
Hackers Invade iTunes Store for Nearly a Year -- Apple Still Unresponsive



With millions of users, iTunes has become a target for hackers trying to steal money. The first reports came last June from a Vietnamese hacker that hacked user accounts to purchase his own apps. The practice spread quickly so that the App Store was filled with rogue apps. Some of these apps do more than drain your iTunes Store account -- they can steal your credit card information to make other purchases.

 

The problem has been reported widely, yet most computer users remain unaware. You can read about the problems at multiple places:

 

PC World

MS-NBC

USA Today

Kaspersky Security Newsletter

 

In fact, if you type "itunes account hacked" into an internet search engine, you will get over 3 million hits to choose from!

 

Apple remains completely unresponsive. They will make one refund, and after that you are on your own. They are apparently taking no steps to correct the problem. The bottom line -- use the Apple iTunes Store at your own risk.

 

 

 

 

 

 

 

 

 

Charles Hansen

Dumb Analog Hardware Engineer
Former Transducer Designer

Link to comment

Is this in reaction to the Texas Hold'em gift card scam going on? It's pretty despicable of course, but... I am not sure you can really blame Apple, any more than it turned out Apple was to blame for the PayPal mess last year.

 

People who buy gift cards from eBay, which is where these compromised buggers seem to be coming from (the gift card codes were pre-scanned before they were sold) are not exactly the sharpest tools in the shed.

 

Last year folks left iTunes accounts linked to PayPal, which isn't all that smart a thing to do anyway. Link iTunes accounts to a credit card. A real credit card, not a Visa or Mastercard branded debit card. That way you at least get some protection.

 

-Paul

 

P.S. - I would not take that 3 million hits all that seriously, the vast majority of them are bound to be only loosely related at best. Googling "Ayre Acoustics account hacked" gets 2,500 results, none of which are probably even relevant.

 

-Paul

 

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment

I followed up on the links you posted because your post concerned me. However, the very links you provided seem to indicate that Apple has in fact responded, and that the prevailing theory is that the folks who have had their accounts "hacked" probably used weak passwords.

 

I have always had nothing but the best customer service from Apple, almost no questions asked, with their hardware, software, and yes, iTunes. Any problems I have ever experienced with iTunes have been appropriately responded to and/or resolved within 24 hours.

 

Is there any absolutely safe place to make online transactions? Probably not. But if you take simple precautions like using strong passwords, checking your statements, and following up, you should be OK.

 

PS: Google "computer audiophile" and "hacked" and you get 8,670 hits...

 

Office desktop: iMac ((Retina 5K, 27-inch, Late 2015) (4 GHz Intel Core i7) (512GB SSD) (32GB Ram)) => USB (Kimber Kable USB Silver) => V-Link 192 USB Input => V-Link Coax Output (AQ Sidewinder) => Schiit Bifrost Multibit Coax Input => Schiit Bifrost Multibit RCA Output => Schiit Pyst => Schiit Asgard 2 => (Audioquest - Mini-3) => Audioengine HD6 (slave connected with Audioquest Type 4 cable) (Pangea AC-14 Power Cord) (IsoAcoustic L8R155 stands) => Audioquest Sidewinders => Audioengine S8 Subwoofer

Link to comment

If you google 'google' you get 6,420,000,000 results. Not including the population of the United States of America, (oh, sweet irony!), that's one google for every man, woman and child on the planet!

 

Based on the fact that there is only one google each, can I suggest that we try and use each one as wisely as possible? Internet fraud is well known, well documented and well annoyin', innit.

 

But not really worth wasting your precious google on, imho.

 

Ps - No googles were wasted in the creation of this public information message.

 

Link to comment

I received an e-mail receipt from Apple for an app I did not purchase. I sent an e-mail expecting a prompt refund. They said, "Sorry, no refunds. We make one exception and you used yours up a year ago." (A similar thing had happened, but they refunded my money and didn't think much of it. I did change my password as they had recommended.)

 

My password was not particularly strong. Was that it? I don't know. I have lots of accounts at lots of places without super-strong passwords and have never been hacked. It might help if Apple would say what was going on, but they are stonewalling it.

 

Some people say to use only credit cards so that you can dispute the charges. Other people say only to use gift cards purchased at local retail locations so as to limit your possible loss. Apple isn't talking.

