Reports of 'App Store Hacked' Greatly Exaggerated

Some of you guys sure are cynical.

My iTunes account was compromised...

My password is not dictionary-list crackable. I'm on a Mac, not PC. I know a phishing attempt when I see one. No, there is no keylogger on my Mac. No, a friend did not use my computer to buy $50 worth of iTunes apps at 4am in the morning.

I'm not perfect, and I'm not saying iTunes was "hacked." Just adding my story to the mix.

My account was hacked in April. First my password stopped working, then withApple's help, I discovered that several Chinese apps had been purchased and my settings changed.

hypoh said:

Some of you guys sure are cynical.

My iTunes account was compromised...

My password is not dictionary-list crackable. I'm on a Mac, not PC. I know a phishing attempt when I see one. No, there is no keylogger on my Mac. No, a friend did not use my computer to buy $50 worth of iTunes apps at 4am in the morning.

I'm not perfect, and I'm not saying iTunes was "hacked." Just adding my story to the mix.

Click to expand...

This, too, can happen with anything. My uncle told me that his PayPal account was hacked despite the fact he always uses Macs, he had no keyloggers, no phishing, nothing. And he works with Macs and does IT for a living, he knows what he's talking about when it comes to computers.

Something must have happened but it is weird, I give you that.

angryshortguy said:

My account took a hit when $65 was drained.
This is a much bigger problem then Apple refuses to acknowledge. I won't use iTunes anymore. I use Amazon for my book purchases and will jailbreak my iPad for any apps I need. Apple refuses to correct my loss with any kind of refund.
All apps purchased with my hacked account were Chinese apps.

Click to expand...

TacticalSS said:

If Apple truly does refuse to refund call your bank and declare it as fraud. They better figure out a way to refund me my $1,400 otherwise I smell a lawsuit coming.

Click to expand...

They don't need to refund you anything. If your credit card is stolen and purchases are made at Target do you demand Target refund you? NO. You contact the bank. Apple isn't responsible to refund you anything and the proper means of getting your credit fraud resolved is to contact your credit card.

Good thing my password is in a different language that is quickly about to become extinct, is at least 14 characters and uses numbers and cymbals. I check my account regularly and nothing suspicious here.

tkingart said:

whatever the number of people that were affected, this is what concerns me:

- Apple didn't catch it right away.
- There is an obvious flaw in a system when it allows volume purchases of something and/or allowing purchases of a suspicious nature.
- Our iTunes accounts are not safe as we have been led to believe.

I certainly hope it's greatly exaggerated, and that it leads to something put in place to protect consumers from it.

What does all this mean then (at the place you quoted your source from):
http://thenextweb.com/apple/2010/07/04/appstore-hack-itunes/

Edit:

I do think that "hacked" is the wrong word, it should read "compromised".

Click to expand...

See my posts numbered 51 and 59.
iTunes accounts are safe at iTunes. They are not safe at peoples PC and Mac. People are lazy and use weak passwords, they also use combination of words in a dictionary, these are preditable passwords.

To top it off there are tojans and keyloggers and there are botnets.

Heck they can make your PC a zombi, and have it start iTunes and start buying what ever they want. That way the purchase came from your computer, your ISP is regestering your MAC address, the IP address is recorded by Apple, and all of a sudden THERE IS NO DETECTABLE DIFFERENCE BETWEEN YOU BUYING SOMETHING AND THE HACKER FORCING YOUR COMPUTER TO BUY SOMETHING.

The only way of detecting is to look at the your normal habits and also looking at what other people are purchasing and that still is only a guide or clue that something maybe wrong.

Could Apple have detected the issue earlier? - Maybe but not a sure thing.
SHould they have attempted to stop it? - They did but maybe they should not have. It is ones responsability to guard our credentials and not have them stolen. Apple responsability is to protect the actual account, credit card stored and the web site, all of which reside at their site. Helping you out after someone credentials are stolen is not the law and it is done as a favor and within their ability to detect anomalies.

Anomaly detection is done by credit cards all the time, I am sure Apple has something in place but how good it maybe hard to say.

The stock market has the same issue as I stated in my previous posts and they trade a lot more money than Apple. If the hack is on the workstation, there is little that Apple or the Stock market can do to prevent it.

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7)

Seems there has been too much exaggerated and overblown reporting as of late.

JQW said:

Could it be a money laundering scam?

There was a case in the UK a year or two ago where money launderers were using the iTunes store to convert cash into a bank account via iTunes vouchers. The vouchers were being used to purchase particular albums back then.

It's possible that the very same is happening here.

Click to expand...

Yes it is highly possible that that was one of the intended results:
1) They pad their rating by buying their own app with someone lese money.
2) Apple sends them a check for 70% of the money others spend purchasing their app. Legit earnings from a legit company.

That is money laundering, and it has a great return. Most money laundering operations pay 20 to 50 cents on the dollar to "launder". This one pays 70%.

I do think that the iTunes servers were probably not attacked directly, but, as many stated already, the credentials were spied out/phished/sniffed from individual computers beforehand.

