Has iTunes Been Hacked?
An anonymous reader writes "Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received is in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."
Reminds Me of Something the Sony CEO Said ... (Score:4, Interesting)
"This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."
At first I thought this was just to spread generalized fear, take a cheap swipe at their competition or even shift attention to something else, but it appears we'll get to see how pervasive this becomes. Perhaps he wasn't completely full of lies ...
Re: (Score:2)
Dear Apple users,
enjoy.
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Funny)
can't be: there are no viruses on Apple. Go ask your local Genius!
Re: (Score:2)
Re: (Score:2)
can't be: there are no viruses on Apple. Go ask your local Genius!
So I guess only iTunes users running Windows have to worry about that scenario?
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Funny)
However Apple's users are certainly prone to social engineering.
Of course I'm prone to social engineering. Why else would I have an iMac. And a MacBook. Two iPods. One iPhone (and two iPods and an iPhone for my kid.)
Re: (Score:2)
Being a tool and being prone to social engineering are not mutually exclusive. In fact, I would say they tend to go hand in hand.
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Interesting)
Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn. But it was still a hack. And it went unreported. It was determined that there was no value in reporting the hack since it would affect stock value.
I am betting that the VAST majority of hacks never get reported for this exact reason.
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Interesting)
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Funny)
So you closed the vulnerability and kept the stash?
Close the vulnerability? Don't be daft man! That sounds like the kind of automatic update that is best left enabled.
Re: (Score:3)
No, he accepted more porn as payment for their services.
Re: (Score:2)
Posting to destroy a mod gone wrong... my bad.
(stupid 2.0...)
Re: (Score:2)
Why does
Re: (Score:2)
Half a dozen years ago, I worked at a company that got hacked due to a web vulnerability. The hackers simply used our storage to store geman porn.
Please excuse my ignorance, but... what's geman porn?
Re: (Score:2)
Please excuse my ignorance, but... what's geman porn?
I am guessing it involves recordings of carnal acts performed by government bureaucrats wearing g-strings.
Re: (Score:2)
Please excuse my ignorance, but... what's geman porn?
I am guessing it involves recordings of carnal acts performed by government bureaucrats wearing g-strings.
Eeewwwwwwww..... No wonder they didn't want to be caught with such filthy stuff on their own hard drives!
Re:Reminds Me of Something the Sony CEO Said ... (Score:5, Insightful)
I've worked in IT security for a long time and for banks... The sheer number of unreported hacks at banks and at retail stores would blow your mind. People mistakenly get angry at the hackers (which is how the media has trained most everyone to think) when in reality it is almost always gross negligence on the hack-ee side and they deserve the ire.
Re:Reminds Me of Something the Sony CEO Said ... (Score:4, Interesting)
Seriously, "mistakenly", "trained"?
Sorry, no.
Sure, the companies deserve ire and disdain if they don't take care of our information securely. They even deserve some real civil liability -- a lot more then they're getting now.
But asshat little fuckheads who go around breaking into said company deserve ire, irregardless of any other ire given.
Cracking into networks and systems and grabbing data, damaging systems, anything of the sort-- even if they aren't properly secured-- is not noble.
It is worthy of ire, scorn, and jail time.
Now, it's not worth as much jail time as is being handed out often these days, nor silly, inflammatory words like "terrorism" being thrown around to make it all worse -- and adolescents who are frankly incapable of understanding that being an idiot, even though it's a rush or fun, is dangerous and has real consequences, should be treated like the kids they are, not adults.
But, no. It's not a mistake to give them all kinds of ire.
I pretty much hate Sony, for instance. But what the cracker-jackass groups are doing is pretty sociopathic.
There's no Greater Good involved; that's self-delusion at best. There could have been a way to go about it that may have been ethical, in a vigilante, internet-patriot sort of way. But these data dumps of real, personal information (including usernames and password hashes) are not at all it.
Re:Reminds Me of Something the Sony CEO Said ... (Score:4, Insightful)
irregardless of any other ire given
Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.
