Apple under fire as hacked iTunes complaints swell
By Stewart Mitchell
Posted on 7 Jun 2011 at 09:27
Apple is facing mounting criticism as a possible iTunes hack attack has seen customers' gift certificate accounts drained.
Several threads on Apple's forums document the problem, with dozens of users blaming a Sega app, Kingdom Conquest, for the charges – including users who have never downloaded the game. Various other apps have also been blamed for draining accounts in a similar way.
It is unclear at this stage whether the losses are the result of a widespread compromise of iTunes itself or of individual accounts being taken over, but more consumers appear to be falling victim.
In the reported cases the attacker changes the victim's billing address and then uses games and in-app purchases to siphon off the account's credit. Victims are being advised to de-authorise their computers and change their passwords – and one thread relating to the problem now runs to 24 pages on Apple's own site.
The problem appears to have been active since late last year, but the number of complaints has swelled dramatically since May, and some victims claim to have been attacked more than once.
"My wife and I had our iTunes gift card credits stolen this week by in-app purchases," posted Michael from Colorado. "Two purchases wiped out $22.98 in credit and the app had not been installed on any of our devices.
"From the number of postings here, obviously, Apple has a big problem with either account security, in-app purchase fraud, or both," he added.
What has really infuriated users, however, is that Apple appears to know about the problem, and has in many cases refunded money to victims, but has yet to address the underlying issue or explain how the attacks are taking place.
“The latest response after I filed my report? My account has been re-enabled, all computers are de-authorised, change your password/security question... again, re-authorise your current computer,” said MomawNadon78. "Nothing regarding the actual security issue. I won't be tying any cards to iTunes nor purchasing anything from iTunes if this kind of security loophole or breach is not fixed."
From customer feedback, Apple appears to be treating the problem as a series of isolated attacks on individual accounts – as it did with similar attacks last year – but posters have questioned whether so many accounts could have been compromised at the same time without a wider vulnerability.
“This is the first time I have had any of my accounts hacked after more than 15 years in IT,” read another forum post.
“It seems unlikely to me with the timing on these posts that brute-force hacks just so happened to nail large numbers of accounts simultaneously - especially with the many people stating they have complex passwords.”
Apple has yet to respond to requests for information on the case, leaving users to speculate on the scale and severity of the issue, but Sega has confirmed it is investigating the reports.
“It is very likely that your iTunes account has been stolen and is being used by someone else to purchase items in this game," the company said in its forum.
"We are currently investigating this claim as well as some others, but since we have no access to any customer's iTunes account information or transaction histories we highly recommend contacting Apple directly.
“Allow me to state very clearly that Sega and Kingdom Conquest are not acting maliciously in any way. It is in no way possible for this game to charge an iTunes account without someone installing the app, logging into that iTunes account with valid credentials and then choosing to make a purchase.”
I find it ironic that there's this issue going around just as Apple announced they plan to increase the use of DD and the cloud.
By tech3475 on 7 Jun 2011
So is this Microsoft's fault?
By everton2004 on 7 Jun 2011
Sony or Other?
Would be interesting to know how many of these are also customers of Sony, or other companies that have been hacked recently. With the list of emails and passwords, I'll bet there are plenty that overlap with iTunes accounts.
By MJ2010 on 7 Jun 2011
Wait till SwissMac wakes up ;>
By Josefov on 7 Jun 2011
What's the current status of this?
ApCon1: Apple deny there's a problem
ApCon2: Apple admit problem but blame users
ApCon3: Apple admit it's down to them but say it's a 'feature' and they won't be doing anything about it.
ApCon4: Apple climb down and fix the problem.
By qpw3141 on 7 Jun 2011
By sandman652001 on 7 Jun 2011
ya missed one...
ApCon5: Apple release plastic/rubbery protector that you need to put around your credit card to stop interference.....
By CraigieDD on 7 Jun 2011
Shall we lay bets as to what line SwissMac is going to take?
I reckon it's his usual "I think Microsoft are worse therefore Apple's actions are perfectly OK".
By Aspicus on 7 Jun 2011
@Josefov; @qpw3141; @CraigDD; @Aspicus
I think that you are all being very mean to poor old SwissMac. He really does believe that this is all a conspiracy by Microsoft. Shame on you for trying to disillusion him. /sarcasm off.
By jontym123 on 8 Jun 2011