More Trouble In Apple's App Store

kdawson posted more than 4 years ago | from the phish-travel-in-squools dept.

Crime 186

quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.

I read it too quickly (-1, Offtopic)

bugs2squash (1132591) | more than 4 years ago | (#32816026)

and thought of uncle milton

You're holding it wrong (0)

Anonymous Coward | more than 4 years ago | (#32816264)

Maybe if people would just hold their phones the right way this wouldn't have happened.

It must be important (0)

Anonymous Coward | more than 4 years ago | (#32816034)

The title bar was red!

"problems go far deeper than Apple is admitting" (3, Insightful)

bradgoodman (964302) | more than 4 years ago | (#32816040)

...oh, like the antenna issue?!

Re:"problems go far deeper than Apple is admitting (5, Funny)

phonewebcam (446772) | more than 4 years ago | (#32816446)

Speaking of which, there's a demotivational poster [motivatedphotos.com] for that.

arrogant apple (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32816048)

Serves that arrogant company right.

Next thing you know a plague of viruses will affect their silly phones.

Incoming incessant soppsa trolling. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32816060)

Sopssa is a fucking worthless troll. Remember it moderators.

Peace out!

But they were approved! (5, Insightful)

Kohenkatz (1166461) | more than 4 years ago | (#32816072)

Wait, wasn't this the whole reason Apple wanted to approve apps - so they could keep the garbage out?!

Re:But they were approved! (4, Insightful)

emag (4640) | more than 4 years ago | (#32816302)

No, the apps that compete with theirs. Otherwise, there'd never be all the fart apps and such...

Re:But they were approved! (1, Interesting)

natehoy (1608657) | more than 4 years ago | (#32816430)

Yeah, reality's a bitch, ain't it?

Seriously, though, this should not come as a surprise. The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly. And, just as importantly, it's unlikely this particular miscreant will be able to exploit the app store again. The "walled garden" approach doesn't mean you won't have problems, and when you have so many developers signing up for accounts it's basically impossible to ensure that none of them will ever misbehave. The problems that do occur stand a good chance of being contained and eliminated quickly, however.

I don't think anyone in their right mind with any concept of security would expect Apple to keep each and every rogue developer out 100% of the time. Maybe that's what Apple's marketing division wants you to think, but Apple's security division knows better. Make the security as good as you can make it, then set up a system to catch those who manage to circumvent it, because there will always be people who can manage to circumvent it.

The walls aren't enough. You also need gardeners. Apple just proved they have gardeners on the job for when the walls get breached.

It appears that the system worked about as well as could be realistically expected.

I'm still not a proponent of the walled garden - I don't like giving up control. The only Apple device I own is an iPod I won in a contest and it doesn't see a lot of use. But for those who prefer it for their protection this should be good news.

The second layer of defense kicked in, precisely as it should, the crack in the wall was patched, and life in the walled garden moves on.

Re:But they were approved! (4, Insightful)

Mark19960 (539856) | more than 4 years ago | (#32816502)

Apple did not catch him, the users did... when they lost their money and had no choice but to go to their banks to get it back.
Perhaps they should not approve apps that have no purpose?
Can a developer REALLY put together almost 5,000 apps?
That is to the point of being obvious as hell that you're gaming the system, yet was allowed to.

All Apple proved here was the gardeners were inept.

Re:But they were approved! (1)

Kitkoan (1719118) | more than 4 years ago | (#32816808)

> Can a developer REALLY put together almost 5,000 apps?

Sure they can, make them mini-apps for things like money, exp, items, etc. for an online game like FarmVille and whatnot. Like buying gift cards through the AppStore

Re:But they were approved! (5, Informative)

ergo98 (9391) | more than 4 years ago | (#32816706)

> The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly.

Apple didn't catch him. The "apps" in question were absolute trash (along with the 300+ iFart apps), making a mockery of any illusions that it's a curated garden.

However just to be clear, we already know that the Android market can do precisely the same thing, forcefully reaching out and removing rogue content. Instead of any ridiculous notions of curation, however, Android relies upon a permissions system that makes a user aware of the potential reach of any given application. It is far from perfect, yet despite some ignorant criticism directed at it recently it beats the hell out of anything on the iPhone.

Not really sure why we're talking about the phones though. The exploit in this case didn't necessarily have much to do with the actual handsets themselves.

Re:But they were approved! (3, Insightful)

socz (1057222) | more than 4 years ago | (#32816838)

Eh, the system didn't work. Last night on TV, some dude on the "tech spot" for the local news said that up to $10,000 were spent from a single account!

The whole bit was REALLY lame. They explained it like this:

There's a warehouse, and 1 dude in there shouting "books, books" with no one buying because they can't hear his voice from the many others. So then, somehow he rigs it (hacks) so that he goes into people's accounts and buys his own book. Then apple is like, o`rly? Why is this lowly book #1 beating out ze twinkle series? And so they noticed and are like arrrrg! We've been piz0wn0red, right? And they recall the app and remove it from the store.

I think that, regardless of how bad they portrayed what happened, the damage is done. All the arguments the smug iPhonies have made of "well macs don't get viruses...(implying security)" "it's good that there is so much control because it makes it safer..." are now??? But, thankfully for apple, many of their fans will just turn their heads and look the other way.

So I guess only time will tell but I'm guessing those with that white veil over their eyes won't let this problem affect them. As one windows to mac user said "I just got tired of windows... and macs just work!"

Re:But they were approved! (1)

erroneus (253617) | more than 4 years ago | (#32816930)

Nice attempt at spin, but that's not how it went down.

Apple was able to respond to the situation, TRUE. Apple did not discover the situation, but they did CREATE it and ENABLE it. How this might be different from other internet based purchasing methods is a bit technical, but it comes down to most web based e-commerce enables the user to protect transactions with other forms of identity confirmation and gives the user the opportunity to not store this critical information.

To Apple's credit, they maintain the ability to erase apps from people's devices... most people actually don't like that. But in the event that another genie gets out of the bottle [they created] they can shut things down again.

Overall, the concept of an app store is nice but look at the way people have managed to turn it against the users?

Re:But they were approved! (2, Informative)

tibit (1762298) | more than 4 years ago | (#32817494)

Methinks that stupid/useless apps are not an issue. There's a lot of crappy books in every bookstore, and I have no problem with that. But the issue is that people's iTunes credentials got stolen, and I don't think it was Apple's fault unless the exploits were running on OS X...

Where is Apple's due diligence? (2, Interesting)

dammy (131759) | more than 4 years ago | (#32817658)

One has to wonder why Apple's policies allowed the situation to get to this point. Why are any apps being approved before Apple has performed due diligence on them? No background checks on the coders? Apple is making more than enough money to make things right and come out looking to be the champion for iTunes users but it doesn't look like it will be so.

Re:But they were approved! (-1, Flamebait)

DJRumpy (1345787) | more than 4 years ago | (#32817878)

So a total of 48 apps out of 200,000+ [slashdot.org] were bad 'Apples', and suddenly the entire App store is a 'dismal failure' I think someone above put it. Unlike the 'banking app' in the droid market that just took bank account usernames and passwords? Does that make the entire Android Market a failure? Not at all. I think the claim here is that Apple failed in its drive to protect users where I see at least an effort to protect, rather than a free for all that you get with the Android Market. These weren't bad Apps in the same sense as the banking fraud app in the Android Market. They were just crap apps that the designer purchased (which he also happened to write), as part of his scam. They were for crap anime books of questionable content and copyright.

It doesn't matter if these apps 'DO' anything as far as this scam goes. They were book apps. This person or persons would hack into someone's iTunes account, and then he would turn around and purchase his own app. This had the net effect of moving it up in the rankings, and netted him some cash as well via the purchase. Apparently this is a common practice in China where you go into a certain channel, purchase someone's account, and you typically have 24 hours give or take before either Apple, or your credit card company cuts the person off (Yes, Apple will flag your account for suspicious activity as well).

http://support.apple.com/kb/TS2446 [apple.com]

This is no different than someone stealing someone's credit card number, or hacking ANY online account where you store card information.

I saw someone yesterday complaining that they had to call their credit card company to get the charges reversed, discounting the fact that your credit card company is the proper place to stop credit card fraud. The App store is a vendor, and they will be more than happy to sell you whatever you want to buy, just as it happens in the Droid Market, Amazon, etc.

My bank, however, will stop charges before they get out of control, flag the account, and call me for suspicious activity. I would imagine most banks have similar fraud departments. In addition, identity theft typically limits your responsibility and getting a charge reversed is as simple as calling your bank.

Lastly, preventing this is as simple as setting the Payment Option in iTunes to 'None', and/or using a proper password rather than '12345' or some other easily guess-able password. It always amuses me that people are so quick to store credit card information online and then feign surprise when someone hacks their account with a common dictionary password.

Re:But they were approved! (1)

DJRumpy (1345787) | more than 4 years ago | (#32817984)

One additional note. You can also just use a PayPal account, and fund it with whatever amount you need, as needed.

Re:But they were approved! (2, Informative)

Missing.Matter (1845576) | more than 4 years ago | (#32816594)

I'd say over 75% of the apps on the app store are either cookie cutter, functionally useless, don't work as advertised or completely ignore Apple's HIG. Apple doesn't mind this, however, because they enjoy putting out press releases touting they now have however many hundreds of thousands of apps in the App Store.

Re:But they were approved! (1)

TheKidWho (705796) | more than 4 years ago | (#32816692)

Can you point to some of them? I'd like to recreate them as innovative, functionally useful, applications that work as advertised while following Apple's HIG.

Re:But they were approved! (4, Funny)

Dragoniz3r (992309) | more than 4 years ago | (#32817340)

They'd never make it through the approval process.

Re:But they were approved! (1)

KarmaKhameleon (1843244) | more than 4 years ago | (#32817570)

I Agree - I woke up this morning and Lady GaGa was downloaded to my iPhone - and I sure as hell never did such a thing.

Wait, hang on - oh right, I was drunk.

Never mind.

Re:But they were approved! (1)

speculatrix (678524) | more than 4 years ago | (#32818132)

I wonder if you graphed app store purchases against localtime + local bar/pub closing times you'd see a big correlation

Steve Jobs = Emmanuel Goldstein? (4, Insightful)

WankersRevenge (452399) | more than 4 years ago | (#32816128)

Problems or not, these apple stories are starting to feel like the slashdot version of Orwell's two minutes of hate [wikipedia.org] .

Re:Steve Jobs = Emmanuel Goldstein? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32816378)

Apple gets tons of coverage when they do something good, so they will likewise get tons of coverage when they do something bad.

You can't have your cake (pervasive marketing and mindshare) and eat it too (bad stories swept under the rug).

Re:Steve Jobs = Emmanuel Goldstein? (2, Insightful)

h4rr4r (612664) | more than 4 years ago | (#32816590)

So slashdot should stop reporting on them?

I think slashdot has done a good job avoiding that on the main page, or else they would have more stories about the antenna issues and supposed fix.

Re:Steve Jobs = Emmanuel Goldstein? (5, Insightful)

WankersRevenge (452399) | more than 4 years ago | (#32816766)

I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

My point: Fuck apple ... I don't care about their rep ... it's this blind parroting that makes for a shitty discussion. If I wanted that ... I'd head over to Digg.

Re:Steve Jobs = Emmanuel Goldstein? (1)

shutdown -p now (807394) | more than 4 years ago | (#32817466)

> I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

When you get your moment of fame, be prepared for a pie in the face - these things always go hand in hand.

Similarly, I think that the sheer scale of those attacks is good news for Apple in a sense that it is a great testament to their success in the market. This kind of fraud primarily targets platforms with large overall user count, most of whom don't have a clue as to how the tech actually works - like, you know, Windows. Looks like iOS has joined that club.

Re:Steve Jobs = Emmanuel Goldstein? (0)

Anonymous Coward | more than 4 years ago | (#32817982)

I completely agree with you, how could this possibly be not viewed as positive, other than by perhaps a brainwashed minion

Re:Steve Jobs = Emmanuel Goldstein? (0)

Anonymous Coward | more than 4 years ago | (#32817668)

That is the discussion, the anger comes from the 'fanatical' loyal following of apple users despite reason or logic.
This brainwashing doesn't happen with most companies, and it's frankly a little scary. To many it is a company that can do no wrong, and that in itself is wrong.
Apple customers act as spokespeople and defense attorneys for apple and it's freaky.

Re:Steve Jobs = Emmanuel Goldstein? (4, Insightful)

Elbereth (58257) | more than 4 years ago | (#32817692)

I think you're actually on to something here, and you've hit the nail on the head as to why I can't stand reading slashdot for an extended period of time.

If I ever needed to raise up an army of brainwashed minions who think they're impervious to brainwashing, I'd use slashdot.

Re:Steve Jobs = Emmanuel Goldstein? (1)

mean pun (717227) | more than 4 years ago | (#32817920)

> I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

And that's not even the worst:

The painful torture of logic reasoning: Apple are evil because they are arrogant because they don't admit there is a serious problem which is serious because at least ten bloggers have said there is a problem. Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications. Oh, and curating doesn't work because it doesn't block each and every app that Joe Blogger thinks shouldn't be in the store.

The armchair expertise: Gigahertz antenna design is a black art, but obviously Apple designers are far less competent than Joe Blogger. Apple could easily have foreseen each and every abuse of the store because, ehm, well, they just could. (Because Steve Jobs is god, perhaps?). Oh, and if they sell millions a week of something, and there is a shortage, that shortage is obviously artificial, because they should have known that they would sell millions. It is obviously only part of the hype they are creating.

The demand for a fix NOW, NOW, NOW: If Apple doesn't respond for a week, they obviously don't want to admit there is a problem, and they don't care, and they are incompetent, and they have really gone downhill and they only sell to sheeple in the first place. Oh and have I said already that I want a fix for this problem NOW, NOW, NOW?

Re:Steve Jobs = Emmanuel Goldstein? (1)

phonewebcam (446772) | more than 4 years ago | (#32818026)

You're right, especially as it's really easy now to make the iPhone's most popular app [stashbox.org]

Re:Steve Jobs = Emmanuel Goldstein? (4, Insightful)

something_wicked_thi (918168) | more than 4 years ago | (#32816770)

Yep, Apple is a regular Jesus Christ, martyred all over Slashdot's front page.

Let's count the ways that Apple is just like Emmanuel Goldstein.

Emmanuel Goldstein was a fictional creation of the oligarchy to direct the hatred of the masses away from them.

Actually, hmm, that doesn't sound the slightest bit like Apple. Let's try again.

Goldstein was the purported author of a book that explains the way the oligarchy controlled the masses. Hmm, that could be analogous to DRM and closed platforms, but I'm still not really seeing it, since that makes Apple Big Brother and not Goldstein, although admittedly in the book, Goldstein is a fabrication of Big Brother, so maybe in a twisted way it works.

Finally, Goldstein supposedly had a network of people undermining the ruling party. The party spread this information to create fear in the populace. I haven't seen Apple saying Microsoft or Google is infiltrating their customers and undermining them from within.

Nope. All I can figure is that Apple is doing a bad job with the app store and you suck at analogies. But better luck next time.

Re:Steve Jobs = Emmanuel Goldstein? (2, Insightful)

yuriyg (926419) | more than 4 years ago | (#32816900)

More like O'Brien [wikipedia.org] . At first glance, he's an anti-establishment agent, determined to break down the oppressive system. But once he lures you in, you'll experience psychological pressure like never before and you will be assimilated!

So much for app review (5, Insightful)

Mark19960 (539856) | more than 4 years ago | (#32816134)

What happened there?
They won't allow flash or 'widgety' apps yet allow apps that do nothing but get the developer points.
A developer with almost 5,000 apps?
So much for that 200,000 apps in the apple store.... perhaps half are fake?

Re:So much for app review (0)

Anonymous Coward | more than 4 years ago | (#32816178)

The screening process seems to be: does it use private APIs? Does it have naughty bits? Does it do one of the things that Apple/AT&T doesn't like? No? Approved!

They've never had a problem approving piles of worthless crap. That's why any claims of "curation", except in the Featured section, are laughable.

Re:So much for app review (3, Informative)

Mark19960 (539856) | more than 4 years ago | (#32816452)

I have seen 'fake' apps in the Android store so this is not isolated to just Apple.
If you see an app in the market with virtually no rating then you know to pass it by.
The one thing that the Android market lacks is filters.

Re:So much for app review (1)

socz (1057222) | more than 4 years ago | (#32816878)

I've seen those too! They can be found in the "test section" with author comments of "This is a test app"

Re:So much for app review (1)

cgenman (325138) | more than 4 years ago | (#32817150)

But the Android market is known to lack filters. You go to the android market because it lacks filters.

Apple claims that all of the ridiculous app store shenanigans over the past few years have been in order to create a family-friendly, safe Disneyland. And hopefully they will deliver on that promise. But in the meantime, buyer beware. Using iTunes to turn hijacked computers into dollars is actually kind of brilliant. Hopefully we won't see that proliferate.

Re:So much for app review (1)

shutdown -p now (807394) | more than 4 years ago | (#32817488)

> If you see an app in the market with virtually no rating then you know to pass it by.

Well, the problem seems to be that now you can see an app in the market with a 5-star rating, and you have no way of knowing that the rating was done via hacked user accounts...

Re:So much for app review (0)

Anonymous Coward | more than 4 years ago | (#32817774)

The Android market has no moderation...that is true.
I think the thing people take issue with Apple over is that they insist on the ability to approve or reject every App that is submitted to the App store, under the auspices of protecting the consumer, only to allow rogue developers with do-nothing or duplicate, overpriced apps that are being used to rip off their customers. They're selling a "walled garden" but the gates are manned by these guys [youtube.com] .

Re:So much for app review (0)

Anonymous Coward | more than 4 years ago | (#32817946)

> The one thing that the Android market lacks is filters.

You mean reviewed by people manually, who, depending on their mood may reject something for no particular reason?

Re:So much for app review (1)

Dishevel (1105119) | more than 4 years ago | (#32816844)

I would like Apple to tell us how many developers have over 500 apps.

Quick anecdote (5, Interesting)

Anonymous Coward | more than 4 years ago | (#32816176)

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

Re:Quick anecdote (4, Informative)

mlts (1038732) | more than 4 years ago | (#32816508)

This is probably another quick and anonymous method of checking the validity of a stolen card. Before, credit card thieves would run cards through gas station card readers. This worked until the readers started prompting for the ZIP code of the cardholder.

My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

Re:Quick anecdote (2, Interesting)

Kitkoan (1719118) | more than 4 years ago | (#32816898)

> Consider either using iTunes gift cards.

Gift cards like those worry me and I refuse to buy them for ANY company. I've seen too many people buy gift cards (that just use a number string) try to get the credit from the card after buying them to only be told that the number has already been used by someone else (they use them by using a Random Key Generator). And since it's just about impossible to prove that you were the first and only owner of it, you're typically SOL.

Re:Quick anecdote (3, Interesting)

pseudorand (603231) | more than 4 years ago | (#32817448)

> My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

TFA agrees with you ("Remove your iTunes card details and consider using gift cards where possible."), but using a gift card is a really bad idea. The article also says to "try prevent any iTunes purchases from clearing." These suggestions show a misunderstanding of the legal protections afforded consumers when we use credit cards.

Under the law, you have 60 days to dispute credit card transactions. You can do this if the transaction has cleared (which is typically less than 24 hours). You can do this even if you've already paid your credit card bill. Your credit card company is required to refund the amount to your account until the dispute is resolved and help you in the dispute resolution process. The law has some antiquated restrictions about transactions occurring more than 50 miles from your home and technically gives you a liability of $50, and doesn't cover debit cards. However, both Visa and Mastercard have policies of zero liability that cover both credit and non-PIN-based debit transactions independent of how far from your home they occur. I've disputed numerous charges for various reasons, including having someone make a copy of my card in Mexico (I still had the card but the bank said it was a card-present transaction). Disputes have always been resolved quickly and in my favor. In short, using a credit card is the safest way to buy stuff. Always use a credit card for any purchase.

Think if you'd used a gift card. Gift cards are like cash. If the purchase was fraudulent, you only lose the value of the gift card, but you have no way to get it back. I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.

Re:Quick anecdote (1)

networkBoy (774728) | more than 4 years ago | (#32817888)

I use a very low limit card for on-line purchases, and for travel.
Active limit is < $800, nominal limit is $10,000 if I go on-line to my bank's website and increase it.
I've had to re-issue that card number only twice, once for a lost wallet, once for on-line fraud.
-nB

Re:Quick anecdote (0)

Anonymous Coward | more than 4 years ago | (#32817484)

Another common trick to see if cards are live is to donate a small amount (~£1) to charity. This happened to a friend's card, but the bank spotted it, saying it happens often, checked the transaction with my friend and then blocked the card when he said he hadn't authorised it.

Re:Quick anecdote (1)

jfoobaz (1844794) | more than 4 years ago | (#32816640)

> I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated.

I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note, that I too can make up anonymous and unsourced 3rd party quotes to support any thing I choose to say, and the credibility of said quotes is identical to yours.

Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

Re:Quick anecdote (0)

Anonymous Coward | more than 4 years ago | (#32817000)

> I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note, that I too can make up anonymous and unsourced 3rd party quotes to support any thing I choose to say, and the credibility of said quotes is identical to yours.
>
> Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

It would be imprudent of me to not post anon, and even more so to quote the source of the information. Financial companies are as touchy as "Trendy Software/Hardware Marketing Companies" when it comes to proprietary information. You have every right to not believe the anecdote, just don't whine when you're the victim of fraud and no one is sticking up for you; we tried to warn you.

And since this is Slashdot, RTFP and point out anywhere that I implied I had evidence of causation.

Re:Quick anecdote (1)

jfoobaz (1844794) | more than 4 years ago | (#32817286)

> It would be imprudent of me to not post anon, and even more so to quote the source of the information. Financial companies are as touchy as "Trendy Software/Hardware Marketing Companies" when it comes to proprietary information. You have every right to not believe the anecdote, just don't whine when you're the victim of fraud and no one is sticking up for you; we tried to warn you.

I neither believe nor disbelieve you. I find your statement lacking in support and indistinguishable from bullshit; this is not to say it's bullshit, merely to say it's just one assertion without sourcing. It could well be true. Of course, phrases like "Trendy Software/Hardware Marketing Companies" make it seem like you have something of an ulterior motive in posting this, but that's not necessarily indicative of bullshit.

> And since this is Slashdot, RTFP and point out anywhere that I implied I had evidence of causation.

And since this is Slashdot, RTFP and point out anywhere that I said you'd implied evidence of causation. The phrase gets trotted out constantly, whether or not it's warranted.

Re:Quick anecdote (0)

Anonymous Coward | more than 4 years ago | (#32817826)

Fair enough, one bit of potential bullshit deserves another piece of potential bullshit then, eh? Is that what you're saying? Did you just stop by to point out that "people can indeed make shit up on the internet"? What a bit of insight, thank you so much for your input... Oh, or is this one of those tests, like you are saying anyone can make shit up on the internet except if people can make shit up on the internet then that means you just made that shit up about making shit up?

Do you see how quickly your line of logic leads to a pile of shit? Feel free to contribute useful information at any point, here.

Re:Quick anecdote (1)

node_chomsky (1830014) | more than 4 years ago | (#32817048)

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated.

I also know someone who works in the fraud prevention business, and they say that this correlation is non-existent. Note that I too can make up anonymous and unsourced 3rd party quotes to support anything I choose to say, and the credibility of said quotes is identical to yours.

Also, since this is Slashdot, it's incumbent on me to remark that correlation is not causation.

Good rhetorical dissection, the world needs more people who understand the validity of certain forms of "proof".

Re:Quick anecdote (1)

swb (14022) | more than 4 years ago | (#32817010)

Any small purchase can be used to "test" to make sure the card info is correct. For physical cards it's often a gas station, but that doesn't work when the fraud is 100% electronic (i.e., no fake plastic), so any system where you can make small but verifiable purchases before maxing the card out on a larger purchase is desirable.

iTunes is great for that, but I've gotten calls about other small charges from my credit card company when they've flagged a questionable transaction.

Re:Quick anecdote (1)

Tharsman (1364603) | more than 4 years ago | (#32817228)

Keyloggers in the users' computers. People that manage their iTunes accounts in virus-infested computers are the most likely reason for this kind of stuff.

No, you can't gift apps for other users in your iPhone, but you can phish up the iTunes account login and password so you can buy anything you want and sync it to your computer, and then to your phone.

Re:Quick anecdote (0)

Anonymous Coward | more than 4 years ago | (#32817786)

Easy fix. Stop using Windows and buy a Mac where keyloggers are not hiding behind every .js exploit around. Of course, as soon as people move to the Mac platform, some malware writer will reflash Mac keyboards to stick the keylogger code into the hardware.

Re:Quick anecdote (4, Informative)

tlhIngan (30335) | more than 4 years ago | (#32817414)

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

The iTunes thing is a credit card test.

If you think about it, if you steal a bunch of credit cards (e.g., hack a payment processor), the easiest way to test them is to run up a charge against something that has most people thinking it is a normal charge.

E.g., a lot of people have iTunes accounts, so get iTunes to run a charge and see if it goes through - you'll see this as a $0.99 billing mostly. The goal is to hide that 99 cent charge amongst hopefully other iTunes charges.

Earlier this year, a payment processor was hacked (one used by one of my favorite stores) - it's unusual because the store itself doesn't store credit card data (they can't), but a bunch of people who used that store noticed the iTunes charges, while others noticed and saw the strange charges as well (too late).

I don't think there's any credit card information being stolen from Apple (no app can get at it unless it key logs - at worst they'll get your iTunes account information as your credit card isn't transmitted to Apple at all - Apple looks up your stored credit card info).

As for enabling the activity, I think it's because iTunes is quite popular - a good chunk of those doing online shopping have probably bought something from iTunes, thus the chance of burying a charge is greater, and there's probably some API that was hacked in order to rapidly test credit cards. Also, Apple delays charging for a week or so (to avoid multiple 99 cent charges, they'd rather do a batch charge) but iTunes does do a reservation for each charge to ensure credit is available.
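Added example, not part of the comment above and not any issuer's actual rule: a minimal detector for the pattern described in this sub-thread, a small online "test" charge followed within minutes by a near-limit charge on the same card. The thresholds, card tokens, merchant labels and transactions are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str        # opaque card token, never the card number itself
    ts: datetime
    amount: float
    merchant: str
    channel: str     # "online" or "card_present"


# Assumed tuning values, not taken from the thread.
PROBE_MAX = 2.00                  # largest amount treated as a possible test charge
WINDOW = timedelta(minutes=30)    # how long a test charge stays "fresh"
DRAIN_FRACTION = 0.5              # share of the credit limit that counts as a drain


def find_probe_then_drain(txns, limits):
    """Return (probe, drain) pairs: a small online charge followed, inside
    WINDOW, by a charge of at least DRAIN_FRACTION of the card's limit at a
    different merchant. Cards with an unknown limit are never flagged."""
    alerts = []
    probes = {}  # card -> small online charges still inside WINDOW
    for t in sorted(txns, key=lambda x: x.ts):
        live = [p for p in probes.get(t.card, []) if t.ts - p.ts <= WINDOW]
        limit = limits.get(t.card)
        is_drain = limit is not None and t.amount >= DRAIN_FRACTION * limit
        if is_drain:
            prior = [p for p in live if p.merchant != t.merchant]
            if prior:
                alerts.append((prior[-1], t))
                live = []  # one alert per burst, not one per probe
        elif t.channel == "online" and t.amount <= PROBE_MAX:
            live.append(t)
        probes[t.card] = live
    return alerts


def at(hhmm):
    # Constructed date; only the time of day varies in the sample.
    return datetime.fromisoformat("2010-07-06T" + hhmm + ":00")


# Constructed sample data.
SAMPLE_LIMITS = {"tok_A": 5000, "tok_B": 5000, "tok_C": 5000, "tok_D": 5000}
SAMPLE_TXNS = [
    Txn("tok_A", at("10:00"), 0.99, "app-store", "online"),
    Txn("tok_A", at("10:07"), 4800.00, "electronics-shop", "card_present"),
    Txn("tok_B", at("10:00"), 0.99, "app-store", "online"),
    Txn("tok_B", at("10:10"), 45.00, "grocer", "card_present"),       # normal spend
    Txn("tok_C", at("09:00"), 0.99, "app-store", "online"),
    Txn("tok_C", at("15:00"), 3000.00, "electronics-shop", "card_present"),  # too late
    Txn("tok_D", at("11:00"), 2600.00, "travel-agent", "online"),     # no probe first
]

if __name__ == "__main__":
    for probe, drain in find_probe_then_drain(SAMPLE_TXNS, SAMPLE_LIMITS):
        gap = int((drain.ts - probe.ts).total_seconds() // 60)
        print(f"{drain.card}: {probe.amount:.2f} at {probe.merchant}, then "
              f"{drain.amount:.2f} at {drain.merchant} {gap} min later")
```

Because the small charge alone is indistinguishable from an ordinary purchase, the rule only fires on the pair, which is why a popular storefront makes a convenient place to hide the first half.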

Re:Quick anecdote (1)

DdJ (10790) | more than 4 years ago | (#32817710)

Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

Yes. The purchases are just like iTunes music purchases. They require an iTunes account. They're not bound to specific devices at all, they're bound to iTunes accounts. Even if you don't have an iOS device, nothing would stop you from going out and buying an app right now. If you ever did sync an iOS device to your iTunes library, the app would then install on that device (if you haven't deleted it from your library in the intervening time). Even if it's a hardware model and OS version that didn't exist when you made your purchase, yes.

I was thinking "if this is just someone probing credit card validity via the app store, why haven't we seen it with music before"? But I think the answer is, for music, Apple is paying out to a much smaller list of payment recipients. A single individual human being can sell apps. Doing the same for music is considerably harder. I think apps are just way more open to fraud than music is, because of the difference in publisher relationships.

If that's the case, why would we see this via apps but not books? The iBooks store also lets individuals contribute without other intermediaries.

But, with iBooks you can't sell for a device that doesn't exist yet. The only purchase interface is on the devices themselves, not the web or iTunes or anything. It'll be interesting to see if similar exploits appear for iBooks books if/when there are other purchase mechanisms for them.

Re:Quick anecdote (1)

cusco (717999) | more than 4 years ago | (#32817868)

I personally think it's an Apple insider, actually. A couple of years ago anyone who had access to the store's database management tools had essentially free access to everything. People could literally dump a backup of the db to a USB hard drive and walk out the door with it. I'm sure they've tightened it up since then (well, moderately sure), so it would be interesting to see if the accounts getting attacked include new accounts or only accounts that have been around for a while.

A laid-off developer might well have run across the old db backup while looking for stuff to put on eBay to pay the rent and thought, "I'll bet someone would be interested . . ."

Re:Quick anecdote (1)

MainframeGuruDennis (1849950) | more than 4 years ago | (#32818166)

If Apple was following the PCI (Payment Card Industry) requirements, any credit card info that was associated with a user's iTunes account should have been encrypted, thereby making it difficult for anyone who hacked the site to access the credit card data. Was Apple properly encrypting stored credit card details? Another question to add to the growing list.

Apple account hacked months ago (4, Funny)

shidarin'ou (762483) | more than 4 years ago | (#32816212)

The hackers attempted to order a macbook pro. I called Apple support- who kept asking what product I was having a problem with. One insisted that I was viewing the Apple website through a Mac, so therefore the problem was actually with the Mac.

Apparently they have no technical support/hacking section for their website- account issues don't exist according to them. I was finally able to reach level 2 tech support after faking a problem with my Macbook; where the account was flagged and order canceled.

Too many eggs in one basket! (0)

Anonymous Coward | more than 4 years ago | (#32816248)

Isn't this why you don't put all of your eggs in one basket?

Would this be (3, Funny)

DevConcepts (1194347) | more than 4 years ago | (#32816268)

Apple Farming?

Re:Would this be (1)

jgagnon (1663075) | more than 4 years ago | (#32816390)

Undoubtedly there are techs at Apple that will be hitting the hard cider tonight...

Re:Would this be (2, Insightful)

Rockoon (1252108) | more than 4 years ago | (#32816400)

Farmville for Developers.

the problems go far deeper than Apple is admitting (0)

Anonymous Coward | more than 4 years ago | (#32816368)

They are saying that only 5,000 apps were pilfered a day, when really it's more like 60,000 a day. (yeah just making it up)

Apple, the new BP

New Credit Cards? (5, Interesting)

fluch (126140) | more than 4 years ago | (#32816592)

Wait, so they suggest customers to get new credit cards? Well, one thing I do not understand is this: the credit card information is with Apple, but I thought only Apple has access to this stored information. There should be no way for the bad guys to obtain my credit card information from there. If they have the credentials to my apple account they can make Apple charge my credit card without my authorisation. But in this case Apple would have to give me back this money as I did not authorise it etc. And as soon as I have changed my password ... the problem should stop (as long as they don't get my new password somehow)...

Or what am I missing here?

Re:New Credit Cards? (1)

Tharsman (1364603) | more than 4 years ago | (#32817262)

You may miss that the same virus or site or whatever method used to compromise your password may have been used to compromise your credit card information, if you ever used it in any online retailer, including theirs.

Re:New Credit Cards? (1)

fluch (126140) | more than 4 years ago | (#32817626)

Well, of course if this is the case it makes sense...

Re:New Credit Cards? (2, Interesting)

cusco (717999) | more than 4 years ago | (#32817966)

Or what am I missing here?

Stolen database backup? It's incredibly easy, and extremely embarrassing. Most companies don't want to admit, "Well, the intern that we foisted the backup jobs on gave the tapes to some guy in an Iron Mountain shirt and now we don't know where your data is." I know it's happened locally at least twice, and neither company fessed up to its customers.

Obligatory Star Wars quote (0)

boristdog (133725) | more than 4 years ago | (#32816662)

"The more you tighten your grip, Tarkin, the more star systems will slip through your fingers"

- Princess L

Re:Obligatory Star Wars quote (1)

BonquiquiShiquavius (1598579) | more than 4 years ago | (#32817182)

I know, I know...Slashdot...News for Nerds...etc. And Star Wars falls squarely into this demographic.

But am I the only one that finds a quote from Princess Leia just sounds stupid?

meme wars (2, Funny)

jDeepbeep (913892) | more than 4 years ago | (#32817566)

But am I the only one that finds a quote from Princess Leia just sounds stupid?

If we added a car analogy, we're looking at at least a 4-funny.

Re:Obligatory Star Wars quote (1)

Haffner (1349071) | more than 4 years ago | (#32817380)

This has now been quoted in back-to-back threads, both times used effectively.

Approved apps? (4, Interesting)

fluch (126140) | more than 4 years ago | (#32816694)

Just wondering: So if harm is done with apps approved by Apple ... isn't Apple then also liable for the fraud done by them?

Re:Approved apps? (5, Insightful)

billy8988 (1049032) | more than 4 years ago | (#32816918)

Nah...that's MS yardstick. If a rogue developer hijacks IE then it's a MS problem. If a rogue developer does something to Appstore then it is that damn rogue developer.

Re:Approved apps? (1)

socz (1057222) | more than 4 years ago | (#32816950)

What do their ToS for buying, downloading, and installing apps on THEIR devices say?

Re:Approved apps? (1, Insightful)

countSudoku() (1047544) | more than 4 years ago | (#32817140)

You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

BTW, who the hell is still visiting the crApp Store anyway? I froze my iTouch at 2.2.1 because I refuse to pay another $10 for the elusive Copy/Paste bug they failed to ship, or fix, in my rev. I downloaded all the free games, fart apps, tip computers, and two useful apps back in 2008 and never went back. Not all that impressed with the garden. In fact, it mostly sucks ass. Enjoy at your own peril!

Re:Approved apps? (0)

Anonymous Coward | more than 4 years ago | (#32817266)

BTW, who the hell is still visiting the crApp Store anyway?

Obviously, all the people out there who aren't nearly as clever as you are. They are so very all stupid and you are so much very smart. In fact, there is something you need to go be smart about with your clever smarts over there somewhere. Way far over there. They're way far over there because you're so much more cleverer than they are with your amazing jokes like that and how much you hate things.

(side note to us not-clever people: think that'll at least placate his ego for long enough for the rest of us to have a real discussion?)

Re:Approved apps? (1)

MobileTatsu-NJG (946591) | more than 4 years ago | (#32817376)

You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

What company with an app store wouldn't?

Re:Approved apps? (1)

nedlohs (1335013) | more than 4 years ago | (#32817490)

A bankrupt one?

Re:Approved apps? (2, Funny)

agent_vee (1801664) | more than 4 years ago | (#32817770)

Can't wait to see Steve Jobs e-mail reply to a user asking what Apple is going to do about this problem. "Just don't purchase those apps. -Steve"

Identity Theft (5, Funny)

ShopMgr (1639595) | more than 4 years ago | (#32816884)

Yeah, there is an app for that...

Mitigate the problem (1)

Barefoot Monkey (1657313) | more than 4 years ago | (#32816942)

Some e-commerce sites make the users enter their credit card numbers every time they transact. Others remember the credit card number as a convenience so that the user doesn't need to keep entering it.

The latter approach is far more convenient, but carries the risk of exposing credit card numbers of anyone whose account gets hacked. I haven't used Apple's store, but since the victims are being charged it seems that Apple chooses to remember their credit card numbers for them.

Given that account hacks are becoming an issue, Apple could mitigate the problem of fraudulent charges by using a hybrid approach: remember the credit card number as per usual, but if a user logs on from a device other than the one he usually uses to log on, then keep the card number secret. Once the user has entered the card number on a device, the card number can be visible next time the user uses it to log on.

This way, if someone hacks into your account the worst he can do without requiring further exploits is download things that you have already purchased, mess with your account settings or perhaps make purchases on your behalf using his own card, but you (the real owner of the account) should remain relatively safe from thieves draining your credit card.

Re:Mitigate the problem (1)

shadowrat (1069614) | more than 4 years ago | (#32817324)

the app store never reveals credit card information. if you know a user's log in and password, you can make app store and itunes purchases from any device. you can't, however, get their credit card.

unfortunately it's trivially easy to get the login information. All a developer has to do is make an app that asks for credentials. It can be very legit so as to make it through apple's approval process. Really, all apple cares about is if the app is reasonably stable, doesn't duplicate their functionality, and isn't using private api's. Maybe you have a high score system, or simply say the user needs an account to read the book in the app. Hell, you could probably just make an app with 2 text fields for username and password that does nothing and apple will approve it. You will probably end up with a database where > 50% of the username / password combos are actually appleIds and passwords ready to buy stuff on the app store.

i'm not sure what apple can do to combat this social engineering. i don't use my appleId within apps or any other login really. It would be nice however if i could whitelist some deviceid's that i say can make purchases from my account. maybe make that hardware identifier work for me for a change.
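Added example, not part of either comment and not a description of how Apple's store works: a sketch of the scheme discussed in this sub-thread, where the stored card is charged without prompting only from a device that has already proven knowledge of the card number, so a stolen password alone cannot spend on a new device. The class, the device names, the lockout limit and the test card numbers are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Demo key held in memory; a real service would keep it in a key store.
SERVER_KEY = secrets.token_bytes(32)
MAX_FAILED = 3  # assumed limit on wrong card entries before lockout


def fingerprint(value: str) -> bytes:
    """Keyed hash, so neither card numbers nor device ids are stored in clear."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()


def digits(card_number: str) -> str:
    """Normalise '4111 1111-...' style input to bare digits."""
    return "".join(ch for ch in card_number if ch.isdigit())


class Account:
    def __init__(self, card_number: str, first_device: str):
        self.card_fp = fingerprint(digits(card_number))
        self.trusted = {fingerprint(first_device)}  # device whitelist
        self.failed = 0
        self.charges = []

    def purchase(self, device_id, item, price, card_number=None):
        """Charge the stored card. An unrecognised device must re-enter the
        card number once; a correct entry adds the device to the whitelist."""
        dev = fingerprint(device_id)
        if dev not in self.trusted:
            if self.failed >= MAX_FAILED:
                return "locked"          # new devices need an out-of-band reset
            if card_number is None:
                return "card_required"   # password alone is not enough here
            entered = fingerprint(digits(card_number))
            if not hmac.compare_digest(entered, self.card_fp):
                self.failed += 1
                return "denied"
            self.trusted.add(dev)
            self.failed = 0
        self.charges.append((item, price))
        return "charged"


if __name__ == "__main__":
    # Constructed walk-through; the card numbers are test values, not real cards.
    acct = Account("4111 1111 1111 1111", "owner-phone")
    print(acct.purchase("owner-phone", "game", 0.99))                 # charged
    print(acct.purchase("unknown-pc", "game", 0.99))                  # card_required
    print(acct.purchase("unknown-pc", "game", 0.99,
                        card_number="4000 0000 0000 0002"))           # denied
    print(acct.purchase("owner-laptop", "book", 1.99,
                        card_number="4111-1111-1111-1111"))           # charged
    print(acct.purchase("owner-laptop", "book", 1.99))                # charged
```

This limits what a phished password can do; it does nothing against a keylogger that captures the card number as well, which is the case raised elsewhere in the thread.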

Another Apple Story? (-1, Troll)

BlueBoxSW.com (745855) | more than 4 years ago | (#32817094)

What's next:

"Apple Admits to Typo in iPhone Manual"

"Is Steve Jobs Related to Hitler?"

"Apple Blocks Anti-Apple App from Store"

"Apple Customer Server Fails to Answer Phone in 2 Rings"

"Non-Apple Owners Who Complain About Apple Products, Largest Growing Demographic on Web"

Re:Another Apple Story? (0, Redundant)

BlueBoxSW.com (745855) | more than 4 years ago | (#32817642)

What's next:

"Apple Admits to Typo in iPhone Manual"

"Is Steve Jobs Related to Hitler?"

"Apple Blocks Anti-Apple App from Store"

"Apple Customer Server Fails to Answer Phone in 2 Rings"

"Non-Apple Owners Who Complain About Apple Products, Largest Growing Demographic on Web"

4568 apps? (1)

HockeyPuck (141947) | more than 4 years ago | (#32817194)

From the article:

One example is Brighthouse Labs with 4568 Apps, all virtually worthless.

How does apple approve of 4578 apps from one developer? I thought each app was audited? Or is some of the auditing done through heavy automation? Such that if you got Pacman approved whereby each dot you ate gave you one point, then you could make another pacman that each dot gave you 2 points, and the second version was automatically approved.

Re:4568 apps? (5, Informative)

Bing Tsher E (943915) | more than 4 years ago | (#32817454)

The apps from that 'developer' are things like 'xxx Quotes' where there are quotes collections for many many different people. And slider puzzles where there are many different pictures. And recipe books.

Basically the kind of 'stuff' where the actual codebase is a small container re-released over and over and over with different content.

That's part of the problem in general with the 'little Apps' model Apple has developed. There are separate 'Web Radio Players' for each radio station, leading to thousands of different radio 'apps.'

This is a security issue; but who's at fault? (1)

rsborg (111459) | more than 4 years ago | (#32817282)

How can a compromised developer account contain iTunes login information?

Are the people who got hacked also developers on the App Store?

How many accounts are known (publicly) to be hacked?

Without more information, it's hard to take any of this as a serious breach... all of these actions could easily have been had by PC malware or Jailbroken phone malware, via the information black market.

Apple Slashdot Attention (2, Interesting)

helix2301 (1105613) | more than 4 years ago | (#32817440)

I have to agree Apple is getting a ton of Slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they've been getting a lot of negative attention which is not a good thing.

Must be (0)

Anonymous Coward | more than 4 years ago | (#32817492)

There is obviously magical properties in use here in a game changing manner.

simple: add photo of purchaser (1)

LiquidCoooled (634315) | more than 4 years ago | (#32817506)

upload a photo of the person purchasing the item at the point of sale.

chances are, there will be a little kid (mine makes calls on my n900) or the owner.

too much advertising does this to you (1, Troll)

ILuvRamen (1026668) | more than 4 years ago | (#32817740)

Wow, what a mysterious cliffhanger at the end of the summary...just kidding, it's obvious. They never had to worry about security because nobody used their products! With a market share like that, why would any malware writer or hacker bother? But now that Apple somehow convinced so many people to buy their so-so phone, they should have known what comes with that; attempted security breaches!
Actually, it's not the least bit surprising for a company that doesn't know the first thing about security to put out an insecure product and whole related system. This is definitely not going to be the first story like this about Apple if they keep putting out products that get enough market share to get attention from bad people. As a company, they have no idea how to handle it. Think of it this way. Microsoft has had decades to stop all forms of security threats that are constantly targeted at them and still hasn't gotten it quite right. Apple is starting from nothing because they've never had to worry about security on any significant scale. So unless they suddenly pull about 15 years of developed security measures and then some out of their asses and put it into the next iPhone, they're going down in flames. This is sort of funny and entertaining really, and not just because it totally makes the outlook for Linux look better. Either Apple's products are a laughably small market share or it's a huge market share and because of that, turns into a disaster because they don't know what they're doing. So I'd like to see Mac computers get like a 30 or 40% market share so bad people start targeting them. Their OS would make XP look like Fort Knox by comparison.

Another excuse for failed developers (1)

Singularity42 (1658297) | more than 4 years ago | (#32817882)

Oh, it's the flood of fraud that made my game fail. My game itself is perfect!

The only fault apple has in this (1)

nurb432 (527695) | more than 4 years ago | (#32817902)

Is not requiring stupidly complex passwords to prevent brute force attacks on accounts. Even then however, if you give them out to a 3rd party, IT'S YOUR OWN DAMNED FAULT!!
