Apple must act now over its ‘iTunes hack’

by , Technology Editor Technology 27 July 2011

The success of Apple’s App Store could soon hit a bump. iPhone users are allegedly in danger of a scam that’s cost them dear. The worst bit? Not only is Apple aware of this, it doesn’t seem willing to take direct action.

Bitten Apples

The result? Apple is keeping an app on its famed App Store that’s chalked up complaints from people accusing it of fraudulently emptying their iTunes accounts. And the victims are understandably frustrated with Apple’s inaction to stop what appears to be systematic theft.

The fact that that app – Sega’s Kingdom Conquest on the iPhone – is still on the App Store following a catalogue of complaints is, frankly, astonishing.

The reviews on the app say it all:

‘So many people like my six year old have had their accounts wiped by this. No support from Apple.’

‘This app took £55 from my iTunes account even though I have not downloaded it, viewed it or even known about it.’

‘Like others never heard of this app until I got a receipt for purchasing it. Complete scam, made even worse by Apple knowing about it. Shameful Apple, very shameful.’

‘Sent four emails to iTunes/Apple yet no progress, despite a store manager emailing them also. How this app is still on the App Store is beyond belief.’

Beyond belief is bang on. Why is Apple, despite complaints, doing nothing? Sadly, only Apple knows. Yet each day Apple sits on its hands, more unwary iPod, iPhone and iPad customers are falling victim to the problem. And that simply isn’t good enough.

Apple’s response to complaints

For the record, the app’s maker – Sega – insists the problem isn’t with the app. If that’s the case, then Apple has to take responsibility for every consumer that ends up out of pocket, and admit to what could be a real problem with a possible hacking of the iTunes system.

I alerted Apple to the problem, directly asking them why they haven’t taken any action. Apple responded by saying:

‘We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about any unauthorized purchases, and be sure to change your iTunes account password right away. For tips on protecting your iTunes account security visit www.apple.com/support/itunes.’

It is a response – but it’ll be small comfort to those seemingly a victim of fraud. Plus, at the time of writing, the app is still available.

Apple’s iTunes and App Store is a great service – but is the company effectively hiding a hacking issue so as not to tarnish the App Store’s image?

With nearly half-a-million apps and 225m iTunes accounts, news of an iTunes hack wouldn’t be great for a company that last year reeled from the iPhone 4 antenna scandal (you know, the one Apple didn’t even acknowledge until faced with an overwhelming volume of noise from the world’s media).

Here’s what Apple needs to do:

1. If consumers are falling foul of an iTunes hacking scam, and it’s linked to this app, then it makes sense for Apple to remove it immediately to stop more consumers falling victim to a possible scam.

2. Apple should listen to its customers, and admit publicly to any iTunes account issue.

3. Apple must take immediate steps to protect customers from getting their accounts compromised and refund immediately anyone affected.

I’m betting Apple’s customers will continue to meet a wall of silence on this. But allowing them to get ripped off? In Apple’s case, it seems there’s an app for that.

16 comments


Pamela Briggs

I got my son an IPOD TOUCH for christmas from a COMET store and with no knowledge whatsoever of apple was told you just downloaded it onto your computer. No one told me that after that my son didn’t need the computer to download songs or nothing, first thing we knew was when we received emails telling us certain amounts of monies had gone out of our account. Call my husband and I stupid but we’d no idea he could do this we thought he had to link the IPOD up to the computer to download them. Anyhow with a quick phone call for advice from which who emailed us back with advice on what to do we sorted it but I was very disappointed with the store we bought it from they should have told us that this could happen surely. It’s locked of now my son can only use it for songs at present like a glorified tape recorder cos we can’t afford all the fifty pounds worths of music he was putting on. He has special needs too so didn’t realise what he was doing. Please parents be careful what you’re doing cos the shops aren’t bothered how much your kids make out of you.


Julian

I’m sorry Comet didn’t explain that it was possible to download songs and other content via just the iPod touch itself, and although this does require you enter the password for the iTunes account that it was set up with originally, I’m guessing your son either knew it, or figured it out.

Although I’m a bit unsure as to what you mean by “It’s locked of now my son can only use it for songs at present”, I’m hoping what you meant is that whoever you called for advice directed you to the Restrictions feature within the iPod’s settings app, as it allows you to restrict what a device allows, like whether or not you can purchase music etc., quite easily, securing it with a special passcode.

This article from Apple’s support website explains how it works and how to set it up: http://support.apple.com/kb/ht4213 (If you hadn’t found the parental controls within iTunes itself, this one covers them http://support.apple.com/kb/ht1904)


Julian

I’m sorry, but this article is massively misleading and appears to have been written with no real regard for the facts.

