Old 07-08-2010, 02:29 AM   #46
nick101
Groupie
Posts: 190
Karma: 1248
Join Date: Nov 2009
Location: Milton Keynes UK
Device: Sony PRS-600 Touch, iPhone
Quote:
Originally Posted by Fotoman View Post
And I suppose you're going to be sharing the statistics that prove just how low selling that part of the store is with us...in all countries, since accounts are country-specific.

Umm... if you could be bothered to go to the websites of the developers who first reported this (as I did) and read their own notes on volumes of sales and how much change in volume is required to cause a shift in ranking (as I did) you would get the evidence that supports the contention that it's perfectly possible for 400 hacks to make a difference because these are in a low volume category.


Quote:
Originally Posted by Fotoman View Post
I'll need to see the numbers before I'll believe that 400 hacks was enough to affect several countries' iTunes stores in the manner they were affected. Until I see that, I prefer the theory that this is just spin for damage control.


Fine - you can see them - by doing what I did and researching this properly instead of sitting on the sidelines telling everyone else that you reject their research from your position of lofty ignorance
Old 07-08-2010, 02:39 AM   #47
nick101
Groupie
Posts: 190
Karma: 1248
Join Date: Nov 2009
Location: Milton Keynes UK
Device: Sony PRS-600 Touch, iPhone
Quote:
Originally Posted by HarryT View Post
Why? Simply because almost all computer security breaches are carried out via "social engineering", rather than technically "hacking" the system.
True. It also seems to me that if you went to iTunes, it's because you got access to the iTunes account, whereas if you'd got access to credit card details, you'd have used them somewhere you could buy something high value and negotiable.

The other point is that the App Store doesn't pay out immediately so, in cases like the ones we're discussing, there's a distinct probability that the perps won't actually get the money. I suppose that if I'd got hold of credit card details that I could use anywhere, I'd use them somewhere where I get the benefit immediately, rather than somewhere where I might never see my ill-gotten gains.

On the balance of probability, this looks like someone got hold of iTunes logins rather than card details

Last edited by nick101; 07-08-2010 at 03:06 AM.
Old 07-08-2010, 04:53 AM   #48
murraypaul
Interested Bystander
Posts: 3,725
Karma: 19728152
Join Date: Jun 2008
Device: Note 4, Kobo One
Quote:
Originally Posted by Fotoman View Post
I'm not as certain as some of you seem to be that 400 accounts worldwide were enough to knock those apps off the top. But I do know that repeating the same assumption 4 times in a thread is not a substitute for facts.
What you said was: "There is no frigging way it was only 400."
That is an assumption being presented as fact.
Why don't the same rules apply to you?
Old 07-08-2010, 04:59 AM   #49
murraypaul
Interested Bystander
Posts: 3,725
Karma: 19728152
Join Date: Jun 2008
Device: Note 4, Kobo One
Quote:
Originally Posted by tompe View Post
Quote:
Logon credentials being obtained by phishing is a much more plausible idea than the security system of the iTunes Store being broken.
Why?

Apple's response to use the security code on the backside of a card has no effect if it was phishing. Why is phishing more plausible than more conventionally stolen credit card numbers?

I would say that if something happens involving a lot of customers a broken security system seems more plausible. That is because you have knowledge that the thing has happened.

