Apple account hijacks spread to developers Account hijackers have targeted Apple iTunes for months, but now they're hitting Apple developers as well. Reg reader Andrew McAuley discovered that his iTunes account was hijacked after 150 unauthorised transactions, each valued at $42, appeared on his debit card bill. McAuley, a Brit who lives in the US, noticed the attack …
"Karppinen said that Apple emailed a reset password to a Yahoo email address not under his control after someone sent a one-line email full of grammatical errors to support staffers via a web support form."
So anyone can contact them, give someone elses account number, claim they lost access to their old email account and have everything changed over to their new fake one.
Someone back at apple needs a good kick up the arse.
One of the nifty things that I discovered in Ireland is the 3V card. Acts like a disposable visa card, every time you buy credit you are given a new visa number. It does make one more secure when buying from unknown or untrustworthy sites.
Although its not an answer. Apple should be more secure.
yea cos when i think of online security the first thing that enters my head is apple
what does this say about a) the level of security awareness of apple staff; and b) the level of security awareness of apple users...
and what ever happened to email/https based confirmation when changing account details?
i will never use any of this retarded consumer [cr]apple tatt (does this make me a hateboi..?)
... they didn't send the old password to the crook, but instead generated a new random password and sent that.
So even though it is bad amateurish practice to gleefully surrender peoples accounts to strangers like that, we know that at least a) the crook cannot get the original password which might be used elsewhere (like net banks) and b) you know something fishy is up when the password unexpectedly changes.
Paris, because she knows the importance of controlling who has access to what.
From the article:
"McAuley didn't suffer financially because his debit card was protected by a $0 liability guarantee. He doesn't store any card details on his UK account, which isn't covered by an equivalent indemnity. In the UK, credit card holders are only liable to the first £50 of any purchase."
It's a slightly confused paragraph which doesn't make it exactly clear what the situation is here - does Mr McAuley have two iTunes accounts (a US and a UK one), and the fraud was committed against his US account??
Regardless, UK credit card holders aren't liable for any fraudulent transactions that are committed on their credit card account.
"Paris, because she knows the importance of controlling who has access to what."
Erm ... she, famously, lost the contents of her Blackberry account to the Internet, a couple of years back, illustrating that online storage of ANY sensitive information, including your address book and emails in your Blackberry account, is a not-ready-for-prime-time deal.
If it's not ONLY stored locally, there is an excellent chance your info will be compromised by those who are seeking info stored at any common location ... that includes .Mac, Blackberry, AOL and any shopping site where you told them to save your information because you absolutely MUST buy things so quickly that you can't be bothered to re-enter your information with each purchase. I know ... it's terribly inconvenient and slow to type in that credit card info, but it's one of the few things you can do to avoid situations like this.
I have a UK and a US account. The fraud was against my US account. The US account had my Visa Debit card details stored against it. The REALLY weird thing was the hacker gifted the same music track 4,500 times to lots of different gmail accounts. Perhaps a hacker fan of this particular band trying to score a chart placing?
Yep that's right. If you really want to know how they are doing this, then they have the software to do it without having to go to apples website!! Apple installs the mobile me software to all windows platforms!! Check my article out for more information!!
http://www.tech-linkblog.com/2008/07/apple-installs-software-without-your-knowledge.html/
iTunes is how *everything* from Apple gets distributed; apps, webcasts, etc. In theory, that's because every Mac has iTunes and it's easy to use the system to push out updates and such (that remain separate from the 'Software Update' under the Apple menu).
Several developers have had various gripes about the mechanism, but AFAIK it's always been seen as satisfactory - assuming Apple maintain control and adequate security. Seems that those assumptions may need a refresh.
Even though the compromised accounts seems to represent relatively small amounts, perhaps it is time to try to get some assistance obtaining Apple's attention?
The FBI has an Internet Crime Reporting site at http://www.ic3.gov/default.aspx Since we all seem to have been victims of the same crime, if enough people report their issue it might become sufficiently significant for the FBI to do something other than watch old X Files reruns, and for Apple to take some affirmative action to correct this.
It may do something, or it may do nothing, but everything tried so far seems to be totally ineffective in obtaining Apple's cooperation or notice. Maybe we could at least get them to formally acknowledge that there is a problem.
"If you use an easy to guess password to protect an important account like that then you deserve to get it stolen from you.
Wise up people and use decent passwords."
This is an exceptionally simplistic and inappropriate comment (troll?).
I use 12 character, randomly generated hex passwords and they still get compromised the same day that I change them.
Apple's systems themselves are compromised, not the individual accounts. I would have thought that this is sufficiently obvious from all the posts for any intelligent person to realize.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
