Apple bans iPhone developer for 'app farm' iTunes hack
Over the weekend, Apple evicted an obscure developer from its iTunes App Store after a suspicious spike in his releases' popularity.
Romanian iPhone developer Alexandru Brie was among the first to wonder how Thuat Nguyen's Vietnamese-language comic books had come to occupy 41 of the top 50 spots in the App Store's paid books category (in the process, booting Brie's own app from its usual top-20 perch). In a blog post, Brie put together such evidence as Nguyen's poor showing in the store's Vietnamese categories and multiple reviews of his titles alleging fraud to suggest one explanation:
The issue is that it seems people's iTunes accounts have been hacked, with mass purchases of one developer's apps being made using their accounts.
Other sites picked up the news and added details; for instance, Apple Insider passed on a tip from a reader about a Chinese cottage industry in iTunes Store account hacking.
Tuesday morning, Apple spokeswoman Trudy Muller e-mailed that Apple had resolved the situation:
The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.
Muller added that developers, fraudulent or otherwise, "do not receive any iTunes confidential customer data" when somebody downloads one of their apps. She suggested that anybody who sees fraudulent purchases on their iTunes account should have their credit card issuer cancel the stolen number and issue a chargeback for the unauthorized purchases.
Muller, however, did not answer follow-up questions about how Nguyen might have scammed the system or whether other developers had engaged in similar practices. And Apple's PR site has yet to acknowledge the issue -- in keeping with the company's habit of clamming up.
The simplest answer to the first question is that App Store scammers have used the usual tricks to compromise customer accounts one at a time -- viruses, phishing scams or other trickery.
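Apple's statement cites "fraudulent purchase patterns," and Brie's blog post describes the shape of that pattern: mass purchases of one developer's apps charged to many compromised accounts. The following is an added illustration, not Apple's or Brie's code, of how a store operator could flag that pattern in its own purchase log. The log records, developer and account identifiers, and the thresholds (five purchases from one developer within ten minutes; half of a developer's sales coming from such accounts) are all constructed for the example.

```python
"""Flag the 'app farm' purchase pattern in a store purchase log.

Added example; not Apple's fraud logic. The records and thresholds below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, account id, developer id, app id).
# acct-1 and acct-2 each buy a run of one developer's comics within minutes;
# the remaining accounts show ordinary, spread-out buying.
PURCHASES = [
    ("2010-07-04T01:00:00", "acct-1", "dev-comics", "comic-01"),
    ("2010-07-04T01:00:30", "acct-1", "dev-comics", "comic-02"),
    ("2010-07-04T01:01:00", "acct-1", "dev-comics", "comic-03"),
    ("2010-07-04T01:01:30", "acct-1", "dev-comics", "comic-04"),
    ("2010-07-04T01:02:00", "acct-1", "dev-comics", "comic-05"),
    ("2010-07-04T01:02:30", "acct-1", "dev-comics", "comic-06"),
    ("2010-07-04T02:10:00", "acct-2", "dev-comics", "comic-01"),
    ("2010-07-04T02:10:20", "acct-2", "dev-comics", "comic-02"),
    ("2010-07-04T02:10:40", "acct-2", "dev-comics", "comic-03"),
    ("2010-07-04T02:11:00", "acct-2", "dev-comics", "comic-04"),
    ("2010-07-04T02:11:20", "acct-2", "dev-comics", "comic-05"),
    ("2010-07-04T09:00:00", "acct-3", "dev-comics", "comic-01"),
    ("2010-07-04T03:00:00", "acct-4", "dev-other", "game-01"),
    ("2010-07-05T03:00:00", "acct-4", "dev-other", "game-02"),
    ("2010-07-04T15:30:00", "acct-5", "dev-other", "game-01"),
]

BURST_COUNT = 5                      # purchases from one developer ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window = a burst
DEV_SHARE_THRESHOLD = 0.5            # share of a developer's sales from bursts


def parse(records):
    """Turn the string timestamps into datetimes; other fields pass through."""
    return [(datetime.fromisoformat(ts), acct, dev, app)
            for ts, acct, dev, app in records]


def burst_accounts(records, count=BURST_COUNT, window=BURST_WINDOW):
    """Return the set of (account, developer) pairs where one account bought
    at least `count` of that developer's apps within `window`."""
    times_by_pair = defaultdict(list)
    for ts, acct, dev, _app in records:
        times_by_pair[(acct, dev)].append(ts)
    flagged = set()
    for pair, times in times_by_pair.items():
        times.sort()
        # Sliding window over the sorted timestamps: any `count` consecutive
        # purchases that fit inside `window` make this pair a burst.
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                flagged.add(pair)
                break
    return flagged


def suspicious_developers(records, flagged_pairs, share=DEV_SHARE_THRESHOLD):
    """Return {developer: fraction of its sales that came from burst accounts}
    for developers at or above `share`. A developer whose ranking is driven
    by a handful of accounts buying everything at once is the 'app farm'."""
    total = defaultdict(int)
    from_bursts = defaultdict(int)
    for _ts, acct, dev, _app in records:
        total[dev] += 1
        if (acct, dev) in flagged_pairs:
            from_bursts[dev] += 1
    return {dev: from_bursts[dev] / total[dev]
            for dev in total if from_bursts[dev] / total[dev] >= share}


def analyze(records=PURCHASES):
    """Run both stages over the raw log and return (burst pairs, developers)."""
    parsed = parse(records)
    pairs = burst_accounts(parsed)
    return pairs, suspicious_developers(parsed, pairs)


if __name__ == "__main__":
    pairs, devs = analyze()
    print("burst account/developer pairs:", sorted(pairs))
    print("developers fed by bursts:", devs)
```

On the constructed log, the two burst accounts supply 11 of `dev-comics`'s 12 sales, so that developer is flagged while `dev-other`, whose sales are spread across accounts and days, is not. The burst stage is what a store can act on per account (hold the charge, notify the owner); the developer stage is what justifies pulling a seller's apps, which is the step Apple described taking.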
Apple's safeguards against account compromise are not that extensive. Resetting somebody's iTunes password requires knowing their e-mail address (you can't set a distinct username), birthday and the answer to a designated secret question. But it can be easy to guess this data for somebody else -- a point Apple developer and iTunes customer Joe Streno made when describing a compromise of his account on his blog last year.
(In an e-mail this afternoon, Streno ruled out viruses or phishing as a cause and noted that Apple once had a stricter, more complicated password-reset procedure for its accounts.)
Apple doesn't do its customers any favors by not notifying them of possible attempts to break into their accounts. When I went through the password-reset procedure for my own iTunes ID on a separate computer I've never used for iTunes access, logging back into my iTunes account on my home Mac did not yield any warning about what should have fit the profile for a hijacking attempt.
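The missing safeguard described in the last three paragraphs is straightforward to model: record which device a password reset came from, tell the account owner at reset time, and warn them at their next login if the reset came from a device the account has never used. The following is an added example of that flow, not Apple's code; the device identifiers, the seven-day lookback and the account fields are assumptions made for the illustration, and the knowledge-based check (e-mail address, birthday, secret question) is assumed to have already passed before `reset_password` is called.

```python
"""Warn an account owner about a password reset from an unfamiliar device.

Added example; not Apple's account code. Device ids, the lookback window
and the Account fields are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)  # how long a reset stays 'recent' for warnings


@dataclass
class Account:
    email: str
    known_devices: set = field(default_factory=set)   # devices seen at clean logins
    reset_events: list = field(default_factory=list)  # (timestamp, device_id)
    notifications: list = field(default_factory=list)  # messages sent to the owner


def reset_password(account, device_id, when):
    """Record the reset and notify the owner out of band. Assumed to run
    only after the knowledge-based checks (e-mail, birthday, secret question)
    have passed; this function adds the step the article says is missing."""
    account.reset_events.append((when, device_id))
    note = (f"Your password was reset on {when.isoformat()} from device "
            f"{device_id}. If this was not you, secure your account now.")
    account.notifications.append(note)
    return note


def login(account, device_id, when, lookback=LOOKBACK):
    """Return the warnings to show at this login (empty if nothing unusual).

    A reset is flagged when it is recent and came from a device that had
    never completed a clean login. The device used for a reset is not
    enrolled as 'known' by the reset itself, so a reset from an unfamiliar
    computer cannot silently make that computer trusted."""
    warnings = [
        f"password reset on {ts.isoformat()} from unrecognized device {dev}"
        for ts, dev in account.reset_events
        if when - ts <= lookback and dev not in account.known_devices
    ]
    if not warnings:
        # Only a login with nothing to report enrolls the device.
        account.known_devices.add(device_id)
    return warnings


def demo():
    """The scenario from the article: reset from a never-used computer, then
    log in from the usual machine, which should produce a warning."""
    acct = Account("owner@example.invalid", known_devices={"home-mac"})
    t0 = datetime(2010, 7, 6, 12, 0)
    reset_password(acct, "library-pc", t0)
    return login(acct, "home-mac", t0 + timedelta(hours=1))


if __name__ == "__main__":
    for line in demo():
        print("WARNING:", line)
```

The legitimate owner who did the reset from a borrowed computer sees the same warning at home and can simply disregard it; the owner who did not is told exactly when and from where the reset happened, which is the information the current flow withholds.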
As for the second half of this iTunes mystery, you should bet on more such cases coming to light -- see this post on The Next Web for a list of possible offenders. The iTunes Store is a sufficiently large market to attract crooks. And while Apple's curatorial control of its App Store may result in the occasional legitimate application being rejected for illogical and unfair reasons, it does not also keep all the bad guys out -- even when they're as obviously sketchy as Nguyen, who listed his company name as "mycompany" and cited "home.com" as his Web address.
Have you seen any purchases you didn't make show up in your iTunes account? Are you sure nobody else has accessed it lately? Share your experiences -- and any tips you have about not getting burned -- in the comments.
7/7, 10:10 a.m.: Late yesterday, Apple told Fox anchor and tech blogger Clayton Morris that only 400 iTunes accounts were compromised, and that it will add more credit-card security checks (i.e., requiring users to type in their three- or four-digit "CCV" code more often). Alex Brie responded earlier today with a follow-up post rejecting Apple's claim: "To do this using only 400 such compromised accounts is impossible." Do you share his skepticism?
July 6, 2010; 5:01 PM ET
Categories: E-books , Mobile , Security