New MacBook Pros are here! Get the lowest prices anywhere: Apple Price Guides updated July 31st (exclusive coupons)
 


Thursday, February 09, 2012, 08:50 pm PT (11:50 pm ET)

iTunes customers facing mysterious account hacks, disappearing gift card money

Scattered reports from customers suggest that Apple continues to have a difficult time combating hackers who are draining iTunes account balances and changing account information.

Earlier this week, The Global Mail called attention (via CNet) to an Apple Support Community thread with more than 70 pages of responses dating as far back as Nov. 2010.

According to the thread and others like it, numerous iTunes customers were victims of fraudulent app purchases that drained gift card credits from their accounts. Others reported charges to their PayPal or credit card accounts and changes to their account information.

Given that the issue has persisted intermittently for over a year, some customers have begun to speculate that Apple has kept the problem under wraps despite not having fully resolved it. "It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it," forum user "glight" wrote.

When contacted by the publication, Apple responded with a generic statement assuring the security of its ecommerce transactions.

"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the company said.

Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked. In 2009, iTunes gift vouchers surfaced on Chinese websites for pennies on the dollar after hackers allegedly discovered a way to generate codes.

Another method has been described on forums as early as 2010. Sellers on TaoBao, the Chinese equivalent of eBay, have in the past offered a service that temporarily hijacked legitimate users' account to allow buyers to download batches of apps until eventually being locked out. The sellers would allegedly monitor compromised accounts and then change their information to a dummy address upon finding a customer.

Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.

Kingdom Conquest reviews

"Kingdom Conquest" has attracted negative reviews as customers report being the victim of fraudulent purchases or hijacked accounts.


Ty Miller, chief technology officer at security firm Pure Hacking, speculated that Apple has decided that refunding fraudulent transactions is more cost effective than fixing the system.

"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix then they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller said.