Or, I do not see why your guess about what happened is better than other guesses.
a) Nothing special about Apple or iTunes, most 'hacking' is actually either stolen passwords via phishing, or brute-force attacks to guess passwords. How many fake bank emails have you ever received? Or fake eBay/PayPal ones? It only takes a very small percentage of people to be fooled by these for the spammers to make money. Phishing is conventionally stolen credit card numbers, on the internet.
b) If someone had actually hacked into the iTunes store servers and retrieved credit card details, why is this such a small level of theft? There are millions of iTunes accounts.
Old 07-08-2010, 05:03 AM   #50
tompe
Grand Sorcerer
Posts: 7,452
Karma: 7185064
Join Date: Oct 2007
Location: Linköping, Sweden
Device: Kindle Voyage, Nexus 5, Kindle PW
Quote:
Originally Posted by HarryT View Post
Why? Simply because almost all computer security breaches are carried out via "social engineering", rather than technically "hacking" the system.
For what I know that is totally wrong. Connect a computer without security updates to the net and you only have to wait a couple of minutes for the attacks to start and probably succeed.
Old 07-08-2010, 05:12 AM   #51
murraypaul
Interested Bystander
Posts: 3,725
Karma: 19728152
Join Date: Jun 2008
Device: Note 4, Kobo One
Quote:
Originally Posted by tompe View Post
For what I know that is totally wrong. Connect a computer without security updates to the net and you only have to wait a couple of minutes for the attacks to start and probably succeed.
It is being posited that the iTunes store itself has been hacked, and that is where the account details have been taken from. I don't think it is hosted on desktops with no security updates applied
Old 07-08-2010, 05:16 AM   #52
tompe
Grand Sorcerer
Posts: 7,452
Karma: 7185064
Join Date: Oct 2007
Location: Linköping, Sweden
Device: Kindle Voyage, Nexus 5, Kindle PW
Quote:
Originally Posted by murraypaul View Post
It is being posited that the iTunes store itself has been hacked, and that is where the account details have been taken from. I don't think it is hosted on desktops with no security updates applied
Sure. But HarryT's argument was a general one about the number of successful attacks.
Old 07-08-2010, 05:22 AM   #53
HarryT
eBook Enthusiast
Posts: 85,544
Karma: 93383043
Join Date: Nov 2006
Location: UK
Device: Kindle Oasis 2, iPad Pro 10.5", iPhone 6
Quote:
Originally Posted by tompe View Post
Sure. But HarryT's argument was a general one about the number of successful attacks.
No, you have misinterpreted what I said. I was saying that, in cases where banks, e-commerce sites, etc, are "hacked", it's generally done by social engineering rather than technical means. i.e. the sites' security systems are not broken; logon credentials are obtained by other means - phishing, fake phone calls, or whatever.
Old 07-08-2010, 06:59 AM   #54
nick101
Groupie
Posts: 190
Karma: 1248
Join Date: Nov 2009
Location: Milton Keynes UK
Device: Sony PRS-600 Touch, iPhone
Quote:
Originally Posted by HarryT View Post
No, you have misinterpreted what I said. I was saying that, in cases where banks, e-commerce sites, etc, are "hacked", it's generally done by social engineering rather than technical means. i.e. the sites' security systems are not broken; logon credentials are obtained by other means - phishing, fake phone calls, or whatever.
I'll add to that - it pretty much has the status of a truism in the security business that the weakness is the people. Weak passwords, unchanged passwords, passwords written down in accessible locations, readiness to provide login information to anyone who sounds authoritative - these are the overwhelming majority of causes of breaches to system security. If anyone wants evidence for this, start reading some of the work done by people like Bruce Schneier.

A fundamental weakness of many supposedly secure setups is that they are predicated on the idea that login is controlled and, if you can engineer your way into the system, the door's pretty much wide open.

The second commonest cause of breaches is the copying of data from a secure system to somewhere insecure. Classic examples are the unencrypted USB stick and people copying files to work on on their home, insecure computer.

There are hacks into systems, and some of them have massive ramifications - but there aren't that many.
Old 07-08-2010, 10:59 AM   #55
Fotoman
Groupie
Posts: 157
Karma: 2160
Join Date: Feb 2009
Location: Vancouver, BC
Device: iPad 64GB wifi (Sony 505 RIP)
Quote:
Originally Posted by nick101 View Post
Umm... if you could be bothered to go to the websites of the developers who first reported this (as I did) and read their own notes on volumes of sales and how much change in volume is required to cause a shift in ranking (as I did) you would get the evidence that supports the contention that it's perfectly possible for 400 hacks to make a difference because these are in a low volume category.
Since you "researched" it then it shouldn't have been much effort for you to share a link or 2 about how little it takes to shift rankings with us ignorant sideliners, but you didn't... why not?
Old 07-08-2010, 11:11 AM   #56
Fotoman
Groupie
Posts: 157
Karma: 2160
Join Date: Feb 2009
Location: Vancouver, BC
Device: iPad 64GB wifi (Sony 505 RIP)
Quote:
Originally Posted by murraypaul View Post
What you said was: "There is no frigging way it was only 400."
That is an assumption being presented as fact.
Why don't the same rules apply to you?
You seem to be having a problem differentiating between an opinion that is forcefully expressed and attempts to characterize guesses as fact based on corporate spin... done by a company that is notorious for denying problems with any of their products... iPad wifi issues? They don't exist... iPhone 4 antenna issues? ditto... Sorry if I don't say "Oh goody, Apple says it was only 400! Nothing to worry about. I'm so relieved."

