Apple Confirms iTunes Account Hacks, Beefs Up Security

by Gordon Kelly

I mentioned in our Apple Finally Admits iPhone 4 Antenna Problem story (wow, those comments just keep on coming) that there had also been widespread reports iTunes accounts had been hacked. This caused some alarm to you guys, so thankfully Apple has stepped forward with a clarification.

Speaking to the New York Times (yes, why put such news on your official site?!), Apple spokesperson Trudy Muller confirmed there had indeed been a successful hack on iTunes accounts, but that only 400 users had been affected. She declined to elaborate on how the accounts were compromised, but said Apple servers holding credit card data were not attacked. "There was no hack into iTunes," she added.

The incident began when Vietnam-based developer Thuat Nguyen broke into user accounts in order to buy his own apps with them. Consequently 42 of his apps appeared in the top 50 of Apple's book category, which suggests either these 400 accounts were taken to the cleaners or Apple's book category isn't very popular yet.

Given the incident is likely only to encourage other unscrupulous types to have a go, Muller confirmed Apple will boost its iTunes security, with users required to enter their credit card security code more frequently. Apple will not be refunding affected customers, instead saying the fraud is to be dealt with by their card companies – harsh, but in character. The incident isn't the first in iTunes' history: voucher codes were compromised early last year.

Expect copycat attempts to hack the likes of Android Marketplace and Nokia's Ovi store – actually, there's probably little point in going after the latter right now.

In related news, Ars Technica has found Android 2.2 to "demolish" iOS 4 in browser JavaScript performance, scoring 5,795.2 to iOS 4's 10,902.1 (lower is better) in SunSpider and 67 to 287 in V8 (higher is better). Android 2.2 and iOS 4 are both major improvements on their predecessors, but mobile Safari certainly hasn't had much love and attention recently. Then again, the same could be said of Android's media player.

Source: New York Times

Keithe6e

July 7, 2010, 6:48 pm

Ok, before @Jay, @LetsGo and company jump in.

"Apple will not be refunding affected customers"

No, I don't agree with Apple here. There you go, I said it.

DrDark

July 7, 2010, 7:14 pm

@Keith: Hey, how come I don't get an exclusive mention and am relegated to "company"?!

Jay4d0

July 7, 2010, 7:44 pm

Your attitude stinks, Keith. Grow up. I am NOT an Apple hater and never said I was, although I do dislike Apple's big-headed statements like calling a device magical and saying that they invented video calling. Even though I will not be buying the iPhone, as other phones are far more functional to me, I am an avid lover of the iPod line and now the iPod touch, as it brings the best of the iPhone and all the apps; then as a byproduct I have the best of multiple platforms/app stores and greater access to the internet.

As for Apple not refunding: technically you do claim it from your credit card company (they refund you) and then they take the effort to claim the money from Apple. I don't know what happens with debit cards, as I personally only use (and recommend to everyone to only use) a better-protected credit card on the internet, and in the case of iTunes only use a gift card, if only for the fact that a £20 card can be had for £15 from reliable shops (not eBay).

Ala Miah

July 7, 2010, 8:05 pm

Apple should be refunding those customers, not banks.

It's not like the hacker stole credit card info and bought a bunch of stuff from Amazon or Play.com. He hacked into their iTunes account, which has their credit card info stored. He did not access or see any credit card information. It is totally Apple's responsibility because the hack exploited a vulnerability in their software.

Andy Vandervell

July 7, 2010, 8:07 pm

Try and keep it civil chaps, thank you.

Keithe6e

July 7, 2010, 8:27 pm

@Jay: "Your attitude stinks, Keith."

I've now been called a liar, I stink, fanboy, and then you tell me to grow up. I'll make a deal: stop assuming I'm a fanboy, and I'll stop assuming you're an Apple hater. Deal?

@drdark: "@Keith: Hey, how come I don't get an exclusive mention and am relegated to "company"?!"

Sorry. I'll make up for it some other day, kisses.. xxx

Chris

July 7, 2010, 8:29 pm

"Vietnam-based developer Thuat Nguyen broke into user accounts"

Surely this is the first thing Apple should be fixing, never mind a CVC check? That and, as Ala Miah points out, some of the responsibility should fall to Apple here...

Chris

July 7, 2010, 8:32 pm

"...our 'Apple Finally Admits iPhone 4 Antenna Problem' story (wow, those comments just keep on coming)"

Sure, but the last 20 comments have degraded to a flamewar...

I'm staying out of this.

smc8788

July 7, 2010, 8:45 pm

Stupidest hacker ever? A strong contender, I feel.

Jones

July 7, 2010, 9:10 pm

A mate of mine's other half was ripped off via iTunes recently, maybe 6 or 7 weeks ago. Some Korean managed to hack her iTunes account, purchase some app or something that costs the £ equivalent of approx £700 (no joke! 1 app - must be some sort of con?) and then bought another £100 or so of apps. This was all on a debit card, rather than credit.

A few days later she realised what had happened and immediately phoned Apple, who were useless by all accounts. They refused to acknowledge how any of this was her fault and actually suggested that she may have bought them while either on some phantom holiday Apple dreamed up or a holiday she was planning to take!

So, she tried her bank who, while not obliged to, bearing in mind it is a debit card, accepted the circumstances, refunded her the money she lost and stated they would be taking it up with Apple themselves.

In short, two examples of polar opposites in customer service. I still haven't learned my lesson and use a debit card - but then I only ever seem to have peanuts in my account anyway!!!

Jones

July 7, 2010, 9:12 pm

I should really have read the story better! Obviously my pal's story and this Vietnamese (spelling?) one are linked, rather than Korean!

gagagaga

July 7, 2010, 9:20 pm

Are Apple PCI DSS compliant? Cos this doesn't sound like they are protecting the credit card info sufficiently ...

Gordon394

July 7, 2010, 9:25 pm

@smc8788 - gotta be right up there!

Chris

July 7, 2010, 9:46 pm

@gagagaga: By the sounds of it, no credit card numbers were compromised, just the iTunes accounts linked to them. All of these purchases were made through the iTunes accounts.

These credit card numbers are one of Apple's greatest assets. The iTunes/App/Book store wouldn't work if users had to type in their details for every 49p purchase; often the customer just wouldn't bother.

Keithe6e

July 7, 2010, 10:33 pm

@smc8788: Surely depends on how much money he made :)

@Chris: Yes, don't think I'd like typing CC details in every time; maybe Apple could have a checkbox that you could check to say you understand what phishing is, and you're no sucker to them!!

Sunny 1

July 7, 2010, 11:51 pm

OK! Let me get this right!

The iTunes accounts got hacked, right? Because these users (400 of them) bought this app from some Vietnamese dev, right?

Even with Apple's restrictions on app types and strict checks on developer criteria, this can happen when they have billions of app developers for millions of customers.

But isn't the issue a bit more serious than just some random account hack?

Because when those users chose to install that one app (which in turn bought the other apps), did the user give up all the details like the log-in details to the dev?

Or was the app spyware or a trojan horse in itself that collected the data to send it to the dev once the app was installed and run?

If I'm getting the story right, what went on was:

"I (the user) installed an app from the App Store on my iPhone (obviously! How many people buy their apps sitting at a desktop PC?). Of course I had to type my password to authorise the purchase (did it get stolen then and there? Highly unlikely).

After the purchase, well, I use the app (that's why I got it in the first place). When I use this app it either opens an access port to the device for backdoor comms or becomes a key logger to copy my App Store login details.

Or did it say it would need me to type in my App Store login to get authorisation?

Either way the app got my details and then sent them off to the dev, without any kind of authorisation from the user to communicate with the dev!?

Then the dev used my login credentials to log himself in and used my account to buy loads of his apps."

Does anyone see the problem here?

This means that there is a major flaw in iOS which enables the dev to have access to your details without the user's knowledge, or backdoor communication to send info to the dev.

Or maybe I'm overreacting to a small piece of news on the "New York Times" which I didn't even understand properly.

J4cK1505

July 8, 2010, 1:22 am

Anyone else lol at him having 42 out of the 50 most downloaded apps.... It's like, what was he thinking?

Keithe6e

July 8, 2010, 2:31 am

@Sunny: "I didn't even understand properly."

From what I can gather it's from phishing. In one respect I think the term hacking is slightly misleading; it's not a security hole, or Apple servers being hacked. Basically phishing is where a pretend website that looks like Apple is set up; unsuspecting individuals are then sent to this website from a fake email asking them to confirm their username/password. Once this has happened, the scammer then uses these usernames/passwords to buy lots of his apps from the App Store, making him money.

It's actually a very hard thing to defend against, because if the correct username/password is used, Apple have no easy way of knowing if it's legit or not. The weakest link in the chain unfortunately is the user who has fallen for the scam :(

One way might be to detect IPs being used for purchases, and if lots of accounts purchasing lots of apps is detected, ban that IP. The only problem here is if the attacker is using a network of compromised PCs to make the purchases.

The best defence is educating the user: if you ever get an email asking you to log in and confirm your username/password, ignore it. Or if you really believe it to be legit, then go directly to the website and don't click the hyperlink in the email.

Jay4d0

July 8, 2010, 3:16 am

@keith: deal

purephase

July 8, 2010, 12:51 pm

I don't get why everyone is implying the hacker must be stupid - surely they do this stuff to get noticed and make an impact - not for financial gain. That then implies getting caught! I would think 42 out of 50 apps in the sales chart would have made him very satisfied with his work.

Chris

July 8, 2010, 4:31 pm

Just to clarify, I *think* this is what happened:

- Hacker gains usernames and passwords to 400 iTunes accounts, possibly through phishing scams or trojans. Apple are keeping mum on this one, which is understandable.
- Hacker creates 42 dummy apps and submits them to the App Store, each selling for a price of $4.99.
- Hacker uses his 400 compromised accounts to purchase these dummy apps, possibly multiple times for each app. The hacker does not receive any credit card details by doing this, since the purchase is a 'one-click' affair that's automated by iTunes.
- Hacker receives $100 to $1400 from each compromised account.
- 42 dummy apps shoot straight to the top of the 'best seller' list.
- The Vietnamese hacker, Thuat Nguyen, who was trying to keep a low profile, is now Apple's most prolific book app seller and everyone knows who he is, hence he's pretty dumb.

The term 'hacker' may even be inaccurate here, as it's possible that no true hacking was performed to achieve this.
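Keith's suggestion earlier in the thread (watch the IPs purchases come from and ban an address that buys through lots of accounts, unless the buyer uses a botnet) and the purchase pattern Chris lays out above (hundreds of accounts funnelling money to one developer's dummy apps) can both be expressed as velocity checks over a purchase log. The code below is an added example, not from the article or any commenter, and runs over a constructed log; it shows that the per-IP rule catches purchases routed through one address but is blind to a botnet, while counting distinct accounts paying one developer in a short burst flags both cases.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample purchase log (not real App Store data). Each record is
# (timestamp, buyer account, source IP, developer paid, price in USD).
T0 = datetime(2010, 7, 7, 12, 0)
PURCHASES = []
# Case 1: one source IP drains five different accounts on one developer's apps.
for i in range(5):
    PURCHASES.append((T0 + timedelta(minutes=i), f"victim{i}", "198.51.100.7", "dev-x", 4.99))
# Case 2: same scheme, but every purchase comes from a different IP (a botnet),
# so a per-IP rule sees only one account per address.
for i in range(5):
    PURCHASES.append((T0 + timedelta(minutes=30 + i), f"victim{10 + i}", f"203.0.113.{i}", "dev-y", 4.99))
# Background: ordinary purchases from separate buyers hours apart.
PURCHASES.append((T0 + timedelta(hours=3), "alice", "192.0.2.10", "dev-legit", 0.99))
PURCHASES.append((T0 + timedelta(hours=9), "bob", "192.0.2.11", "dev-legit", 0.99))

def velocity_alerts(purchases, key, window, min_accounts):
    """Return the keys (source IPs or developers) that receive purchases from at
    least min_accounts distinct accounts inside some sliding window of length window."""
    by_key = defaultdict(list)
    for ts, account, ip, dev, _price in purchases:
        by_key[ip if key == "ip" else dev].append((ts, account))
    flagged = set()
    for k, events in by_key.items():
        events.sort()
        for i, (end, _) in enumerate(events):
            # Distinct accounts whose purchase time falls in [end - window, end].
            recent = {acct for ts, acct in events[: i + 1] if end - ts <= window}
            if len(recent) >= min_accounts:
                flagged.add(k)
                break
    return flagged

def ip_velocity_alerts(purchases, window=timedelta(minutes=15), min_accounts=4):
    """Keith's heuristic: many distinct accounts purchasing from one IP."""
    return velocity_alerts(purchases, "ip", window, min_accounts)

def developer_velocity_alerts(purchases, window=timedelta(minutes=15), min_accounts=4):
    """Payee-side rule: many distinct accounts paying one developer in a short
    burst, which holds however many IPs the buyer is spread across."""
    return velocity_alerts(purchases, "dev", window, min_accounts)

if __name__ == "__main__":
    print("IP alerts:", ip_velocity_alerts(PURCHASES))                # {'198.51.100.7'}
    print("Developer alerts:", developer_velocity_alerts(PURCHASES))  # {'dev-x', 'dev-y'}
```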

Jones

July 8, 2010, 4:54 pm

@Chris - Quite possibly, but one of the apps sold cost several hundred pounds. Perhaps my mate's experience is in relation to a separate tale, but he got stung for £700ish on one app alone!

The basic moral of the story is - don't link your debit/credit card to iTunes. Stick to the alternatives.

smc8788

July 8, 2010, 5:23 pm

Does anyone not find it a bit odd that Apple have said only 400 accounts have been hacked? I think that is either a gross underestimation or an outright lie.

I mean, the Internet is a big place and I've personally seen a few people posting that their accounts have been hacked. Also, consider the number of iPhone, iPad, and iPod Touch users out there, and it seems extremely unlikely that this hacker's apps could shoot straight to the top of the bestseller list with just 400 purchases of each. Surely there must be better selling apps out there than that?

Chris

July 8, 2010, 5:53 pm

It's possible that only 400 accounts have been attacked by this bloke, but that assumes that he purchased each app multiple times from each account. From what I've read, it sounds like there are a lot of similar scams going on.

Here's an interesting read if you're so inclined:

http://appleinsider.com/articl...

Jay4d0

July 9, 2010, 4:43 pm

@Chris: in that particular category the sales for ranks 10-50 were only about 250 or fewer products sold, so to put your app in the top 50, 400 accounts would be more than enough.

I also read that hacked (or phished) accounts could be used for money laundering, as the criminal would get a 70% return on their app, which is apparently good, the article said.

Also, from the millions of active iTunes accounts it is a statistical fact that a minimum of 400 people would have fallen to a phishing scam; doesn't explain the 'tech savvy' being compromised though.