However iTunes system as a whole is somewhat compromised or at least was attacked. It is an integral part of the simplicity of shopping in iTunes that they have all the information to handle the payment securely. If that trust becomes attacked, the whole system is under attack. And while I don't see any immediate danger for Apple, I think they will work hard to keep that customer trust in place.

Which is also why I do believe Apple will refund all the customers (after all it is only digital goods purchased and they themselfs will not pay the developers). Apple has in the past always been extremely helpful when it came to refunds or redownloads for everything I purchased from iTunes, I don't see why that would not be the case here.

T.

PS: Without any reliable numbers it is somewhat difficult to claim that the story was "blown up by the media". There at least seem to be a good number of people hit, if it is enough to mess up the top sales lists for an entire section.

charlituna said:

Add to it that there's no proof that even one person was affected and you have what could amount to a non story.

yeah, a couple of folks said in the reviews they were hacked but perhaps they were part of this 'padding' ring. We really don't know. Perhaps as someone suggested this was done by someone pissed at the developer who wanted to get him tossed out. So they pad his numbers using a bunch of fake accounts, toss in a couple of 'i was hacked' messages to up the alleged dirty moves and sit back and see what happens

We simply don't know.

And even if they were "hacked" how do we know that it was some major spree and they weren't victims of letting a boy/girlfriend use their computer where the password was saved in the system bypassing manual entry each time. Or that they didn't use some idiot simple password, etc

There's very little proof of anything other than a momentarily surge in one guys sales that didn't even last more than a couple of hours

Click to expand...

Then I must be the one proof positive that my account was hacked.. I have the emails to prove it..

I'm using a Mac, not a PC.. so squash the Macs are invincible theory..

And I also never download to my Mac, I download 99% from my phone...

To me it sounds more like an attack on accounts in the back-end, rather than a key-logging scenario.

To those blowing this off, would it really hurt to check your accounts just in case?

Just sayin...

it's your money after all..

chris200x9 said:

+1 either they got a trojan on their mac, or a rogue app got their info. Funny how android got a rogue app and everybody here was like "ZOMG!!!111"

Click to expand...

Pretty sure they were phished through email.

Nice try though.

Warbrain said:

They don't need to refund you anything. If your credit card is stolen and purchases are made at Target do you demand Target refund you? NO. You contact the bank. Apple isn't responsible to refund you anything and the proper means of getting your credit fraud resolved is to contact your credit card.

Click to expand...

I don't usually agree with this Warbrain fellow, but in this case he is 100% correct.

NO merchant gives a good goddam if you claim you didn't make a given purchase. How would they know? If they give you a "refund", they might as well close up shop since every scammer on the planet will then buy stuff, say they didn't, get refunded and then sell the item.

It was credit card fraud, and you need to talk to the card company.

Seriously, stop and think for two seconds before you bray like sheep. Jesus.

Nord said:

I doubt that, why would websites recommend long passwords if they're just as inefficient as shorter ones as you claim ? In that case, who cares about long passwords ?
That simply isn't true. I'm no expert of course, but I know that with 20 characters, there are quadrillions of combinations (I don't make the maths, I'll let you do it if it bothers you), making it impossible to crack, even for a machine and a life time isn't enough to crack it, and even if it was, finding another way to enter would take less time than find it.

Length is much more secure than "complexity" (adding $ and otehr &, %) onto a short password, it's good, but not enough and won't be as efficient than using normal alphabet, random at best, with a 20+ long password.

Click to expand...

Thank you for saying what I just said

Apple's responsibility

Apple designed iTunes; it's Apple's responsibility to make it as secure as practicable. And, yeah, phishing and botnets and keylogging and trojans exist and have for years. Apple can't avoid its responsibility (as some people here are suggesting) by simply claiming "user error" and washing their hands of the situation. There are several things that Apple could do to make iTunes more secure, none of which are at all complicated.

1. The first thing that Apple should do is have some sort of daily transaction limit (with an opt-out, of course) of, say, $50. This would not only help limit your losses, but would also protect you if you accidentally clicked "buy" on a $1000 app.

2. Apple should have some sort of computer authentication program like banks use.

3. Apple should have some sort of anti-phishing program in the iTunes store, also like banks use.

I'm sure none of these are impervious to hacking, etc. But they would go some way towards making iTunes more secure.

As a temporary measure, though, I like using gift cards to limit losses.

gceo said:

Pretty sure they were phished through email.

Nice try though.

Click to expand...

Pretty sure you are not sure. That is unless you were either the one that did it, or have information on the investigation.

alskdj said:

Vietnam isn't part of China btw. Why the random rant? Ah, saw your location status. Makes sense now

Click to expand...

Random rant?!? China DOES have a horrendous human right record, they ARE a cybercrime power, and they DO function as a copyright free zone.

China's leadership is one of the most transparently evil governments on the planet.

But this is a "random rant?" where are you posting from, Bejing?

coleridge78 said:

I don't usually agree with this Warbrain fellow, but in this case he is 100% correct.