In short, there is no “iTunes hack”, the game is not a scam, and due to the way the App Store operates it’s practically impossible for any app to do what this article claims this SEGA game is doing.

As Apple’s statement indicates, what’s actually happened here is that people have either had their credit card information stolen and then used by someone else to create an account, or had the password they’ve chosen for their own iTunes Store account guessed by someone else who has then used it to download the game and buy things within it via In-App Purchase (which requires confirmation and the account password if it hasn’t been entered in the past 15 minutes).

Neither of these things indicates an “iTunes hack” or that the application is a “scam” any more so than a shop that unknowingly ends up accepting a stolen credit card is part of a scam.

Hi Julian

Thanks for the comments – and happy to clarify a few things that you’ve raised.

1. I never said the app is a scam. Sega is a reputable company, and has gone on the record that the app is fine and the problem isn’t down to the app per se. So, just to be clear: the app is definitely not a scam.

2. However, lots and lots of people are clearly being caught up in an on-going scam that is emptying iTunes accounts and is seemingly linked to this particular app. Don’t believe me? A simple Google search of ‘iTunes hack Kingdom Conquest’ shows the number of consumers seemingly caught up in the issue.

3. I never said that iTunes has been hacked. I was simply questioning the silence from Apple to its consumers around this problem, and why – weeks after this problem has emerged, are consumers still having accounts emptied and specifically in relation to this app. One way to stop the problem is to remove the app for a period.

4. However, the fact that people are claiming there is a problem does suggest that something has compromised certain accounts, and that it is fairly systematic. In short, has iTunes been hacked? Consumers are saying they’ve changed passwords but to no avail, which counters the insecure password argument. Something, clearly, is amiss with iTunes here.

5. Finally – and this is an interesting point – this scam does NOT seem to be linked to credit cards, as both you and Apple suggest. A reading of the huge numbers of complaints show that it appears limited to iTunes accounts that are in credit or have been topped up with a gift voucher or funds. It does not seem to affect directly credit cards. I think Apple’s advice around credit cards, then, misses the point.

So, I take your points, but it appears that hundreds of iTunes users are suffering the exact same problem, with the exact same app. Apple’s silence and inaction around this is what I’m calling into question – and I’d expect more from Apple to protect its users.


Julian

1. I accept that you very carefully avoided directly calling it a scam yourself, you just strongly implied it and quoted others who had wrongly asserted it.

“iPhone users are allegedly in danger of a scam that’s cost them dear.” (that use of “allegedly” is practically HIGNFY-worthy)
“The fact that that app – Sega’s Kingdom Conquest on the iPhone – is still on the App Store following a catalogue of complaints is, frankly, astonishing.”
“It is a response – but it’ll be small comfort to those seemingly a victim of fraud. Plus, at the time of writing, the app is still available.”

2. While understandably infuriating to those who fall victim to it, the scam here is quite classic credit card/password theft. Although I haven’t downloaded the game myself, a quick check of its App Store listing and SEGA’s website for it shows that it’s a pretty popular game (#1 in the free RPG category in many countries) and makes extensive use of In-App Purchase.

Even aside from the ludicrousness of using Google search results as some kind of proxy for hard data, it’s quite reasonable to presume that if it’s a favourite of gamers, it’s going to be a favourite of gamers who don’t want to spend their own money, as well. Correlation doesn’t prove causation.

3. You didn’t say iTunes had been hacked? Are you kidding me with this?

Let’s see, we have “what could be a real problem with a possible hacking of the iTunes system.”, followed by “is the company effectively hiding a hacking issue”, with an added “news of an iTunes hack wouldn’t be great”, finished off with a “If consumers are falling foul of an iTunes hacking scam”. But hey, you’re just implying it, I mean, it’s not like the *title of this article* is “Apple must act now over its ‘iTunes hack’” or anything, nope…

Anyway, the idea that by removing the app, Apple would somehow stop the problem, implies the problem here is truly related to/caused by this game in particular, which there appears to be zero evidence for. Surely if the iTunes Store had actually been hacked as you imply/assert throughout, why would people limit fraudulent purchases to just this one game?

4. Some people claiming there’s a problem, even multiple people claiming there’s a problem, doesn’t inherently mean there is one, or that it’s actually the problem they think it is. As you noted yourself, there are more than 224m iTunes store accounts, so if you wish to claim that there’s a systemic problem, surely you’d need evidence that at least a reasonable percentage of the 224m accounts out there are affected. You stated “hundreds” have been affected by this issue, 999 is the largest number that can be considered ‘in the hundreds’, which means that even presuming you’re right, this issue has affected 0.00044598% of registered accounts. Maybe it’s just me, but I figure if the iTunes Store had been hacked, it might be a little more widespread than “hundreds”.