Re: (Score:2)
irregardless of any other ire given
Irregardless is not a word. You may have a point, but your use of a non-word makes me wonder.
If enough people use it and accept it as valid then it's a perfectly cromulent word, just like all the other words that weren't words 100 years ago. If you want a definition then this [wiktionary.org] might assist you broadening your vocabulary (even though the entry itself state's that it isn't generally accepted as a word :)
Re: (Score:2)
(even though the entry itself state's that...
Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?
(*checks and double-checks before submitting*)
Re: (Score:2)
It's OK, I've seen state's on the internet before - here is the justification. [slashdot.org]
Re: (Score:2)
(even though the entry itself state's that...
Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?
(*checks and double-checks before submitting*)
I think Alanis Morissette starts playing from your computer when this happens.
Followed by pedants arguing about that word.
Re: (Score:2)
I think Alanis Morissette starts playing from your computer when this happens.
Damn it!
Re: (Score:2)
Oh dear, is there a rule of some sort that if you're correcting someone else's grammar/spelling/(mis-)use of words, you'll get something wrong on your own post?
There is, it's called Muphry's Law [wikipedia.org]. (For bonus points, if you bring it up in an argument on the Internet, there's about a 50-50 chance that you'll be incorrectly accused of misspelling its name.)
Re: (Score:3)
Apparently this word goes back to at least 1874 http://dictionary.reference.com/browse/Irregardless [reference.com]
Re: (Score:2)
Re: (Score:2)
irregardless About 1,390,000 results [google.com.au]
gashblanab Your search - gashblanab - did not match any documents. [google.com.au]
You have a bit of catching up to do before your exciting new word falls into anything close to common usage. Until then, everyone who uses it is a gashblanab.
Re: (Score:2)
Slashdot is the last place I'd expect someone to argue that a popularity contest is the correct way to decide anything. Huh. I guess you learn something every half hemidemisemifortnight* or so.
*Yes. 1/16th of 14 diurnal cycles. So I learn something new every 7/8ths of a day. I'm a quick learner.
Re: (Score:2)
Sometimes the best way to figure out if something is in common usage or not is to determine if it's in common usage or not...
Re: (Score:2)
Must be right [google.com.au]
Yep. They're definitely all words in common usage.
Re: (Score:2)
Got any evidence that you're not a pack of fucking retards?
Our retards don't fuck enough, we have to import more.
Re: (Score:2)
No, the meaning is not clear. The prefix "ir" in English words means "not". So to people who actually understand the rules of the English language, "irregardless" means "not regardless".
If I say "Irregardless of the snow, I'm going outside," it means that I'm only going outside, but only if it doesn't snow. This is the exact opposite of what people who say this made up word actually mean by it.
Frankly, I find the use of "irregardless" to be confusing as h***.
Re: (Score:3)
Re: (Score:2)
Many banks (at least in the UK) still use a variant of username+password authentication to access online banking (susceptible to things like keyloggers on the user's machine and phishing, not to mention cryptographic attacks against SSL in old browsers) instead of the much safer challenge-response method using an external PIN device (like this [barclays.co.uk]) + banking card where no kind of password ever gets typed into an unsafe device (a general use, personal PC, used by somebody with little or no IT security training
Re: (Score:3)
Someone getting access to your account is NOT necessarily a "breach".
Re:Reminds Me of Something the Sony CEO Said ... (Score:4, Insightful)
Or, quite possibly, we're starting to see the impact of the Sony hacks themselves. I'd bet money that the affected people were using the same login information on each service, especially since both services use the same "username": the player's e-mail address. If you're not using unique passwords for each of your services (and especially the for the e-mail account that unifies them all), you're doing it wrong.
Re: (Score:2)
if someone hacked Apple/iTunes.. I doubt they'd keep it quiet.
with 200 MILLION credit cards, a hell of a lot more people would have seen this if it were a hack.
10 bucks says this guy has a common username and password.
