Massive iTunes hacking/stolen money underway at this time

[nick101]

Quote:

Originally Posted by HarryT

More information is emerging about the recent iTunes App Store issues. This article by The Register suggests that around 400 accounts were compromised, and that logon credentials were obtained by a phishing attack; the iTunes Store itself was not hacked.

It's interesting. The Reg article is based on Apple's response. TNW, which has been aggressively pursuing the story, seems to be taking a line that the problem may be far worse than Apple claims, Apple's not really responding well enough etc.

The interesting part to me is that it's very hard for your ordinary punter to get a clear feel for the real state of the issue over the noise of axes being ground.

[HarryT]

Logon credentials being obtained by phishing is a much more plausible idea than the security system of the iTunes Store being broken.

[nick101]

Unless you're TNW, in which case it's yet more evidence of Apple's abject failure to protect its customers, because obviously this points to a systemic flaw in iTunes security.

As opposed to someone taking advantage of careless password/login management to break your credentials.

Note as well that TNW conveniently doesn't highlight the built-in delay before the app supplier gets paid, which means claims of users losing hundreds of dollars are pretty unlikely.

My point is, to ordinary folk, the mixture of reporting and editorialising obscures the reality.

[nick101]

This is what I mean

http://thenextweb.com/apple/2010/07/...publisher-main

[HarryT]

Dear me. A touch of paranoia there?

[vaughnmr]

Quote:

Originally Posted by HarryT

More information is emerging about the recent iTunes App Store issues. This article by The Register suggests that around 400 accounts were compromised, and that logon credentials were obtained by a phishing attack; the iTunes Store itself was not hacked.

Before you get too far with the "cover" story you're making:

- there were +/- 400 accounts from one developer that were hacked, but during the holiday there were multiple developers hacking iTunes.
- no one said it was a phishing attack. There were accounts of people who hadn't used iTunes in months or years having their accounts compromised. Also the one youtube video about someone touting how secure his system was, until the bank called him.

I suspect it's too early to write this off as a "minor thing" as Apple would like you to believe.

[nick101]

Quote:

Originally Posted by vaughnmr

Before you get too far with the "cover" story you're making:

- there were +/- 400 accounts from one developer that were hacked, but during the holiday there were multiple developers hacking iTunes.
- no one said it was a phishing attack. There were accounts of people who hadn't used iTunes in months or years having their accounts compromised. Also the one youtube video about someone touting how secure his system was, until the bank called him.

I suspect it's too early to write this off as a "minor thing" as Apple would like you to believe.

Evidence please.

Since this story first broke on Sunday, I've followed up every instance I can find. As I said in my first post in this thread, there are few verifiable facts. I am not 'writing it off' and, as I said, it's very serious for those affected. But all the evidence I can find suggests that this is indeed limited to a few hundred accounts.

There's no evidence out there either way as to whether this results from phishing or not.

And "Apple says it so it can't be true' isn't evidence - it's prejudice.

[Fotoman]

So it only takes 400 purchases to take unknown Vietnamese (it was cyrilic-titled books in the Canadian store) book apps from total obscurity to he top of the charts? And since several iTune stores in different country showed remarkably similar behavior on the 4th, were these 400 accounts spread around the world making the total # of sales required to move from obscurity to the top even smaller than 400?

I didn't realize that sales were that slow...

There is obviously a lot of speculation and no plausible details coming from the only people who truly know--Apple. I've read all the same reports but also used my head... There is no frigging way it was only 400. That is spin that is being happily gobbled up and repeated by those more susceptible to Apple's charm.

[HarryT]

Quote:

Originally Posted by Fotoman

So it only takes 400 purchases to take unknown Vietnamese (it was cyrilic-titled books in the Canadian store) book apps from total obscurity to he top of the charts?

I believe it was only top of the charts in that application category. Given that the category is a rather obscure one, it really doesn't take that many sales to promote something up the "chart".