That some people affected by this issue have changed their iTunes Store password and still had further unauthorised purchases made, neither counters the insecure password argument (they could have changed it to another insecure password), nor provides evidence that there’s something amiss with iTunes. Personally in those cases, my money is on the charges being made using another iTunes Store account with a stolen card, the changed password being easily guessed, or quite possibly of customers changing their password on a compromised computer (keyloggers are not your friends etc.).

5. I’m not sure how a misreading of Apple’s statement or what I said is really quite that interesting. Neither they, nor I, said this was simply a matter of credit cards, but that the basic two avenues that involve people spending your money on the iTunes Store without your consent come down to people either getting your card details and creating their own account, *or* gaining the password for your *existing, legitimate account* through either guessing it, or gaining it through other means (phishing, malware etc.).

Hi Julian

Thanks again for your reply – and you do raise some very interesting and valid points.

I do actually agree with a lot of what you say – consumers could be using insecure passwords, that the numbers aren’t huge compared to the total universe of iTunes accounts, and that in-app purchasing of a really popular game could well be the reason (in-app + popularity) for this specific game being a central player in the whole issue.

But, I want to be really clear about what I’m calling for from Apple:

1. There does seem to be some kind of a problem – and lots of consumers are experiencing some kind of scam, and it involves both Kingdom Conquest and iTunes accounts (from what I can tell, pre-credited or in-credit accounts). These bits are facts.

2. There are lots of reviews from consumers frustrated that Apple doesn’t appear to be doing anything to help. Those reviews may be wrong, misguided – or even totally accurate – but the point is Apple does have a bit of a problem in that it seems these concerns are falling on deaf ears. This too is a fact.

3. So these facts do raise a question – which is legitimate to ask – around iTunes and account security. **Something** is clearly happening. It **may** be that in-credit accounts plus in-app purchasing are prone to some type of hack-related problem. It may be that people have poor passwords. Whatever one, it’s a valid question to put before Apple and try to find answers to.

It would be great for Apple to actually articulate that, because I guarantee that tomorrow, someone else’s iTunes account will suffer the same problem, and it will be linked to the same app. That’s not the problem of the unfortunate consumer it happens to – it’s Apple’s problem.

Apple’s bland statement to date doesn’t really explain what might be happening.


jayfehr

This is a cut/paste of the comment I posted on Reddit, but thought I would put it here as well since not everyone visits that site.
_____

This article doesn’t even explain what the issue is. People buy an app then money disappears from their account — how? Is it in-app purchases? If so then the user has to enter the password. For each and every in-app purchase. The Smurfs issue forced Apple to do that, there is no more 15 minute window for in-app purchases. So either you told your kid the password, or it was simple enough that he/she guessed it. Oh, and you also could completely disable in-app purchases in the PARENTAL CONTROLS of the device.

The article also mentions hacking. If this was a shady app on a jailbroken device I would give that some thought. However, apps purchased through the AppStore do not have access to users’ account information, everything has to go through Apple’s system. In fact, as witnessed by the blowback of Apple’s 30% for subscriptions policy most people think this policy goes too far. On top of all this Sega is a reputable company as well I don’t think they would risk their entire organization to steal a few dollars from a few random people. Take advantage of their naivety? Yes. But steal? No.

This article is just FUD. People have to learn that passwords are there for a reason, and giving it to your child is akin to handing them your credit card in a candy store. They have no sense of cost, and no money management skills, yet you give them access to thousands (if not tens of thousands) of dollars.

There is still another option I hadn’t thought of. People’s accounts may have been stolen. Usernames/passwords compromised. But still that makes no sense either since the thieves are making in-app purchases on a game they don’t control. So all these hackers out there steal a bunch of identities to download and play a free game (to download) owned by a multi-million dollar corporation, then steal people’s money in order to buy in-game gear. I really don’t think this is what is happening, it makes zero sense. If they were stealing accounts they would place their own app on the store and keep the cash it brought in.

Hi Jayfehr

Thanks for the comments – and really hope I can explain what the issue is clearly!

First, the issue is about the fact that lots of people seem to be having a problem with pre-credited iTunes accounts being emptied without permission. These accounts appear to be being used to purchase in-game credit in Sega’s app – and the issue seems to be affecting a significant number of people.

The real issue is this: Apple doesn’t appear to be listening to, or directly responding to, something that consumers are frustrated about. Consumers are claiming they are contacting Apple and being met with silence.

