Earlier this week, The Global Mail called attention (via CNet) to an Apple Support Community thread with more than 70 pages of responses dating as far back as Nov. 2010.
According to the thread and others like it, numerous iTunes customers were victims of fraudulent app purchases that drained gift card credits from their accounts. Others reported charges to their PayPal or credit card accounts and changes to their account information.
Given that the issue has persisted intermittently for over a year, some customers have begun to speculate that Apple has kept the problem under wraps despite not having fully resolved it. "It is very apparent that Apple iTunes has a big problem on their hands, and they are keeping quiet about it," forum user "glight" wrote.
When contacted by the publication, Apple responded with a generic statement assuring the security of its ecommerce transactions.
"Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected," the company said.
Though Apple has yet to confirm the reasons behind the account hacks, one possible explanation is that the company's iTunes gift card algorithm has been cracked. In 2009, iTunes gift vouchers surfaced on Chinese websites for pennies on the dollar after hackers allegedly discovered a way to generate codes.
Another method has been described on forums as early as 2010. Sellers on TaoBao, the Chinese equivalent of eBay, have in the past offered a service that temporarily hijacked legitimate users' account to allow buyers to download batches of apps until eventually being locked out. The sellers would allegedly monitor compromised accounts and then change their information to a dummy address upon finding a customer.
Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.
"Kingdom Conquest" has attracted negative reviews as customers report being the victim of fraudulent purchases or hijacked accounts.
Ty Miller, chief technology officer at security firm Pure Hacking, speculated that Apple has decided that refunding fraudulent transactions is more cost effective than fixing the system.
"Either Apple has accepted the risk of the fraudulent transactions and they're happy to reimburse the money because it may cost a lot more to fix then they're actually losing. [Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works," Miller said.
67 Comments
Some apps have also been flagged as frequent targets for fraudulent purchases. For instance, multiple Apple Support Community posts have listed unauthorized in-app purchases from within the "Kingdom Conquest" app.
You scared me there for a moment! The name "Kingdom Conquest" sounded real familiar to me and I remember buying a game recently which I've been playing a bit and I just quickly checked it on my iPad and the game which I'd been playing is called "Kingdom Rush", which happens to be a pretty good Tower Defense game.
Phew. I dealt with some telephone scammers awhile ago, and even had the FBI involved. I don't need to be dealing with any app scammers too.
These people need to be behind bars and molested at least four times a week. That'll teach them not to scam people.
Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.
If iTunes servers have been hacked — which I doubt — then this could be a problem for adding NFC to the iPhone which i think Apple will tie into their iTS account ecosystem.
PS: Anyone that is concerned can go into the iTunes Store, click on their email address in the upper-right hand corner to access their Acccount Information, click See All under Purchase History and make sure that all purchases are accurate.
Gift card fraud happened to my daughter. It took many communications, and 2 months or more to resolve this, and the card was purchased directly from Apple, not from some third party vendor.
The speculations in the article may be correct, but I suggested to Apple, given what happened to me, that our scenario sounded like an inside job. I don't know how the iTunes gift card process works and whether Apple is actually handling iTunes, or they have contracted this process to others (which I suspect, given the international flavor of iTunes gift cards). So "inside-job" might refer to Apple's gift card vendors.
Having your account hacked isn't a big deal for Apple but having iTunes servers hacked is. Apple can take precautions to get users to create decent passwords and not give out personal information but they are not responsible for blatant user error.
This seems to be more about compromised gift cards than hacked personal passwords and the like. Luckily for me, I've never used or purchased any Apple gift card, and I don't plan on doing it in the future either.
they are not responsible for blatant user error.
That's a cop out.
It's Apple's responsibility to ensure it is easy for its users to secure their accounts.
For example I should be able to limit my account to authenticated devices and/or use a two-step logon process with iMessage on my iPhone.