Most likely not a "hack" (Score:3, Insightful)
Re:Most likely not a "hack" (Score:5, Interesting)
Yep. My bank recently called and canceled my CC. The trigger? The number was attempted to be used for a small ITMS purchase. The fraud department at the bank said that buying a 99c song at ITMS is a quick way to verify if they have the right info or not. In my case they used the incorrect pin digits from the back of the card and the bank denied the charge, but it must work some of the time.
Re: (Score:2)
A 3 digit security code is 1 in 1,000. With a couple of possible tries to get it right for each card before locking it out, your chances are now 1 in 250. With enough compromised account numbers you can find enough valid card combinations to make large purchases at a retailer other than iTunes. Most fraud is for software IP as many merchants won't ship somewhere other than the billing address for the card.
Re: (Score:2)
Cancelling it is a bit extreme. My CC company has frozen my CC a few times for small purchases like that. But, cancelling it outright would be extreme.
Re:Most likely not a "hack" (Score:5, Informative)
In my case they used the incorrect pin digits from the back of the card and the bank denied the charge, but it must work some of the time.
Sorry for being pedantic but the card security code (also known as CSC, CVV, CVV2, etc.) is not a PIN code.
The PIN for Mastercard or VISA cards is a code you as the user must remember, here in Europe it is used pretty much every time you use your card instead of a signature.
Re: (Score:2)
Re: (Score:2)
Well, to be honest I've only ever spent a few hours in Germany. But in those countries I've lived in it is common to use the PIN for both credit and debit cards when buying things in stores or withdrawing from an ATM.
In my experience (anecdotal of course) the use of signatures is a typically American thing, here in Sweden they're only ever used when the store loses its connection to the payment processor or the bank is having some kind of problem and is unable to verify transactions.
I've been shocked a few
Re: (Score:2)
Billing glitch? (Score:4)
Re: (Score:2)
Re: (Score:2)
However, from the hacker's perspective, to be able to boast about hacking into Apple is big karma amongst the hacker community - it doesn't necessarily need to be a huge world-changing hack like Sony suffered to garner that notoriety.
So has somebody claimed to have hacked Apple yet?
Very unlikely that iTunes was hacked... (Score:2)
It's highly unlikely this was a hack. If it was, reports would be in the hundreds or thousands, not "dozens". Also there would be a variety of purchases, not just for one game.
The most likely answer is a keylogger trojan, social engineering or a reused password from a true hacked site (like Sony or PBS). I find it odd that everyone who suggests that in TFA is thumbed down into oblivion as that's the most likely answer.
Also iTunes doesn't bill in real time, so those purchases that "just happened" were likely
Re: (Score:3)
Also there would be a variety of purchases, not just for one game.
It's not just for one game...
Since Betanews' original report last Wednesday, dozens of readers have e-mailed their own reports of account issues, most dealing with Sega's Kingdom Conquest.
Additionally...
Nearly every victim had a gift card balance on their account, and some have reported that their credit card and/or payment information had been removed from their account. This indicates that Apple likely is aware of the attacks, and is actively trying to protect its users.
In all cases, whether they're admitting the hack is occurring or not, users are having little trouble getting their money refunded to them.
Re:Very unlikely that iTunes was hacked... (Score:5, Interesting)
This is what bugs me about general security advice: people are recommended not to re-use passwords over a variety of web sites (sensible). However the solutions proposed are to store these passwords in a local "password vault" protected with just a single password, or for all sites to use a centralised log-in system such as Google or OpenID or whatever.
Now if those web masters really all follow suit and all switch to doing their logins using Google: is that any safer than re-using a password? If Google gets hacked, logins to all web sites are suddenly on the streets. Google's security may be better than Sony's, but that's not to say that it cannot be breached.
Or if a keylogger finds its way onto your computer, then the complete password vault can be opened in one go.
Re: (Score:2)
Re: (Score:2)
RSA two-factor authentication. It would be a very good solution but RSA is still milking the enterprise and government cows with that, so it will be years before something like that becomes a commodity service. Whatever came of the RSA security breach a few months back?
Badness. [boingboing.net]
Re: (Score:2)
Keep in mind that the story is almost entirely speculation. Something happened at Lockheed. That's all we know.
