Apple responds on iTunes fraud, vaguely confirms said fraud (update)
Over the weekend we saw reports of what appeared to be fraud occurring in the iTunes system -- namely, a rogue developer had somehow managed to snag 42 of the top 50 sales positions in the App Store's "book" category with seemingly bogus content. It looked as if there was some correlation between those suspicious sales and word of an increase in iTunes account fraud, but Apple had been mum on the subject over the holiday weekend. We've finally gotten a response from the company, and the folks in Cupertino say that the developer in question -- a gentleman named Thuat Nguyen -- has been chucked out of the Store altogether. Additionally, while they don't explicitly say fraud occurred, they suggest you check with your bank and kill your card if any of your info was stolen... which seems to suggest that something funky happened to some users. Here it is from the horse's mouth:
The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.
Developers do not receive any iTunes confidential customer data when an app is downloaded.
If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.
So it looks like even the walled garden isn't impervious to attacks -- here's hoping the problems were limited to a small group of people. Have any of you guys noticed strange charges on your account? Double check it right now!
Update: Apple pinged our old buddy Clayton Morris with the damage report and claims it's fairly low -- roughly 400 iTunes users were hit, all told. While that's a pretty small percentage of the reported 150 million Apple serves daily, the company said new security measures are in place anyhow: according to Morris, iTunes will ask for the verification code on the back of your credit card "a little more often" from now on.
Apple seems to vaguely confirm a lot of things these days.
@greyseal
Yeah. It would be a lot more helpful to consumers if some details were given. Were passwords stolen? Was credit card info stolen? What exactly was the nature of the breach?
But then again, the consumer doesn't seem to be Apple's "Job 1" these days.
@NHAnimator
The last thing Apple wants is its user base thinking for themselves. They just want you to sit back, relax, and let them take care of whatever might have gone wrong. Until the issue is on their end, then they will deny that there was a problem at all.
@greyseal I see as well (from the comment) that Apple is not taking any responsibility for the possibility of stolen information by saying, "If your credit card or iTunes password is stolen..." "IF" basically, (nothing was stolen from us so act as you would in any situation if your card was stolen)... generic, generic, generic.
So, either something was or was not... but the overall scare might make those already worried flood their financial services with contacts. I feel bad for the banks that have to handle Apple's lack of information.
Might have been better to advise that either "nothing was stolen" or those in groups a, b, and c were stolen. At least it's honest and more organized.
@NHAnimator
It was most likely a keylogger virus, or fake site that was stealing itunes usernames/passwords.
If itunes user data could be stolen don't you think the person would rather take and run with the thousands of credit cards rather than purchasing his app?
@NHAnimator
The consumer has never been Apple's #1 concern, the consumers' money has been.
Nothing new here.
@greyseal : There were strange charges on my account, but they were made by me. :)
@tikigawd
You mean like every company out there gunning for profit?
@Sled
If you steal someone's iTunes user name and password, you don't instantly have access to their credit card number. When you log into your iTunes account, iTunes will only show you the last four digits of the credit card. Even if you try to edit the credit card information, they don't show you the whole credit card number.
So the only real damaging thing you can do is buy stuff from Apple. God, it's depressing how many people on this site don't actually know how the technology in question works.
@NHAnimator
makes me wonder if they are Apple's "Job 5" instead.
@QwaF
Sure, but at least some companies accept responsibility when info is stolen.
Apple? Not so much.
@QwaF
Also, some companies at least make an effort to relate to the customer, and it shows when things go wrong.
Apple? Not so much.
Almost everyone has been happy with Apple because things have been good for the most part. But their true colors are showing now to a wider range of people. They burned me years ago and lost me as a customer as a result. Hopefully the recent issues will either get them to wake up out of their arrogance, or help in their demise.
@greyseal I'm waiting for the retracting statement.
@Sled Not really, just buying an app instead of running off to spend hundreds of dollars per card reduces the risk of the owner noticing that they're being "tapped".
@NHAnimator
>But then again, the consumer doesn't seem to be Apple's "Job 1" these days.
Really? Apple sure made a lot of people happy with the latest iPhone.
@greyseal Is there a single Apple article on this site that isn't written by the ultimate Apple fanboy known as Joshua Topolsky?
@greyseal
Hey Steve Jobs "you're holding my credit card information wrong"
@greyseal
Why is there any ambiguity? Isn't it really one of two issues?
1. The developer was able to game the system by getting his products ranked higher - thus making them potentially more enticing to customers. If this is the case, Apple's response is appropriate. No harm to actual consumers (unless someone bought a book based off the rankings).
2. The developer was able to purchase his content through different iTunes accounts. In this case, the consumer's account was compromised and money went from their credit card to Apple. If this happened then all Apple has to do is notify the impacted accounts, reverse charges for fraudulent purchases, and fix whatever happened that allowed this to occur in the first place. I'm a little unclear how a hacker could obtain your credit card information since it isn't viewable in your iTunes account. They should have been able to only purchase stuff through iTunes in that case.
Now - if there is a broader breach - one that compromised actual credit card numbers then Apple needs to be more clear about what happened. Did the hackers compromise the integrity of the Apple database that stores this information?
@Itchy Britches
Lol, dude you are an idiot. Obviously you can't obtain credit card info using an itunes account. People think that someone hacked itunes revealing all account details on their servers. I was saying that the hacker probably just used keyloggers that got account u/p and used those to buy items with. Similar to ebay / paypal account hijacks
@NHAnimator
Compared to who? Google?
Apple has topped every single consumer satisfaction rating, including consumer reports and JD Power. But that's just the isheep. Right?
@Sled
Well, your first comment was worded poorly, but I apologize. Thanks for clearing that up. I agree with you, if the iTunes credit card database was hacked, the guy wouldn't be using their credit cards just to buy his crappy books.
@greyseal
We believe iTunes to be the best internet media purchasing experience, which is why we were surprised when we heard some people suggest they were being defrauded. Any website is capable of being defrauded if you are not careful enough, including Google Android websites. We checked, and it turns out that there was an issue with how we inform you of financial transactions - we have now decided to use the industry standard policy of not informing you about these transactions, to be rolled out in a future iTunes software update.
@jaffreywali
"Apple has topped every single consumer satisfaction rating, including consumer reports and JD Power."
Perhaps they have in the past, however, note my use of the words "these days". It's little events like those that have occurred lately that build up and eventually tarnish a company's image. Just ask Dell, Gateway, HP...
Apple can either sit back and watch the events unfold, or take a proactive, consumer-friendly approach to issues - even if it costs them a few bucks here and there.
@NHAnimator Given the limited nature of this, I'd say we're probably looking at a trojan that steals iTunes logins/passwords.
Excuse me, but why is apple telling us to contact our bank to cancel the card and chargebacks for a hacked itunes? These are charges ultimately coming from apple. God knows they sit on checks to people for months so the hacker probably didn't actually get any money yet, can't apple just refund the money? OR maybe he did get money and the line of bs the apple is trying to feed us makes no sense.
@WKCptton
So you would like storekeepers to be able to cancel YOUR credit cards.
That would work out really well.
@tikigawd yes but the information wasn't stolen from Apple, it was stolen from the users due to their lax attention to security.
@tikigawd you're absolutely right.. this is why i hate apple's rude attitude.
@tikigawd That's foolish to say, if that was the case I don't think Apple would be named the most admired company in the country. Do some research before you start rambling nonsense.
@greyseal
How did 400 accounts push his books to the top 50? And not just one book, but 46? Either there were tons of purchases per account or the numbers just don't jive. With a billion apps being downloaded it's hard to picture how 400 accounts could push the needle in ranking.
@bjsguess Actually this is in the iBook store not app store. I've read that due to current volume, as little as 50 purchases can move the needle.
@Sled by purchasing his own apps, the profits still go to him, either actual money or the apps' ranking, still worth it... or he just wants to show off that he can compromise Apple's immunity. ;-))
@greyseal
Uncle Steve said:
I miss the old times, when all Apple's customers were still a bunch of sheep, misinformed idiots
@greyseal
as a Vietnamese user, knowing about 50 places in one city selling iTunes accounts, and knowing how popular they are, I know Apple lied about the number of hacked accounts...400, maybe they missed 2 or 3 more "0s"... they were selling like 10$ for a 200$ account...
@digitalgopher
But not multiple books at the same time.
@NHAnimator Thuat Nguyen also charged 4 invoices on my credit card on 7/3/10. Each invoice was for $44.91 and appeared to be in Vietnamese or Filipino. I waited 20 minutes for iTunes Customer Support on the phone to which they replied, we have no phone support. I asked to speak to their supervisor and they would not. They accept no responsibility for the fraudulent charges on my credit card, address and personal information being used. I called my bank (who also said to call iTunes) and ultimately had to cancel my credit card. Because iTunes has my credit card on file and I use Apple apps for my iPhone, iPad and PC/laptops, I am very concerned and upset about their lack of support and the security on their sites. It is almost impossible to find a phone number for Apple and get a Customer Service Rep on the line. How about providing some Customer Support for the millions of customers that are making you so darn profitable.
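A toy version of the kind of purchase-pattern checks Apple's statement alludes to ("fraudulent purchase patterns"), run over constructed records shaped like the reports in this thread: several identical same-day invoices from one account, and one seller's sales concentrated in a handful of accounts. This is an added example, not Apple's logic or anything from the article; the records, field names and thresholds are constructed for illustration.

```python
"""Flag two buyer/seller patterns in a constructed purchase log.

Nothing here is real iTunes data; the rows below are made up to
mirror the thread's reports (4 x $44.91 on one card on 7/3/10, one
seller lifted into the rankings by very few accounts)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed records: (account, seller, title, amount_usd, day)
PURCHASES = [
    ("acct-001", "seller-A", "Book 1", 44.91, date(2010, 7, 3)),
    ("acct-001", "seller-A", "Book 2", 44.91, date(2010, 7, 3)),
    ("acct-001", "seller-A", "Book 3", 44.91, date(2010, 7, 3)),
    ("acct-001", "seller-A", "Book 4", 44.91, date(2010, 7, 3)),
    ("acct-002", "seller-A", "Book 1", 44.91, date(2010, 7, 3)),
    ("acct-002", "seller-A", "Book 5", 44.91, date(2010, 7, 3)),
    ("acct-002", "seller-A", "Book 6", 44.91, date(2010, 7, 3)),
    ("acct-003", "seller-B", "Novel", 9.99, date(2010, 7, 1)),
    ("acct-004", "seller-B", "Novel", 9.99, date(2010, 7, 2)),
    ("acct-005", "seller-C", "Guide", 4.99, date(2010, 7, 2)),
    ("acct-006", "seller-B", "Novel 2", 9.99, date(2010, 7, 3)),
]


def same_day_bursts(purchases, min_count=3):
    """(account, seller, day) triples with >= min_count purchases.

    Catches the 'several invoices from one seller in one day' shape
    a cardholder would notice on a statement."""
    counts = Counter((acct, seller, day)
                     for acct, seller, _, _, day in purchases)
    return sorted(key for key, n in counts.items() if n >= min_count)


def concentrated_sellers(purchases, min_sales=5, max_buyer_share=0.5):
    """Sellers whose volume comes from very few distinct buyers.

    Returns {seller: (sales, distinct_buyers)} for sellers with at
    least min_sales where distinct_buyers / sales <= max_buyer_share.
    Legitimate titles spread across many accounts are left alone."""
    sales = Counter(seller for _, seller, *_ in purchases)
    buyers = defaultdict(set)
    for acct, seller, *_ in purchases:
        buyers[seller].add(acct)
    flagged = {}
    for seller, n in sales.items():
        if n >= min_sales and len(buyers[seller]) / n <= max_buyer_share:
            flagged[seller] = (n, len(buyers[seller]))
    return flagged


if __name__ == "__main__":
    for acct, seller, day in same_day_bursts(PURCHASES):
        print(f"burst: {acct} bought repeatedly from {seller} on {day}")
    for seller, (n, b) in concentrated_sellers(PURCHASES).items():
        print(f"concentrated: {seller} has {n} sales from {b} accounts")
```

Thresholds like these only surface candidates for review; on real data they would be tuned against normal per-account purchasing before any account or seller action is taken.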
Accounts were phished, we really can't point fingers here without more info seeing as how it isn't as widespread as it seemed
@MattsZ
+1 before this thread gets out of hand.
Anyway, like @N900 said, hopefully people can get back their money, if stolen, and their accounts can go back to normal.
AKBlade13
@MattsZ Sure, phishing was the root, but Apple's iTunes was the tool used to move money from the victims' accounts.
@MattsZ the fact that accounts got phished through the proprietary web-pages that are only supposed to work in the iTunes store is rather frightening (since you can't see the URLs for a phishing check) regardless of how large or small scale it was.
if it can be done once, it can be done again.
@MattsZ
+1
Of course that won't prevent the Apple Haters from making this a whole 200+ comment thread.
Hopefully Apple finds the one responsible, punishes them, and improves security for all of us iPhone/iTunes users.
@hvakrg An iTunes account is just like your email account or any other account protected by a username and password. No matter how good or bad the encryption is on the server-side, it's only protected by a password and you, the user. How safe you keep said password depends on you and your internet habits. *That is, when it comes to phishing attacks*
Getting users to enter their login credentials into spoofed/dummy websites has become a huge trend in how accounts get hijacked nowadays, especially in the gaming community (ie World of Warcraft). We may just be seeing the first big use of phishing in this case. Like so many other sites (ie. your bank website?), companies can only tell you to /not/ put your damn password in an untrusted site so many ways.
Be safer, people; and blame the responsible parties. In this situation, I believe the responsible parties are the end-users not being safer with their sensitive information.
In my 12-13 years online, I've used /and/ protected my logins for social networking sites, home banking, gaming, work and personal email, Paypal, eBay, website ownership and management and yes iTunes... Never once have I ever had a single account of mine hijacked.
Use an unbrute-forceable (for lack of better terms) password (use special characters like !@#$, numbers and non-English words) and only enter your login credentials on trusted sites (check the domain url!). I've gotten dozens of spoofed email phishing attempts from people trying to get eBay and Paypal logins, I just never fall for them.
I think most of the people here on this site can relate to my experiences, being internet security educated individuals I'm sure you all are. So who do you guys think is at fault in this situation?
@SirNoDroin
I'm not saying you're wrong, but where do you see that information -- that accounts were phished thru "the proprietary web-pages that are only supposed to work in the iTunes store" ?
I reckon it was more like some kinda email spam thing -- "Click here to claim your free 25$ iTunes store gift certificate" or something like that, with a fake redirect site designed to look authentic...but again, since Apple isn't saying the WHOLE story, we don't know for sure (unless there's a source I'm missing on this?)
@SirNoDroin
You don't seem to understand how "phishing" works. No one has to exploit Apple's web site. They could just set up a bogus web site promising free iPods and tell you to put in your iTunes account name and password and then use your iTunes account to buy anything they want.
That has nothing to do with Apple.
@MattsZ
The amount of purchases necessary to push all of those apps to the top of the list would not be an insignificant amount. Either they hacked the system, or they had thousands of phished accounts; both do not seem minor in any way.
Having hundreds of dollars charged to your credit card fraudulently is a lot more serious than a hacked World of Warcraft account, and yet Blizzard has implemented a secure key token system and Apple for iTunes and most of the financial industry has not for their online account access. I for one would welcome measures for increased security.
@gfxsmith
Yo numnuts. Stop defending Apple, and shut the hell up about Phishing scam!
There is Zero evidence of Phishing scam!
@MattsZ
Yet you point fingers at customers and phishing scammers??
Good job tool bag.
@KGB
Not defending Apple regardless of if it was a phishing scam or not.
Seriously, I wish Apple would do something about account security, not just vaguely mention it in a passing blog post.
@MattsZ
85% of itunes users use an English word with a number for a password
50% use their last name
the fact apple allows this is an issue.
@SirNoDroin My banking website goes one step worse, it doesn't allow you to use special characters in your password (%$%#, etc). My credit card company did the same thing. Using non-English words and a number is usually sufficient when special characters are not allowed.
I would argue that there are a vast number of websites out there much worse than Apple when it comes to password/account security. At least they allow the user to choose if they want a simple or complex password.