Something similar happened to me a while back. I noticed that several smiley face/emoticon applications had been downloaded using my account. They removed my credit card from my account and drained my iTunes gift card.
Apple caught the problem and e-mailed me to ask if it was me. I told them no. They disabled my account, refunded the gift card money, and asked me to write them once I was satisfied that my computer was secure (just in case it was key-logged [I was not].)
I wrote them back the next day and told them everything was good to go. They enabled my account and I signed in and changed my password.
I didn't lose any of my purchased items and I could have had the account back the same day had I chosen to.
I recall a while back that there were quite a few iTunes accounts that had been compromised. I used a very non-trivial password, too, so I'm rather surprised that mine was one of the compromised accounts. I'm still curious as to how it happened.
Passwords in general are horribly broken. They're the worst conceivable way to authenticate, except for all the others. Solve this problem and you'll be the next Verisign, if not the next Microsoft.
I've only made multi-item purchases from iTunes a few times, but every time I've gotten a call from my credit card company within a couple hours. The last time they said that it's become so common for fraudulent activity on a card to start with a "run on iTunes", then move on to other online sites if the card still works.
The only thing I would recommend to Scott Hanselman is to drop PayPal. They can be easier for small donations online, but with how far behind the curve they are in consumer fraud protection I refuse to make purchases with PayPal anymore.
There's a difference between someone using your credit card to buy stuff on iTunes with a different iTunes account* and someone using your iTunes account to buy apps. In your case I'm guessing they did the first thing.
* = possibly not their own; they might own the apps that you're buying or make money through affiliate networks. And of course they could buy gift cards with your cards and sell them on eBay through another payment account.
Not to be un-empathetic here, but I'm more intrigued by the exploit vector than Apple's initial response to an individual. It's interesting that your account is getting exploited without the password being hacked. Does anyone have more details?
I don't know why he is blaming Apple for the security measure. It could be Apple's fault that he was hacked, it could be otherwise. Still, Apple only knew there was a new device using his account; legit or not, it didn't know for sure. I have at least 9 iDevices hooked up to my account as of late, on average 3 more each year. And I don't think Apple can do much more to validate each and every one of them without being intrusive and annoying.
* the fact they "allow the purchase first" and "warn later."
* their warning email has no fraud or dispute mechanism
* I've never purchased a game like this, so my usage pattern should be a red flag
Apple should have fraud systems as powerful and convenient as Visa's.
I have a problem with most of these arguments. You're suggesting that they should not have allowed the purchase. I would be highly annoyed if Apple didn't allow me to purchase from a different device. I see no reason for Apple to outright refuse this.
The same goes for purchasing something like you've never purchased before. Hell, one of the commercial strengths of the App Store/iTunes concept is that it gets people to do exactly that. There's nothing particularly suspicious about that.
We don't implement such paranoid measures either in other web-services or in real life, so I find it rather overblown to demand Apple does this.
The one thing I agree with is that there should be a better fraud reporting mechanism.
What's utterly silly about not having a "purchase first, warn later" system in Apple's case is that, unlike credit cards, Apple can literally undo the purchase. Apple has done a great job of making the App Store's FairPlay DRM invisible to users, but in the case of a fraudulent purchase, I would imagine it trivial to make that DRM quite plainly visible to the fraudulent purchaser.
> We don't implement such paranoid measures either in other web-services
Yes "we" do. Steam doesn't let you authenticate, let alone buy stuff, from a new computer without entering a code that they'll email to you. Takes all of ten seconds--start up Steam, go to my email client, paste the code in, done.
Steam is the only service that I've tried to use that won't accept any of my credit cards... I'm not in a common situation, living in China with a French credit card registered with my Chinese address, but still, I only could pay two times successfully (after a lot of tries) and now I can't anymore (and one would think that it should have become easier since they didn't get any chargebacks when I did buy).
So, in a world where customers can easily chargeback fraudulent charges, I think having security measures that are too paranoid is a great way to lose customers for no real advantages to the customer security.
Oh man, I've tried numerous times to buy something using Steam and was never able to. If you have a card issued in one country and you are traveling abroad, good luck making a purchase. Even if you change the billing address registered with the credit card to the same country you're traveling to and making a purchase from, it won't go through.
I would not give Steam as an example of a successful payment system implementation.
I don't see the downside to verifying your account on a new device before being able to use it. If you have access to the App Store then you have access to Gmail, and one simple email to say "Yeah, go ahead and let my friend's iPad buy this app on my account for 24 hours/7 days/forever" is all it takes to prevent this sort of thing.
> We don't implement such paranoid measures either in other web-services or in real life, so I find it rather overblown to demand Apple does this.
Google Two-Factor Authentication, Facebook emails you when someone logs on using an unknown computer, Steam does the same, and I'm sure there are more examples.
As I mentioned in another comment, you don't have to go as far as verifying before usage (although in some cases you should), but at the very least alert the user of any new device, just like Facebook does.
I can sympathize with you. But even suspect credit fraud is also "purchase first" "warn later". Refusing to let a new device purchase anything without a thorough check is a ridiculous idea.
But I do agree that as the iTunes store grows, the anti-fraud mechanism should be vastly improved along the way. IIRC Apple just began to send those emails out to remind customers of suspicious activity due to rampant credit card theft. Clearly Apple hasn't done enough to minimize users' effort and loss. I'm skeptical of utilizing usage patterns though; App Store Genius recommendation is laughable.
> even suspect credit fraud is also "purchase first" "warn later"
Not necessarily. My credit card was refused just two days ago because the purchase seemed unfamiliar to Chase. And it's common (and often annoying) for cards to be blocked when you travel abroad.
I think it'd be fair for a new device from a different location to be blocked. Not a thorough check, but an email would work. But in that domain you can never find a compromise that works with everyone.
> I can sympathize with you. But even suspect credit fraud is also "purchase first" "warn later". Refusing to let a new device purchase anything without a thorough check is a ridiculous idea.
They could always do something like what Steam does - the first time you try to buy something with a new device, you must enable it by typing in a code that is emailed to you.
Apple's new-device-detection algorithm doesn't seem to be perfect - I was vacationing and bought an app, and it was flagged as a new device (I got the mail for my purchase), despite it being the same one I've been using for a few years.
> Apple's new-device-detection algorithm doesn't seem to be perfect - I was vacationing and bought an app, and it was flagged as a new device (I got the mail for my purchase), despite it being the same one I've been using for a few years.
I have had this happen with Steam countless times, it's made me hate the Steam Guard system. I have a long complex password for Steam and I don't play online so my account isn't high risk at all.
However I use a number of different browsers on different machines and reset them frequently. As a result, almost every purchase I've made through a browser from Steam since that system was implemented has required me re-authenticating the "new device".
Personally, I'm not a fan. I'm positive it would get an even worse reception from the general public, too. Steam users aren't necessarily savvy but they are typically willing to jump through technical hoops for a particular endgame. I wouldn't say the same for iOS users, by and large.
This is a tricky one. Increasing security without adding complexity or alienating users that have grown used to the current system is very difficult. I'm not ready to jump all over Apple for this, it's not a problem with an obvious & popular solution that they are just choosing to ignore, this is something every company in the world is struggling with right now and they all have a different way of combatting it, each with their own unique pros and cons.
Fraudulent charges happen all the time on credit cards. The only difference here is that you can call up your CC company and get the charges refunded immediately.
Put differently, purchase first, warn later IS the way VISA and credit cards in general work. Step 2 after warning is telling the card company those aren't your purchases, and then they void them out.
Preferably my Google Apps account, for which I have two factor auth enabled. Or perhaps my SmartCard enabled work email. Or even my SMS 2-factor Facebook email.
Back when there was all the controversy about really stupid and occasionally offensive App Store rejections, Gruber took the rare approach of actually criticizing Apple on his blog. So Apple VP Phil Schiller personally responded to Gruber's latest post and Apple began making some sweeping changes to their review processes.
> In Hanselman’s case, though, he admits he was using PayPal,
> not a credit card. Perhaps it’s therefore safer to use a
> credit card instead of PayPal for iTunes Store payments?
I don't see how that makes a difference if your iTunes account is compromised. Or perhaps it's because your credit card company is more likely than PayPal to alert you to suspicious activity?
To be more verbose than molecule: Gruber is an Apple-focused blogger who gained a lot of influence in the Apple world over time. A lot of people interested in the Apple "world" follow his blog. So, if he were to get this problem and blog about it, Apple would make sure it'd be fixed fast…
Fair enough. I don't have any evidence either way to be honest, I was mostly explaining why he was mentioned in the post.
Though, in any case, one thing you can be sure of is that when he blogs about something, it gets significant attention in the tech sphere. You wouldn't be able to link a fix directly to him afterwards, but I think it's fair to say that his blow-horn is loud enough to have some influence.
Where on Gruber's website is his relevance to the subject made clear?
EDIT: No, seriously. If someone has no idea who Gruber is and they click through to his site, tell me where on the screen they would see information that answers the implicit question "Who is Gruber and why would him finding out about this problem aid its resolution".
I removed my credit card from iTunes a while ago when the first of the "my iTunes account has been stolen" stories was breaking. I just fill the account with iTunes gift cards instead. It's a minor inconvenience to have to keep track of how much gift card credit there is, but the cards are available everywhere in the US (gas stations, Walmart, Walgreens, CVS, etc.) If the account ever does somehow get compromised, the most I lose is the $30 or so I keep in gift card credit.
I don't have an iOS device, but I do use iTunes on my Mac and Windows desktops. About a month ago, I wanted to rent a movie on iTunes (as a test), but my iTunes balance was $0, so I tried to figure out how to tell iTunes my credit card information. I couldn't find any way to do that. Maybe it's not possible? It was frustrating but my solution was just to buy a $15 iTunes gift card when I was grocery shopping at Safeway.
After reading this story, I'm glad I couldn't give my credit card information to iTunes.
You probably are even less interested in adding your credit card, but if you want, there's a "Payment Information" section if you click on the "Account" button dropdown by your apple id in iTunes.
I just changed my password to one more unique (I was reusing it elsewhere), and finding the place to do so was surprisingly hard to find (IMO, it's harder than adding payment information).
I can see how a data lockdown would be offputting, but I read this as a story about how some algo at Apple stopped a thief from stealing as much as he could have otherwise.
One of the main gripes seems to be that Apple "let this happen" -- but enabling app commerce is what they do. Someone gets ahold of your credit line, they go buy stuff. Best Buy doesn't "let it happen", neither does Visa. After the fact they are just mandated to limit the damage to which you're responsible.
I'm not sure I could tolerate it any other way. Personally, I would not enjoy a system where some human calls me up every time I make an app purchase. I feel Apple's sin of omission is forgivable here and see it as laudable that some software algo stopped it after $40 or so. I'll be interested to read, however, whether or not Apple holds this gentleman accountable for those purchases and whether or not they fall back onto the credit card provider for damage limits.
How would Apple know about a new iOS device or Mac signing into your iTunes Store account? It learns of the device the first time you successfully log in on the device. Besides doing some sort of pre-registration or requiring an iTunes Store ID to simply buy the device, there's no easy way around that. They'd also have to end all used/third party sales of Apple products or require resellers to activate every iPad, iPod Touch, iPhone and Mac they're sold. It's completely unrealistic to do a default deny on new devices.
They could do something similar to what Facebook does: as soon as they detect a new device using your account, send an email.
If the new device is not in the same country as your other devices, don't allow purchases until you've clicked on that link in your email.
And don't forget to ensure that you can't change your email unless you're doing it from an authorized device. Otherwise a malicious person could just change the email address where the notification emails are going to.
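Several comments above describe the same control from different angles: the Steam-style code on the first purchase from a new device, the "let my friend's iPad buy on my account for 24 hours/7 days/forever" idea, and this comment's notify-or-block-by-country policy with its guard on changing the alert address. As an added example that is not from the thread and not Apple's or Valve's code, here is a toy Python implementation of that combined policy. The in-memory mailer, the injectable clock, the device IDs and the country codes are all stand-ins for the demo.

```python
"""Toy new-device authorization flow (added example, not Apple's or Steam's code).

Policy: an unknown device gets an alert e-mail with a one-time code; if it is
in a country none of the account's current devices are in, purchases are
refused until the code is entered; an authorization can be time-limited; and
the alert address can only be changed from an authorized device, so an
attacker cannot silently redirect the warnings.  Mailer and clock are stand-ins.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    # device_id -> (country, expiry timestamp or None for "forever")
    devices: dict = field(default_factory=dict)
    # device_id -> (one-time code, country, issued_at) awaiting confirmation
    pending: dict = field(default_factory=dict)


class DeviceAuthorizer:
    CODE_TTL = 15 * 60  # seconds a mailed code stays valid

    def __init__(self, now=time.time):
        self.now = now
        self.outbox = []  # (to, subject, body) "sent" by the stand-in mailer

    def _is_authorized(self, acct, device_id):
        entry = acct.devices.get(device_id)
        if entry is None:
            return False
        _country, expires = entry
        return expires is None or expires > self.now()

    def _known_countries(self, acct):
        return {c for c, exp in acct.devices.values()
                if exp is None or exp > self.now()}

    def attempt_purchase(self, acct, device_id, country, item):
        """Returns ('ok', item), ('notified', item) or ('blocked', reason)."""
        if self._is_authorized(acct, device_id):
            return ("ok", item)
        code = "%06d" % secrets.randbelow(10 ** 6)
        acct.pending[device_id] = (code, country, self.now())
        self.outbox.append((acct.email, "New device on your account",
                            f"Device {device_id} in {country}. Code: {code}"))
        if country not in self._known_countries(acct):
            return ("blocked", "verification code e-mailed")
        # Same country as an existing device: purchase first, warn by e-mail.
        return ("notified", item)

    def confirm(self, acct, device_id, code, duration=None):
        """Enter the mailed code; duration in seconds, None means 'forever'."""
        entry = acct.pending.get(device_id)
        if entry is None:
            return False
        expected, country, issued = entry
        if self.now() - issued > self.CODE_TTL:
            del acct.pending[device_id]  # stale code, a new one must be requested
            return False
        if not hmac.compare_digest(expected, code):
            return False
        del acct.pending[device_id]
        expires = None if duration is None else self.now() + duration
        acct.devices[device_id] = (country, expires)
        return True

    def change_email(self, acct, device_id, new_email):
        """Only an authorized device may redirect where alerts go."""
        if not self._is_authorized(acct, device_id):
            return False
        acct.email = new_email
        return True


def run_scenario():
    """Walks the attack the thread describes; returns each step's outcome."""
    clock = [1_700_000_000.0]
    auth = DeviceAuthorizer(now=lambda: clock[0])
    acct = Account(email="owner@example.com", devices={"mac-home": ("US", None)})
    steps = []
    steps.append(auth.attempt_purchase(acct, "ipad-unknown", "CN", "poker chips"))
    steps.append(auth.change_email(acct, "ipad-unknown", "attacker@example.com"))
    code = auth.outbox[-1][2].split("Code: ")[1]
    wrong = "000000" if code != "000000" else "000001"
    steps.append(auth.confirm(acct, "ipad-unknown", wrong))
    steps.append(auth.confirm(acct, "ipad-unknown", code, duration=24 * 3600))
    steps.append(auth.attempt_purchase(acct, "ipad-unknown", "CN", "poker chips"))
    clock[0] += 25 * 3600  # the 24-hour grant lapses
    steps.append(auth.attempt_purchase(acct, "ipad-unknown", "CN", "poker chips"))
    steps.append(auth.attempt_purchase(acct, "iphone-new", "US", "a new game"))
    return steps


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The scenario shows the two outcomes the thread argues about side by side: a same-country device is let through with a warning mail, while a device abroad is held until the owner types the code, and the attacker holding only the account password cannot change the address the code goes to.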
I got that same email yesterday when I purchased Lion for a computer on which I'd replaced the logic board. The "change your password" suggestion and lack of a fraud reporting mechanism was strange, but I didn't have cause to tell anyone.
Also, the "do_not_reply@apple.com" seems like a strange address for an email like this. It should be "fraud@apple.com" (note: probably doesn't exist) or at least provide a link to the list of phone numbers at http://support.apple.com/kb/HE57 or the online support system at https://expresslane.apple.com/.
I think this issue is orthogonal from the one mentioned on the discussion board. My understanding is that the user on the board is complaining about someone stealing his card number and using it to buy stuff on iTunes via the hacker's own account; the OP is complaining about somebody using the OP's iTunes account (and possibly his PayPal account?) to buy things on iTunes.
It sounds to me like the developer of the app purchased might be in on this - there are apparently multiple reviews saying that the same thing happened to other people. Or maybe said hacker(s) just like playing that particular game?
Edit: I completely agree that do_not_reply is the wrong address from which an email like this should be coming.
I'm confused about something here: This guy gets an email about his account being accessed illegally, and the email's got some problems with it in how it presents the info, okay, sure, Apple should get right on it.
Then we jump to some stuff about his AppleID being disabled? What?
It's interesting to look at the companies that are mentioned. Pearl-in-palm is based in Beijing and has been around for seven years [0]. They make games and this one gets great ratings on the English store [1].
But very bad ratings on the Japanese store [2], saying things Google translates as "Amount has been exploited to gain unauthorized access".
Based on this and on anto1ne's comment about Chinese "gift cards" [3], my guess is that the company is legit and that someone sells iTunes usernames and passwords to individual gamers looking for extra points.
There's another company mentioned in these discussions: Kamagame Poker. In fact, if you Google "Kamagame poker chip" the first two hits are people on Apple forums complaining about unauthorized charges. Same phenomenon as above: great reviews in the US store, bad reviews in the Japanese store.
Perhaps the Japanese are not interested in these two games, so a larger percentage of their downloads are scam related, while in the US the majority of downloads is legitimate?
So here's an opportunity for some automated detective work:
1 - scrape all applications with in app purchases
2 - scrape US and Japanese reviews
3 - look for rating differentials (and of course terms like 'fraud', 'charge')
Follow up with more manual labor:
1 - where are most of the customers of these apps? (China?)
2 - are these companies related? (I have no reason to suspect these two, but the bigger picture might look different)
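The automated part of that detective work can be run as a script once the reviews are collected. What follows is an added example that is not part of the thread: it does the scoring step over constructed review data (the app names and review texts are made up, and the Japanese reviews are given as already-translated English text, since the real ones would go through a translator first). The store scraping itself is left out.

```python
"""Rating-gap and fraud-term scan over app reviews (added example, constructed data).

For each app with enough reviews in both the US and Japanese stores, compute the
mean-rating gap and count reviews mentioning fraud-related terms; flag apps that
score high on either signal.
"""
import re
from collections import defaultdict
from statistics import mean

# Terms a victim tends to write; the Japanese reviews are assumed to have been
# machine-translated into English before this step.
FRAUD_TERMS = re.compile(
    r"\b(fraud|unauthori[sz]ed|charge[ds]?|stolen|hacked|did not buy|refund)\b",
    re.IGNORECASE,
)

# Constructed sample: (app, store, stars, review text).  Not real reviews.
SAMPLE_REVIEWS = [
    ("Zombie Poker", "US", 5, "Great poker game, love the chips"),
    ("Zombie Poker", "US", 4, "Fun, a bit ad heavy"),
    ("Zombie Poker", "US", 5, "Best poker app"),
    ("Zombie Poker", "JP", 1, "Unauthorized charge on my account, I never bought this"),
    ("Zombie Poker", "JP", 1, "Amount was charged after unauthorized access"),
    ("Zombie Poker", "JP", 2, "Did not buy these chips, want a refund"),
    ("Daily Puzzle", "US", 4, "Nice puzzles"),
    ("Daily Puzzle", "US", 3, "Okay, gets repetitive"),
    ("Daily Puzzle", "JP", 4, "Relaxing"),
    ("Daily Puzzle", "JP", 3, "Good but short"),
    ("Flashlight Pro", "US", 2, "Crashes on launch"),
    ("Flashlight Pro", "JP", 2, "Crashes"),
]


def score_apps(reviews, min_reviews=2, gap_threshold=1.5, mention_threshold=2):
    """Return one dict per app that has min_reviews in both stores, flagged ones first."""
    stars_by_app = defaultdict(lambda: defaultdict(list))
    mentions = defaultdict(int)
    for app, store, stars, text in reviews:
        stars_by_app[app][store].append(stars)
        if FRAUD_TERMS.search(text):
            mentions[app] += 1

    results = []
    for app, stores in stars_by_app.items():
        # Skip apps with too few reviews in either store: the gap would be noise.
        if any(len(stores.get(s, [])) < min_reviews for s in ("US", "JP")):
            continue
        us_mean, jp_mean = mean(stores["US"]), mean(stores["JP"])
        gap = us_mean - jp_mean
        results.append({
            "app": app,
            "us_mean": round(us_mean, 2),
            "jp_mean": round(jp_mean, 2),
            "rating_gap": round(gap, 2),
            "fraud_mentions": mentions[app],
            "flagged": gap >= gap_threshold or mentions[app] >= mention_threshold,
        })
    # Flagged apps first, then by widest gap, then by most fraud mentions.
    results.sort(key=lambda r: (not r["flagged"], -r["rating_gap"], -r["fraud_mentions"]))
    return results


def flagged_apps(reviews):
    """Just the names worth a manual look (where are the customers, are the companies related)."""
    return [r["app"] for r in score_apps(reviews) if r["flagged"]]


if __name__ == "__main__":
    for row in score_apps(SAMPLE_REVIEWS):
        print(row)
```

The thresholds are arbitrary starting points; on real data you would tune them against a handful of apps you have already confirmed by hand, and treat the output only as a queue for the manual follow-up the comment lists.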
1 - someone got their hands on Apple's private encryption keys
2 - someone got their hands on a list of Apple IDs or device UDIDs
3 - Apple knows this, but wants to fix the problem behind the scenes and keep it under the radar.
My memory of Apple's in App Purchase system is a bit rusty, but my guess is a combination of 1 and 2 is enough to cheat it into buying products on someone else's behalf.
Then again, it could also just be a reused password.
If it was a reused password, I'm an idiot. But, I'm willing to assume I am an idiot. My point is two-fold:
1. Allowing new devices to buy stuff without two-factor auth is weak sauce.
2. The larger meta-point that when we rely on the cloud in a big way, it hurts when we are locked out.
If someone tried to buy an app "manually" using their own device and your account, they would need to know your email address and password. There are plenty of websites out there that store passwords in plain text; some of them even email it to you so everyone can intercept it. Other sites use some encryption, but could still be compromised.
The possibility I hinted at is that someone just "pretends" they have an iPhone and communicates with the Apple server directly. I don't know how their algorithm works, but it may be the case that they only need an Apple ID and some secret key that is stored on the device. In that case asking the user for their password is just a way to protect the user when they lose their actual device. That would be pretty insecure from Apple's side. They should at least use the password to generate a key pair. (This doesn't necessarily require anyone to steal secret keys from Apple, I just realize.)
Given Apple's security practices are more Microsoft-2001 than Microsoft-2011, I'd hazard a guess that there's some sort of 0-day exploit hitting iOS devices themselves.
Scott's not dumb though to fly without antivirus/firewalls on his own PCs.
Your iPad/iPhone, on the other hand, are almost certainly running no antivirus and no firewall. Because who needs such inconveniences, eh?
Apple's security practices for Mac OS X could arguably be described historically as Microsoft-2006 (Lion would seem to be approaching Microsoft-2011), but to conflate that with iOS's security practices is disingenuous.
Here's a fairly recent presentation outlining some of the security practices around iOS 4:
Could you give a realistic scenario for the present case? Safari exploit that installs a keylogger on the victim's iOS device? It seems much more likely someone was hit by an exploit on their desktop machine with iTunes installed.
Well, his account was probably sold in China; it's common (at least it still was a few months ago) on Taobao (the Chinese eBay). They sell you "gift cards" to be used within 12h after purchase; it's in fact accounts. I guess that's why Apple started to ask for the CVV for purchases.
There's also a practice in China to use apps as a kind of fraud, or maybe money laundering. I've seen once a Chinese wallpaper app, with each wallpaper for sale at $99, making thousands on the App Store. When you think about it, it's easy to post a wallpaper app, set the price, and you get money through Apple, without any traces.
What I really hate about all this is that Apple still forces you (or makes it very difficult not to) to have a CC linked to your iTunes account, even though you plan to never buy anything.
No, there are no credit cards attached to my account. The commenter is mistaken. I also haven't received an emailed receipt so I suspect a larger backend hack. My systems are secure.
Depending on when this happened, keep in mind that Apple often delays receipt emails for up to a day (in my experience) and bundles the purchases of that day into one receipt.
So again, depending on when it happened, you may simply not have received the receipt yet.
Since there's no credit card associated, it couldn't have asked you to verify you via the CVV in an automated way, so perhaps it skipped this extra security step that other account holders have.
Sounds like it. When this happened to me, they removed my credit card from my account because, I assume, they couldn't get past whatever fraud mechanics were in place. That, or they like stealing gift cards but don't want to commit credit card fraud. ;)
I had a friend receive an email thanking him for his gift card purchase (that he didn't make). Even more strange, it was a different name and not on his credit card, but apparently from his account. There's a ton of iTunes Store fraud out there.
Scott is one of the rare biased, objective posters in the blogging world. He never tries to hide his love of Microsoft and its products, however he never makes unfounded, baseless accusations and always backs up his claims with real data.
LOL, seriously? Kept-blogger? That's a new one. My blog stands alone. It's been around 9 years, and years before I started at MSFT and it'll be around years after I quit.
As for the Tumblr, I created that at the suggestion of my friend Anil Dash.
You spent 4 years(?) in the developer marketing division of Microsoft (Developer and Platform 'Evangelism') whose goal is to promote the use of your company's products, AKA in normal speak 'Marketing'. I imagine you got the job in part as a successful pro-Microsoft blogger?
So, as someone in Microsoft who works in their marketing department, I thought that was a fair question to ask (which I notice you didn't answer, btw).
When are you running your story on 'How Microsoft ripped me off with fraudulent Xbox Charges?' or is that not just as relevant. Perhaps set-up a community tumblr site where we can share stories too?
I appreciate your concern. However, in fact, I have NEVER worked for Developer and Platform Evangelism or anywhere near that division in any capacity. I worked for the Developer Division under ScottGu when I first arrived, then moved to MSDN (the online documentation team) in Server and Tools and have recently moved into the Web Platform team as an architect. I've never been in marketing or sales. My blog is my own and my voice is my own.
I imagine he'll probably run that story when it actually happens. If reality appears to have a pro-Microsoft bias to you, I think that's your problem, not his.
I have been following Scott for 4 years now. I first saw him when he first became a member of Microsoft. His first talk as a Microsoft employee was at the patterns and practices conference in Washington. He is an honest and stand-up guy. He tells it like it is. I have been using a Windows phone for about 8 months now and moved from an iPhone. I have been asking Scott to switch to a Windows phone for a while now. He has yet to do it. So what I am saying is his story is not made up and is not a ploy to get people to stop using iPhones. @shanselman - We know you're real.
Besides following him online, I've eaten Ethiopian w/ him and a bunch of nerds in NYC. Call me a fanboy! I doubt you can find a more stand up, honest, tell it like it is kind of guy. Long live @hanselman whether he is employed at @MSFT or anywhere else.
This post doesn't contribute positively to the discussion, and doesn't address the actual question raised by the parent as to the OP's motivation for creating his blog.
Okay, maybe swearing was bad on my part. I've deleted my comment. I still find the question 'offensive' because
1. Scott created the blog with the stated intent of people sharing their experience with account hacking in iTunes.
2. Mr. Pheroku's question reeks of fanboyism and is downright insulting.
So you should probably downrank the question too.