Hacking iTunes Gift Cards, and an iTunes Update

Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift cards activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards.

But a blog post published today by one of the security industry's most prominent researchers suggests that the real hack here is far simpler: The crooks are merely using stolen credit cards to purchase and resell the iTunes gift cards.

Joe Stewart, director of malware research at SecureWorks, writes:

This would be a pretty clever hack if it were true -- however, something just isn't quite right here. Nowhere in these articles does it explain one simple thing - how do they manage to generate activated iTunes gift voucher codes? When you purchase an iTunes gift card, it has to be activated before it will work, otherwise you will get an inactive code message from the iTunes store when attempting to redeem it. If this were not the case, anyone could simply walk into any of the numerous retail outlets that stock iTunes cards, grab a hook-full and run out of the door with hundreds to thousands of dollars in iTunes money. This would be a shoplifter's dream! But, much to the dismay of those who have already tried this, the cards are simply worthless plastic until they are activated at the point-of-sale. Since this system works well and doesn't require a "secure" algorithm to generate the numbers, it stands to reason that the same system would be used for the online gift certificate vouchers.

But, third-party reports have confirmed that the voucher codes being sold by the Chinese hackers are in fact redeemable in iTunes (not sure how they verified this without exposing themselves to criminal charges however). So what is actually happening here? I see two likely scenarios: either the Chinese hackers have managed to penetrate Apple's internal network and/or iTunes gift card database and are directly stealing activated numbers before they can be used, or they are simply using stolen credit card numbers to purchase the cards.

Rather, Stewart said, it is more likely that hackers in this case are using stolen credit card numbers to purchase the gift voucher codes from iTunes and then reselling them. After all, shipping another eBay user a voucher code only takes a single e-mail and can be done instantly.

What boggles my mind is how many people actually bid the price of an iTunes gift card well beyond what it's worth.

Since we're on the subject, I should probably mention that Apple on Wednesday released a new version of iTunes to fix at least two security flaws in the software. The latest version, iTunes 8.1, is available from this link here, for both OS X and Windows systems.

Finally, a shameless plug: Please join us tomorrow morning at 11 a.m. ET for a Security Fix Live online chat. I won't start answering questions until then, but please feel free to drop a question or comment in the queue as soon as you'd like. You can review archived Security Fix Live discussions, here. Thanks, and see you tomorrow!

Update, Mar. 13, 2:15 p.m. ET: As it happens, new fraud data on the ground as reported to the FBI supports Stewart's assertion. I heard from Craig Butterworth, spokesman for the National White Collar Crime Center, which works with the FBI and the Internet Crime Complaint Center to field reports of Internet fraud. Butterworth said the center has received a total of nine complaints about credit card fraud related to unauthorized purchases on iTunes. All of the complaints came in during the last 13 days, and some of the charges were for as much as $1,600.

"This does give credence to the argument that hackers are simply purchasing gift cards with stolen credit cards and laundering the money using the ruse 'We cracked the iTunes algorithm,'" Butterworth said.

By Brian Krebs  |  March 12, 2009; 4:30 PM ET
Categories:  Fraud , From the Bunker  | Tags: credit card fraud, ebay, gift card, itunes, joe stewart  


It is interesting that Apple has not been speaking out against people selling iTunes gift cards at such deep discounts. Just visit eBay and you will find tons of them. The question is how are these people obtaining these cards? Is Apple selling deeply discounted cards at third party sites behind the scene? For more on this, see my blog post at -

Posted by: Giftcardblogger | March 13, 2009 12:32 AM

Well I'd like to read this story...but, using Firefox, the entire top left half of it is completely covered by a grey Cisco advertising box.

Not very impressive...

Posted by: fi85511 | March 13, 2009 8:08 AM

I had $200 in fraudulent charges to iTunes on my VISA bill last month, in $50 and $100 increments, and suspect that this is exactly what is going on.

