Apple responds on iTunes fraud, vaguely confirms said fraud (update)
Over the weekend we saw reports of what appeared to be fraud occurring in the iTunes system -- namely, a rogue developer had somehow managed to snag 42 of the top 50 sales positions in the App Store's "book" category with seemingly bogus content. It looked as if there was some correlation between those suspicious sales and word of an increase in iTunes account fraud, but Apple had been mum on the subject over the holiday weekend. We've finally gotten a response from the company, and the folks in Cupertino say that the developer in question -- a gentleman named Thuat Nguyen -- has been chucked out of the Store altogether. Additionally, while they don't explicitly say fraud occurred, they suggest you check with your bank and kill your card if any of your info was stolen... which seems to suggest that something funky happened to some users. Here it is from the horse's mouth:
The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.
Developers do not receive any iTunes confidential customer data when an app is downloaded.
If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.
So it looks like even the walled garden isn't impervious to attacks -- here's hoping the problems were limited to a small group of people. Have any of you guys noticed strange charges on your account? Double check it right now!
Update: Apple pinged our old buddy Clayton Morris with the damage report and claims it's fairly low -- roughly 400 iTunes users were hit, all told. While that's a pretty small percentage of the reported 150 million Apple serves daily, the company said new security measures are in place anyhow: according to Morris, iTunes will ask for the verification code on the back of your credit card "a little more often" from now on.

Compare this to the way Monoprice handled their situation. Talk about polar opposites.
Apple doesn't give a shit about their customers. They never have.
@jawman
Yes, which is why they're so good about replacing defective products for free.
@Jack
Have fun with that refurb.
@Jack
And everyone replaces defective products for free if you're still under warranty. You get a *brand new* refurbished phone. Yay.
This has been going on for a long time now, but it's usually in small amounts. My account was charged for single items from last Sept. until March when a $40 charge was made. I hadn't noticed before because I have an 11 year old with an iPod touch and we both buy now and then.
When I Googled it, I found that this had been happening to THOUSANDS of people and Apple does NOTHING to help. They just tell you "no refunds"!
They said I had to get Visa to contact them, but Visa said they don't investigate with the company and that I have to get Apple to give me info or file a police report and the police can subpoena the records (which is NOT going to happen-they couldn't care less!).
Visa acted like I was lying and I had to keep on them until I got a refund.
Funny thing is my purchase history had also completely disappeared from my iTunes account and Apple had no explanation for it and I made a new account and didn't put a payment method on it but my Visa number showed up on my new account all by itself!
Apple or their employees are doing something to cause this because there's no way for anyone else to access this information!
I never got emails for the fraudulent charges on my Visa either. My entire purchase history also disappeared. So no, you don't have a way to find out until they hit you with a big noticeable charge!
I love apple! but in all this time apple only care about the money the never give the reason to customers apple is making money because they never care about customer for a sample you but an iphone 4 the signal don't work apple tell you hold it the right way so you see they don't care now the they being fraud now they care because is there money the taking but if they still are money they don't care if apple care about there customer need more then there i would be happier
@ZIXTO
period?
APPLE WAS STUNNED. Steve said it was just a problem with the formula for calculating profit. They said they will make the bars bigger and the fonts for displaying your debits smaller. It's all about the visual appeal after all.
So vague usually means the worst in cases like this. Would this be an accurate translation?
It wasn't just bad, the vulnerability that led to the exploit was abysmal so we'll just beat around the bush and see if it goes away. Then we don't have a PR nightmare on our hands in the news and the payment card industry won't force us and our QSA/ASV to pay the damages for all these compromised credit card accounts.
All I can say is THANK GOD no porn, cross-compiled Apps, or heaven forbid, some Flash enabler appeared in the app store. I can tolerate a couple hundred bucks in fraudulent charges and being duped into buying best selling Viet-Namese books. But just one slow-down in mobile Safari due to Flash Video and I'd chuck the whole Apple ecosystem right out of my household. Flash has had its day, porn - well if you had children you'd understand, but Fraud is the future - perhaps HTML5 will have hooks to enable Apple endorsed fraud without draining my battery and causing crashes!
