Hackers Raid iTunes User Accounts
In news that is becoming alarmingly more frequent hackers have been raiding the online user accounts of the world’s biggest music store, iTunes, potential compromising users personal and financial details and spending up large on purchases.
According to The Global Mail, hackers have been breaking into the accounts of hundreds of iTunes users to steal their store credit and gift cards. Reports have started springing up on forums and blogs around the world over the last few days with users claiming their store credit and PayPal accounts have been fraudulently used by others.
Apple, who operate the iTunes store, are unsurprisingly remaining silent on the issue but are no doubt in crisis mode to try and avoid the potential PR disaster. Last year rival Sony was caught with their pants down when hackers compromised around 77 million accounts on their Playstation Network service.
The damage done to Sony’s brand has been so severe they have taken the extraordinary step of rebranding the service to try and distance themselves from the hacking incident. But given iTunes has over 200 million active user accounts and generated $5.4billion in net sales for Apple any damage to the iTunes brand could have wider implications for the high-profile technology giant.
Despite remaining silent Apple has responded to customer’s complaints by refunding lost money and resetting compromised accounts. But the company is telling owners of the compromised accounts that their actions are a ‘one-time exception to our sales policy’, implying that the fraudulent access is somehow the users fault.
British user Fiona McKinlay, who spoke with The Global Mail, says that In-App Purchases she didn’t make wiped out virtually all of her £25 gift cards worth. ”In December 2010 I loaded a £25 gift card, and a couple of days later ‘in app purchases’ that I didn’t make took my balance down to £1.02,” McKinlay explains.
“They were very helpful in that they disabled my account immediately, refunded my money, deauthorised all machines associated with my account and reactivated my account, but failed to acknowledge that there may be any sort of problem with their system.”
“Until one day I find something that says Apple have admitted there was a problem and have now resolved it,” she continued. “I’m going to assume the problem is still there and they’re still just trying to pretend it’s not. They used the phrase ‘Please note that this is a one-time exception to our sales policy.’ That says to me, ‘Well, we sort of think this is your fault and are just being nice,’ ” she says.
Owners of compromised accounts are concerned that Apple is trying to sweep the issue under the rug by claiming each attack is isolated and some believe there may in fact be a much larger problem than Apple will own up to. Other users are concerned about their personal data after it was discovered things like addresses were changed in their accounts by the hackers.
Ty Miller, chief technology officer at Sydney-based IT security firm Pure Hacking, says Apple appears to have chosen to reimburse hacked accounts rather than fix the problem.
“I would have expected Apple to take some sort of action by now,” Miller says. “[That they haven't] can indicate one of two things: Either Apple has accepted the risk of the fraudulent transactions and they’re happy to reimburse the money because it may cost a lot more to fix then they’re actually losing.
“[Or] there is an inherent flaw in the way they have created the gift card numbers and it would take a serious overhaul of their systems to change how that actually works,” Miller says.
“There’s free software out there that lets you generate iTunes gift card numbers and you can actually use them in the iTunes store and buy stuff,” he continued. “So it may not be that the actual accounts are being hacked, it can just be the gift card numbers being used.”
When contacted Apple declined to comment directly on the allegations but a spokesperson did send out a blanket statement saying “Apple takes precautions to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. Apple online services such as the Apple Online Store and iTunes Store use Secure Sockets Layer encryption on all web pages where personal information is collected.”
Apple also advised customers who had experienced hacking or believe their account vulnerable to change their password.