Accounts were phished; we really can't point fingers here without more info, seeing as how it isn't as widespread as it seemed.
@MattsZ
+1 before this thread gets out of hand.
Anyway, like @N900 said, hopefully people can get back their money, if stolen, and their accounts can go back to normal.
AKBlade13
@MattsZ Sure, phishing was the root, but Apple's iTunes was the tool used to move money from the victims' accounts.
@MattsZ The fact that accounts got phished through the proprietary web pages that are only supposed to work in the iTunes Store is rather frightening (since you can't see the URLs for a phishing check), regardless of how large or small scale it was.
If it can be done once, it can be done again.
@MattsZ
+1
Of course that won't prevent the Apple Haters from making this a whole 200+ comment thread.
Hopefully Apple finds the one responsible, punishes them, and improves security for all of us iPhone/iTunes users.
@hvakrg An iTunes account is just like your email account or any other account protected by a username and password. No matter how good or bad the encryption is on the server side, it's only protected by a password and you, the user. How safe you keep said password depends on you and your internet habits. *That is, when it comes to phishing attacks.*
Getting users to enter their login credentials into spoofed/dummy websites has become a huge trend in how accounts get hijacked nowadays, especially in the gaming community (i.e. World of Warcraft). We may just be seeing the first big use of phishing in this case. Like so many other sites (i.e. your bank website?), companies can only tell you to /not/ put your damn password in an untrusted site so many ways.
Be safer, people; and blame the responsible parties. In this situation, I believe the responsible parties are the end-users not being safer with their sensitive information.
In my 12-13 years online, I've used /and/ protected my logins for social networking sites, home banking, gaming, work and personal email, PayPal, eBay, website ownership and management and, yes, iTunes... Never once have I had a single account of mine hijacked.
Use an unbrute-forceable (for lack of a better term) password (use special characters like !@#$, numbers and non-English words) and only enter your login credentials on trusted sites (check the domain URL!). I've gotten dozens of spoofed phishing emails from people trying to get eBay and PayPal logins; I just never fall for them.
I think most of the people here on this site can relate to my experiences, being internet security educated individuals I'm sure you all are. So who do you guys think is at fault in this situation?
@SirNoDroin
I'm not saying you're wrong, but where do you see that information -- that accounts were phished through "the proprietary web-pages that are only supposed to work in the iTunes store"?
I reckon it was more like some kinda email spam thing -- "Click here to claim your free $25 iTunes Store gift certificate" or something like that, with a fake redirect site designed to look authentic... but again, since Apple isn't telling the WHOLE story, we don't know for sure (unless there's a source I'm missing on this?).
@SirNoDroin
You don't seem to understand how "phishing" works. No one has to exploit Apple's web site. They could just set up a bogus web site promising free iPods and tell you to put in your iTunes account name and password and then use your iTunes account to buy anything they want.
That has nothing to do with Apple.
@MattsZ
The amount of purchases necessary to push all of those apps to the top of the list would not be an insignificant amount. Either they hacked the system, or they had thousands of phished accounts; both do not seem minor in any way.
Having hundreds of dollars charged to your credit card fraudulently is a lot more serious than a hacked World of Warcraft account, and yet Blizzard has implemented a secure key token system while Apple (for iTunes) and most of the financial industry have not for their online account access. I for one would welcome measures for increased security.
@gfxsmith
Yo numnuts. Stop defending Apple, and shut the hell up about a phishing scam!
There is zero evidence of a phishing scam!
@MattsZ
Yet you point fingers at customers and phishing scammers??
Good job, tool bag.
@KGB
Not defending Apple regardless of if it was a phishing scam or not.
Seriously, I wish Apple would do something about account security, not just vaguely mention it in a passing blog post.
@MattsZ
85% of iTunes users use an English word with a number for a password.
50% use their last name.
The fact Apple allows this is an issue.
@SirNoDroin My banking website goes one step worse: it doesn't allow you to use special characters in your password (%$%#, etc.). My credit card company did the same thing. Using non-English words and a number is usually sufficient when special characters are not allowed.
I would argue that there are a vast number of websites out there much worse than Apple when it comes to password/account security. At least they allow the user to choose if they want a simple or complex password.
@hvakrg
Not sure why it's not being reported here (it's being reported on various other sites), but the developer whose "books" rose to occupy most of the top 50 spots has had a free app (World War) which was making, then purchasing, the developer's "books", unbeknownst to the owner.
All of that developer's apps have been pulled, not just their "books" (which, from what's been reported, were little more than illegal, copyrighted materials written in Korean).
Far easier to write an app to take advantage of iTunes and App Store loopholes and collect 70% from each sale than to go and use stolen credit cards. Wouldn't take much work for a dev to find out what the cutoff time is for purchased applications to make it onto a billing invoice. They would also know when they receive their payment for apps/books sold.
Write a script hidden in a free app to wait until X date and Y time. Then start purchasing your other cheap app(s)/book(s). By the time anyone notices what's going on, payment's already been sent and you've got more than enough time to move and/or withdraw the funds.
@gfxsmith My iTunes was hijacked recently, and I had a very strong password and am very safe online. This is not brute-force hacking; it is some other security breach that Apple has open and is refusing to fix for some reason. A quick Google search will show this has been a problem since 2007 and that it is a growing problem, especially in the last few months. Our accounts get sold on the Chinese version of eBay, thousands each day. Search Twitter for "itunes hacked" and see how many people have tweeted about it recently.
Apple needs to fix this security hole!
Thank You Engadget for calling attention to this!
@MattsZ
So the fact that others are doing something wrong (allowing easily hackable passwords) makes Apple less wrong for allowing it as well?
I have beef with all companies (including Apple) that do not force (or at the very least inform) people that they are using an easily hackable password, especially when it has a "verificationless" charging system.
@blampright Well I can safely say on the internet today, pretty much nothing is 'unhackable'. There's always a way, but I bet you that if we were able to see the ratio of phishing breaches vs ACTUAL hacking through some sort of security exploit... it would probably be 10 to 1, or somewhere in that ballpark.
I played WoW for years, and you'd hear and read about hundreds and thousands of people getting their accounts hacked and sold on eBay just as you describe. 9 times out of 10 it was through a phishing scam, a spoofed website made to look identical to the official sites. The other times, there actually WERE legitimate security exploits in many different parts of the game and the official sites. One was used against the Blizzard Authenticator, which was created as an extra level of protection on your account.
Point being, Blizzard is a multi-million dollar company just like Apple. There will always be security holes and exploits no matter how big the company is, that's just the age we live in now. Best thing we can do as the consumer is protect ourselves as best as possible.
@MattsZ
This is what's scaring me so much about social networks and their APIs. There are dozens upon dozens of Twitter clients out there and they all require you to enter your credentials, but is there any foolproof way to tell if the client belongs to phishers? Right.
@BrookLynnsFinest
yeah, well... you know, that's just, like... your opinion, man....
@blampright Just a general observation and not a direct comment on yours, but I like how the proverbial "they say" has been replaced with "a quick Google search will show". :-)
@gfxsmith Even non-English words are vulnerable to dictionary attacks, friend.
@blampright Are you using Windows or a Mac?
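The signup-time check that several commenters want (warn on "English word plus a number" or a last name, and, as the reply to @gfxsmith points out, on non-English words too, since cracking wordlists are multilingual), as an added example that is not code from Engadget or any commenter. The mini-dictionary, the assumed realistic dictionary size, the weakness threshold and the sample passwords are all constructed for illustration.

```python
"""Signup-time password check: flags dictionary words in any language
(with leet-speak and trailing digits undone, as a cracker's rules would),
surnames, and estimates attacker work. Constructed example."""
import re
import string

# Constructed mini-dictionary. Real cracking wordlists mix languages and
# surnames, so a non-English word is no safer than an English one.
WORDLIST = {
    "password", "apple", "summer", "monkey", "dragon",  # English
    "schatz", "amour", "sonne", "gato", "casa",         # German/French/Spanish
    "smith", "nguyen", "johnson", "lee", "garcia",      # common surnames
}
ASSUMED_DICTIONARY_SIZE = 500_000   # assumed size of a realistic wordlist
WEAK_THRESHOLD = 1e12               # assumed policy: fewer guesses = weak
# Substitutions a cracker's mangling rules undo (p@ssw0rd -> password).
LEET = str.maketrans("@4310!$57", "aaeioisst")
TRAILING = re.compile(r"[\d\W_]+$")  # digits/symbols tacked onto the end


def split_base(password):
    """Return (candidate dictionary word, appended tail): strip trailing
    digits/symbols, lowercase and undo leet-speak, as a cracker would."""
    m = TRAILING.search(password)
    tail = m.group(0) if m else ""
    core = password[: len(password) - len(tail)]
    return core.lower().translate(LEET), tail


def estimate_guesses(password):
    """Rough attacker work: for a known base word, dictionary x case
    variants x tail space; otherwise brute force over the classes used."""
    core, tail = split_base(password)
    if core in WORDLIST:
        tail_space = 1
        for ch in tail:
            tail_space *= 10 if ch.isdigit() else len(string.punctuation)
        return float(ASSUMED_DICTIONARY_SIZE * 4 * tail_space)
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    return float(charset ** len(password))


def assess(password, surname=""):
    """Verdict a signup form could show instead of silently accepting."""
    core, tail = split_base(password)
    reasons = []
    if core in WORDLIST:
        reasons.append("dictionary word (any language) plus '%s'" % tail)
    if surname and surname.lower() in core:
        reasons.append("contains account holder's surname")
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    guesses = estimate_guesses(password)
    return {"weak": guesses < WEAK_THRESHOLD or bool(reasons),
            "guesses": guesses, "reasons": reasons}
```

Note that a German word with two digits ("Schatz99") and an English one with four ("summer2010") both land orders of magnitude below a 12-character random mix; the language of the word buys nothing once it is in the attacker's list.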
Do you check your system for rootkits?
No matter how secure your passwords are they are no protection if a keylogger is reporting on your activities from your computer OR if you enter that information into a phishing site.
No hacks have occurred on my iTunes account; I get emails detailing my purchases. I use this site, https://www.grc.com/passwords.htm, to generate passwords, which I keep in an encrypted "safe"-type program.
I change my Internet banking password EVERY time I log on.
Security is 99% common sense.
@SirNoDroin Interesting stats. Proof of this?
@Velmeran Dude, with that explanation, I'm pretty sure your name is Thuat Nguyen...