Also... I'm not sure what part of "...I prefer the theory that..." you're having problems understanding.
Old 07-08-2010, 12:53 PM   #57
nick101
Groupie
Posts: 190
Karma: 1248
Join Date: Nov 2009
Location: Milton Keynes UK
Device: Sony PRS-600 Touch, iPhone
Quote:
Originally Posted by Fotoman View Post
Since you "researched" it then it shouldn't have been much effort for you to share a link or 2 about how little it takes to shift rankings with us ignorant sideliners, but you didn't... why not?
I have, as have various other people - you could go to the app store, or you could go to the developers' sites or you could go to the TNW article whose link I posted earlier. I've done better than that - I've gone there for you and I've summarised the information to save you the effort
Old 07-08-2010, 01:20 PM   #58
Fotoman
Groupie
Posts: 157
Karma: 2160
Join Date: Feb 2009
Location: Vancouver, BC
Device: iPad 64GB wifi (Sony 505 RIP)
Quote:
Originally Posted by nick101 View Post
I have, as have various other people - you could go to the app store, or you could go to the developers' sites or you could go to the TNW article whose link I posted earlier. I've done better than that - I've gone there for you and I've summarised the information to save you the effort
You mean like this statement from TNW (14th bullet on the page which I am linking)

http://thenextweb.com/apple/2010/07/...e-hack-itunes/

Quote:
Apple now says 400 accounts were impacted, we don’t believe it.
(emphasis added.)

I see no data nor calculations there that in any way explains how 400 accounts had this much impact on the iTunes stores in several countries. All I have seen is speculation by some that 400 could have done it... which one of your sources doesn't even believe

Unless you can show me the data and calculations that make sense, I'll have to conclude that you're just speculating like everyone else with the exception that you are puffing up your own speculations by claiming it's derived from alleged thorough research based on data only you seem privy to.
Old 07-08-2010, 10:26 PM   #59
kjk
.
Posts: 3,408
Karma: 5647231
Join Date: Oct 2008
Device: never enough
Well, we still don't know for sure (and may never know), but F-Secure did weigh in on the issue:
http://www.computerworld.com/s/artic...ecurity_expert

Quote:
"Phishing seems the more likely explanation," said Sean Sullivan, a security adviser with Helsinki, Finland-based antivirus vendor F-Secure.

Sullivan was reacting to questions about scenarios that could explain Apple's claim that approximately 400 iTunes accounts were used to fraudulently purchase software from the iTunes App Store, driving up the popularity of 42 iPhone apps from a single Vietnamese developer, Thuat Nguyen.

"Standard phishing attacks," said Sullivan when asked to speculate on the most likely way Nguyen obtained access to the iTunes accounts. "That's much more likely than someone hacking the accounts or Apple's database," he added.
Interesting, my bank checks not just the IP, but the computer as well:

Quote:
F-Secure tested iTunes' permissiveness. Mikko Hypponen, the company's chief research officer who is based in Finland, successfully purchased content using the account of a U.S. colleague, with his permission. "An American account gives me access to iTunes from Finland," said Sullivan, who also lives in Helsinki. "Try that on Amazon, and it will say, 'Sorry, you're in Finland, you can't.'"
Old 07-09-2010, 04:33 AM   #60
nick101
Groupie
Posts: 190
Karma: 1248
Join Date: Nov 2009
Location: Milton Keynes UK
Device: Sony PRS-600 Touch, iPhone
Quote:
Originally Posted by Fotoman View Post
You mean like this statement from TNW (14th bullet on the page which I am linking)

http://thenextweb.com/apple/2010/07/...e-hack-itunes/

(emphasis added.)

I see no data nor calculations there that in any way explains how 400 accounts had this much impact on the iTunes stores in several countries. All I have seen is speculation by some that 400 could have done it... which one of your sources doesn't even believe

Unless you can show me the data and calculations that make sense, I'll have to conclude that you're just speculating like everyone else with the exception that you are puffing up your own speculations by claiming it's derived from alleged thorough research based on data only you seem privy to.

Whatever