Hacked iTunes Store Accounts: Apple's Problem That Won't Go Away

Source: SecurityNewsDaily


Apple's iTunes Store is a fantastic success, with billions of songs and apps sold and, as Steve Jobs said in March, more than 200 million registered accounts.

What Jobs and Apple don't like to see publicized is the fact that hundreds, perhaps thousands of iTunes accounts have been getting hacked for the better part of a year — and that Apple doesn't seem to be able to stop it.

On Apple's discussion boards, there are some 27 pages of complaints about account fraud, with some posts dating back to November.


Users tell stories of logging into their iTunes accounts to find mysterious purchases, or getting locked out because someone else tried to access their accounts too often.

Interestingly, no credit cards seem to have been hit; the money has been taken from those who use prepaid gift cards or PayPal accounts for app or music purchases.

Kingdom, conquered

Craig Williams' case is typical. The Portland, Ore., resident discovered someone had installed the free "Kingdom Conquest" role-playing game via his iTunes account, and then bought in-game items, which can quickly rack up costs.

Williams was paying for his iTunes purchases via PayPal, rather than with his credit card.

"I'm surprised they stopped at $90 in my PayPal account," he said.

Most people in the discussion forum reported that Apple had refunded their money, if reluctantly. But the company has not said what — if anything — it can or will do to stop the fraud.

Apple has not commented on the issue so far, and calls and emails to several spokespeople were not returned.

The hacking highlights the problem of balancing security and convenience, especially considering that Apple has just rolled out its iCloud service and hopes to persuade millions of people to store their data on the Internet. Attacks such as these iTunes Store hacks do not help to build confidence in such services.

"I was intrigued about the iCloud service, but who knows now," said a Washington, D.C.-based attorney who spoke on the condition of anonymity. "With what has recently happened, I am going to feel better about having all my 'stuff' on my computer where I feel like I have some semblance of control over it."

The attorney lost $23 after he redeemed a gift card on iTunes and a hacker bought in-game items for multiple copies of "Kingdom Conquest."

One password to rule them all

One aspect of the iTunes/App Store systems is that a single username and its associated password — the Apple ID — accesses not only the iTunes Store, but also a user's MobileMe accounts, iChat, Ping and FaceTime. It also logs him into Apple's discussion boards.

Anyone who gets another user's Apple ID and password has access to every account connected to that user's devices — iPhone and iPad included.

The methods used to take over an iTunes account are probably relatively simple, security experts said. A malicious developer could write a perfectly innocent-seeming app that asks for a user's Apple ID and password and then sends them to someone else.

Apple tests each app it sells or gives away in the App Store for functionality and suspicious behavior, but it does not examine the code. Rogue apps, such as some that secretly allow laptops to use the phone's cellular data connection, have sneaked through.

An attacker could also use a fraudulent website or email address to obtain the passwords to the account and buy an app (which may in itself be perfectly harmless), funneling money to the hacker.

It's also possible for hackers to install keylogging software on users' PCs that captures passwords as they're typed in, or to use a "brute force" attack to guess passwords. (The fact that some users in the discussion forum reported being temporarily locked out of their accounts indicates the latter was happening.)

Breach not at system level

The hackers do not seem to have accessed the servers Apple uses to store credit-card data and other user information, said David Scheutz, a consultant at the Intrepidus Group, a New York company that provides advice on network security.

The thefts have been for relatively small amounts, usually less than $100. They also have been spread out over time.

In the massive breach of Sony's PlayStation Network servers in April, 102 million records were compromised in the space of a few days. The number of users hit in the latest iTunes scams might number in the tens of thousands at most — even assuming only a small percentage of hacked users are willing to vent on the discussion boards.

The fraud is unlikely to make a difference in Apple's results for the quarter (which ends this month).

"It would have to be a lot more credit card numbers compromised," said Kevin Dede, an analyst at Brigantine Advisors in New York.

Apple said it beefed up security last year after just such a fraud case. A Vietnamese developer hacked some 400 iTunes accounts in order to use their credit card details to boost sales of his comic book apps. Apple banned the developer and gave users the power to limit in-app purchases.

Mandeep Khera, chief marketing officer of Cenzic, an online security firm in Campbell, Calif., noted ways in which Apple might improve iTunes Store security.

For example, some banks ask clients to log in with "virtual keyboards," on-screen keyboards in which keys are "tapped" using mouse clicks. That would stop keyloggers.

Khera also suggested Apple could check apps to see if they request passwords and send data. An automated system could see which of the hundreds of thousands of existing apps request passwords. Out of those, humans could determine if any transmit them. (Google's Android Store notifies users of such app permissions during the installation process.)

Khera said that while Apple can't vet every developer, there are methods of checking to see if purchases are questionable. Credit card companies watch for odd patterns of purchases, and often call customers if they suspect anything. Apple could do something similar, given the massive amount of customer data it has.

Scheutz agreed, though he said the algorithm for fraud detection would have to be more sophisticated because iTunes purchases will all look the same.
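To make the point concrete, here is an added example of the kind of purchase-pattern check Khera and Scheutz describe. It is not Apple's system and not code from either consultant; it is written for this article. Because, as Scheutz notes, individual iTunes purchases look alike, the rules key on tempo and authentication context rather than on what was bought: a run of failed logins followed by a success (the lockout symptom users reported), a burst of in-app purchases in a short window, and in-app spending soon after that suspect login. The log lines, the account names, the prices and every threshold are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample account-activity log (not real Apple data): one event per
# line as timestamp|account|event|key=value;key=value
SAMPLE_LOG = """\
2011-06-10T09:00:00|alice|login_fail|ip=203.0.113.7
2011-06-10T09:00:03|alice|login_fail|ip=203.0.113.7
2011-06-10T09:00:06|alice|login_fail|ip=203.0.113.7
2011-06-10T09:00:09|alice|login_fail|ip=203.0.113.7
2011-06-10T09:00:12|alice|login_ok|ip=203.0.113.7
2011-06-10T09:01:00|alice|purchase|app=Kingdom Conquest;price=0.00;iap=0
2011-06-10T09:02:00|alice|purchase|app=Kingdom Conquest;price=9.99;iap=1
2011-06-10T09:02:30|alice|purchase|app=Kingdom Conquest;price=9.99;iap=1
2011-06-10T09:03:00|alice|purchase|app=Kingdom Conquest;price=19.99;iap=1
2011-06-10T09:03:30|alice|purchase|app=Kingdom Conquest;price=49.99;iap=1
2011-06-10T12:00:00|bob|login_ok|ip=198.51.100.5
2011-06-10T12:05:00|bob|purchase|app=Some Album;price=9.99;iap=0
2011-06-11T18:00:00|bob|purchase|app=Kingdom Conquest;price=0.00;iap=0
2011-06-11T18:10:00|bob|purchase|app=Kingdom Conquest;price=4.99;iap=1
"""

# Detection thresholds; assumed values for this example, not Apple's.
FAIL_WINDOW = timedelta(minutes=5)      # failures counted within this span
FAIL_THRESHOLD = 3                      # failures that look like password guessing
BURST_WINDOW = timedelta(minutes=10)    # span for an in-app purchase burst
BURST_COUNT = 3                         # purchases in that span to call it a burst
POST_LOGIN_WINDOW = timedelta(hours=1)  # in-app spend this soon after a suspect login
FLAG_SCORE = 2                          # rules that must fire to flag an account


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts),
                       "account": account, "kind": kind, **fields})
    return events


def score_account(events):
    """Apply the three rules to one account's events; return (score, reasons)."""
    events = sorted(events, key=lambda e: e["ts"])
    reasons = []

    # Rule 1: repeated failed logins, then a success (the lockout pattern).
    fails = []
    suspect_login = None
    for e in events:
        if e["kind"] == "login_fail":
            fails.append(e["ts"])
        elif e["kind"] == "login_ok":
            recent = [t for t in fails if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                reasons.append(f"{len(recent)} failed logins within {FAIL_WINDOW} before success")
                suspect_login = e["ts"]
            fails = []

    # Rule 2: a burst of in-app purchases, regardless of which app.
    iaps = [e for e in events if e["kind"] == "purchase" and e.get("iap") == "1"]
    for i, first in enumerate(iaps):
        burst = [x for x in iaps[i:] if x["ts"] - first["ts"] <= BURST_WINDOW]
        if len(burst) >= BURST_COUNT:
            spend = sum(float(x["price"]) for x in burst)
            reasons.append(f"{len(burst)} in-app purchases totalling ${spend:.2f} within {BURST_WINDOW}")
            break

    # Rule 3: in-app spending soon after the suspect login from rule 1.
    if suspect_login is not None:
        after = [e for e in iaps if timedelta(0) <= e["ts"] - suspect_login <= POST_LOGIN_WINDOW]
        if after:
            spend = sum(float(e["price"]) for e in after)
            reasons.append(f"${spend:.2f} of in-app purchases within {POST_LOGIN_WINDOW} of suspect login")

    return len(reasons), reasons


def analyze(text):
    """Group events by account; return {account: {score, reasons, flagged}}."""
    by_account = {}
    for e in parse_log(text):
        by_account.setdefault(e["account"], []).append(e)
    report = {}
    for account, evs in by_account.items():
        score, reasons = score_account(evs)
        report[account] = {"score": score, "reasons": reasons,
                           "flagged": score >= FLAG_SCORE}
    return report


if __name__ == "__main__":
    for account, r in analyze(SAMPLE_LOG).items():
        status = "REVIEW" if r["flagged"] else "ok"
        print(f"{account}: {status} (score {r['score']})")
        for reason in r["reasons"]:
            print("  -", reason)
```

Run against the constructed log, "alice" trips all three rules and is flagged for review, while "bob", whose single in-app purchase follows a clean login, scores zero. Requiring two rules rather than one keeps a lone burst of legitimate in-game buying from triggering a refund hold; in practice the thresholds would be tuned against each account's own history, which is the sophistication Scheutz has in mind.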

But until Apple installs such a system, both Khera and Scheutz noted the only thing most users can do is to change their passwords often, to not leave credit card information on the system and to use strong passwords that aren't used to log into other online accounts.

Scheutz said iTunes Store hacking isn't likely to stop, given how popular iTunes has become. New viruses and password-stealing malware are in a constant arms race with anti-virus software, with the malware writers often several steps ahead.

"This could be a long-term game," he said.