
Mystery of Vanishing iTunes Credit Shows No Sign of Fading

timothy posted more than 2 years ago | from the sounds-like-the-fraud-department-at-amex dept.


E IS mC(Square) writes "Back on November 28, 2010, somebody started a thread on Apple's support forums about someone spending more than $50 of his iTunes Store credit on iPhone apps. That discussion thread has since swelled to more than 45 pages, with nearly 700 posts. 'Someone — or some group of someones — seems to be able to spend iTunes gift card credit without permission, buying apps that users don't want. And whoever's doing the hacking seems pretty good at it: Hundreds of users have seen their iTunes credit stolen, and the hack shows no signs of slowing, ten months after it was first reported.' Apple has refunded certain accounts, but not in all cases. Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."


195 comments


Great (2, Insightful)

Antisyzygy (1495469) | more than 2 years ago | (#37362814)

Apple should really look into this more, rather than just passing off the blame. Typical.

Re:Great (4, Insightful)

DurendalMac (736637) | more than 2 years ago | (#37362846)

We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37362876)

We're looking at a few hundred accounts out of millions. If this were some big, scary security flaw, we'd see a whole lot more accounts being compromised. Apple is probably right. It's crappy passwords and phishing, something that happens with any remotely popular service.

Users are inattentive and lazy. If there are 700 posts about this, you can bet the problem is much larger than that.

It's way too early to say this is not a big, scary security flaw (or that it is, for that matter). Maybe Apple is using its own OS for its backend- we all know how secure that is in the enterprise.

Re:Great (0)

DurendalMac (736637) | more than 2 years ago | (#37362886)

700 posts != 700 users, though. A lot of people are going to be posting multiple times throughout the thread.

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37362924)

And a lot of people also won't post because they don't, they're not sure if they were affected, or it was only a small amount so they didn't notice or care.

I'd bet the actual number is much higher.

Re:Great (1)

Colonel Korn (1258968) | more than 2 years ago | (#37363048)

And a lot of people also won't post because they don't, they're not sure if they were affected, or it was only a small amount so they didn't notice or care.

I'd bet the actual number is much higher.

This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

Re:Great (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363384)

This is critical. I bet the actual number of affected accounts is 100-10000x higher than the number who post about it on the forum.

That's a pretty impressive number you just pulled out of your ass, this must be a serious problem.

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37363432)

And a lot of people who haven't been affected will also post.

I bet the actual number is a lot lower.

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37362946)

Don't forget, only a small percentage of people affected will complain on the forum.

I just want to know how you're able to register a new device to your iTunes account without the owner of said account knowing about it. Why doesn't the customer get email receipts when the transaction happens? And why can't Apple figure out which device downloaded the app to provide that information to law enforcement? This is security 101 - you're dealing with money (yes, it's fake Disney dollars to get you out of currency regulations, but it translates into money), you need to be able to allow your customers to know where this money is going.

Re:Great (1)

entoke (933113) | more than 2 years ago | (#37362962)

I get email receipts when I buy apps on my iphone, pretty sure I didn't have to change any setting for it to work that way.

Re:Great (2)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363182)

Why doesn't the customer get email receipts when the transaction happens?

You do get a receipt normally, however since the accounts were compromised and personal details altered (according to the thread) that confirmation could've been sent elsewhere. Some people do report getting receipts and being informed that way that something was going on. This is all on the first page of the linked Apple support discussion.

And why can't Apple figure out which device downloaded the app to provide that information to law enforcement?

You want Apple to track their customers? Yeah, that'll go over great with the paranoid Slashdot crowd.

Re:Great (0)

Beelzebud (1361137) | more than 2 years ago | (#37362918)

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

Re:Great (-1)

Anonymous Coward | more than 2 years ago | (#37362994)

Says who??? Microsoft? Considering their password security approach is more trouble than it's worth to the common user, what exactly are you preaching and to whom?

Re:Great (2)

shoehornjob (1632387) | more than 2 years ago | (#37363012)

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

Thank you. They need to enforce better password standards.

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37363096)

There are several problems:

hacks are more like this:
http://xkcd.com/538/

and this:
http://xkcd.com/792/

we need better passwords for regular people:
http://xkcd.com/936/
http://preshing.com/20110811/xkcd-password-generator

Considering most users should only be putting the password into Apple devices and not even independent web browsers for most services, I can see how Apple isn't jumping on it. Apple iPhone, iPods, and TVs all have dedicated popups for signing in. iTunes users sign in only through iTunes. So that only leaves the places the Apple ID is used somewhere else.... meaning somebody is pretending to be one of Apple's websites like Developer Center or Mobile Me... that's a pretty small list even compared to Yahoo or Google, and it's the "social hacker" problem more than a technical one.

Re:Great (1)

North Korea (2457866) | more than 2 years ago | (#37364162)

It doesn't even need to be some kind of hacking. Most people use the same password for all services. It just needs one of those services with an abusive admin, or a break-in into one of those, to get lots of passwords. Since iTunes is so popular, it should be easy to find lots of the same user account information there. Also don't forget that there have also been numerous occasions when someone has leaked email, username and password lists to the internet as a result of some hack.

Re:Great (1)

UnknowingFool (672806) | more than 2 years ago | (#37363118)

That does little for stolen passwords or phishing attacks. I know people who used the same email (username) and password for different accounts. Once one of them gets hacked, then those people have multiple accounts hacked.

Re:Great (2)

guruevi (827432) | more than 2 years ago | (#37363276)

Did you ever enforce minimum security standard passwords? First, if you just add some complexity (e.g., require digits or mixed case), they'll just use the same password and change or add 1 character to satisfy your needs. Once they get complicated enough, people start writing them down or keeping them in plain text files on their desktop or worse, on sticky notes or digital sticky notes that are always open.

Re:Great (1)

LordSnooty (853791) | more than 2 years ago | (#37363308)

Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

Re:Great (2)

gnasher719 (869701) | more than 2 years ago | (#37363342)

Making them complex and writing them down on a piece of paper is probably one of the most secure methods in these days of remote attacks. I'm starting to wonder why we told users to reject this method. Keep them different across important accounts and the only worry you have is a burglar.

Combine something that is easy to remember with a random sequence that you have to write down and pin to your monitor. Remote attack fails because of the random sequence, looking at the paper fails because the person looking is not an experienced hacker and doesn't know the "easy to remember" bit.

And even if an experienced hacker knew the random sequence, at least attacks using rainbow tables would now fail.

Re:Great (1)

hedwards (940851) | more than 2 years ago | (#37363400)

I've got my parents to somewhat strengthen their passwords by using a pass phrase with substitutions. It's not great, but if you then abbreviate some of the words, you get something close to a proper password. Ultimately, there are dictionary attacks that handle it, but even that is significantly stronger than just a word and a number. Hopefully, they'll just move on down to the next account when they don't come up with anything the first time through.

Ultimately, no matter how many times you tell users that if the account gets cracked because of a weak password that they're not going to get their money back, they don't listen because that's something that only happens to other people. And ultimately, with a weak password it's tough to prove that it wasn't the password that was the cause of the losses which can result in being awarded nothing in court.

Re:Great (1)

guruevi (827432) | more than 2 years ago | (#37363856)

We told users to reject the paper method because of Kevin Mitnick. He used social engineering very well to get somewhere. Just impersonate someone and say "read me the modem numbers" or "the number on that sticky note" and you're in.

It also doesn't help against phishing attacks. What we need is a 3rd token (not something you know but something you have or are) for financial transactions. Could easily be handled with distributed authentication - you use a provider that gives you the right amount of security you want (or want to pay for) or you can do it yourself if you're paranoid.

Re:Great (2)

zippthorne (748122) | more than 2 years ago | (#37363370)

They do, but they have a stupid definition of "minimum security":

it's some small number of characters, at least one of which must be a number.

This is not a terribly onerous policy*, but iPods' screen keyboards do not have a number row. You have to switch to another page to input numbers, so people with iPods are going to tend to pick a specific subset of passwords with numbers - ones where all the numbers are together at either the beginning or the end.

I think that this may result in passwords that are actually less secure than the same length of just letters, even....

*although, until you start getting into 20+ char passwords, it turns out that adding one more character [wolframalpha.com] to the minimum length improves security by more than adding 10 more glyphs to the character pool....

What they should do is enforce a minimum password *strength*, and generate several passwords for using pre-defined rules which you can pick from (and which have been researched, so assuming random generation, their strength can be calculated), rather like the keychain works, actually...

Re:Great (1)

hedwards (940851) | more than 2 years ago | (#37363390)

Unless this is a series of cracks purely for lulz, there really ought to be someway of tracking things efficiently. If the apps being bought are sold by scammers, then that's one thing, otherwise, I'm curious as to how this would result in profit for the people doing the cracks.

Find and prosecute whomever it is that is profiting and the problem should be solved. Ultimately, that's Apple's responsibility. This isn't like Android where Google has little say over what users load on their Android devices.

Re:Great (3, Insightful)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363398)

Anyone who runs a remotely popular service should enforce a minimum security standard on passwords, and have a system in place to keep outside parties from hijacking people's accounts. Stop making excuses for a multi-billion dollar company. They really don't need people to carry water for them.

This is the password policy [apple.com], pretty standard stuff:

"When changing your password, your new Apple ID password should:

Be at least eight characters.
Contain at least one number (0-9).
Contain at least one uppercase letter (A-Z).
Contain at least one lowercase letter (a-z).
Not contain three consecutive identical characters.
Not have been used in the past year.
Not be the same as your Apple ID username."

That's also what is shown when trying to change your iTunes password (just tried it.) I know for a fact though that it hasn't always been this strict because my password (that I've had for years now) doesn't conform to the policy.
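The quoted composition policy, implemented as a checker next to a rough guess-count estimate, as an added example (not code from the thread or from Apple). It illustrates zippthorne's point above that a policy-compliant password can still be weak, and that one extra character adds more bits than ten extra glyphs at modest lengths; the common-password list, the Apple ID and the sample passwords are constructed.

```python
import math
import re

# Constructed stand-in for a real common-password corpus (real lists run to
# millions of entries), so the absolute bit counts are illustrative only;
# the ordering between passwords is what matters.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "abc123",
    "iloveyou", "letmein", "welcome1", "monkey", "football", "baseball",
}


def apple_policy_failures(password: str, apple_id: str) -> list:
    """Return the quoted policy rules that `password` violates.

    The 'not used in the past year' rule needs a password history and is
    not modelled; the remaining six rules are checked literally.
    """
    failures = []
    if len(password) < 8:
        failures.append("length")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not re.search(r"[A-Z]", password):
        failures.append("upper")
    if not re.search(r"[a-z]", password):
        failures.append("lower")
    if re.search(r"(.)\1\1", password):        # three identical characters in a row
        failures.append("no_triple")
    if password.lower() == apple_id.lower():
        failures.append("not_apple_id")
    return failures


def random_entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random string: each character adds log2(pool) bits."""
    return length * math.log2(pool_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of words drawn uniformly from a dictionary; four words from
    2048 is the 44-bit passphrase figure the thread refers to."""
    return word_count * math.log2(dictionary_size)


def guess_entropy_bits(password: str, max_suffix_digits: int = 2) -> float:
    """Bits of work for a realistic guesser rather than the naive pool^length.

    A common word, in any capitalisation, with up to `max_suffix_digits`
    trailing digits counts as a dictionary guess: log2(list size x suffix
    variants).  Anything else falls back to the random-string model over
    the character classes present, which over-estimates passphrases built
    from dictionary words (use passphrase_entropy_bits for those).
    """
    base = re.sub(r"\d{1,%d}$" % max_suffix_digits, "", password).lower()
    if base in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        suffix_variants = sum(10 ** n for n in range(max_suffix_digits + 1))  # '', 0-9, 00-99
        return math.log2(len(COMMON_PASSWORDS) * suffix_variants)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33                               # printable ASCII punctuation
    if pool == 0:
        return 0.0
    return random_entropy_bits(len(password), pool)


def assess(password: str, apple_id: str) -> dict:
    """Policy verdict beside the strength estimate, so the two can disagree."""
    failures = apple_policy_failures(password, apple_id)
    return {
        "policy_ok": not failures,
        "policy_failures": failures,
        "guess_bits": round(guess_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ["Password1", "Monkey12", "correcthorsebatterystaple", "x7$Kq!2p"]:
        print(pw, assess(pw, "user@example.com"))   # constructed Apple ID
    # one more lowercase letter (9 x 26) versus ten more glyphs in the pool (8 x 36)
    print(random_entropy_bits(9, 26), random_entropy_bits(8, 36))
    # seven random printable-ASCII characters versus a four-word passphrase
    print(random_entropy_bits(7, 95), passphrase_entropy_bits(4))
```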

Re:Great (5, Interesting)

iamhassi (659463) | more than 2 years ago | (#37362936)

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

If you read the article every user had their info changed to the same address, Towson, MD 21286-7840. Obviously this is the work of the same group of hackers since they're changing info to the same address, and they're smart enough not to use credit cards, only iTunes gift cards, since credit cards would definitely get the police involved.

Apple should do more than just issue refunds; by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com].

Re:Great (1, Funny)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363244)

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

A few hundred = a not even that successful phishing expedition. Even a few thousand would be a drop in the bucket.

Apple should do more than just issue refunds; by ignoring this it only encourages them to become more bold, and they might want to ask app seller Hongbin Suo why his name keeps showing up in the unauthorized purchases [apple.com].

They could ask him but they don't have enough to block him. Someone also bought Monkey Island 2, does that mean Apple should block LucasArts?
Apple should issue refunds, just because it's good business but the problem here in all likelihood is on the client side.

Re:Great (1)

Anonymous Coward | more than 2 years ago | (#37363378)

Or so you say. The same reason why they can't go after Hongbin is the same reason you can't make such outrageous claims that it's user side. How many times do you actually need to enter in your account information outside of your iDevice? Once for your install of the bloatware on your desktop, and once (if enabled) upon installing an application. There are no other reasons to put in your password (let alone your username *AND* password at the same time). And of course, these desktops (since they have a fruit logo on them) can't possibly be hacked / trojaned / keylogged, right?

And it's nice for scammers. Apparently as long as criminals remain under a few hundred dollars, you're ok with them not being stopped since it's "not successful" -- at least according to you. Next time someone breaks into your house and steals JUST your computer or JUST your TV (small in comparison with the worth of your entire house, just like one gift card in comparison to how much money they spent) and the insurance company says "FU. IT'S UR FAULT. U GETS NO MONAYS", let me know how you feel.

Re:Great (1)

Anonymous Coward | more than 2 years ago | (#37363438)

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

Re:Great (5, Insightful)

iamhassi (659463) | more than 2 years ago | (#37364254)

A few hundred? That seems significant to me, and you have to remember those are the few hundred that managed to find that forum post, imagine how many people this might have happened to that blamed their kids/husband/wife/etc or didn't even notice or didn't even find the forum?

Apple says that there are 200,000,000 registered iTunes accounts (with credit card information). A few hundred seems insignificant to me as a percentage.

I have sympathy for the people who are having the problem with their accounts, but even a few thousand or tens of thousands would be insignificant.

How many before it becomes "significant"? 1%? So that's 2 million people out of 200 million, 2 million people being scammed out of ~$50 each, which is $100 million dollars.... wow, but hey the other 99% are fine, right? Maybe 0.1%, reducing it only to 200,000, making it *only* a $10 million dollar scam, but the other 99.9% is fine, 0.1% really is insignificant.... right?

Re:Great (0)

Anonymous Coward | more than 2 years ago | (#37364280)

A few hundred people is ~0.0001% of iTunes users.

Re:Great (1)

AmiMoJo (196126) | more than 2 years ago | (#37362958)

This is just a rumor so make of it what you will, but some sources claim that it is an attack on credit voucher serial numbers. After all, why buy random apps if you can't use them? They will be tied to the owner's phone.

Re:Great (5, Interesting)

brusk (135896) | more than 2 years ago | (#37363030)

After all, why buy random apps if you can't use them? They will be tied to the owner's phone.

No idea if it applies in this case, but crooked developers could make money this way, by receiving the proceeds of fake sales of their apps.

Re:Great (1)

hedwards (940851) | more than 2 years ago | (#37363412)

That's one possibility, a couple more are that it's for lulz or that it's revenge by some developer that's pissed because of Apple's ridiculous policies for being granted access to the App store.

Re:Great (2)

zill (1690130) | more than 2 years ago | (#37364102)

We're looking at a few million people out of billions. If this were some big, scary zombie outbreak, we'd see a whole lot more cities being cannibalized. WHO and CDC are probably right. It's just people cosplaying to celebrate the upcoming release of Left 4 Dead 3, something that happens with any remotely popular game release.

This cannot be! (0)

Anonymous Coward | more than 2 years ago | (#37362824)

But Apple products make you safe against everything! I suggest that timothy get his facts straight before posting obviously fake stories like this.

Weak passwords?! (4, Insightful)

NFN_NLN (633283) | more than 2 years ago | (#37362832)

Am I missing something regarding the "easily guessable passwords" statement? Don't they own the service so can't they enforce any password schema they desire?

Impose a minimum password length requiring punctuation, numbers and/or capitals and run it against a dictionary before accepting it.

Re:Weak passwords?! (4, Funny)

Antisyzygy (1495469) | more than 2 years ago | (#37362922)

That would infringe on people's desire to have passwords like "cats" or "1234".

Re:Weak passwords?! (1)

Nerdfest (867930) | more than 2 years ago | (#37363348)

Apple generally doesn't care much about infringing on people's desire to do certain things. This might be one of the few times when their control-freakery would be well placed.

Re:Weak passwords?! (0)

Anonymous Coward | more than 2 years ago | (#37362970)

http://xkcd.com/936/

Longer passwords are more secure than passwords with fancy characters, and also easier to remember.

Also, avoiding password re-use works wonders. Of course, given the high number of sites that require unique accounts, you will probably need to invent some sort of mnemonic system to keep track of it all (unless you just want to write them all down, which is of course stupid).

We continue to change the world in ways that require ever greater intelligence in order to succeed. To smart people, password strength and hygiene are obvious; they need no instruction. The rest will eventually get hacked; there is only so much the businesses can do to protect them from their own stupidity.

If this acts as selective pressure on our species which favors intelligence, then I am all for it.

Re:Weak passwords?! (1)

broken_chaos (1188549) | more than 2 years ago | (#37363228)

Longer passwords are more secure than passwords with fancy characters

This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

Re:Weak passwords?! (1)

TC Wilcox (954812) | more than 2 years ago | (#37363458)

This depends on the length and randomness of the fancy character password. If you take a truly random ASCII-only password, you only need 7 characters to match the strength of that supposed 44-bit equivalent password.

While it's not viable to memorize a hundred logins with truly random passwords, that's the same issue you'd run into with correcthorsebatterystaple ("Now, Slashdot... Was that the horse and the battery, or the fruitfly and the baked beans?"), and is the one password managers should solve.

Even then, I'd think trying to keep horse with batteries or fruit flies with baked beans would be easier than trying to remember !a$%jb9 vs y48*y+=. Which would you rather remember?

Re:Weak passwords?! (5, Informative)

Anonymous Coward | more than 2 years ago | (#37362980)

There are already restrictions like that in place. From my iPhone when I go to edit my password on my account:

Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter. Don't use spaces, the same character 3 times in a row, your apple ID, or a password you've used in the last year.

The only thing missing from that is a punctuation mark, but as you can see, they already have quite a few requirements on what you need to have for a password.

Re:Weak passwords?! (0)

Anonymous Coward | more than 2 years ago | (#37363070)

My alternate US account (the one that I used to redeem my promo codes that wouldn't work in Canada) has a password that is nothing but lowercase letters. It's multiple words, strung together with no spaces, but it's just plain old lowercase all the way.

Re:Weak passwords?! (1)

hedwards (940851) | more than 2 years ago | (#37363418)

8 characters is a joke. Even a decade ago 8 characters was a joke. Even if you include a punctuation mark, it's still pretty ridiculous.

Re:Weak passwords?! (1)

Roogna (9643) | more than 2 years ago | (#37363920)

8 characters isn't all that bad, considering it's unlikely even the best methods will find the match in the first 3 guesses. Apple does lock accounts after 3 failed attempts and force a password change through the e-mail on file. This of course does -nothing- against phishing, but neither does the most secure password on the planet if it's typed into a false site. Of course if they hacked these people's e-mail then they can reset the password to whatever they want... but this should just teach everyone that security is not about -one- account, it's about -all- your accounts being connected.

8 characters is absolutely -pathetic- when used in any situation like encrypted files where it's possible to get an infinite amount of attempts with no real delay.

Now of course, as others on this article have commented, given even just common dictionary attacks, there's probably a good chance you can take a random e-mail discovered however, enter it as an Apple ID, and then spend your 3 attempts trying the top 3 passwords that meet the criteria, and probably get in to a percentage of the accounts.

Re:Weak passwords?! (1)

Anonymous Coward | more than 2 years ago | (#37363708)

So what you're saying is that big red, in claiming "weak passwords", is lying because their own policies make weak passwords unlikely or impossible?

Have you tried just entering "password" as a password?

Re:Weak passwords?! (1)

moderatorrater (1095745) | more than 2 years ago | (#37363026)

They don't allow spaces in their passwords and every password needs to be able to be typed into a touch device like the iPhone or iPad. They could definitely do more in this area.

Re:Weak passwords?! (1)

interval1066 (668936) | more than 2 years ago | (#37363066)

Trivially installed policy, and used by more than one web site I frequent. As much as I don't care for Apple, and they should install such a policy, some of the blame does fall on the users. Having a contract with several web sites for tech support and not having access to their databases directly, I have occasion to ask users for their passwords to troubleshoot, and the amount of "abc123" or "qwerty" passwords is astounding.

Re:Weak passwords?! (1)

ArsenneLupin (766289) | more than 2 years ago | (#37363694)

... and the amount of people just blurting out their password to you without wondering about your lack of database access is even more astounding...

Re:Weak passwords?! (1)

interval1066 (668936) | more than 2 years ago | (#37363870)

Well, in some cases it's necessary; it's not always convenient to gain access to a client's database directly. That most users don't give it a second thought isn't that extraordinary to me.

Re:Weak passwords?! (1)

Kenja (541830) | more than 2 years ago | (#37363090)

That's like saying they could have an option to simply not store your credit card number. Insanity!

Re:Weak passwords?! (0)

Anonymous Coward | more than 2 years ago | (#37363100)

They do require capitals and numbers in it.

Re:Weak passwords?! (0)

Anonymous Coward | more than 2 years ago | (#37363142)

but that's useless for regular joes.... we need a better solution!

like this:
http://xkcd.com/936/

or better!
http://arstechnica.com/old/content/2006/04/6554.ars
http://thepcspy.com/kittenauth/

more importantly we need Rule 34 on this right away
http://xkcd.com/305/

Or we could combine the authentication... determine whether good sex or bad sex is in each picture. Then ask the user to pick different kinds of sex... beautiful, artistic, shock, wild....

Re:Weak passwords?! (0)

Anonymous Coward | more than 2 years ago | (#37363198)

That's soooo 1999.
Obligatory xkcd [xkcd.com]

Re:Weak passwords?! (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363336)

Because having a complicated password will prevent users from losing it in phishing scams?

Re:Weak passwords?! (1)

Anubis IV (1279820) | more than 2 years ago | (#37363428)

^^^ This.

It doesn't matter how complicated it is if it's being compromised through social engineering. Were this a brute force attack, it wouldn't be drawn out. They'd have the data, they'd compute as many passwords as they could from the hashes for all 200M+ accounts, and they'd do as much damage as possible before anyone could respond appropriately (e.g. PS3 debacle). The pattern instead suggests this is an ongoing set of social engineering attacks which are yielding suckers on a regular basis over an extended period of time.

Re:Weak passwords?! (1)

gnasher719 (869701) | more than 2 years ago | (#37363550)

I think AppleIDs are reasonably easy to find. Mostly they are email addresses. Haven't tried if trying to login with a random email address and a random password gives any indication that the email address is an Apple ID; you would hope not. However, if hackers manage to read your emails, then they can read any purchase confirmation emails, and from these emails you can find the Apple ID.

Now if they know many Apple IDs, they can just randomly try to login with valid Apple ID and a random weak password, and will have some successes. If 100 weak passwords are used by just 2 percent of all users, then one in 5,000 attempts will break an account.
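Roogna's three-failure lockout and gnasher719's valid-ID-plus-weak-password scenario, seen from the service's side. This is an added example, not code from the thread or from Apple: it runs a per-account lockout counter and a per-source spray detector over a constructed authentication log, showing why the per-account counter alone never fires on a source that spreads two guesses across many accounts. The log format, IPs and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real iTunes logs).
# 203.0.113.9 tries two guesses against each of six Apple IDs, staying under
# a three-failure lockout; 198.51.100.4 is a user mistyping their own password.
SAMPLE_LOG = """\
2011-09-10T12:00:01Z ip=198.51.100.4 apple_id=carol@example.com result=FAIL
2011-09-10T12:00:09Z ip=198.51.100.4 apple_id=carol@example.com result=FAIL
2011-09-10T12:00:20Z ip=198.51.100.4 apple_id=carol@example.com result=FAIL
2011-09-10T12:01:00Z ip=203.0.113.9 apple_id=a1@example.com result=FAIL
2011-09-10T12:01:01Z ip=203.0.113.9 apple_id=a2@example.com result=FAIL
2011-09-10T12:01:02Z ip=203.0.113.9 apple_id=a3@example.com result=FAIL
2011-09-10T12:01:03Z ip=203.0.113.9 apple_id=a4@example.com result=FAIL
2011-09-10T12:01:04Z ip=203.0.113.9 apple_id=a5@example.com result=FAIL
2011-09-10T12:01:05Z ip=203.0.113.9 apple_id=a6@example.com result=FAIL
2011-09-10T12:02:00Z ip=203.0.113.9 apple_id=a1@example.com result=FAIL
2011-09-10T12:02:01Z ip=203.0.113.9 apple_id=a2@example.com result=FAIL
2011-09-10T12:02:02Z ip=203.0.113.9 apple_id=a3@example.com result=OK
2011-09-10T12:02:03Z ip=203.0.113.9 apple_id=a4@example.com result=FAIL
2011-09-10T12:02:04Z ip=203.0.113.9 apple_id=a5@example.com result=FAIL
2011-09-10T12:02:05Z ip=203.0.113.9 apple_id=a6@example.com result=FAIL
2011-09-10T12:05:00Z ip=198.51.100.77 apple_id=dave@example.com result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) apple_id=(?P<apple_id>\S+) "
                  r"result=(?P<result>OK|FAIL)$")


def parse_events(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "apple_id": m["apple_id"], "ok": m["result"] == "OK",
        })
    return events


def locked_accounts(events, threshold=3):
    """Accounts that reach `threshold` consecutive failures (a success resets
    the streak).  This is the per-account control described in the thread."""
    streak = defaultdict(int)
    locked = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            streak[e["apple_id"]] = 0
        else:
            streak[e["apple_id"]] += 1
            if streak[e["apple_id"]] >= threshold:
                locked.add(e["apple_id"])
    return locked


def spray_sources(events, min_accounts=5, lockout_threshold=3, window=timedelta(hours=1)):
    """Source IPs whose failures are spread over at least `min_accounts`
    distinct accounts inside `window`.  `under_lockout` marks sources that
    kept every account below the lockout threshold, the pattern a
    per-account counter cannot see; `compromised` lists accounts where the
    same source succeeded after failing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails_per_account = defaultdict(int)
        compromised = []
        for e in evs:
            if e["ok"]:
                if e["apple_id"] in fails_per_account:
                    compromised.append(e["apple_id"])
            else:
                fails_per_account[e["apple_id"]] += 1
        if len(fails_per_account) < min_accounts:
            continue
        if evs[-1]["ts"] - evs[0]["ts"] > window:
            continue
        worst = max(fails_per_account.values())
        findings[ip] = {
            "accounts": len(fails_per_account),
            "max_per_account": worst,
            "under_lockout": worst < lockout_threshold,
            "compromised": compromised,
        }
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("locked by per-account counter:", locked_accounts(evs))
    print("spray sources:", spray_sources(evs))
```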

is this unusual? (0)

Anonymous Coward | more than 2 years ago | (#37362838)

some amount of phishing is presumably normal in such a vast credit organisation. Online banks, shops etc all have this sort of problem. Interesting that the number of complaints is small, so maybe it is one person. cool.

There you have it, macfags (-1)

Anonymous Coward | more than 2 years ago | (#37362842)

IT JUST WERKS

Poorly written summary (0)

Anonymous Coward | more than 2 years ago | (#37362866)

I'll be honest, the summary was sorta hard to understand; it's not entirely clear what is going on without clicking the links. Better English please.

Same details changed in peoples accounts (0)

Anonymous Coward | more than 2 years ago | (#37362888)

It's notable that each person's contact details were changed to the same city, state and zip code, Towson, MD, 21286-7840 (is that a real zip code?).

It seems unrelated to this earlier problem with rogue developers. http://thenextweb.com/apple/2010/07/04/appstore-hack-itunes/

Re:Same details changed in peoples accounts (1)

Shoe Puppet (1557239) | more than 2 years ago | (#37363160)

Towson, MD, 21286-7840 (is that a real zip code?).

Apparently, yes [google.de]

Did they have a WoW account? (0)

Anonymous Coward | more than 2 years ago | (#37362902)

This happened to my boss. His World of Warcraft account got hacked, and he used the same email/password on iTunes, where the hackers cleaned out his $15 gift card balance.

If not WoW, substitute any other website with identical credentials.

Re:Did they have a WoW account? (1)

meerling (1487879) | more than 2 years ago | (#37363006)

And they always blame the victim, but I know of at least one time it was one of their employees looting accounts that hadn't been logged into for a while so hopefully the users wouldn't notice. Of course when he finally got caught, they kept it quiet and continued to blame the users.

I'm not saying this is an inside job, but it's a definite possibility. (If someone was running a dictionary attack on iTunes, it would be noticed if they have even halfway competent security. And although phishing occurs, it's never a complete answer and can usually be avoided with reasonable vigilance. After all, it's not like they don't know which IP or iPhone it's going to.)

Easy to prevent (1)

mehrotra.akash (1539473) | more than 2 years ago | (#37362914)

SMS based verification?

Re:Easy to prevent (1)

brusk (135896) | more than 2 years ago | (#37363034)

What if you buy the app for an iPod touch or wifi-only iPad? Or you buy it for an iPhone over wifi and are out of cellular range?

Not all machines running iTunes Store have SMS (1)

tepples (727027) | more than 2 years ago | (#37363042)

What you recommend will work only for iPhone and iPad 3G. It won't work for a Mac computer, a PC running Windows OS, an iPod touch, or an iPad with Wi-Fi, none of which can receive SMS.

Re:Not all machines running iTunes Store have SMS (1)

Viceice (462967) | more than 2 years ago | (#37363068)

Build an OTP function (à la the Google/Blizzard authenticator) into each iDevice that is ONLY eyeball-readable into iTunes. The user only needs to read the field above and duplicate it in the field below as he confirms his purchase.

Re:Not all machines running iTunes Store have SMS (0)

Anonymous Coward | more than 2 years ago | (#37363088)

Yes, but then manually typing the code would give the user a few seconds to re-consider their purchase. We can't have security concerns interfering with their 30% cut of impulse buys...

Re:Not all machines running iTunes Store have SMS (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#37363434)

Why make things difficult for me because of a few hundred dumbasses? Apple should just eat the (relatively low) cost, refund people and turn over any relevant information to the authorities.

Re:Easy to prevent (0)

Anonymous Coward | more than 2 years ago | (#37363372)

What about people that don't have text messaging plans?

Hello friend, my name is.. (0)

Anonymous Coward | more than 2 years ago | (#37362920)

Prince Babooka from Nigeria. I have come to inherit 15 million dollars from my father the King; however, if you send me your i-store login credentials (as Apple do not recognize my country's laws) I would be most happy to send you a large one-time payment in return.

Please send to Prince Babboka
Nigeria

Many thanks friend..

Not sure but... (0)

Anonymous Coward | more than 2 years ago | (#37362934)

Tim Hortons gift cards are usually on display by the dozen, like Apple iTunes cards, at places like Home Depot etc. All you had to do was get the card's number (visible portion) and wait online for someone to activate it (purchase it) after you set up your account. I'm betting that's the same thing happening to iTunes cards. I can't remember how the process worked, but it did work... my old boss explained it to me one day.

that's interesting, but this is different (4, Informative)

YesIAmAScript (886271) | more than 2 years ago | (#37363050)

First, iTunes cards have the number hidden on the cards in the store, you have to scratch off a coating.

Second, with an iTunes card, you transfer the card balance into your account all at once, after that the card is completely useless. So if you can complete the transfer, the card was valid and not compromised and after you transfer the card, it doesn't matter if it was compromised, because the value is gone from the card and is in your account now. You cannot use the card to spend the value on apps, you have to have access to the account you transferred the credit into.

What people are complaining about here is that they have a credit on their account (perhaps from one of these cards) and it is being spent out of their account. This can't be done with any kind of compromise of the gift cards themselves.

These people's accounts have been compromised. It's unclear how that happened.

Apple just realizes (0)

Anonymous Coward | more than 2 years ago | (#37362940)

anybody stupid enough to buy their products is also the most likely vector for a social engineering hack.

SSL error for https://www.macworld.com (0)

Anonymous Coward | more than 2 years ago | (#37362948)

Anyone else getting an SSL error (untrusted issuer) for the macworld.com link in the summary?

The users are just as much to blame... (1)

Anonymous Coward | more than 2 years ago | (#37362960)

Disclaimer: Used to work for AppleCare CPU, and then iTunes Store Support

Honestly, there are three reasons this happens.

1) People letting their kids use their device. Conversation goes like this:
Parent: "Son, did you waste $50 on iFart Pro?"
Kid: "No......"
Parent: "SINCE MY KID WOULD NEVER LIE APPLE STOLE MY MONEY GIVE IT BACK RIGHT NOW"

What people don't realize is Apple can see the serial number of the device that purchased anything. If $50 worth of crap was bought on your own phone, you're responsible. An exception to the rules may be made if it was a kid or something.

2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back, you call your bank. Same applies to the iTunes Store.

As far as passwords go, the requirements are a capital, a number, and more than eight digits long. 12345678, etc. ARE kicked out. If you haven't changed your password in 10 years, it's probably grandfathered to be shorter; just change it. There's no maximum length... As usual, where the login is based on an email and password, idiots who use the same password for everything get taken advantage of when Gawker, Sony, etc., etc. gets hacked.

Re:The users are just as much to blame... (0)

Beelzebud (1361137) | more than 2 years ago | (#37362990)

Former Apple employee places blame on users. They trained you well, young sith lord.

Re:The users are just as much to blame... (1)

UnknowingFool (672806) | more than 2 years ago | (#37363140)

Frankly if he worked at Amazon, PayPal, whatever, I suspect his story would still have been the same.

Re:The users are just as much to blame... (1)

Culture20 (968837) | more than 2 years ago | (#37363252)

What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

Or if malware on your iPhone bought it?

2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

Theres no maximum length.

Can I use spaces?

Re:The users are just as much to blame... (0)

Anonymous Coward | more than 2 years ago | (#37363420)

OP Here

What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

Or if malware on your iPhone bought it?

Because there's so much malware on iPhones buying apps...

2) Phishing: Time and time again, $50 bucks worth of crap is bought from a different machine with an IP address in China.

WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

They should be ashamed that they don't spend countless man-hours implementing something that -may- affect less than 0.00001% of users? You work in government?

3) Identity theft: I spent half my time dealing with purchases made on stolen credit cards. Call your bank. If someone went to a grocery store with your CC, and bought groceries, you don't get mad at the grocery store and demand your money back

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

Bank, CC Company, Same Diff..
Bad extrapolation on original analogy is bad... The computer is too stupid to check ID?

As far as passwords go, the requirements are a capital, a number, and more than eight digits long.

Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

Because that's reasonable.. How many websites have a SIXTEEN character minimum?

Here are the password requirements for changing your Apple ID password:

http://support.apple.com/kb/ht4156

The new password must be at least eight characters.
The new password must contain at least one number.
The new password must contain at least one lowercase letter.
The new password must contain at least one capital letter.
The new password must not contain three consecutive identical characters.
The new password must not have been used in the past year.
The new password must not be the same as the account name.

Can I use spaces?

Last I checked..

Regardless, it kicks you out after 5 invalid logon attempts, and forces you to reset the password. Brute forcing won't work.
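As an added illustration (not Apple's code), here is a checker that applies the seven HT4156 rules quoted above, plus the five-attempt lockout the poster describes. The "not used in the past year" rule is approximated with a caller-supplied history, and comparing against the account name case-insensitively is an assumption; the KB article does not say.

```python
import hmac
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8
MAX_FAILED_LOGINS = 5  # lockout threshold the poster describes


def check_apple_id_password(password, account_name, previous_passwords=()):
    """Return the list of HT4156 rules the candidate violates (empty list = accepted).

    previous_passwords stands in for 'not used in the past year'; a real service
    would keep salted hashes of old passwords rather than the strings themselves.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("at least eight characters")
    if not re.search(r"\d", password):
        failures.append("at least one number")
    if not re.search(r"[a-z]", password):
        failures.append("at least one lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("at least one capital letter")
    if re.search(r"(.)\1\1", password):  # any run of three identical characters
        failures.append("no three consecutive identical characters")
    if password in previous_passwords:
        failures.append("not used in the past year")
    # Case-insensitive comparison is an assumption; the KB article does not say.
    if password.casefold() == account_name.casefold():
        failures.append("not the same as the account name")
    return failures


@dataclass
class LoginGuard:
    """Per-account counter: after MAX_FAILED_LOGINS bad passwords the account is
    disabled until a password reset, so a guesser gets at most five tries per account."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, account, offered, stored):
        """stored is the real password here for brevity; production code compares hashes."""
        if account in self.locked:
            return "locked"
        if hmac.compare_digest(offered.encode(), stored.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_LOGINS:
            self.locked.add(account)
            return "locked"
        return "rejected"

    def reset_password(self, account, new_password, account_name, history=()):
        """Unlock only if the replacement password itself passes the policy."""
        problems = check_apple_id_password(new_password, account_name, history)
        if problems:
            return problems
        self.locked.discard(account)
        self.failures[account] = 0
        return []
```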

Re:The users are just as much to blame... (1)

That Guy From Mrktng (2274712) | more than 2 years ago | (#37363892)

OP Here

What people don't realize is Apple can see the Serial Number of the device that purchased anything. If $50 worth of crap was bought on your own phone, You're responsible. An exception to the rules may be made if it was a kid or something.

Or if malware on your iPhone bought it?

Because there's so much malware on iPhones buying apps...

How do we know that's not the case? How can you be so sure? Imagine this: some app developer found a vulnerability that would grant him access to the compromised information we are talking about; he keeps the vulnerability for himself and from time to time he checks if it's still working, buying some apps from him and his buddies. That way they manage to keep a low profile and they avoid tarnishing the "Apple Security Holiness" that would affect their core business. Yes, I know Apple reviews every single app submitted, but do they analyze each and every one with the same anal retentiveness that we have come to associate with them? I don't know, but you just can't rule out an insider either.

Apple may be cool and whatever, but they still employ humans, carriers of that condition called "human nature". You're not going to tell people that because someone works for Apple he or she is automagically cleaned of any mischief, criminal or antisocial traits.

Truth is, people are still having their money taken from their wallets, and while your password politics seem right, people would like to see Apple caring a bit more, because it's not about the "volume" of people affected; it's because it can be something more serious than a simple dictionary attack or simple password recycling.

Re:The users are just as much to blame... (1)

UnknowingFool (672806) | more than 2 years ago | (#37363728)

WTF, Apple? Unless my iPhone regularly logs in to iTunes from China, temporarily pause any purchase and send me an email notifying me that an unusual IP logged into my iTunes account. Even Facebook does that. You should be ashamed.

I think the OP is referring to a phishing attack on the username and password. For example, johnsmith@yahoo.com was compromised and Mr. Smith used the same username/password for his iTunes account (which can be reset, as the attacker has his email password now).

No, I call the credit card company and tell them to reverse the charges because the grocery store clerk is too stupid not to check ID (or was complicit with the fraud).

Yes, because someone who forges a credit card has no idea how to get forged ID cards. Forged ID cards are quite rare these days. Also, grocery stores these days have automated checkout lines where they do not check IDs.

Not only are you incorrect regarding the requirements, what you list is rather pointless. A minimum of 16 characters, no limit on valid characters, is much better.

And you are sure about that how [apple.com]? 16 characters is much better, but my opinion is that 24 with biometrics is much better. I can be just as arbitrary in my opinion as well.

You're holding it wrong... (3, Funny)

quetwo (1203948) | more than 2 years ago | (#37363064)

Obligatory "You're holding it wrong" post.

Re:You're holding it wrong... (0)

Anonymous Coward | more than 2 years ago | (#37363098)

Obligatory "You're holding it wrong" post.

Err... thanks? Pointless post.

You're holding your password wrong (0)

Anonymous Coward | more than 2 years ago | (#37363082)

And history repeats itself.

Towson Hack (1)

Anonymous Coward | more than 2 years ago | (#37363132)

It's called the Towson Hack. Just google it to find out how widespread this scam is and what Apple is doing about it... not much.

Apple customers, what can you expect? (0)

Anonymous Coward | more than 2 years ago | (#37363144)

Do you really expect people that are gung-ho about only having one button and a shiny plastic cover to pay attention to things like verifying if the parent link looks legit or remembering a password longer than 5 characters?

A mystery? Really? (1)

santiagodraco (1254708) | more than 2 years ago | (#37363324)

Is this really a mystery? I'm pretty sure Apple hit the nail on the head.

For one thing, every account that was hacked should have "registered" devices. Simply track the IPs of where those devices were registered and apps downloaded, and you have a means to determine fraud from naught.
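The check proposed here and in the "pause the purchase and email me" reply above, written out as an added example (not Apple's fraud logic): a purchase is scored against the account's registered device serials, usual login country, billing details and recent spend, and held for confirmation when the score is high. The weights, thresholds, device serials and payment tokens are all constructed for illustration; the Towson zip code is the one reported in the thread.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccountProfile:
    apple_id: str
    registered_serials: set          # devices this account has been used from
    usual_countries: set             # countries seen in past logins (IP geolocation)
    billing_zip: str
    payment_id: str                  # opaque token for the stored card / PayPal account
    details_changed_at: Optional[datetime] = None  # last contact/payment details change


@dataclass
class Purchase:
    when: datetime
    device_serial: str
    country: str                     # resolved from the client IP upstream (assumed)
    billing_zip: str
    payment_id: str
    amount_usd: float


HOLD_THRESHOLD = 60    # hold the purchase and notify the account holder
NOTIFY_THRESHOLD = 30  # let it through but send an "unusual activity" email


def score_purchase(profile, purchase, recent=()):
    """Return (score, reasons). The profile is the baseline captured before the
    most recent details change, so the purchase's values can be compared to it."""
    score, reasons = 0, []
    if purchase.device_serial not in profile.registered_serials:
        score += 40; reasons.append("unregistered device serial")
    if purchase.country not in profile.usual_countries:
        score += 30; reasons.append(f"login from unusual country {purchase.country}")
    if purchase.billing_zip != profile.billing_zip:
        score += 15; reasons.append("billing address differs from profile")
    if purchase.payment_id != profile.payment_id:
        score += 15; reasons.append("payment method differs from profile")
    if profile.details_changed_at and purchase.when - profile.details_changed_at < timedelta(hours=1):
        score += 20; reasons.append("purchase within an hour of account details changing")
    # Spend velocity: several purchases inside a few minutes (as one victim described).
    window = sum(p.amount_usd for p in recent if purchase.when - p.when <= timedelta(minutes=5))
    if window + purchase.amount_usd >= 100:
        score += 30; reasons.append(f"${window + purchase.amount_usd:.2f} spent within five minutes")
    return score, reasons


def decide(score):
    if score >= HOLD_THRESHOLD:
        return "hold_and_notify"
    if score >= NOTIFY_THRESHOLD:
        return "notify"
    return "allow"


# Constructed sample data (not real accounts or devices).
T0 = datetime(2011, 5, 12, 9, 0)
PROFILE = AccountProfile("victim@example.com", {"SER-OWNER-001"}, {"US"}, "97201", "pay-7f3a")
LEGIT = Purchase(T0, "SER-OWNER-001", "US", "97201", "pay-7f3a", 4.99)
TRAVEL = Purchase(T0, "SER-OWNER-001", "FR", "97201", "pay-7f3a", 4.99)  # own device abroad
# Attacker changed contact/payment details three minutes ago, then bought three apps in a row.
SUSPECT_PROFILE = replace(PROFILE, details_changed_at=T0 - timedelta(minutes=3))
SUSPECT_BURST = [Purchase(T0 + timedelta(minutes=i), "UNKNOWN-SERIAL-01", "CN",
                          "21286-7840", "pay-stolen", 99.99) for i in range(3)]

if __name__ == "__main__":
    for prof, ev, rec in ((PROFILE, LEGIT, ()), (PROFILE, TRAVEL, ()),
                          (SUSPECT_PROFILE, SUSPECT_BURST[2], SUSPECT_BURST[:2])):
        s, why = score_purchase(prof, ev, rec)
        print(decide(s), s, why)
```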

My wife was bit (4, Interesting)

oDDmON oUT (231200) | more than 2 years ago | (#37363338)

She had a PayPal account tied to her iTunes account emptied of over $400.

Luckily her buying habits and those of the hacker/s were wildly divergent (inspirational audio books vs. FPS shooters), so she got her refund... after nearly two months.

Her password? It was at least eight characters, capitalization, numbers and special characters, and is considered "strong" by any password assessment tool you'll find.

I equate Apple's response to these attacks to the one Ford had to Pinto gas tanks.

For this to have gone on as long as it has means either the changes needed to really combat it would be bad for business, or the bean counters have decided the percentages warrant the non-response.

Re:My wife was bit (1)

DogDude (805747) | more than 2 years ago | (#37363540)

It very well could have been PayPal's fault. I don't know if you've heard, but about 10 years ago, most reasonable people came to the understanding that PayPal is not a reputable company, operating as a bank, but completely unregulated.

Happened to me (5, Interesting)

vitaflo (20507) | more than 2 years ago | (#37363352)

I had this happen to me back in May. The only reason I knew is because Apple sent me a receipt for the purchase of the app in question. When I looked online to see what the app was, it was already pulled from the App Store, but various caches online showed it was a very badly designed "game" about Chinese words, with the dev being a Chinese name. At that point I knew someone hacked my account and bought the app (yup, it was bought with credit I had on the acct).

I brought it to the attention of Apple and they immediately disabled my account. Then asked for proof that I was who I said I was. After I did so they reenabled my account, changed my password and credited me the money.

It was more of a PITA than anything, and left me scratching my head as to how they got my login info. Which is probably a worse feeling than losing $5 on an app purchase.

This happened to me (1)

ShanghaiBill (739463) | more than 2 years ago | (#37363368)

This happened to me. There were a lot of mysterious charges for apps that neither I nor my wife purchased. It turns out that my wife forgot that she had given the password to our teenage daughter.

Credit card info changed (1)

gnasher719 (869701) | more than 2 years ago | (#37363392)

Here's a weird thing: Some people posted that their credit card info has been changed. So I think the following could happen: Crook hacks into my iTunes account. Crook also has a stolen credit card. He changes the credit card info to the stolen credit card. He then uses my account with the stolen credit card to buy stuff; the money probably goes to some associate of the crook. I don't notice unless I check my iTunes account because _my_ credit card is not affected. Still bizarre.

Not. A. Hack. (2)

Anubis IV (1279820) | more than 2 years ago | (#37363406)

This isn't a mystery or a hack. It's simple phishing and social engineering. If it were a legitimate problem, it would be FAR more widespread given the size of their user base. The Macworld article even mentions that someone reported having their Paypal account "hacked" to purchase iTunes Store credit immediately after their iTunes Store account was compromised, and though it doesn't come out and say it, we can probably guess that the user had the same password for both. When you have over 200M accounts linked to credit cards, your users will be a target.

Hate passwords! (1)

rueger (210566) | more than 2 years ago | (#37363454)

The biggest challenge to getting people to use longer/better passwords is that no two sites have the same requirements. Off the top of my head my various logins require:
  • six characters or more
  • eight characters or more
  • No more than eight characters
  • at least one number
  • any combination of numbers or letters
  • at least one special character
  • no special characters
  • at least one uppercase character
  • at least one uppercase character, one number, and one special character
  • none of the above
  • all of the above
  • random questions about the name of my first pet

All of this drives me mad - I can't imagine what it does to Joe User. I basically try random variations on passwords I know I've used, then click on "Forgot Password."

This whole system is seriously broken.

Re:Hate passwords! (0)

Anonymous Coward | more than 2 years ago | (#37363738)

Exactly my thoughts. Passwords get cracked, guessed, phished or brute-forced again and again, yet site owners still use them.

"Madness: doing the same thing over and over again and expecting different results."

Happened to me. A flaw with Apple. (0)

Anonymous Coward | more than 2 years ago | (#37363758)

It has nothing to do with easily guessable passwords. It has to do with Apple's shoddy customer service, terrible support, and weak protection. I had the same issue occur with me, on an app I certainly never purchased. It was a bunch of Chinese characters, so I couldn't even read it, let alone who the developer was. Of course Apple refused to give me any contact info for the developer, and had not contacted them about it. It came down to $300+ in app purchases over a 3-minute period. I asked them, "Doesn't that seem a little fishy to you?"

The e-mail chain back and forth was comical, with them literally copying and pasting the same responses from previous e-mail threads.

Apple states that it is others' problem, so it is true (0)

Anonymous Coward | more than 2 years ago | (#37363812)

Hi,

"Apple suggests that the hack stems from weak, easily guessable passwords, and/or phishing attacks where customers are fooled into entering their passwords into hackers' forms."
br> I am sure that this must be the case: I myself have not had any problems, nor have any of my friends. Apple rox0rs when it comes to security, and they are way better then everyone else.
br> So, when did the Slashdot powers that be break simple HTML parsing?

C'mon, guys - it's not rocket science.