Posted by: bdentre | March 13, 2009 9:45 AM

@Brian The link that is supposed to be to the newest iTunes is actually a link to gift cards for sale on eBay.

Posted by: lostinthemiddle | March 13, 2009 10:30 AM

People are paying more than the certificates are worth?

This has to be money laundering.

Posted by: Georgetwoner | March 13, 2009 10:56 AM

People are paying more than the certificates are worth?

This has to be money laundering.

Posted by: Georgetwoner | March 13, 2009 10:56 AM

I thought the same thing. Nothing else makes sense.

Posted by: lostinthemiddle | March 13, 2009 11:06 AM

fi85511, your problem is not with Firefox but with popup ads from the website. Fortunately there is an easy answer: get the free Adblock Plus add-on from Firefox. Problem solved, and all your browsing will be much better.

Posted by: 5232news | March 13, 2009 1:48 PM

@lostinthemiddle -- sorry about that. fixed

Posted by: BTKrebs | March 13, 2009 2:01 PM

Another interesting blog on this addresses this issue from a different perspective:

Posted by: maddog8 | March 13, 2009 3:06 PM

"People are paying more than the certificates are worth?

This has to be money laundering."

There are tv shows and movies available on the US iTunes store not available elsewhere - therefore a $50 card can be sold to someone abroad for more than face value.

Posted by: JoeBlow991 | March 13, 2009 5:19 PM

I see your point, but I thought keeping foreigners from accessing the US store was done by checking & not allowing their ISP's.

So if someone has the wherewithal to access the US, UK, etc. store, why not just buy charge the downloads directly?

A Chinese VISA card is just as good as any other, right?

I'm not saying you're wrong, as I've never tried to access any iTunes store from abroad.

Posted by: Georgetwoner | March 13, 2009 10:09 PM

People are not paying more than the gift card is worth. All the bids I've seen have been 75-90% of the card value. In a few cases, the "Buy It Now" price is higher than the card price, which is dumb in its own right, but that doesn't mean anyone is buying the overpriced cards.

Posted by: monkeyonkeyboard | March 13, 2009 10:43 PM

@monkeyonkeyboard -- If you sign in to eBay with a valid account, you can tell it to display only completed auctions. You should then have no trouble finding examples of completed iTunes gift card auctions where the buyer overpaid.

Posted by: BTKrebs | March 14, 2009 12:23 AM

I find this all very interesting since just this past week I was contacted by my bank's fraud department inquiring about an unusual charge pending on my credit card from a foreign country - a very large transaction. The bank representative noted that there was also an iTunes $1.00 authorization/validation charge coincidental with the suspicious charge and informed that they have been seeing quite a lot of these kinds of 'related' transactions. Meaning someone had gained access to iTunes customer account data, validated my credit card as active and subsequently made an attempt to use the card elsewhere, other than iTunes. When I brought this to iTunes customer service attention all I got was the rhetorical how safe their site is along with the authorization/transaction protocol, none of which applied to me. They simply refused to acknowledge what I was trying to convey to them - that is: it is the opinion of one of the US largest banks that iTunes site security mechanisms are being breached. The banks know it and customers affected know it. To add insult to injury Phillip in one of their customer service responses stated: "Ultimately it is the customers responsibility to keep their details safe and secure" - Unbelievable! since iTunes is primarily an internet point of purchase entity. iTunes response could be characterized as blatant denial, and lacked concern that this event took place. Credit Card Buyers: Beware! remove all payment info from iTunes accounts! Ironically, gift cards were suggested by iTunes CS as an alternate method to access iTunes for purchases, along with what came across as a trite "Thank You for being a loyal Apple customer. Have a nice day."

Lesson Learned - never keep payment method info on file with an internet entity - no matter how much faster, easier and more efficient the transaction or assertive the site safety assurances.

Posted by: BandonOR | March 15, 2009 1:26 AM

The comments to this entry are closed.


© 2010 The Washington Post Company