by more than adding 10 more glyphs to the character pool....

      What they should do is enforce a minimum password *strength*, and generate several passwords using pre-defined rules which you can pick from (and which have been researched, so assuming random generation, their strength can be calculated), rather like the keychain works, actually...

      --
      Can you be Even More Awesome?!
    9. Re:Great by CharlyFoxtrot · · Score: 3, Insightful

      Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

      This is the password policy, pretty standard stuff:

      "When changing your password, your new Apple ID password should:

      Be at least eight characters.
      Contain at least one number (0-9).
      Contain at least one uppercase letter (A-Z).
      Contain at least one lowercase letter (a-z).
      Not contain three consecutive identical characters.
      Not have been used in the past year.
      Not be the same as your Apple ID username."

      That's also what is shown when trying to change your iTunes password (just tried it). I know for a fact, though, that it hasn't always been this strict, because my password (which I've had for years now) doesn't conform to the policy.

      --
      If all else fails, immortality can always be assured by spectacular error.
    10. Re:Great by zill · · Score: 2

      We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.

    11. Re:Great by iamhassi · · Score: 5, Insightful

      A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post. Imagine how many people this might have happened to who blamed their kids/husband/wife/etc., or didn't even notice, or didn't even find the forum.

      Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

      I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

      How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 million dollars.... wow, but hey, the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?

      --
      my karma will be here long after I'm gone
    12. Re:Great by Belial6 · · Score: 2

      That's actually a pretty good solution. It still doesn't solve the problem of having dozens of passwords, though. I know that I have at least a hundred different passwords. I used to use a "Doesn't matter", "low security", "high security", "REALLY high security" set so that I could remember my 4 passwords, and didn't have to worry that the video game forum I posted to one time a couple of years ago was going to have an admin that was going to clean out my bank account.

      The problem is that once enough sites and services had enforced enough different name requirements on me that I couldn't remember all of my passwords, I had no choice but to write them down. Since I sometimes need them when I am out and about, I had to keep them in a digital form. This seems like a bigger risk than my previous method.

  2. Weak passwords?! by NFN_NLN · · Score: 4, Insightful

    Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

    Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

    1. Re:Weak passwords?! by Antisyzygy · · Score: 4, Funny

      That would infringe on people's desire to have passwords like "cats" or "1234".

      --
      That brings me to an interesting point, / . is just "the ramblings of socially-inept, technology-literate news-mongers".
    2. Re:Weak passwords?! by Anonymous Coward · · Score: 5, Informative

      There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

      Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your apple ID, or a password you've used in the last year.

      The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

  3. that's interesting, but this is different by YesIAmAScript · · Score: 4, Informative

    First, iTunes cards have the number hidden on the cards in the store, you have to scratch off a coating.

    Second, with an iTunes card, you transfer the card balance into your account all at once, after that the card is completely useless. So if you can complete the transfer, the card was valid and not compromised and after you transfer the card, it doesn't matter if it was compromised, because the value is gone from the card and is in your account now. You cannot use the card to spend the value on apps, you have to have access to the account you transferred the credit into.

    What people are complaining about here is that they have a credit on their account (perhaps from one of these cards) and it is being spent out of their account. This can't be done with any kind of compromise of the gift cards themselves.

    These people's accounts have been compromised. It's unclear how that happened.

    --
    http://lkml.org/lkml/2005/8/20/95
  4. You're holding it wrong... by quetwo · · Score: 3, Funny

    Obligatory "You're holding it wrong" post.

  5. My wife was bit by oDDmON+oUT · · Score: 4, Interesting

    She had a PayPal account tied to her iTunes account emptied of over $400.

    Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund...after nearly two months.

    Her password? It was at least eight characters, with capitalization, numbers and special characters, and is considered "strong" by any password assessment tool you'll find.

    I equate Apple's response to these attacks with the response Ford had to Pinto gas tanks.

    For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

    --
    Some days it's just not worth
    chewing through my restraints.
    1. Re:My wife was bit by phantomfive · · Score: 2

      Hard to say for sure, but if she used the same password on any other service that was compromised, whether she knows it or not, then it is no longer a secure password even if it's a 64 character randomly generated code. Those passwords go into a database that hackers use in brute force attacks. This could be Apple's fault, but there are other explanations for the scenarios you describe.

      --
      "First they came for the slanderers and i said nothing."
  6. Happened to me by vitaflo · · Score: 5, Interesting

    I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt for the purchase of the app in question. When I looked online to see what the app was, it was already pulled from the App Store, but various caches online showed it was a very badly designed "game" about Chinese words, with the dev having a Chinese name. At that point I knew someone had hacked my account and bought the app (yup, it was bought with credit I had on the acct).

    I brought it to the attention of Apple and they immediately disabled my account. They then asked for proof that I was who I said I was. After I did so they re-enabled my account, changed my password and credited me the money.

    It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

    1. Re:Happened to me by tlhIngan · · Score: 2

      A few months ago, there was an impressively done phishing email. I believe it was something like "Adobe Photoshop CS at the Apple Store" - it really looked legit.

      Of course, it presented you immediately with a fake Apple ID login in order to view the "special offer". It was a really well done phishing email by someone with skill.

      There are other phishing attacks as well.

      And there are those who re-use passwords - I wonder if those complaining ever checked those online lists of accounts that were recovered by Anon or Lulzsec. Heck, perhaps it's a few accounts from the Sony PSN hack as well.

      Perhaps instead of password reminder apps and such, we should have an app that takes the site name, username and hashes it with some master password to generate a site-specific password. Passwords won't be reused because they're salted with the site name and username.
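      The site-specific password scheme proposed in the comment above, checked against the Apple ID password policy CharlyFoxtrot quoted earlier in the thread, as an added example that is not code from the original page or from Apple. The master secret, site name and username are constructed sample values, and the "not used in the past year" rule is left out because it needs a password history.

```python
"""Derive a per-site password from one master secret (site name and username as
salt) and check it against the quoted Apple ID policy. Constructed example."""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, no spaces
_LIMIT = 256 - (256 % len(ALPHABET))             # 248: reject larger bytes to avoid modulo bias


def meets_policy(pw: str, apple_id: str = "") -> bool:
    """Length >= 8, a digit, an upper- and a lower-case letter, no character
    three times in a row, no spaces, not equal to the Apple ID. The 'not used
    in the past year' rule needs a password history and is not modelled."""
    if len(pw) < 8 or " " in pw:
        return False
    if not (any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)):
        return False
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        return False
    return not (apple_id and pw.lower() == apple_id.lower())


def _byte_stream(key: bytes):
    """Expand a derived key into an unbounded byte stream (HMAC in counter mode)."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def derive_site_password(master: str, site: str, username: str, length: int = 16) -> str:
    """Site and username are the salt, so one master secret yields an unrelated
    password per site; PBKDF2 slows offline guessing of the master secret."""
    salt = f"{site.lower()}\x00{username.lower()}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)
    stream = _byte_stream(key)
    for _ in range(64):  # deterministic retries until a candidate passes the policy
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < _LIMIT:  # rejection sampling keeps every symbol equally likely
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if meets_policy(candidate, username):
            return candidate
    raise RuntimeError("no policy-compliant candidate found")  # practically unreachable


if __name__ == "__main__":
    # Constructed sample values; a real master secret would be long and private.
    pw = derive_site_password("correct horse battery staple", "itunes.apple.com", "alice@example.com")
    print(pw, meets_policy(pw, "alice@example.com"))
```

      Because the derivation is deterministic, the same master secret, site and username always give the same password, while changing any one of them gives an unrelated one.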

  7. Not. A. Hack. by Anubis+IV · · Score: 2

    This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

  8. Possible Solution by AmberBlackCat · · Score: 2

    I'm thinking they could make this a much smaller problem if all apps have a refund policy. If you notice an app has been purchased that you didn't want, you have time to notice the problem, undo the purchase, and change your password if you suspect the purchase was made without your permission. Of course the 15 minutes you get from the Android market would be inadequate. But a real refund policy, such as a 30-day policy, would do the job. Anybody who actually pays attention to their bank account probably looks at it at least once per month.

  9. I think it's stupid people by Nyder · · Score: 2

    I have this friend, and he is, well, stupid like most people.

    So, we are going to play some Free 2 Play games, and one of the websites wants your email address as your login name (which is becoming very popular).

    So when it comes to the password, he says to me, "Why do they want my email address password?"

    I'm like, "WTF? No, they want you to make a new password for this account that is using your email address as your login name."

    Needless to say, it took me like 5 mins to explain it to him. And he's not that computer stupid (though close).

    So no, it doesn't surprise me that people use weak passwords, or will put in the wrong type of info (like your iTunes account password) on websites that aren't iTunes.

    --
    Be seeing you...