
Apple bans iPhone developer for 'app farm' iTunes hack

Over the weekend, Apple evicted an obscure developer from its iTunes App Store after a suspicious spike in his releases' popularity.

Romanian iPhone developer Alexandru Brie was among the first to wonder how Thuat Nguyen's Vietnamese-language comic books had come to occupy 41 of the top 50 spots in the App Store's paid books category (in the process, booting Brie's own app from its usual top-20 perch). In a blog post, Brie put together such evidence as Nguyen's poor showing in the store's Vietnamese categories and multiple reviews of his titles alleging fraud to suggest one explanation:


The issue is that it seems people's iTunes accounts have been hacked, with mass purchases of one developer's apps being made using their accounts.

Other sites picked up the news and added details; for instance, Apple Insider passed on a tip from a reader about a Chinese cottage industry in iTunes Store account hacking.

Tuesday morning, Apple spokeswoman Trudy Muller e-mailed that Apple had resolved the situation:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the Developer Program License Agreement, including fraudulent purchase patterns.

Muller added that developers, fraudulent or otherwise, "do not receive any iTunes confidential customer data" when somebody downloads one of their apps. She suggested that anybody who sees fraudulent purchases on their iTunes account should have their credit card issuer cancel the stolen number and issue a chargeback for the unauthorized purchases.

Muller, however, did not answer follow-up questions about how Nguyen might have scammed the system or whether other developers had engaged in similar practices. And Apple's PR site has yet to acknowledge the issue -- in keeping with the company's habit of clamming up.

The simplest answer to the first question is that App Store scammers have used the usual tricks to compromise customer accounts one at a time -- viruses, phishing scams or other trickery.

Apple's safeguards against account compromise are not that extensive. Resetting somebody's iTunes password requires knowing their e-mail address (you can't set a distinct username), birthday and the answer to a designated secret question. But it can be easy to guess this data for somebody else -- a point Apple developer and iTunes customer Joe Streno made when describing a compromise of his account on his blog last year.

(In an e-mail this afternoon, Streno ruled out viruses or phishing as a cause and noted that Apple once had a stricter, more complicated password-reset procedure for its accounts.)

Apple doesn't do its customers any favors by not notifying them of possible attempts to break into their accounts. When I went through the password-reset procedure for my own iTunes ID on a separate computer I've never used for iTunes access, logging back into my iTunes account on my home Mac did not yield any warning about what should have fit the profile for a hijacking attempt.

As for the second half of this iTunes mystery, you should bet on more such cases coming to light -- see this post on The Next Web for a list of possible offenders. The iTunes Store is a sufficiently large market to attract crooks. And while Apple's curatorial control of its App Store may result in the occasional legitimate application being rejected for illogical and unfair reasons, it does not also keep all the bad guys out -- even when they're as obviously sketchy as Nguyen, who listed his company name as "mycompany" and cited "home.com" as his Web address.

Have you seen any purchases you didn't make show up in your iTunes account? Are you sure nobody else has accessed it lately? Share your experiences -- and any tips you have about not getting burned -- in the comments.

7/7, 10:10 a.m.: Late yesterday, Apple told Fox anchor and tech blogger Clayton Morris that only 400 iTunes accounts were compromised, and that it will add more credit-card security checks (i.e., requiring users to type in their three- or four-digit "CCV" code more often). Alex Brie responded earlier today with a follow-up post rejecting Apple's claim: "To do this using only 400 such compromised accounts is impossible." Do you share his skepticism?
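As an added illustration, not part of the original post, this is the kind of check a store operator could run over its own logs for the two patterns described above: a purchase made right after a password reset from a device the account never used, and a developer whose sudden paid sales come mostly from such accounts. The event log, account names, device ids and developer ids are constructed for the example.

```python
from collections import defaultdict
# Constructed store event log (not data from the article). Each row is
# (timestamp, account, kind, device, developer, price); kind is "purchase" or "reset".
EVENTS = [
    (1, "ann", "purchase", "ann-mac",   "devA", 0.0),
    (2, "bob", "purchase", "bob-phone", "devB", 2.99),
    (3, "cat", "purchase", "cat-phone", "devA", 0.0),
    (4, "dan", "purchase", "dan-mac",   "devC", 9.99),
    # review window starts at ts 10; everything earlier is the baseline
    (10, "ann", "reset",    "pc-77",     "",     0.0),
    (11, "ann", "purchase", "pc-77",     "devX", 0.99),
    (12, "ann", "purchase", "pc-77",     "devX", 0.99),
    (13, "cat", "purchase", "pc-77",     "devX", 0.99),
    (14, "bob", "purchase", "bob-phone", "devB", 1.99),
    (15, "dan", "purchase", "dan-mac",   "devX", 0.99),
]
WINDOW_START = 10

def profile_history(events, window_start):
    """Baseline from events before the window: devices per account, accounts that ever paid."""
    devices, paid = defaultdict(set), set()
    for ts, acct, kind, dev, _developer, price in events:
        if ts < window_start:
            devices[acct].add(dev)
            if kind == "purchase" and price > 0:
                paid.add(acct)
    return devices, paid

def flag_accounts(events, window_start):
    """Account -> reasons: purchase from a never-used device, or first paid buy after a reset from one."""
    devices, paid = profile_history(events, window_start)
    reset_unseen, flags = set(), defaultdict(list)
    for ts, acct, kind, dev, _developer, price in sorted(events, key=lambda e: e[0]):
        if ts < window_start:
            continue
        if kind == "reset" and dev not in devices[acct]:
            reset_unseen.add(acct)
        elif kind == "purchase":
            if dev not in devices[acct]:
                flags[acct].append(f"purchase from unseen device {dev}")
            if price > 0 and acct not in paid and acct in reset_unseen:
                flags[acct].append("first paid purchase after reset from unseen device")
            if price > 0:
                paid.add(acct)
    return {a: sorted(set(r)) for a, r in flags.items()}

def flag_developers(events, window_start, min_accounts=2, min_share=0.5):
    """Developers whose paid sales in the window come mostly from flagged accounts (the 'app farm' pattern)."""
    suspicious = set(flag_accounts(events, window_start))
    buyers = defaultdict(set)
    for ts, acct, kind, _dev, developer, price in events:
        if ts >= window_start and kind == "purchase" and price > 0:
            buyers[developer].add(acct)
    return sorted(d for d, accts in buyers.items()
                  if len(accts) >= min_accounts
                  and len(accts & suspicious) / len(accts) >= min_share)
```

Thresholds like `min_accounts` and `min_share` would be tuned against a real store's volume; on the constructed log, "devX" is flagged while "dan", who bought from the same developer on his usual device, is not.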

By Rob Pegoraro  |  July 6, 2010; 5:01 PM ET
Categories:  E-books , Mobile , Security  

Comments

Simple solution -- don't use Apple products.

No iPhone, no iTunes, no problems.

Posted by: rmlwj1 | July 6, 2010 5:44 PM | Report abuse

My Mac-using friends always like to tell me that Apple never has any security issues....

Posted by: tomtildrum | July 6, 2010 5:47 PM | Report abuse

I had my iTunes account hacked - about a month ago, I noticed some fraudulent charges on a credit card. It happened twice. I canceled the card, put a fraud alert on my accounts on the credit reporting bureaus, and shut down my iTunes account. At first, I thought maybe I bought some apps and songs and forgot, or one of the kids made some (unauthorized) purchases. But, when I saw what had been bought, I knew it wasn't us - it was all Vietnamese songs and games - not what we usually buy. So, I guess I was victimized by this guy. iTunes was only a little helpful - they let the second charge go through after I had contacted them about the first. I have not reactivated my account yet, and am debating whether to do it at all, but I do love iTunes - after reading this post, I'm concerned that this may happen again. Sigh...

Posted by: plantlady1 | July 6, 2010 6:31 PM | Report abuse

@ rmlwj1 & tomtildrum: Get your own lives.

Another contributing problem is that an email receipt for an iTunes store purchase can take a day or so.

Posted by: Germantowner | July 6, 2010 6:33 PM | Report abuse

My wife's debit card was shut off this weekend after $1,150 in charges to iTunes appeared. It was over the course of 2 days, from 49.99 to 149.99. I checked her iTunes account and she hasn't made a purchase since October 2009. Something is afoot, but no one seems to know what was bought etc...

Posted by: snoopyjy | July 6, 2010 6:35 PM | Report abuse

@rmlwj1: Can you give me a login for this magical "no problems" Internet you just described? It sounds quite pleasant.

@snoopyjy, @plantlady1: I'd like to know more. Can you two e-mail me with the particulars of your situation? (As Germantowner notes, iTunes documentation of purchases often lags the transaction.)

- RP

Posted by: Rob Pegoraro | July 6, 2010 7:15 PM | Report abuse

Glad to see this article! My iTunes acct was hacked about a month ago before this got a lot of publicity. Now I see I'm not alone.

I'm normally a big fan of Apple, but they were absolutely no help to me this time around! In fact, quite the opposite. After I had already taken steps to resolve the problem, they disabled my iTunes account so even I couldn't use it!

The most frustrating part is they refused to refund my money! It's obvious I didn't buy all those apps. 1) I've only downloaded free apps since I've owned the iPhone, and 2) some of the purchases were made for an iPad and I don't even own one! An elementary schooler could code up something to catch that!

Apple needs to implement some fraud detection algorithms and start refunding fraudulent purchases to their loyal customers!

Posted by: daiei | July 6, 2010 7:40 PM | Report abuse

as your commenters are pointing out, this isn't a problem that happened one weekend...

this isn't a problem in the iTunes store,

it is a problem with people getting their PCs hacked, and all of their info stolen... which has been a problem for many years...

there is a black market industry to sell your user info, you can literally go online and purchase iTunes accounts/passwords for about $3.50 in Asia...

that is what happened this weekend, and has happened for years...

apple can not do anything about people with hacked PCs... no matter what security they put on the accounts... the hackers have ALL the info on the PC...

instead of making iTunes more secure, you should suggest that people make their PCs secure... (like that is going to happen)..

this guy this weekend simply purchased a bunch of accounts and was stupid enough to think Apple wouldn't notice while he bought his own app over and over again with stolen accounts..

again, this was not a hack of the iTunes store, it was a hack of people's PCs... as it has been for years..

you can do a little bit of research and find people from every month of every year complaining they have had their "itunes account hacked"... and what is funny is they always blame someone else... they always say "apple must be getting hacked" when in fact they are the ones that got hacked...

Posted by: honkj | July 6, 2010 8:43 PM | Report abuse

I had $229 in fraudulent app/iTunes charges show up two weeks ago. Apple's response -- once I figured out how to report the problem, which took nearly an hour -- was to dump the problem in my credit card company's lap. Even though there were no other fake charges than for iTunes, they implied the problem was entirely my fault.

Posted by: waltmguire | July 6, 2010 9:55 PM | Report abuse

Hey Honkj -- normally I would agree, but no, I've run tests and the only thing hacked was my iTunes account -- unless somebody hacked my iPhone.

Posted by: waltmguire | July 6, 2010 10:05 PM | Report abuse

@honkj.... Your theory sounds nice. Are you able to explain why this doesn't happen with sites like Amazon? Or most other reputable e-commerce sites? Seems like Apple's iTunes has an inordinate number of occurrences like this.

Posted by: lingering_lead | July 6, 2010 11:10 PM | Report abuse

The reason it happens on iTunes more than Amazon is that it's far easier to monetize an iTunes hack than an Amazon hack. You build an app that is innocuous on the face of it. Then you get it accepted and sold on iTunes. Then a schmuck has in-app purchases enabled, and the app seller entices the user to register the app with an email address and password. Some number of people use the same email address and password on iTunes. Voilà, bad guy logs onto iTunes and starts buying apps and collecting royalties from Apple = monetizing the hack.

Posted by: rogernebel | July 7, 2010 7:26 AM | Report abuse

No Apple, no iPhone, No iTunes?

That's your solution.

Just how is that Black and White TV working out for you?

Posted by: freddocorleone | July 7, 2010 9:08 AM | Report abuse

Rob Pegoraro wrote:

@rmlwj1: Can you give me a login for this magical "no problems" Internet you just described? It sounds quite pleasant.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I don't think you need a magical "no problems" internet, but avoiding products/services that value user friendliness over security is one way to minimize problems.

I have been using the internet since BITNET days and rely almost entirely on electronic transactions and electronic media. But I avoided AOL and have also avoided the iPhone/iPad craze. Partly, it is that I am cheap and would rather pay $10 for unlimited data access on Sprint rather than the $100 on AT&T. But the other part is security, which seems sorely lacking in the Apple world.

I do my electronic banking with two-factor authentication and sought out providers that gave me that. Does entering the RSA ID add one more step? Yes, but it is more secure.

Another reader pointed out Amazon, and Amazon (which I have used since its very beginning) does seem a lot more security oriented than the Apple world.

Posted by: DCObserver1 | July 7, 2010 9:38 AM | Report abuse

@freddocorleone:
I don't have an iPhone, iPod, or any of that Apple crap. But my TV is HD not B and W. Just because a person does not own any Steve Jobs product, it does not mean that they live in the Dark Ages.

Posted by: docchari | July 7, 2010 12:08 PM | Report abuse

The reason the receipt from iTunes is delayed is that Apple likes to see if you make more than one purchase in a short period of time so it can batch the purchases together onto one credit card charge. This spreads a per charge merchant fee over a larger purchase and saves them money.

Posted by: willmarsh3 | July 7, 2010 1:52 PM | Report abuse

Rob,

There really is a home.com domain -- but Web of Trust gives it an extremely bad rating, so I decided not to look at it from my main box. Maybe you have a sandboxed computer?

Posted by: SoloOwl | July 7, 2010 7:26 PM | Report abuse

Reality Check: Many Apple product users float in LaLa land... dream a little dream for me !

Posted by: danglingwrangler | July 8, 2010 8:32 AM | Report abuse

My account was hacked yesterday (7/8) and it had nothing to do with buying an iTunes app. Someone charged several $50 gift certificates to my account. I've put in a customer support case with Apple but have not heard back yet. And deactivated all my cards... which EVERYONE should do in iTunes. I think there is something bigger going on here.

Posted by: superkathryn | July 9, 2010 4:56 PM | Report abuse

> Simple solution -- don't use Apple
> products.
> No iPhone, no iTunes, no problems.

I had some car problems. Simple solution... never drive a car again.

Brilliant!

Posted by: alice12 | July 10, 2010 7:47 PM | Report abuse

I can see the denial among Apple fans is never ending. To them, everything is a Windows problem. Their leader, Steve Jobs, is also the same way. Every little problem or crash is someone else's fault. Safari crashes, well then let's just blame Adobe rather than deal with the problem. I know both OSes very well. But when I'm in Windows 7, IE handles those problems with Flash etc. Safari just crashes and goes away. Apple Chess crashes and there's a never-ending rainbow ball, yet Apple wrote it. Apple plugs 50 security holes in OS X.. Wait? Why were they there if it was so secure? iTunes gets hacked, now, you guessed it, it must be Windows users' fault. Not Apple. No wonder these idiots think Apple has perfect security. It's everyone else's fault!

Acting like only a Windows platform can get rogue apps, or phishing scams in the browser, is the easy way out and denial at its best. The cold hard reality is that Apple's iTunes has major security issues right now. People are losing their money! No matter what platform you are on, it's Apple that created iTunes and its "security" is what is to blame. Using that logic they could just say, well, nothing's Apple's fault, it's the internet that is to blame since we didn't create it. BULL! And then MS could also blame everything on the internet and Flash too. Maybe they should take the Jobs approach. But it doesn't..

But either way, they are up against the same security threats that PC users are, and have proven they can do no better. Well, in fact worse. If it's so bad, why hasn't Microsoft's store been hacked? Oh, wait, I hear you. It's not as popular as Apple's? Which proves my point exactly, thanks.

Apple is now paying the price for popularity rather than security through obscurity. At least with iTunes. Funny thing is that OS X didn't get as popular as the iPhones or iTunes. And guess what's the first two to get hacked? That's right, iTunes and iPhones (which run OS X btw). The same thing would happen to Macs as well if they got more popular.

But it's just that iTunes is so amazingly popular that there are people out there waiting to exploit it and make money off it. Or sell apps or whatever.. And when it gets to that point, watch out. Nothing is safe. There's always a way, and a sucker to fall for it out there. Wake up, people!

Posted by: jzjz | July 11, 2010 3:21 AM | Report abuse

By the way, I realize not all iTunes users are total Apple fans. Nor are all Apple users fanatics... I was just talking about some of the few that think Apple is so perfect and it's never their fault. And I have seen other threads on other sites, where this same notion that it's someone else's fault, and not Apple's, pops up over and over. And like someone else said, there are many sites on the internet with far better security than Apple. Fact is, all sites, all companies, all computers will eventually fall prey to scammers.. Some companies just do better at security than others. Apple needs to step it up!

Posted by: jzjz | July 11, 2010 3:33 AM | Report abuse

My wife's account was hacked for about $180 2 weeks ago. Discover recognized the fraud right away and notified us before we even knew it. They cancelled my card number, issued a new number and helped me deal with all of the fallout in a proactive and professional manner (NO - I don't work for Discover!). My wife is switching to using low-limit gift cards going forward so that even if someone else hacks this account, there will be less fallout.

Given all of the postings here and many other places, it is very difficult for me to believe only 400 accounts were hacked.

Posted by: roseville-guy | July 13, 2010 1:06 PM | Report abuse


© 2010 The Washington Post Company