[Kolenka]

Quote:

Originally Posted by Fotoman

So it only takes 400 purchases to take unknown Vietnamese (it was cyrilic-titled books in the Canadian store) book apps from total obscurity to he top of the charts? And since several iTune stores in different country showed remarkably similar behavior on the 4th, were these 400 accounts spread around the world making the total # of sales required to move from obscurity to the top even smaller than 400?

I didn't realize that sales were that slow...

There is obviously a lot of speculation and no plausible details coming from the only people who truly know--Apple. I've read all the same reports but also used my head... There is no frigging way it was only 400. That is spin that is being happily gobbled up and repeated by those more susceptible to Apple's charm.

There's a difference between the "Books" section of the app store (which are filled with tons of garbage one-off apps and only a handful of really nice apps like an interactive Alice in Wonderland, for example), and the iBook store. The books section of the store is extremely slow.

Posting up apps and then using hacked accounts to funnel money to themselves has been going on for awhile. It's news now because this was a larger effort done all in one weekend. The accounts themselves were probably cracked awhile back and the passwords kept around for a single attack.

Doing this and attacking on a Saturday that is part of an extended holiday weekend just means it takes that much longer in order for the owner of the account to regain control of it. It's the same tactic gold sellers are using in WoW right now. A big chunk of accounts get taken over every holiday weekend as they get 3 days to exploit the accounts before they get returned to their owners instead of 2. They'll save up quite a few accounts to make that extra day worth it.

I'm not terribly surprised this is happening. Zombie networks make brute forcing weaker passwords feasible, and there's profit in selling these accounts to others. In the end, the guys running the botnets to get these passwords are the ones making the real profit, while scammers like this one pay for the passwords and then get caught trying to use them.

[murraypaul]

Quote:

Originally Posted by Fotoman

There is obviously a lot of speculation and no plausible details coming from

... you, at the moment.
As others have said, but you don't seem to have bothered to check first, the apps were amongst the top sellers in a very low selling part of the app store, not the entire store.

[Fotoman]

Quote:

Originally Posted by murraypaul

... you, at the moment.
As others have said, but you don't seem to have bothered to check first, the apps were amongst the top sellers in a very low selling part of the app store, not the entire store.

And I suppose you're going to be sharing the statistics that prove just how low selling that part of the store is with us...in all countries, since accounts are country-specific.

The Elements, Cat in the Hat, Toy Story 2 (and 3) read along, Dr Seus' abcs... I realize most, if not all the popular apps in that section are educational and/or kid's apps and most readers of this forum are adults... Although...never mind...

I'm not as certain as some of you seem to be that 400 accounts worldwide were enough to knock those apps off the top. But I do know that repeating the same assumption 4 times in a thread is not a substitute for facts.

I'll need to see the numbersn before I'll believe that 400 hacks was is enough to affect several countries' iTune stores in the manner they were affected. Until I see that, I prefer the theory that this is just spin for damage control.

There are a lot of iTunes customers with very little computer or technical knowledge and there is a lot of money at stake here that depends on trusting that iTunes is safe and that this was a tiny aberration.

[ThomasMc]

Quote:

Originally Posted by nick101

Unfortunately, all those adverbs are commonly used in the media as euphemisms for 'we have no real idea if this is actually true and we can't be bothered to check, so we'll just run with it anyway'.

Such is the state of modern "journalism." Pathetic, really. It's become the profession for those who couldn't possibly do anything useful. Every time I listen to a gaggle of reporters asking someone questions, I just want to vomit at the utter stupidity.

[tompe]

Quote:

Originally Posted by HarryT

Logon credentials being obtained by phishing is a much more plausible idea than the security system of the iTunes Store being broken.

Why?

Apples response to use the security code on the backside of a card has no effect if it was phishing. Why is phishing more plausible than more conventionally stolen credit card numbers?

I would say that if something happens involvin a lot of customers a broken security system seems more plausible. That is because you have knowledge that the thing has happened.

Or, I do not see why your guess about what happened is better than other guesses.

[HarryT]

Why? Simply because almost all computer security breaches are carried out via "social engineering", rather than technically "hacking" the system.