So, the issue is about is Apple doing enough to help communicate the problem (according to consumers, nope) and are they doing enough to safeguard or prevent this problem from continuing to occur. The fact that this problem is continuing suggests that unless Apple can take some more direct action, more consumers will face this fraud.

As for the other points you’ve raised:

1. I don’t know how the ‘scam’ is happening. That’s part of the problem. We can all make assumptions – from insecure passwords or guessed passwords and lack of parental controls being used to a hack or security flaw with pre-credited accounts. Any of them are valid guesses – but they don’t detract from the point of the post. Something *is* happening, and consumers *are* frustrated at Apple’s response.

2. I totally agree about Sega. Excellent company, and I have purchased lots of apps for iPad and iPhone from them (my six year old adores Sega All Stars Racing). That’s why I was clear that Sega says the app isn’t at fault. I agree – but it *is* linked to the problems consumers are facing, and that needs looking at.

3. FUD? Well, as we don’t know the reality behind the issue – password failure or hacked account (your *guess* is as good as mine, here) – then I was just putting to Apple that consumers are facing an issue and Apple seems reluctant to discuss the issue. Leaving consumers with problems like this isn’t good business for the app store, and the reviews for Kingdom Conquest aren’t exactly going to help the app itself.

4. And yes, people’s accounts could have been stolen. Like Sony, which had account details hacked and was quiet about it for a week before revealing all.

So, until Apple actually tells all, then all we have are guesses as to what is happening.

That, and the fact that an increasing number of ordinary iTunes account holders are facing some kind of issue.

Thanks

Matt


Patrick

It would be interesting to know if this was confined to PC or Mac users. iTunes on a PC is a real dog and a fine example of bloatware – it should be broken up into its various functions. Such a large piece of software that like Topsy has growed and growed with successive functions bolted on (compared with something written as one from scratch) is bound to have security holes.


wavechange

iTunes is indeed large (142 MB on my Mac) but no larger than some other applications.

Interestingly, recently developed Google Chrome is more than double the size of Safari, the Apple browser which has been around for much longer.

Undoubtedly, software tends to gain features but it’s the performance, ease of use, security and price that matter.


Kay

I’ve just become a victim of this with around £25 credit taken from my itunes account. The timing was unfortunate as my laptop had to be rebuilt so I didn’t see the receipts and warning emails that purchases had been made with a device not previously associated with it (and, yes, I see the significance of this happening when my laptop was elsewhere.) Apparently I’ve purchased 3 x Pearl-in-Palm apps and a couple of tunes in either China or Japan. I’ve checked and the credit card associated with my itunes account hasn’t been used (as yet) but I’m taking steps to remove it.

Having read the previous posts it looks as though I’m going to have to take this loss on the chin. I have so far been unable to find a way of contacting itunes to report it but it sounds as though they don’t care anyway. I think I’ll go back to buying CDs.


Moira

Today 12th September 2011 my PC was not on and my Itunes Store Account has been hacked and drained my account of £25.96, which was all gift card credit. As the last comment I’ve apparently downloaded 1 x Pearl in Palm app and Kingdom Conquest both of which I’ve never heard of. I’ve emailed Apple but don’t hold out much hope and I’m currently on the phone to them.

Apple must do something


Kay

A bit of happier news. I was able to raise a case with iTunes outlining what had happened and they got in touch within 24 hours. In light of the circumstances they refunded all the money taken but it took a further week of supplying the evidence they asked for to get my iTunes account unlocked. I have a much stronger password now on this and other accounts. Hopefully they will refund your money too Moira.


Sololiz

I have just had an email from Apple warning me of ‘a recent download’ and ‘a recent purchase’ related to Texas Poker, apparently purchased from the ‘App Store on a computer or device that had not previously been associated with my Apple ID’. I immediately changed my password in iTunes but too late, my account had obviously been hacked and my credit of £15 had been spent. I emailed Apple and await a response, hopefully within 24 hours as they stated.


Sololiz

Apple responded promptly and have refunded all my credit. I was advised to change my password again and to sign out of the account when not in use. Very pleased with the no quibble customer service.


hawke777

I’ve just been a victim of this – iTunes account credit cleared via a transaction for Kingdom Conquest on a “…device that had not previously been associated…”. I was alerted by an email and by the time I got into my account my payment info had already been set to None, which suggests to me that Apple know there is a problem and now react quickly.

Has anyone had an explanation from Apple? I don’t buy that my password has been “guessed” – I’m aware that there are programmes that can hack accounts through trying multiple combinations of letters and numbers, but I would not expect this to be possible for iTunes purchases. I couldn’t find a phone number to discuss possible fraud with anyone at Apple but have emailed them and await their response.