I have been hit by the fraud and I have already called my bank and itunes and everything is up in the air right now
Apple's Summer of Lies sales event continues!
Apple is just so vague with these details. Why not tell users what happened so they can better protect themselves?
@livebriand Apple would tell you but if you didn't buy their Apple Care the call will only last for 3 minutes.
@livebriand
They won't, so I guess I will:
1) Apple was not hacked
2) The app developer put perfectly legit apps on the app store
3) The developer was able to obtain 400 accounts through various means (Phishing or keylogging), or possibly used a third party to buy them.
3.5) Phishing and keylogging for an account can happen on any platform, such as Ebay or Paypal, so it's a common problem, and will always happen. Ways to stop phishing or reduce the severity of it would be to use an updated browser, Safari, Chrome, and Firefox are good bets, as these have inbuilt detectors for them.
4) The developer used these accounts to buy the applications, projecting him up to the top of that category. It did not take many bought applications due to the relatively small size of the category.
5) He got banned.
What to take away from this? Phishing is a common problem and will occur no matter what. People will always want accounts with access to money for their own personal gain. Use a browser with inbuilt phishing detection.
I suspect you made a mistake in your article:
You wrote: "Additionally, while they don't explicitly say fraud occurred..."
Then quote their statement which says this:
"The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including FRAUDULENT PURCHASE PATTERNS." (caps on applicable section)
That to me seems an indication of fraud...
Best,
Robert
sounds like Apple needs Tripwire installed on their servers..
I am not sure I understand - Apple is saying that WE ARE NOT GOING TO DO ANYTHING TO HELP YOU TO RECLAIM THE STOLEN MONEY AND YOU ARE ON YOUR OWN ALTHOUGH YOU BOUGHT FROM US? I mean, the "fake goods" are on their shelf, even IF Apple has nothing to do with the passwords being stolen, they should still be partially responsible for the incident and they should stop charging and refund their clients for the bogus items. Did I get it wrong or something else?
@Geo you're absolutely right, but getting apple's refund is as difficult as pulling the meat out of the mouth of a crocodile.
@matthewchen umm.. you call your bank and reverse the charge. no apple refund. apple doesn't get money when the charge is reversed. i just experienced this same thing first hand recently with PayPal. had to do literally the exact same thing they are saying to do here.
Fall 2010 : Introducing the iFob 1.0 security device to secure your iTunes account. Buy now for 89.99 from the Apple store.
Dumb bastards.
@Amusednow
1 in 375,000 accounts hacked.... seems like an epidemic...
You'll know if you've had the fraud happen to you, as you won't be able to log in to itunes. This happened to me about a month ago. first it was a 99 cent charge, which I thought nothing of, figuring, okay, my husband purchased a song. Then there was a $41 charge. That's when I tried to see what was purchased, and couldn't log in. I cancelled the paypal authorization, contacted paypal, my bank, and apple. I had to give apple a bunch of information in order to get my account back, but I got it back (also getting to the point where I could email them was ridiculously difficult). Paypal refunded the difference, and all was good. Apple removed the charge for the items that were fraudulently purchased after I had removed the paypal authorization.
The interesting thing is, the Apple ID and password combo I had, I've never, ever entered into anything but itunes, or on my ipod, in itunes. So it must have been farmed using a keylogger of some form, or something. My husband doesn't even know the information (it's saved on his computer) so I know it wasn't him, either.
It's easier if you use paypal with itunes, all you have to do is remove the authorization. Really if you don't purchase things frequently, after you make a purchase, and it successfully hits paypal, remove the authorization. This will prevent anyone from buying anything from your account.
So, how long would it have taken Apple to find the hack, if the books hadn't been bumped onto the top 50?
For folks using itunes and are not in China, search in the Chinese auction site "taobao", you will find thousands of itunes accounts for sale at approx US$2 a pop and they guarantee you for a 12 hr free download ( I guess at your expenses), so please beware as itunes account seems easy to hack into.
search for this "itunes 账号", which means itunes account in English..
hope it helps win your case.:)
Well folks, I woke up this morning to alerts from my banking company and a ton of itunes transactions for what appears to be phone cards!! Why did I have to be one of the 400, (out of 150 million)?? :-( I wish I had luck like this in lotteries. What really troubles me is that it's been over a year since I downloaded a comic book reader app from itunes....but over the last few days I DID try a couple of readers from online sources...and then threw a handful of CBZ files on top of it...I wonder where I picked up the hack??
