
iTunes Gift Card Key System Cracked, Exploited

kdawson posted more than 5 years ago | from the poisoning-the-currency dept.


moonbender writes "Fake but working iTunes gift cards are being sold on Chinese auction sites for a fraction of their value: 'The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service. Half a year ago, when they started the business, the price was around 320 RMB [about $47] for [a] $200 card, then more people went into this business and the price went all the way down to 18 RMB [about $2.60] per card, "but we make more money as the amount of customers is growing rapidly."' The people at Chinese market researcher Outdustry have apparently confirmed this by buying a coupon and transferring it into an iTunes account. Oops."


BitTorrent (5, Insightful)

MrEricSir (398214) | more than 5 years ago | (#27141693)

It's still easier to use BitTorrent.

Re:BitTorrent (0, Informative)

Anonymous Coward | more than 5 years ago | (#27141967)

Not everything on iTunes is on BitTorrent or the like.

Re:BitTorrent (5, Funny)

aliquis (678370) | more than 5 years ago | (#27142093)

No, even more is on bittorrent and the like ...

Re:BitTorrent (3, Insightful)

Colonel Korn (1258968) | more than 5 years ago | (#27142865)

And torrents tend to be of much higher quality than iTunes tracks.

Re:BitTorrent (5, Insightful)

Shakrai (717556) | more than 5 years ago | (#27142131)

It's still easier to use BitTorrent.

It's probably safer too. Bittorrent is going to be a civil matter. Exploiting a hole in Apple's POS system to get free stuff probably qualifies as fraud and would bring criminal charges.

Random thought: Reminds me of the old days when you could create credit card "numbers" that weren't actually valid but passed the checksum test and use them to create AOL accounts. Kind of surprised that Apple wouldn't know better.
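The AOL-era trick Shakrai describes, as an added illustration that is not part of any post in this thread: the Luhn mod-10 check that card numbers carry is a typo detector, not a secret, so anyone can produce "numbers" that pass it. The constructed `ISSUED` set stands in for the issuer's real database; the only check that proves a number was actually issued is the lookup.

```python
import random
from typing import Optional

# Added illustration (not from any poster): the Luhn check that card numbers
# satisfy, and why passing it proves nothing about whether a number was issued.

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Compute the check digit that makes payload + digit pass luhn_valid."""
    total = 0
    for i, c in enumerate(reversed(payload)):
        d = int(c)
        if i % 2 == 0:          # the check digit will occupy position 0, so these get doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def make_passing_number(prefix: str, length: int = 16,
                        rng: Optional[random.Random] = None) -> str:
    """Generate a number with the given prefix that passes Luhn.
    This is all a 'generator' has to do when the check is public: no secret needed."""
    rng = rng or random.Random()
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)

# Constructed stand-in for the issuer's database of numbers it actually handed out.
ISSUED = {"4532015112830366"}

def accepted_by_checksum_only(number: str) -> bool:
    """The weak acceptance test: anything self-consistent gets through."""
    return luhn_valid(number)

def accepted_by_issuer_lookup(number: str) -> bool:
    """The strong one: the check digit only filters typos; the database decides."""
    return luhn_valid(number) and number in ISSUED

if __name__ == "__main__":
    fake = make_passing_number("4532", rng=random.Random(7))
    print(fake, accepted_by_checksum_only(fake), accepted_by_issuer_lookup(fake))
```

The same split applies to gift codes: a purely algorithmic check (checksum, or a hash with no secret behind it) is reproducible by anyone who learns the algorithm, whereas a database of issued and redeemed identifiers cannot be "keygen'd".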

Re:BitTorrent (3, Funny)

tacarat (696339) | more than 5 years ago | (#27142525)

Random thought: Reminds me of the old days when you could create credit card "numbers" that weren't actually valid but passed the checksum test and use them to create AOL accounts. Kind of surprised that Apple wouldn't know better.

But the vendor said it was foolproof!

Re:BitTorrent (3, Funny)

shemp42 (1406965) | more than 5 years ago | (#27142539)

Anyone translate for me? I need about 20 of these cards.

Re:BitTorrent (1)

DamnStupidElf (649844) | more than 5 years ago | (#27142825)

AOL caught on eventually. Compuserve never did, that I'm aware of. Free trials aplenty with a valid check digit.

Re:BitTorrent (4, Interesting)

earlymon (1116185) | more than 5 years ago | (#27142391)

It's still easier to use BitTorrent.

I have no clue, access to BitTorrent, behind the Great Firewall of China. But from what I've read (horror stories) about net activities being traced and questioned, I'd use an illegal Apple Store access rather than BitTorrent.

"Yes, Comrade Prosecutor - tell me what I did wrong ripping off the imperialists," sounds like a better defense than, "I promise I wasn't looking at porn."

Never reward Behavior A and hope for Behavior B.

And You Wonder Why Amazon MP3 Only Works in the US (5, Insightful)

eldavojohn (898314) | more than 5 years ago | (#27141705)

"but we make more money as the amount of customers is growing rapidly."

Brilliant business model there, Taobao. I used to feel bad that Amazon's MP3 Service only worked inside the United States but now it's pretty clear: I doubt Apple will have much luck prosecuting anyone in this case whereas it would have been different had it happened on American soil.

I'm sure the Chinese government will help protect Apple's ... hahahaha sorry, couldn't quite say that with a straight face. Seriously, we must look like ripe-for-the-picking rubes to places like China. They're sitting there with free copies of Vista, Adobe Suites and now cheap "legal" music. I guess it will forever remain a mystery to them why their nation isn't home to prosperous software & music industries while the status quo is free for the taking with no repercussions.

Re:And You Wonder Why Amazon MP3 Only Works in the (4, Funny)

Anonymous Coward | more than 5 years ago | (#27141891)

The real comedy will happen when someone in China actually comes up with some IP that they want to make a buck off of. Hopefully an entire cottage industry will pop up in the rest of the world that's devoted to doing nothing but cranking out copies of whatever it is that China suddenly values, and even more hopefully that cottage industry will be named "Fuck You Chinaman, Inc.!"

Re:And You Wonder Why Amazon MP3 Only Works in the (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27142069)

Personally, I think that will become the downfall of our country.

Our main products that we're making here are things that can be easily recreated at no cost. Sure, we've got laws that attempt to stop it, but many places don't.

We've shipped most of our jobs making actual products overseas. And we wonder why China is becoming so powerful? They're making physical goods, and freely recreating our virtual goods.

Re:And You Wonder Why Amazon MP3 Only Works in the (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#27142211)

Americans and Europeans contribute to the economic downfall of Western Civilization every time they purchase a product made in the third world.

Re:And You Wonder Why Amazon MP3 Only Works in the (0)

Anonymous Coward | more than 5 years ago | (#27142309)

Honestly though, what other choice do you have in most situations? Even many of the high end products now are made in third world countries. Many parts for American cars are built in other countries, even many of the cars are assembled in Mexico now. Japanese cars are often made here, but are assembled using parts made in a foreign country. It's the same situation for almost all electronics.

Re:And You Wonder Why Amazon MP3 Only Works in the (0, Flamebait)

Colonel Korn (1258968) | more than 5 years ago | (#27142883)

Honestly though, what other choice do you have in most situations? Even many of the high end products now are made in third world countries. Many parts for American cars are built in other countries, even many of the cars are assembled in Mexico now. Japanese cars are often made here, but are assembled using parts made in a foreign country. It's the same situation for almost all electronics.

In a lot of cases, with research, you can actually choose where your goods are made. Sometimes it means they're of much higher quality, too. Other times (LCD televisions, for example) it means you get a mid-range product instead of the more fully featured version made in Korea.

Re:And You Wonder Why Amazon MP3 Only Works in the (2, Insightful)

complete loony (663508) | more than 5 years ago | (#27142355)

Why prosecute? If you can identify the illegitimate cards, you can revoke the license to all the downloaded music. Isn't this what DRM is for?

DRM free itunes. (2, Insightful)

Capt.DrumkenBum (1173011) | more than 5 years ago | (#27142481)

I believe itunes is DRM free as of Jan 6/09
http://apple.slashdot.org/article.pl?sid=09/01/06/1840225 [slashdot.org]

Re:DRM free itunes. (0)

Anonymous Coward | more than 5 years ago | (#27142609)

joy. Now the RIAA can point at this and say: This is why we need DRM!!!1

captcha: Bondage

Re:And You Wonder Why Amazon MP3 Only Works in the (2, Interesting)

Cajun Hell (725246) | more than 5 years ago | (#27142575)

If you can identify the illegitimate cards

..then you can just make them not good for payment, instead of dealing with it at the DRM level.

"No tunes for you!" is better than "Broken tunes for you!"

Re:And You Wonder Why Amazon MP3 Only Works in the (5, Informative)

tacarat (696339) | more than 5 years ago | (#27142639)

You can't identify the illegitimate cards. Each individual card isn't kept track of. The bar code on each of them is more like the answer to a math problem. If you know how to solve the problem, you get in, no questions asked. The only thing they can do is change the math problem and eventually get rid of the old one as a valid question to answer.

Re:And You Wonder Why Amazon MP3 Only Works in the (2, Interesting)

neil-ngc (1019290) | more than 5 years ago | (#27142383)

I guess it probably depends on how valuable Apple's manufacturing business is to China. I'm willing to bet that iPods, laptops and pretty much every other physical item in Apple's line is significant enough for them to pay attention. Some people might get disappeared.

But really, maybe Apple has learned a lesson here. Don't just validate cards using an algorithm. Keep track of which numbers you've sold, same as a credit card issuer.

Re:And You Wonder Why Amazon MP3 Only Works in the (3, Informative)

SectoidRandom (87023) | more than 5 years ago | (#27142597)

When it comes to international copyright it is no surprise to me that across borders people are far less inclined to respect copyright laws of another country.

It reminds me of something that I read once that stated that back in the 19th century, before the US had established its own home-grown authors and publishing industry, it was commonplace for Americans to simply copy and republish without consent the work of European authors and publishers. That was of course despite the constant complaints of European publishers and governments.

Of course eventually the US publishers had grown to a position where they themselves realized that they needed copyright in order to continue growing with the now booming local literature scene, hence the "true" birth of enforced US copyright.

(History repeating itself. Hmm, now how often does *that* ever happen - sarcasm)

Unfortunately I have no original sources to this 'tale', I would appreciate if anyone can either confirm or deny this with some evidence, as it is such a compelling story I would like to believe that it is true!

Re:And You Wonder Why Amazon MP3 Only Works in the (3, Informative)

mean pun (717227) | more than 5 years ago | (#27142679)

Isabella Bird, in her book The Englishwoman in America (1856), mentions this copying casually, as something everyone knows.

Re:And You Wonder Why Amazon MP3 Only Works in the (2, Interesting)

Zerth (26112) | more than 5 years ago | (#27142769)

The US only recognized domestic copyrights until 1891. Prior to that, foreign works were considered public domain. Mark Twain became a US citizen to protect his writings and lobbied for the International Copyright Act.

http://en.wikipedia.org/wiki/International_Copyright_Act_of_1891 [wikipedia.org]

Re:And You Wonder Why Amazon MP3 Only Works in the (5, Interesting)

porges (58715) | more than 5 years ago | (#27142821)

Gilbert and Sullivan had a big problem with this; people would come to their London openings, write down as much of the words and music as they could, take the boat to America, and put on knock-off productions. For this reason, The Pirates (!) of Penzance premiered in New York, not London.

China: One big Black Hole (3, Informative)

NineNine (235196) | more than 5 years ago | (#27142709)

If the Chinese government doesn't start some kind of law enforcement, China is going to be a giant Black Hole. Blacklisting IP blocks from Chinese ISPs is the best thing I've ever done in terms of spam and malware control.

Re:And You Wonder Why Amazon MP3 Only Works in the (2, Interesting)

citizenr (871508) | more than 5 years ago | (#27143025)

I guess it will forever remain a mystery to them why their nation isn't home to prosperous software

WHAT?
Guess who wrote code that runs on your Digital Picture Frame, your Camcorder, mp3 player, or your big screen LCD TV.
Maybe you missed the story about 'Shanzai'?
http://hardware.slashdot.org/article.pl?sid=09/02/27/049245&from=rss [slashdot.org]

Wanna know how Chinese are able to go from design on a napkin to working product ready to ship in ONE month? They share, rip, mash-up, copy.
Here is one of the sites used by Chinese Engineers/Developers to share brainpower
http://www.pudn.com/ [pudn.com]

There is no value in producing IP without a product, IP alone is worth zero. Chinese recognized it long ago.

hmmm (2, Funny)

Em Emalb (452530) | more than 5 years ago | (#27141725)

use safari on your iPhone to buy the fake iTunes card.

It's like curb stomping apple after you kick them in the nuts.

More seriously, there's a good chance that if Apple does decide to change their key system that a lot of legitimate iTunes cards are gonna be rendered worthless.

And that would suck.

Heh (5, Funny)

Jon.Laslow (809215) | more than 5 years ago | (#27141795)

No, kicking Apple in the nuts would be buying a fake iTunes card using MyFox on a jailbroken, unlocked iPhone 3G using a different carrier than the one the phone was sold from/for.

Re:Heh (5, Funny)

Em Emalb (452530) | more than 5 years ago | (#27141841)

Nah, that would be feeding them to pigs after cutting them up with a chainsaw after paper cutting them to death after making them watch Mike Tyson eat their children. :-D

Re:Heh (5, Funny)

Mordok-DestroyerOfWo (1000167) | more than 5 years ago | (#27141943)

I can't find the +1 "Dear Lord please don't let me have nightmares about that tonight!" mod.

Re:Heh (3, Insightful)

Henriok (6762) | more than 5 years ago | (#27142367)

Apple would probably still make money since you a) bought an iPhone and b) solidified Apple's hold on music distribution online. Apple probably just laughed all the way to the bank, the same way Microsoft, Adobe and Autodesk are laughing all the way to the bank when their software gets distributed more or less for free in these markets. Some markets are unreachable with western prices, so if you still want to be present on them, adjust your price. Close to free is good enough.

Re:Heh (0)

Anonymous Coward | more than 5 years ago | (#27142453)

What part of "fake iTunes cards" didn't you get?
The word "fake"?

Re:Heh (0)

Anonymous Coward | more than 5 years ago | (#27142889)

Nope, because they still got your iphone money. You need to steal the phone from an Apple store.

Re:hmmm (1)

Golddess (1361003) | more than 5 years ago | (#27142121)

More seriously, there's a good chance that if Apple does decide to change their key system that a lot of legitimate iTunes cards are gonna be rendered worthless.

Why did they even go with a system where the value of the card is written right on the card itself (even if it is encrypted), rather than one that everyone else seems to use? That is, a system where on one of Apple's servers somewhere, there resides a database with the giftcard ID and the balance of the card. Just guessing at exactly how it's done, but given that a Best Buy giftcard can be loaded up with any amount, and can be used without a magnetic reader, I think it's safe to say that the balance is not written on the card in any way, shape, or form.

Or have they done it that way, and these companies are just selling giftcards that could have potentially already been used?

Re:hmmm (0, Insightful)

Anonymous Coward | more than 5 years ago | (#27142849)

because apple servers are made to look pretty, not do calculation or real work

Ouch. (4, Insightful)

russotto (537200) | more than 5 years ago | (#27141737)

I'd be interested to know what algorithm was being used for the keycards. Did Apple use a weak scheme, did someone leak the secret, or (most interestingly) has someone managed to crack a good encryption algorithm?

(Alas, I'd guess it's probably a weak scheme. As recently as two years ago I noticed a bike products retailer was actually using sequential codes for its gift cards)

Re:Ouch. (4, Informative)

teh moges (875080) | more than 5 years ago | (#27141787)

I actually didn't think this would be possible.
In Australia, when you buy mobile phone recharge (extra credit to make calls), you buy a coupon which is only activated after it's bought from an authorized dealer. Once the code is used, that code is useless.
It does mean that each retailer has to have some connectivity to base office, but it stomps out generating new keys as much as you want.

Re:Ouch. (2, Insightful)

cowscows (103644) | more than 5 years ago | (#27142169)

No kidding. The way this is explained makes it sound like if I pulled a stack of iTMS cards off the rack at walmart or whatever and walked out with them in my pocket, they'd all be valid and would work. I have a hard time believing that to be the case. There are hundreds of stores (both online and physical) that sell gift cards at other stores, I have a hard time believing that it doesn't generally work more like you describe, and I also have a hard time believing that Apple would have done it differently.

Unless maybe the people generating the card numbers have found a way to falsely activate them? Although if that were the case, I'd imagine that'd be a much easier fix.

Re:Ouch. (3, Informative)

bluefoxlucid (723572) | more than 5 years ago | (#27142943)

They work right off the truck. No activation.

Re:Ouch. (4, Informative)

smellsofbikes (890263) | more than 5 years ago | (#27142199)

>but it stomps out generating new keys as much as you want.

Sort of. As the previous poster was alluding to, if the card numbers are generated sequentially and stored on the card, all you need to do is know your number, add about 100, put that number on your card, and wait for it to be activated so you can use it. You don't have to access the main server: you just wait for your number to show up.
There was a neato scam running a while back where people would steal piles of seemingly useless blank gift cards, record the number off the card into a database, put them back in stores, wait a month, then try and use the number. If the card had been activated but not used (a gift card sitting in a present or a wallet somewhere) they bought what they could as fast as they could.
I assume companies now sell entirely blank cards, that are programmed at time of sale, rather than pre-enumerated cards merely being scanned for activation.

Re:Ouch. (2, Informative)

Lehk228 (705449) | more than 5 years ago | (#27142393)

No, they still use the pre-numbered cards. Now they have a foil-covered PIN on the back, but who would notice if it was missing?

Re:Ouch. (1)

Hyppy (74366) | more than 5 years ago | (#27141789)

Picking nits here, but this kind of key generation is generally not considered encryption.

The algorithm is known as MSH-MLYLT (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27141793)

me so horny, me love you long time

boom boom long time

Re:The algorithm is known as MSH-MLYLT (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#27142129)

I lol'd

Re:The algorithm is known as MSH-MLYLT (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27142137)

me so horny, me love you long time

boom boom long time

Don't mind Steve Jobs, he's a just little loopy from all the chemo.

Occam's razor (5, Interesting)

YesIAmAScript (886271) | more than 5 years ago | (#27141755)

Possibility 1:
Apple doesn't use a database for cards, they use a hash even though that would be stupid.
That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer.
Someone is generating and selling cards using that hash.

Possibility 2:
Someone is simply buying the largest email iTMS gift certificate allowed (I checked) with fake or stolen credit card numbers.

Possibility 1 is possible but unlikely.
Possibility 2 is very common, very easy and very likely.

Occam's Razor says people are likely jumping to an unwarranted conclusion here.

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27141955)

So then surely we can assume that soon all of the fraudulent gift cards will be deactivated as soon as the banks report to Apple that the cards used to purchase them were stolen, right? Wouldn't Apple have a comment on that situation, instead of the "no comment" about the current situation?

Re:Occam's razor (4, Insightful)

Locke2005 (849178) | more than 5 years ago | (#27142011)

They HAVE to keep a database for the cards anyway, to keep track of every code that has already been used (can't have you using the same gift card twice now, can they?) How much harder could it be to keep track of every code that has actually been sold? But even then, there is a window of opportunity: if someone can guess your code between the time it is activated and the time you use it, then they've got your gift certificate and you don't. (This really IS stealing.) My advice to anyone who gets a gift certificate would be to use it as soon as possible. Personally, I feel gift certificates are stupid anyway -- why give somebody the equivalent of cash that can only be used at one store and which becomes worthless if that store declares bankruptcy, when you could just as easily give them cash, or a money order, or a check, or any number of other instruments that could be redeemed anywhere. I once received a gift certificate in a Christmas card that was delivered accidentally to my address, and I was able to go ahead and use it. Couldn't have done that with a check or money order, could I?

Re:Occam's razor (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27142107)

I once received a gift certificate in a Christmas card that was delivered accidentally to my address, and I was able to go ahead and use it.

You just admitted to committing a Federal crime, son, and a Felony at that. If I were you, I'd shut the hell up and never mention this "freebie" to anybody.

Re:Occam's razor (1)

jimicus (737525) | more than 5 years ago | (#27142109)

why give somebody the equivalent of cash that can only be used at one store and which becomes worthless if that store declares bankruptcy

I think a lot of people are asking the same question over here in the UK right now. Over the Christmas/new year period, a number of companies which operated gift vouchers went out of business.

Re:Occam's razor (1)

shird (566377) | more than 5 years ago | (#27142147)

They don't have to keep a database of those used. They can just keep a counter, and allocate out ranges to other stores etc. Just like MAC addresses - all addresses are valid, but there is no central db and nobody keeping a db of all allocated, just a db of ranges and a counter. They would only need to track the use of a card on its first use.

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27143063)

They don't have to keep a database of those used. They can just keep a counter, and allocate out ranges to other stores etc. Just like MAC addresses - all addresses are valid, but there is no central db and nobody keeping a db of all allocated, just a db of ranges and a counter. They would only need to track the use of a card on its first use.

And how would they "track" it without a database?

Re:Occam's razor (3, Funny)

joebok (457904) | more than 5 years ago | (#27142303)

... I once received a gift certificate in a Christmas card that was delivered accidentally to my address, and I was able to go ahead and use it. ...

I think that is a crime. If not, it certainly makes you a jerk.

As my dad once said... (1)

Winckle (870180) | more than 5 years ago | (#27143113)

At least you can't spend it on drink...

Re:Occam's razor (1, Insightful)

denzacar (181829) | more than 5 years ago | (#27142059)

Possibility 2 would in no way be profitable - they are selling $200 gift certificates for 11 yuan. About $1.61.
200:1 money laundering scheme? I don't think so.

On the other hand, human stupidity implied in the possibility 1 is always a plausible solution to any case involving humans.

Re:Occam's razor (1)

pluther (647209) | more than 5 years ago | (#27142397)

You're overlooking the first step: steal the credit card number to buy the iTunes card with.

That makes it 100% profit, with a quick and easy way to get money off the credit card. Who cares if you throw away 99% of the value of the original credit card? It's not their money they're wasting.

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27142491)

You're overlooking the first step: steal the credit card number to buy the iTunes card with.

Umm, no he didn't. That is exactly what money laundering is for, covering the tracks of stolen money. It would be ridiculous for them to lose so much of the money in the process when there are many other ways they could be laundering that would allow them to retain a much larger percentage.

Most likely they have simply figured out a way to generate keys. Crackers do this all of the time with various software, so I doubt it's as complicated as the OP claims.

Re:Occam's razor (1)

denzacar (181829) | more than 5 years ago | (#27142557)

Who cares if you throw away 99% of the value of the original credit card? It's not their money they're wasting.

Anyone who could buy jewelry on Amazon instead for full money value? Or anything else on ebay?

You know, criminals may be superstitious and cowardly lot (according to Batman) but they are not THAT stupid to throw away 99.5% of the profit away.

Re:Occam's razor (1)

LandDolphin (1202876) | more than 5 years ago | (#27142561)

I'm sure there would be better things they could purchase and resell for more than a 1% return.

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27142497)

Who said it would be money laundering?, nobody said they are using their own illegally earned money.

They could simply buy those gift cards with STOLEN credit cards, so plainly they would be stealing money, not cleaning it.

Also consider there is no cost if they spend their time hacking poorly configured customer databases. It wouldn't be a $199 loss in every card purchase, it would be a $1.61 dollar net profit.

-linyera

FYI... (1)

denzacar (181829) | more than 5 years ago | (#27142691)

When you buy goods (gift certificates) with stolen funds (credit cards) so you would sell those goods to a third party and thereby make a profit - THAT IS money laundering.

And just imagine such a crazy scenario where they would spend not just $200.00 at a time, but drain the entire card to buy items such as jewelry, luxury items, or even iPhones or iPods - anywhere else on the internet.
You know... items that can be sold almost immediately if you sell it for a right price.
Or if you use ebay or amazon to sell items for "clean money" - while you pay for them with "dirty money".

Re:Occam's razor (2, Insightful)

Lehk228 (705449) | more than 5 years ago | (#27143071)

200:1 when it's not your 200 is plenty profitable

Let's consider the crypto solution (4, Interesting)

jonaskoelker (922170) | more than 5 years ago | (#27142213)

Possibility 1: Apple doesn't use a database for cards, they use a hash even though that would be stupid. That hash and algorithm for arranging the data before the hash was cracked even though all the verification is done on the server and thus there is no code out there to reverse-engineer. Someone is generating and selling cards using that hash.

Let's assume that Apple cryptographers are at least half way competent.

You could use Brand's eCash scheme in this situation. But, since Apple plays the role of both the Shop and the Bank in this scheme, you can do some simplification. So, what's the specification of this hash?

  • It should be easy for Apple (the holder of some secret key) to generate valid gift certificates, of any amount
  • It should be difficult for anyone else to generate valid certificates (of any amount)
  • It should be easy for anyone to verify the validity of a certificate.

I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.

To redeem a certificate, Apple checks that it hasn't been redeemed before, then stores in its database that it has been redeemed. For compactness using increasing integers, store that "all integers less than n have been redeemed".

Everyone knows Apple's public key and can verify the certificate. Only Apple knows the private key necessary to create certificates. Apple knows its own public key so it can verify certificates. It also knows to only accept each certificate once.

I'd guess that if I can cook this up in five minutes, Apple can afford hiring someone who can cook it up at least once during their development cycle (I'm not that leet :p).

(proof of security in the universal composability model is coming straight away; that's called proof by forward reference and it works great in the cookies)

Re:Let's consider the crypto solution (2, Informative)

Anonymous Coward | more than 5 years ago | (#27142377)

That check won't work for integers - people won't redeem cards sequentially.

Re:Let's consider the crypto solution (1)

jonaskoelker (922170) | more than 5 years ago | (#27142973)

people won't redeem cards sequentially.

I should have made it more obvious that by my design, that's just a compression hack that you can apply to the extent possible.

As an example, you'd store the list "everything less than one million; one million and five; one million, two thousand and twenty-three; ...".

It's Big Oh of whatever, but it works fine in practice ;-)

Re:Let's consider the crypto solution (1)

zindorsky (710179) | more than 5 years ago | (#27142379)

I think the simple solution is for Apple to generate unique strings (either random, or increasing integers) and sign them using some signature system, concatenating the value onto the plaintext.

But the serial number on a gift card is not nearly long enough to contain enough data to be any secure kind of public key crypto.

So smart or not, that's not what they're doing.
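
The design jonaskoelker sketched above, carried through as an added worked example that is not from any poster and is not Apple's actual scheme (the thread only speculates about that). It uses a symmetric MAC instead of a public-key signature, because the only verifier is the issuer's own server, which answers zindorsky's length objection: a 64-bit truncated HMAC tag fits in a typeable code, and an online verifier can rate-limit guesses. Serials are handed out sequentially (shird's counter idea), which lets the redeemed-set keep the "everything below n is spent" water mark from jonaskoelker's follow-up. `DEMO_KEY` is a constructed stand-in for a secret that would live in an HSM; the code format, field widths and helper names are all assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import struct

# Added illustration (not from any poster, and not Apple's real scheme).
# Code = base32( serial || value_cents || HMAC-SHA256(key, serial||value)[:8] ).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"   # assumption: issuer's secret
SERIAL_BYTES, VALUE_BYTES, TAG_BYTES = 5, 4, 8        # 17 bytes -> 28 base32 chars

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_BYTES]

def _body(serial: int, value_cents: int) -> bytes:
    return serial.to_bytes(SERIAL_BYTES, "big") + struct.pack(">I", value_cents)

def issue_code(key: bytes, serial: int, value_cents: int) -> str:
    """Issuer side: bind a serial and a face value under the secret key."""
    body = _body(serial, value_cents)
    return base64.b32encode(body + _tag(key, body)).decode().rstrip("=")

def forge_without_key(serial: int, value_cents: int) -> str:
    """What a 'key generator' can do if the format is known but the key is not."""
    body = _body(serial, value_cents)
    return base64.b32encode(body + _tag(b"attacker guess", body)).decode().rstrip("=")

class Issuer:
    """Hands out sequential serials, so ranges could be allocated to retailers."""
    def __init__(self, key: bytes):
        self.key, self.next_serial = key, 0

    def issue(self, value_cents: int) -> str:
        code = issue_code(self.key, self.next_serial, value_cents)
        self.next_serial += 1
        return code

class RedeemedSet:
    """Spent-serial store: every serial below `floor` is spent, plus a sparse set."""
    def __init__(self):
        self.floor, self.sparse = 0, set()

    def __contains__(self, serial: int) -> bool:
        return serial < self.floor or serial in self.sparse

    def add(self, serial: int) -> None:
        if serial < self.floor:
            return
        self.sparse.add(serial)
        while self.floor in self.sparse:        # advance the water mark
            self.sparse.remove(self.floor)
            self.floor += 1

class Redeemer:
    """Store side: verify the tag first, then refuse any serial seen before."""
    def __init__(self, key: bytes):
        self.key, self.spent = key, RedeemedSet()

    def redeem(self, code: str):
        try:
            raw = base64.b32decode(code + "=" * (-len(code) % 8), casefold=True)
        except (binascii.Error, ValueError):
            return (False, "malformed")
        if len(raw) != SERIAL_BYTES + VALUE_BYTES + TAG_BYTES:
            return (False, "malformed")
        body, tag = raw[:-TAG_BYTES], raw[-TAG_BYTES:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return (False, "bad tag")            # forged, or issued under another key
        serial = int.from_bytes(body[:SERIAL_BYTES], "big")
        if serial in self.spent:
            return (False, "already redeemed")   # replay of a genuine code
        self.spent.add(serial)
        return (True, struct.unpack(">I", body[SERIAL_BYTES:])[0])

if __name__ == "__main__":
    issuer, store = Issuer(DEMO_KEY), Redeemer(DEMO_KEY)
    card = issuer.issue(20000)                   # a $200 card
    print(card, store.redeem(card), store.redeem(card))
    print(store.redeem(forge_without_key(1, 20000)))
```

Two properties fall out of this that match the thread's worries. Guessing serial+1 (the sequential-number trick mentioned elsewhere in the thread) buys an attacker nothing without the key, because the tag covers the serial and value together. And if the key does leak, `issue_code` is the key generator: the only recovery is a new key and a transition period in which both keys verify, which is exactly the "legitimate cards rendered worthless" risk Em Emalb raises.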

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27142321)

The owner of the Taobao shop told us frankly that the gift card codes are created using key-generators. He also said that he paid money to use the hackers' service.

I know it's asking a lot, and I'm not new here, but feel free to read the second line in the summary.

Re:Occam's razor (0)

Anonymous Coward | more than 5 years ago | (#27142323)

Possibility 3: Kdawson post.

Possibility 3 is to ignore his posts.

Re:Occam's razor (1)

SailorSpork (1080153) | more than 5 years ago | (#27142419)

Possibility 1.5: Apple uses a database in countries where internet database connectivity isn't a problem, and hashes in countries where they perceive most stores won't have internet connectivity.

Re:Occam's razor (1)

wdavies (163941) | more than 5 years ago | (#27142441)

Third possibility:

Someone is duping the numbers, and only one person out of N will get the cheap music.

Re:Occam's razor (5, Informative)

plover (150551) | more than 5 years ago | (#27142523)

Well, I personally know that InComm [incomm.com] is an authorizer to companies that sell iTunes cards at retail, and that unactivated cards have no value. No algorithm is used for those cards, other than the non-sequential generator (to prevent my_card_number+1 fraud.)

But I also know that TFA claims that an algorithm is broken allowing for virtually unlimited generation of cards.

So either TFA is wrong or deliberately lying (improbable, but not impossible), or both the algorithm and on-line methods are being used by iTunes (neither particularly odd nor improbable.)

It's not an XOR situation.

Credit Card Ponzi Scheme (2, Interesting)

essinger (781940) | more than 5 years ago | (#27142533)

I think it may even be simpler. I went to the site and, though I couldn't understand the language, it seemed as though you had to buy the iTMS certificate with a credit card! So all they have to do is use your card (or in the more elaborate scenario a previous idiot's card) to buy your gift certificate. And they buy whatever else they want with it.

Invalidated (5, Insightful)

Norsefire (1494323) | more than 5 years ago | (#27141769)

The other side to this is that when a legitimate customer buys a card whose code has already been found using a keygen, their card won't work. I hope Apple has a refund system. The joys of security through obscurity in action.

One would hope. (1)

Jon.Laslow (809215) | more than 5 years ago | (#27141863)

Even Microsoft has a process if you buy a Microsoft Points card and the code doesn't work. Granted, the request has to go through an approval process that normally takes several days and possibly multiple contacts to verify information. But still....

Who Cares? (0, Insightful)

Anonymous Coward | more than 5 years ago | (#27141883)

You can already get basically anything you can get off iTunes from torrent files for free. You don't have to pay for a card. If you're going to pirate material, you might as well be sensible about it.

Time to buy some of these quickly??? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27142071)

So, if one were so inclined and was not bothered by the moral ramifications, would NOW be the time to buy and redeem a bunch of these? And, since you have to use your Apple iTunes account to redeem them, could you be threatened by legal people at Apple?

Re:Time to buy some of these quickly??? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27143089)

could you be threatened by legal people at Apple?

I heard a legal person at Apple once threatened someone just for snoring too loud.

The most important thing has been left out.... (2, Funny)

Ogre332 (145645) | more than 5 years ago | (#27142127)

Where can I buy them?

Re:The most important thing has been left out.... (1)

geekoid (135745) | more than 5 years ago | (#27142447)

China.

Buy them here but . . . (2, Informative)

essinger (781940) | more than 5 years ago | (#27142601)

I would really think twice about using your credit card!

http://search1.taobao.com/browse/0/n-g,nf2hk3tfom-------2-------b--40--commend-0-all-0.htm?at_topsearch=1&ssid=e-s1

Chinks (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27142149)

Can't live with them.

Can't shoot them.

steps (1)

prozaker (1261190) | more than 5 years ago | (#27142221)

1. hire hackers 2. get keygen 3. ??? 4. profit!

Huh (1)

blhack (921171) | more than 5 years ago | (#27142223)

Any lawyers in here wanna weigh in on this?

If I were to buy some of these giftcards, apple could absolutely terminate my account, I would expect that, but am I breaking any laws? This doesn't seem to be "breaking in" to anything (although I'm sure a judge would see it that way) so is it still considered some sort of cyber-trespass?

Doesn't this fall into the same category as "the vending machine gave me an extra candy bar. I told the maintenance guy, but he didn't care"? What if you even went as far as to email steve@mac.com (or whatever his address is) to show that you tried to contact Apple?

Re:Huh (0)

Anonymous Coward | more than 5 years ago | (#27142579)

Something like "Document Fraud" or "Forged Financial Instrument" or some such would be the crime here. But IANAL.

Re:Huh (0)

Anonymous Coward | more than 5 years ago | (#27142589)

I'm sure Apple could sue you, as long as they can prove that you knew (or "should have known") that the card was fraudulent when you purchased and used it. There's not a law against being taken advantage of.

Re:Huh (0)

Anonymous Coward | more than 5 years ago | (#27142647)

Possession of stolen property seems to fit.

Re:Huh (4, Interesting)

ledow (319597) | more than 5 years ago | (#27142683)

In UK law, at least, which is what 90% of the world base their law systems on:

Very simple. It's fraud. They are *fake* cards, issued by a forger. Thus, you can be charged with fraud, or similar offences. Possibly even handling stolen/counterfeit goods, *whether you knew they were fake or not*! It's no different to faking a cheque, or a credit card. In the US, crossing state boundaries with such things can be a federal offence, so if you're not in the same state as the Apple store, it gets even worse.

If you have the *suspicion* that they are fraudulent and / or a reasonable person would suspect them to be fraudulent (by the *court's* definition of reasonable, not yours), you can quite easily be convicted for fraud, or facilitating fraud, or breach of contract (technically a bad cheque is breach of contract and by trying to pass off this card with a retailer, you are saying that it is genuine, hence the sale could be seen as a breach of contract once they find out the money doesn't actually exist - thus they can happily charge you with fraud for the transaction AND breach of contract for failing to pay for the goods another way). It would *not* be as simple as "I just got them from some website." If a reasonable person would have had suspicions, you can *easily* be convicted - it's like saying that this gentleman knocked on the door selling an expensive in-car audio system with the wires cut and dangling, for a pittance. Whether you thought he was genuine or not, you SHOULD have known that he wasn't (just by the price, if nothing else), thus you can be found complicit in the fraud.

Notification of the breach would certainly work in your favour but isn't an automatic get-out clause. Chances are they would pass it over but ask at which point you became suspicious, where you got it from etc. and expect you to co-operate fully. Don't and those fraud charges pop up but now they know exactly who to aim them at... you.

Cyber-nothing. It's fraud, plain and simple, no better than making up credit card numbers and using them to buy things on Amazon. You're not the rightful keeper of any funds that you do manage to get authorized, so you're into theft (if someone can prove that *they* were entitled to the number on the card you used), fraud and maybe even counterfeiting if you can't point out where you got them from. Now, considering that Apple are both the issuer AND the recipient of the cards in question, they have a very good reason to prosecute. You've effectively stolen a credit card and then used it to pay your other Visa bill.

Re:Huh (0)

Anonymous Coward | more than 5 years ago | (#27142693)

IANAL, but I think receipt of stolen goods might be a legitimate charge. If I recollect correctly, buying a $200 gift card for $20 would lead a reasonable person to assume it was stolen, & wipe out the 'I thought it was legit, really I did judge!' defense.

Re:Huh (0)

Anonymous Coward | more than 5 years ago | (#27142805)

Before you delve into the subtleties of modern cyber-trespass law, let's try a simple test.

Suppose you buy one of these cards, use it, Apple complains, and you wind up in court. Let's say you take the stand in your defense (this is hypothetical!). And then someone asks you this question:

"Did you intend to commit fraud?"

Not "did you break into Apple's system?" or "did you violate section 1 paragraph 3(a) of the Apple iTunes Store card EULA?" Just a simple question about whether you were trying to cheat someone or not.

If you can say "No, of course I didn't intend fraud," while keeping a straight face, say it believably, not have Apple introduce any Slashdot posts about what you were trying to do, and not elaborate your "no" with any weaselly explanations that basically translate to "I thought I could get away with it, because it might be technically legal," then maybe your question about whether this breaks any laws, is relevant. If you intend to defraud, then it doesn't really matter much whether or not you're breaking some cyber-trespass law: they're going to nail you on good old fashioned "he totally ripped me off and knew what he was doing" fraud laws.

What's the point? (3, Insightful)

Arancaytar (966377) | more than 5 years ago | (#27142229)

If they're going to pirate, why do they bother paying $2 to a crook to get music with DRM which they could get for free from BitTorrent? The only advantage iTunes has over piracy is that it is legal - so what's the point of ripping them off with a fake gift card?

Even ethically, that way they'd at least not be supporting the criminal industry like the RIAA is (in this case accurately) claiming.

Re:What's the point? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27142385)

You're stupid, right? iTunes doesn't use DRM'd music anymore.

Re:What's the point? (0)

Anonymous Coward | more than 5 years ago | (#27142427)

Um, isn't iTunes DRM-free now?

what the fuck (1)

bugs2squash (1132591) | more than 5 years ago | (#27142363)

is Apple doing even offering a $200 gift card? It seems to me to be an open invitation to fraud.

don't worry . . . . (2, Funny)

Veni Vidi Dormi (975178) | more than 5 years ago | (#27142451)

don't worry . . .they're buying fake Apple products.
Everyone Chinese wins!

Looks stupid to me (0)

Anonymous Coward | more than 5 years ago | (#27143005)

If I were detailing the whole gift/certificate scheme for Apple, I would make sure to record every generated key before it reaches the customer, be it on a plastic card or in email. This way nobody would be able to use a code not issued by me, even if it's valid (assuming the codes really are some crypto product).

However, if this is in place and we still have the Chinese selling keys, there is a serious issue with my security:
1) someone broke in and stole my generated numbers: very bad, I'm f0ked because I'll have to disable all cards & recall all cards.
2) even if someone got the algorithm to generate valid numbers, he's able to test a huge number of keys for validity under my radar, and only sells the ones found valid. Bad stuff, customers will buy already-emptied cards.

However, the mention of a keygen in the news means to me that Apple does not have any means to distinguish keys they really issued from keys issued by Chinese hackers: bad stuff for them in the long run.
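
An added example, not code from the thread, from Apple or from any card processor, of the "record every generated key" design this comment asks for, which is also the model plover describes for retail cards: codes are drawn from the OS CSPRNG (so there is no next-card relation to exploit), a code is worthless until the till activates it, and it redeems exactly once. Anything not in the ledger is refused and the refusal is counted per submitting client, which is the "radar" this comment says is missing: a keygen's output is unknown every time, while a real customer mistypes once. The in-memory dictionary stands in for the issuer's database; the client names, the state names and the alert threshold are assumptions.

```python
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
CODE_LEN = 16                                       # 36**16 is about 2**82 possible codes


@dataclass
class Card:
    value_cents: int
    state: str = "issued"              # issued -> activated -> redeemed
    redeemed_by: Optional[str] = None


@dataclass
class GiftCardLedger:
    """Stand-in for the issuer's database of every code ever minted (assumption)."""
    cards: Dict[str, Card] = field(default_factory=dict)
    rejects: Counter = field(default_factory=Counter)   # (client, reason) -> count

    def issue(self, value_cents: int) -> str:
        """Mint a code from the OS CSPRNG. No algorithm relates it to the previous
        code, so my_card_number+1 is just another random miss."""
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self.cards:
                self.cards[code] = Card(value_cents)
                return code

    def activate(self, code: str) -> bool:
        """Point-of-sale step. Until this runs the printed code carries no value,
        so a card lifted from the rack, or its code photographed, redeems nothing."""
        card = self.cards.get(code)
        if card is None or card.state != "issued":
            return False
        card.state = "activated"
        return True

    def redeem(self, code: str, account: str, client: str) -> Tuple[bool, str]:
        """Credit `account` once, or say why not; every refusal is counted per client."""
        card = self.cards.get(code.upper().replace("-", ""))
        if card is None:
            reason = "unknown_code"       # never minted here: keygen output or a typo
        elif card.state == "issued":
            reason = "not_activated"      # ours, but never sold
        elif card.state == "redeemed":
            reason = "already_redeemed"   # the same code sold to N buyers
        else:
            card.state = "redeemed"
            card.redeemed_by = account
            return True, "ok"
        self.rejects[(client, reason)] += 1
        return False, reason

    def suspicious_clients(self, threshold: int = 5) -> List[str]:
        """Clients with `threshold` or more unknown-code refusals: a legitimate buyer
        mistypes once or twice; a keygen or a brute-forcer is unknown every time."""
        return sorted({client for (client, reason), n in self.rejects.items()
                       if reason == "unknown_code" and n >= threshold})
```

Two things this design buys over a pure "is the code mathematically valid" check: the activation state separates stock on the shelf from money, so a stolen or leaked batch can be voided before it is sold, and the per-client refusal counts turn the attacker's validity testing into a visible signal rather than something that happens under the radar.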

somebodys gonna get in trouble (1)

indy_Muad'Dib (869913) | more than 5 years ago | (#27143045)

I don't want to be the guy in China who downloads a copy of "Chinese Democracy" off iTunes.

Not because of the govt wordfilter or anything, just because it's a horrible album.