The Towson Hack: The mystery of disappearing iTunes credit

#1 Macworld

Story Poster

Group: MW Bot
Posts: 31,664
Joined: 30-November 07

Posted 06 September 2011 - 10:46 AM

Post your comments for The Towson Hack: The mystery of disappearing iTunes credit here

#2 frd750

Member

Group: Macworld Insiders
Posts: 106
Joined: 08-February 10

Posted 06 September 2011 - 11:31 AM

Could this be done by adding some rogue code to the gift cars?

#3 maremare

Member

Group: Members
Posts: 35
Joined: 03-May 06

Posted 06 September 2011 - 11:38 AM

I think this is just phishing. The reason they only go after store credit is that it's the only amount they can touch.
When you access your account associated with a credit card on an unknown computer or unknown device you have to enter your 3-digit credit card before you can buy anything.

#4 stuartgoldman

Newbie

Group: Members
Posts: 8
Joined: 20-April 09

Posted 06 September 2011 - 11:43 AM

Yup! Happened to me many months ago. Once the person bought a lot of apps, they then downloaded a bunch of free ones. For that reason, I will never link a credit card to the account, and only fill it with gift cards (which I buy when they are on sale).

#5 McNotMac

Newbie

Group: Members
Posts: 9
Joined: 09-August 07

Posted 06 September 2011 - 11:47 AM

Perhaps the bug is that if you type in a gift-card that's already in use, Apple's service believes that you are the person who first used the gift card ID. The ID's are probably fairly easy to guess. You could test this by having two iTunes accounts, activating a card on one, then attempting to use one a second time with another account. I imagine there's a trick to confusing the system (retry over-and-over quickly or some such), but that's probably it.

#6 jad713

Member

Group: Members
Posts: 20
Joined: 13-December 04

Posted 06 September 2011 - 11:52 AM

"As we said at the outset: This isn’t a great mystery." No, this IS a great mystery. It may not have a satisfying resolution at the moment -- gathering everyone in the parlor, shutting off the lights, and identifying the butler as the culprit kind of thing -- but you have a potential crime with few leads and much uncertainty. That is the very definition of a mystery!

#7 henryhbk

Member

Group: Members
Posts: 175
Joined: 08-October 07

Posted 06 September 2011 - 12:13 PM

I wonder if the KingdomConquest is part of a gold farming company. One could figure out that you could purchase in game resources and resell them for less? You give them your account and they purchase in game stuff for way less than sega charges for you...

#8 bastion

Power User

Group: Members
Posts: 9,095
Joined: 14-October 04

Posted 06 September 2011 - 12:28 PM

frd750, on 06 September 2011 - 11:31 AM, said:

Could this be done by adding some rogue code to the gift cars?

Gift cards don't have code. They have *a* numeric code, but that's pretty much all they are. A pregenerated sequence of numbers which when typed into your account give you a credit in some predetermined amount.

#9 cseeman

Member

Group: Members
Posts: 409
Joined: 06-December 04

Posted 06 September 2011 - 01:07 PM

A person I know had this happen WITH A CREDIT CARD. Apple is insisting NO PURCHASES were done on the account yet the credit card company has them listed and billed. Apple refuses to acknowledge, address, fix the issue.

As word spreads, the damage to the reputation of the iTunes store will hurt them unless they acknowledge and fix these issues.

#10 bastion

Power User

Group: Members
Posts: 9,095
Joined: 14-October 04

Posted 06 September 2011 - 01:15 PM

cseeman, on 06 September 2011 - 01:07 PM, said:

Then perhaps the purchases were done using that card on a different account. And there are any number of ways an unscrupulous person could get their hands on legit credit card info that have nothing to do with the security of the iTunes store. So I'm going to say what your friend had happen is not what this article is describing.

#11 flybynight

Veteran

Group: Members
Posts: 1,347
Joined: 21-July 06

Posted 06 September 2011 - 01:53 PM

stuartgoldman, on 06 September 2011 - 11:43 AM, said:

Seems to me, you weren't paying attention to the article. This is mostly happening with gift card balances, and maybe some Paypal, but not credit card accounts. By only using gift cards and not linking a credit card, you are making your account more prone to this kind of attack.
And Lex, someone else already pointed this out, but it is pretty obvious why credit card accounts are not hacked. The hacker would need the CC security code to use the CC, but that level of security is not there with a gift card balance.

#12 scottbayes

Member

Group: Members
Posts: 129
Joined: 14-August 06

Posted 06 September 2011 - 01:55 PM

Inside job. Someone at Apple has access to a system that deals with gift cards, but not credit cards. Like ba

#13 TimothyWalters

Newbie

Group: Members
Posts: 2
Joined: 04-August 09

Posted 06 September 2011 - 01:57 PM

Their store credit is being drained before PayPal because that's how iTunes works, uses your credit first. You don't have to choose credit vs. PayPal.

They aren't hacking those that use Credit Cards (VISA, MasterCard etc) because any purchase from a new device has to confirm the security number on the back of the credit card.

Thus the attack is only going after open (non credit card) accounts, possibly phishing, possibly dictionary attacks, or any other form of hacking.

#14 John

Member

Group: Members
Posts: 466
Joined: 23-September 09

Posted 06 September 2011 - 02:49 PM

There are all sorts of iTunes oddities. A couple of years ago I downloaded an Enya album on my iPhone and the next thing I know, it was transferred to my tween-age daughter's account on the family Mac. It vanished from my purchase history and showed up on hers. Apple swore up and down that it was absolutely impossible, yet it happened. Realizing that no 13 year old would be caught dead with an Enya album, Apple later gave me credit for it, so everything was resolved amicably.