Here's the deal:
1. 400 of the 150 million iTunes users were affected.
2. That is less than 0.0003% of iTunes users.
3. The iTunes servers were not compromised in any way.
Mountains out of molehills, people.
you know - apple bashing is getting old. here's some facts. any credit card company, credit reporting bureau, e-commerce site, so on and so forth can and have been hacked. the fact that this was 400 out of millions is not really that bad. every major company out there is after your dollars. every major company out there is not interested in being BFFs or hanging out after work. google isn't going to go buy you a puppy if you broke your arm at summer camp. has apple done some stupid shit lately? sure. do they need to step up their game? absolutely. have they handled things the best ways they could have? nope. but.. they are hardly the first and wont be the last. it has and will happen to every single major tech company. it happened with microsoft, its happening to apple and it will happen with google when they gain more market share.
@system22
lolz sure.
Denial, it isn't just a river in Egypt.
@A25i ummm...
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1079408743242_24/?hub=TopStories
http://www.governmentsecurity.org/latest-security-news/news-nearly-2500-companies-hacked.html
i guess whatever bubble you live in doesn't allow much information to get thru.. further evidenced by using the tired old spell shit with a "z" thing. yeah, man - you're early 2000's l33t. fyi - if you buy ANYTHING online youre at risk. im sure somehow thats apples fault though. fuck - 9/11 was prly apples fault too.
@system22
ur momz f@gboi. go suck jobs' dick. cuz fyo my bbf is deepdickin ur sister
There goes the last leg you fanbois had to stand on.
Fraud in jobs world = HAX in real life.
lololzolzozlzolzllol
Fart app - $.99
Having your credit card info stolen on whats supposed to be as secure as a cats ass on a cold day - Fucking priceless for everyone with sense.
@A25i oh yeah... one more. forgot this one.
http://www.wired.com/threatlevel/2010/01/operation-aurora/
jobs must have been working at google and microsoft when this happened a few months ago.
@system22
they dont claim to be magically unhackable noobzor
Thuat Nguyen also charged 4 invoices on my credit card on 7/3/10. Each invoice was for $44.91 and appeared to be in Vietnamese or Filipino. I waited 20 minutes for iTunes Customer Support on the phone to which they replied, we have no phone support. I asked to speak to their supervisor and they would not. They accept no responsibility for the fraudulent charges on my credit card, address and personal information being used. I called my bank (who also said to call iTunes) and ultimately had to cancel my credit card. Because iTunes has my credit card on file and I use Apple apps for my iPhone, iPad and PC/laptops, I am very concerned and upset about their lack of support and the security on their sites. It is almost impossible to find a phone number for Apple and get a Customer Service Rep on the line. How about providing some Customer Support for the millions of customers that are making you so darn profitable
@Disgruntled I had the EXACT same experience as you. My Bank of America account is now overdrawn to the tune of $160. I checked my email this afternoon and had four invoices, all totaling between $42 and $48. A fifth invoice came in later for $6.96. I think the only reason the last one was so low is because after the first four invoices, I removed my payment information from my iTunes account and changed my password.
I called Bank of America, who told me to call iTunes. I finally found what seemed like a good number on the iTunes support site, and the lady on the phone told me to send an email. So I did. I submitted the form and got a response saying I'd receive an email response confirming that they received my email. I got no such thing. So I called Bank of America back. They cancelled my debit card and told me to watch to see when the charges actually clear (they are still pending now) and to call them back so that they can file a claim and reverse the charges.
I'd always heard that Apple had awesome customer support. I suppose that only applies if you've purchased one of their overpriced computers. It definitely does NOT apply to iTunes.
Glad to see I wasn't the only one. I just hope I get my $168 back. Still waiting, and the charges occurred 6/29.
I've been hit with $2500 in fraudulent charges for in-app purchases of "street cred" in "Original Gangstaz." I'm disputing the charges with my bank, credit card, and paypal now. Apple needs to announce that accounts have been breached and that people should disassociate their payment information.