The real badness is that RSA has not been very forthcoming about the incident. This opens up the kind of speculation we're now seeing with LM, L-3, and even Northrop Grumman (though they say they jumped off SecurID shortly after the RSA compromise).
Just to muddy the waters a bit more... LM is re-issuing SecurID devices.
Re: (Score:2)
Whatever came of the RSA security breach a few months back?
It turned into a Lockheed-Martin security issue recently.
Re: (Score:2)
That's pretty much the whole idea behind OpenID; have a single, trusted party handle sign-on. FWIW, if you don't trust anybody, you can easily host your own OpenID service, running on a server or even your own computer (but that requires your computer be addressable from the internet).
Re: (Score:2)
FWIW, if you don't trust anybody, you can easily host your own OpenID service, running on a server or even your own computer (but that requires your computer be addressable from the internet).
It also requires that you're better at keeping a server secure than the admins at Google or whatever OpenID provider you could be using.
Re: (Score:2)
trash, no mention of phishing or trojans (Score:4, Interesting)
No mention of keylogging trojans or phishing combined with ridiculous uneducated guessing makes these authors' ramblings pure trash. Apparently all the links are from Betanews, too; I'd like to see Betanews stick to talking about iThings and not security. Choice quotes interspersed with my reactions:
"Apple's iTunes user logs themselves may have been compromised."
All I can think of on this one is the time I had someone tell me that my router had "lost its ARP table".
"... several of the victims that reported into Betanews on their experience are employed in IT -- obviously understanding the risks of improperly secured personal data."
I'd hope these same IT employees someday understand the risks of improperly secured personal data by not browsing the web on their own PCs (no Windows implied).
Hacking? Easier answers... (Score:4, Insightful)
Considering we've seen a story about how everyone is using the same password everywhere [slashdot.org], and how Sony got hacked again [slashdot.org], exposing even more passwords, is it any surprise that a number of people are having their iTunes and PayPal accounts attacked and drained to buy game gold?
iTunes and PayPal are pretty huge targets, but who'd attack a single game if they had access to the back end?
Re: (Score:2, Redundant)
Quite likely actually. It seems these reports surface every few months.
Heck, last year we've [macrumors.com] had [macrumors.com] many [slashdot.org] reports [slashdot.org] of hacked accounts being used to buy in-app purchases or raise rankings of apps.
So, the options are either a very low-level iTunes hack that only seems to steal a few hundred accounts at a time (iTunes has over 250M accounts according to today's keynote), a very big breach of iTunes that someone only seems to be using a few hundred accounts at a time, or, a bunch of people got phished or used the sam
Re: (Score:2)
Re: (Score:2)
Do you mean to say that the fact that some people may use the millions of passwords that are out in the street is more far-fetched than believing the system has been hacked?
I'd say it is debatable at best. As for your advice, since there is no evidence yet, I'd advise you to actually follow it.
Re: (Score:2)
Do you mean to say that the fact that some people may use the millions of passwords that are out in the street is more far-fetched than believing the system has been hacked?
I'd say it is debatable at best. As for your advice, since there is no evidence yet, I'd advise you to actually follow it.
I have no issue with the assertion that many people use the same password and id in various places. I do take issue in the automatic association of two hacks when no evidence or reason is known to think there is a connection. Perhaps if every single person reporting fraud says "yes I was a PS3 PSN account holder", the evidence might at least be circumstantial but at present it's just weak conjecture. It certainly doesn't make much sense to believe someone who might have stolen millions of accounts would use
Re: (Score:2)
It is the same with WoW accounts. They hack into poorly secured forums and use the same password and username to log into the game.
Happened to Me, in much the same way (Score:5, Interesting)
I very recently had the same situation that is described in the articles happen to my iTunes account. I received 2 emails for gift cards purchased through the iTunes store. As I was on vacation with no PC and thus no iTunes access, and not buying gift cards, I knew something was up. At first, I was thinking they were actually spam/phishing emails, as they listed the last 4 digits of a credit card that didn't match any of my credit cards. Without iTunes, all I could do was access my Apple ID account through the web on my phone, and when logged into my account, I saw that my billing information had been changed.