NO merchant gives a good goddam if you claim you didn't make a given purchase. How would they know? If they give you a "refund", they might as well close up shop since every scammer on the planet will then buy stuff, say they didn't, get refunded and then sell the item.

It was credit card fraud, and you need to talk to the card company.

Seriously, stop and think for two seconds before you bray like sheep. Jesus.

Click to expand...

Actually, then it depends on whether the merchant was PCI compliant... If not, then the bank comes after them for the money anyway.

So yeah, the merchant DOES care, cause they may have to pay for it. IF they weren't compliant.

Safe harbor is a lot harder to get these days...

RobertMartens said:

Man, how stupid can you be? You just told everyone at MacRumors your password. I'm going to log in to your account now and delete this post.

Don't let this happen again. Lou's leaps sink sheeps.

Click to expand...

man, someone must take this serious..

Dear SBlue1,

Your account on Mac Forums has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 129.173.67.111

Click to expand...

Of course my password is NOT 123456... jesus!

muziq said:

Then I must be the one proof positive that my account was hacked.. I have the emails to prove it..

I'm using a Mac, not a PC.. so squash the Macs are invincible theory..

And I also never download to my Mac, I download 99% from my phone...

To me it sounds more like an attack on accounts in the back-end, rather than a key-logging scenario.

To those blowing this off, would it really hurt to check your accounts just in case?

Just sayin...

it's your money after all..

Click to expand...

My account is fine, no charges.

You use your phone to do downloading, Is your iPhone hacked / Cracked / Freed in any way? Are you running a pristine (factory) iPhone?

Ok so now can someone please let me know then what is up with those cellphone tracker apps that appear out of nowhere in the top 10 of the iPhone app store. People aren't that stupid that a new version is released from some dev and it zooms up the charts. Or that mirror app that did nothing but display frames around the iPhone screen and had about 500 one star ratings all saying DONOT BUY and WTF but the app store showed a 4 star rating. After they reach a zenith of complaints they disappear and reappear a few months later. Watch. We're due for a cell phone tracker scam app to appear out of no where any day now. Something is being hacked.

muskratboy said:

Actually, then it depends on whether the merchant was PCI compliant... If not, then the bank comes after them for the money anyway.

So yeah, the merchant DOES care, cause they may have to pay for it. IF they weren't compliant.

Safe harbor is a lot harder to get these days...

Click to expand...

That makes the merchant care about "securing" their own systems. It is totally irrelevant to the question of whether the merchant makes a habit of giving a refund to every unverified "fraud!" claim.

-signed, the guy who used to write x.509 cert software and read the PCI docs to stay employed.

muskratboy said:

Random rant?!? China DOES have a horrendous human right record, they ARE a cybercrime power, and they DO function as a copyright free zone.

China's leadership is one of the most transparently evil governments on the planet.

But this is a "random rant?" where are you posting from, Bejing?

Click to expand...

Yes, China does have a horrendous human rights record etc. But this is not the place, not even the right thread for it. Unless you think Vietnam is part of China, it is a random rant.

Oh, and just to clarify for you, New Zealand isn't part of China either

RangerXML said:

Yes, because in the order of 50-250 accounts being hacked

Click to expand...

prove they hacked 50-250 accounts and didn't hack maybe 10 and the rest were a team of folks with a stack of gift cards paid in cash and a bunch of fresh gmail address to create users to make the buys.

coleridge78 said:

I don't usually agree with this Warbrain fellow, but in this case he is 100% correct.

NO merchant gives a good goddam if you claim you didn't make a given purchase. How would they know? If they give you a "refund", they might as well close up shop since every scammer on the planet will then buy stuff, say they didn't, get refunded and then sell the item.

It was credit card fraud, and you need to talk to the card company.

Seriously, stop and think for two seconds before you bray like sheep. Jesus.

Click to expand...

Itunes responded to me really quick. Wiped a pending $20 charge and said that since I had already disputed with my card carrier that they would not argue any charge back.....that they would be happy to give me my $80 back.

I am actually quite surprised how quick and personable the response was. I only have to respond to one person. She even gave me her schedule for the next 2 weeks in case I had any further questions. She disabled the 4 ( I only have one mac ) machines attached to my iTunes, erased my card number and disabled the account. All within 24 hours. She also said they were having a big influx of emails and that is why it took them so long to get back to me.

Also, it wasn't just books or whatever that were bought, it was all kinds of games, apps and some music.

I also protect all my stuff with strong passwords and try to browse safely......if it was a Keylogger or whatever, why not buy stuff from amazon or paypal where they could get more stuff....more usable stuff than just apps?

Warbrain said:

They don't need to refund you anything. If your credit card is stolen and purchases are made at Target do you demand Target refund you? NO. You contact the bank. Apple isn't responsible to refund you anything and the proper means of getting your credit fraud resolved is to contact your credit card.

Click to expand...

You fill out a reverse charges form and if your bank is a good bank, request an investigation. I don't know about MasterCard, but Visa has a form of buyers insurance that comes with membership.