 

Kaspersky's article on security was the best one. They analyzed it the most thoroughly. The latest wave seems to be targeted on people with gift cards. Apple does not treat you like a credit card company does. Despite the fact that they make 10x as much (30% versus 3%), they won't cover losses after the first "incident".

 

It was extremely frustrating because I provided them with enough information that they removed the app from the App Store. But they didn't refund my money. I told them to just look up my IP address, the IP address of the guy who published the app, and the IP address from where the purchase was made. Pretty simple stuff, really. I'm just a dumb analog hardware designer. They are a computer company. They could figure it out if they wanted to. But apparently they don't want to.

 

That's when I decided to see if anybody else was having a similar problem. It turns out that there is probably something in either the tens of thousands or possibly the hundreds of thousands who have been scammed. My loss was only a few dollars, but it seemed like the average loss was more like a hundred dollars. We are potentially talking about tens of millions of dollars.

 

But apparently Apple doesn't care -- they get 30% whether the transaction is legitimate or not. And when I read the stories and the way Apple has been treating people, it did not make me feel good about using it or recommending it.

 

Nothing is risk-free, that's for sure. But if there are scammers out there hacking iTunes accounts, Apple should be proactive. They should be alerting their customers to change and/or strengthen their passwords. They should screen the apps before they are posted to make sure that they are not trojans that "harvest" passwords. (Apparently that is another way that accounts are being hacked.)

 

Apple is acting like they don't know anything about computers and have no idea how to deal with the problem. Instead, they are only interested in quarterly profits and keeping the stock price up. When it happens to you, you'll get a good taste of how callous their customer service really is.

 

Charles Hansen

Dumb Analog Hardware Engineer
Former Transducer Designer

Link to comment

That PS3 network my son is (was) on all day long is now down for like two weeks after hackers stole millions of users' data... What a disaster!

 

Makes you think twice before uploading all your music to the "cloud" huh? I will continue to grasp & rip all the CDs containing good music now they are cheaper than ever. I just don't trust those networks.

 

Fully Balanced Differential Stereo: Jamo R909 < Emotiva XPA-1 < XLR < Emotiva XSP-1 < Weiss DAC2 < Oyaide d+ FW400/800 < iMac < Synology DS1815+ NAS

Software: Amarra Symphony iRC, XLD, iTunes.

Link to comment

You can escalate that you know, since you probably got a stock reply. Once you get through to someone more than four genes removed from a trained monkey, you won't have any trouble. Be sure to use the words "fraud" and "interstate commerce" in the same sentence.

 

As for Apple making 30% - well, that is gross of course. After you take out the cut for the CC companies (2.5-3% + transaction fees), the cost of maintaining all the servers and networking, and all the salaries, I would be surprised if Apple makes more than one or two percent net from sales on the App Store. That's even using little hacks like grouping CC transactions together to save transaction costs.

 

But seriously, aggravating as it is to deal with, keep going back at them and demand they take care of this issue. Every time someone says no, tell them you need to talk to their superior.

 

-Paul

 

 

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment

Wow, Paul! I took your advice and it worked. I don't know if it was the phrase "interstate commerce fraud" or the request that my case be transferred to a supervisor, but BOOM! I got an e-mail with a refund.

 

Thank you so much for your advice. Extremely helpful and right on the mark. I went from three or four e-mails with zero substantive replies to a full refund in one e-mail. I'll try to pass the word on to other victims. Thanks again.

 

Just out of curiosity, how did you figure out the key to success???

 

Charles Hansen

Dumb Analog Hardware Engineer
Former Transducer Designer

Link to comment

As it appears Charles' password may have been hacked, I strongly recommend 1Password for creating and managing very strong, randomly generated passwords. The programs run on Windows, Mac, iOS and Android.

 

No affiliation -- just a happy customer with a slew of really long and complicated passwords.

 

Link to comment

I'm noting Paul's method for future use. Thanks!

 

Akapod's suggestion is also very good. I use 1Password and now all of my accounts have hard-to-crack passwords. It's not a complete solution but is a protective step. There are other applications that do this as well.

 

2013 MacBook Pro Retina -> {Pure Music | Audirvana} -> {Dragonfly Red v.1} -> AKG K-702 or Sennheiser HD650 headphones.

Link to comment