Luckily I had moved about 3 weeks before, and updated my billing info with my credit card, and not in iTunes (or I suspect I would have had several more app/gift card purchases on my own card.) The strange part was that they didn't change my password at all, or any security related questions. It seems as if all they did was change my billing info to someone else's and buy $100 worth of gift cards (Who knows what they were used for...).
I changed my iTunes Password, and contacted Apple Technical support, and all I got was a standard form letter about how I could dispute the charges on my credit card (even though I had pointed out that it *wasn't* my credit card info). They locked my account and after a short investigation they enabled it with no indication of anything other than their form letter.
I will freely admit that my password was vulnerable to a dictionary attack, as in the past, I wasn't too worried about someone buying me lots of music, but have since changed it. However, I had no indication that someone was attempting to access my account. If someone was indeed using a dictionary attack on my account, I would have hoped Apple would notice several thousand invalid logins on an account and do something about it.
I suspect there is someone named Jason in Seattle, who is wondering why they have a $100 purchase from iTunes on their MasterCard...
Re: (Score:2)
Data corruption? (Score:5, Interesting)
Re: (Score:3)
Obviously I have no idea what happened in your case, but it gave me an interesting thought. If you have thousands of stolen credit cards (or even just one) but are afraid of getting caught using them, making thousands of other people unknowingly use stolen credit cards by changing their stored data would make for some fantastic plausible deniability.
Re: (Score:2)
This is actually a well known tactic in carding circles.
After you've used and abused the 'virgin' cards, it's standard fare to spam them in IRC so they are used so much so quickly by so many that you are a needle in the haystack.
Re: (Score:2)
Some users are starting to notice they have someone else's info and are going on a buying spree. Or people are just making their normal purchases and are unknowingly charging other people's accounts, like I almost did last night.
Or somebody hacked your account and changed the billing info.
Disturbing. (Score:4, Insightful)
What worries me is they appear to have known about it for a while and are trying to clean it up as quietly as possible. If this was a glitch one presumes they would admit it in a downplayed fashion. I'd wager it is a BIG hack.
Leaving us with two possibilities:
1) iTunes has been seriously fckued over for teh lulz and profit and is trying to keep it quiet.
2) Or iTunes fraud may have been a constant (but contained) background noise for some while and this isn't much of an aberration. Apple may prefer to live with some level of fraud and patch up the leaks quietly. Just because it's trending on
Either way, talk about reality distortion.
Re: (Score:3)
You missed out:
3) Most iTunes passwords are insecure, and are also used for other accounts like Sony
Though your option no.2 is a good description of Apple's reaction to the problem. They should probably offer another level of protection like a certificate per device for login.
Re: (Score:2)
Re: (Score:2)
There is nothing disturbing about the results so far unless it is due to a security breach of iTMS. So far it seems more likely that this is the result of people "depending on the kindness of strangers". More explicitly, that users may be using the same username and password for multiple sites. If that is the problem it is hard to imagine what any e-commerce site could do to protect a customer other than requiring credit card information to be entered for each transaction.
A company can take the reactive pos
Re: (Score:2)
That seems to be a new feature, thanks. Last time I looked at this the only way to do it was to create a new account. This after all the other crap to hookup my account for Find My iPhone.
Re: (Score:2)
I removed my card info from my iTunes account when the latest round of "iTunes Hacked!" news came out. Mostly as a precaution, since I really just use iTunes gift cards for purchases. (Yes, I use gift cards - there seems to be a $5 off $25 or $10 off $50 gift card sale pretty damn often, so why pay full price?)
Tracking (Score:2)
Shouldn't this be easy to track? With the transaction ID, can't they see who bought the points in-game? Then find out if it belongs to an iPod or an iPhone. If it belongs to an iPhone, couldn't they track that down and find out who owns it?
Re: (Score:3)
Nobody ever hacked my cassette deck.
Re: (Score:2)
I am posting this comment from Divebus' cassette deck.
A cassette deck running a browser. Cool. Did you load BSD?
Re: (Score:2)
Probably. NetBSD runs on just about everything else....
Re: (Score:2)
I'll put 97% of my money on this. Same logins as used by the hacked Sony accounts. I'm surprised the number of compromises isn't much higher. Alright... everyone change their passwords NOW.
Re: (Score:2)
Alright... everyone change their passwords NOW.
And BOOM goes the dynamite.
Re: (Score:3)
That's great, but how does that stop someone else with your credentials logging in from a different computer and buying something?
I'm going to assume you don't have a CC on file with Apple (if your iTunes paranoia is anything to go by) but your setup would not help anyone who does.
My suspicions are that this is due to usernames and passwords being the same across multiple services, so one big compromise (Sony), has led to ID theft on other services, like the iTunes store.
Re: (Score:2)
Yep, you have fixed the problem unless THE PERPETRATOR IS IN YOUR HOUSE!! Get out as fast as you can!
Please tell us you were joking so I can retract this harsh comment.
Re: (Score:2)
Coincidence, I wonder, that a new 63-page EULA (63 pages Apple, are you serious?) appeared today when I was prompted to update my NASA App. And that the changed terms specifically involved iTunes password expiry and in-app purchases?
Yes, Coincidence. The new EULA items were about children buying wheelbarrows of Smurfberries.
Re: (Score:3)
I tried to get them to email the new TOS, but my wife's iPhone kept trying to spell-check/correct my email address. Why the F*** does it do that to *EMAIL ADDRESSES*??????
Re: (Score:2)
That's so annoying. Blackberrys do the same thing.
When I activate Blackberrys on our BES, I have to compose an email message first so I can disable 'suretype' and enable 'multitap' or I can't make it halfway through the user's email address thanks to it autocorrecting. Almost as bad as it capitalizing the first letter of every sentence whether you want it to or not.
Re: (Score:3, Insightful)
because if this turns out to be another widespread hack like the others recently, it'd be the last time I ever buy an Apple product.
What, Steve Jobs controlling every aspect of your life wasn't enough?
Oh, please. (Score:2)
Yeah, Mac owner here, and I was about to have McDonald's for lunch, but Steve wouldn't let me - it's bad for my heart, you see. He sees all, knows all, and prevents us from sin via the control chip all Mac owners have implanted.
Or maybe, you know, Steve doesn't control every aspect of my life. Could be that, too.
Re:Watching this closely. (Score:5, Funny)
I'm watching how this develops, I purchased my wife
Was she more than $.99?
Would you buy another?
Have you seen any fraudulent wife purchases on your bill?
Re: (Score:2)
Re: (Score:2)
I purchased his wife as well, and was quite satisfied.
Would do business with again. A++.
Re: (Score:3)
It doesn't any more. Log in to your iTunes account and choose None as payment method, and no details will be kept on file. If you don't purchase regularly then it'll be no inconvenience to re-enter them.
Re: (Score:2)
Ahhh, sir, you just don't get it, or so it seems.
While maintaining the radio button on "Credit Card", there is no way of not entering a credit card number!
Apple is a bunch of thieves that will dry us all out. Blood suckers. How can people live with this ??????
Re: (Score:2)
I cringed when I discovered for myself iTunes forces you to enter and keep your credit card details, just to be able to get access to the app store to just download free stuff even.
No it doesn't. Sit closer to the monitor next time. I sure managed to set up an account without a credit card attached.
And even if you can't figure out how to not enter a CC# you aren't so dumb as to enter the number from a physical credit card, right? I hope you're at least using a time- and purchase-size-limited CC# that you generated through your bank's website...
Re: (Score:3)
It doesn't - you can open and run an iTunes account without ever using a credit card, only topping it up with iTunes gift cards. No CC ever needs to go near the account.
Re: (Score:2)
Oh, come now. There have been instructions for a long time on how to not need a credit card [apple.com] for free purchases.