Apple must act now over its ‘iTunes hack’

Bitten Apples

The success of Apple’s App Store could soon hit a bump. iPhone users are allegedly in danger of a scam that’s cost them dear. The worst bit? Not only is Apple aware of this, it doesn’t seem willing to take direct action.

The result? Apple is keeping an app on its famed App Store that’s chalked up complaints from people accusing it of fraudulently emptying their iTunes accounts. And the victims are understandably frustrated with Apple’s failure to stop what appears to be systematic theft.

The fact that that app – Sega’s Kingdom Conquest on the iPhone – is still on the App Store following a catalogue of complaints is, frankly, astonishing.

The reviews on the app say it all:

‘So many people like my six year old have had their accounts wiped by this. No support from Apple.’

‘This app took £55 from my iTunes account even though I have not downloaded it, viewed it or even known about it.’

‘Like others never heard of this app until I got a receipt for purchasing it. Complete scam, made even worse by Apple knowing about it. Shameful Apple, very shameful.’

‘Sent four emails to iTunes/Apple yet no progress, despite a store manager emailing them also. How this app is still on the App Store is beyond belief.’

Beyond belief is bang on. Why is Apple, despite complaints, doing nothing? Sadly, only Apple knows. Yet each day Apple sits on its hands, more unwary iPod, iPhone and iPad customers are falling victim to the problem. And that simply isn’t good enough.

Apple’s response to complaints

For the record, the app’s maker – Sega – insists the problem isn’t with the app. If that’s the case, then Apple has to take responsibility for every consumer that ends up out of pocket, and admit to what could be a real problem with a possible hacking of the iTunes system.

I alerted Apple to the problem, directly asking them why they haven’t taken any action. Apple responded by saying:

‘We’re always working to enhance account security for iTunes users. If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about any unauthorized purchases, and be sure to change your iTunes account password right away. For tips on protecting your iTunes account security visit www.apple.com/support/itunes.’

It is a response – but it’ll be small comfort to those who seem to be victims of fraud. Plus, at the time of writing, the app is still available.

Apple’s iTunes and App Store are a great service – but is the company effectively hiding a hacking issue so as not to tarnish the App Store’s image?

With nearly half-a-million apps and 225m iTunes accounts, news of an iTunes hack wouldn’t be great for a company that last year reeled from the iPhone 4 antenna scandal (you know, the one Apple didn’t even acknowledge until faced with an overwhelming volume of noise from the world’s media).

Here’s what Apple needs to do:

1. If consumers are falling foul of an iTunes hacking scam, and it’s linked to this app, then it makes sense for Apple to remove it immediately to stop more consumers falling victim to a possible scam.

2. Apple should listen to its customers, and admit publicly to any iTunes account issue.

3. Apple must take immediate steps to protect customers from getting their accounts compromised and refund immediately anyone affected.

I’m betting Apple’s customers will continue to meet a wall of silence on this. But allowing them to get ripped off? In Apple’s case, it seems there’s an app for that.

Comments

I got my son an IPOD TOUCH for Christmas from a COMET store and with no knowledge whatsoever of Apple was told you just downloaded it onto your computer. No one told me that after that my son didn’t need the computer to download songs or nothing, first thing we knew was when we received emails telling us certain amounts of monies had gone out of our account. Call my husband and I stupid but we’d no idea he could do this we thought he had to link the IPOD up to the computer to download them. Anyhow with a quick phone call for advice from which who emailed us back with advice on what to do we sorted it but I was very disappointed with the store we bought it from they should have told us that this could happen surely. It’s locked of now my son can only use it for songs at present like a glorified tape recorder cos we can’t afford all the fifty pounds worths of music he was putting on. He has special needs too so didn’t realise what he was doing. Please parents be careful what you’re doing cos the shops aren’t bothered how much your kids make out of you.

Julian says:
28 July 2011

I’m sorry Comet didn’t explain that it was possible to download songs and other content via just the iPod touch itself, and although this does require you enter the password for the iTunes account that it was set up with originally, I’m guessing your son either knew it, or figured it out.

Although I’m a bit unsure as to what you mean by “It’s locked of now my son can only use it for songs at present”, I’m hoping what you meant is that whoever you called for advice directed you to the Restrictions feature within the iPod’s settings app, as it allows you to restrict what a device allows, like whether or not you can purchase music etc., quite easily, securing it with a special passcode.

This article from Apple’s support website explains how it works and how to set it up: http://support.apple.com/kb/ht4213 (If you hadn’t found the parental controls within iTunes itself, this one covers them http://support.apple.com/kb/ht1904)

Julian says:
28 July 2011

I’m sorry, but this article is massively misleading and appears to have been written with no real regard for the facts.

In short, there is no “iTunes hack”, the game is not a scam, and due to the way the App Store operates it’s practically impossible for any app to do what this article claims this SEGA game is doing.

As Apple’s statement indicates, what’s actually happened here is that people have either had their credit card information stolen and then used by someone else to create an account, or had the password they’ve chosen for their own iTunes Store account guessed by someone else who has then used it to download the game and buy things within it via In-App Purchase (which requires confirmation and the account password if it hasn’t been entered in the past 15 minutes).

Neither of these things indicates an “iTunes hack” or that the application is a “scam” any more so than a shop that unknowingly ends up accepting a stolen credit card is part of a scam.

jayfehr says:
28 July 2011

This is a cut/paste of the comment I posted on Reddit, but thought I would put it here as well since not everyone visits that site.
_____

This article doesn’t even explain what the issue is. People buy an app then money disappears from their account — how? Is it in-app purchases? If so then the user has to enter the password. For each and every in-app purchase. The Smurfs issue forced Apple to do that, there is no more 15 minute window for in-app purchases. So either you told your kid the password, or it was simple enough that he/she guessed it. Oh, and you also could completely disable in-app purchases in the PARENTAL CONTROLS of the device.

The article also mentions hacking. If this was a shady app on a jailbroken device I would give that some thought. However, apps purchased through the AppStore do not have access to users’ account information, everything has to go through Apple’s system. In fact, as witnessed by the blowback of Apple’s 30% for subscriptions policy most people think this policy goes too far. On top of all this Sega is a reputable company as well; I don’t think they would risk their entire organization to steal a few dollars from a few random people. Take advantage of their naivety? Yes. But steal? No.

This article is just FUD. People have to learn that passwords are there for a reason, and giving it to your child is akin to handing them your credit card in a candy store. They have no sense of cost, and no money management skills, yet you give them access to thousands (if not tens of thousands) of dollars.

There is still another option I hadn’t thought of. People’s accounts may have been stolen. Usernames/passwords compromised. But still that makes no sense either since the thieves are making in-app purchases on a game they don’t control. So all these hackers out there steal a bunch of identities to download and play a free game (to download) owned by a multi-million dollar corporation, then steal people’s money in order to buy in-game gear. I really don’t think this is what is happening, it makes zero sense. If they were stealing accounts they would place their own app on the store and keep the cash it brought in.

Patrick says:
28 July 2011

It would be interesting to know if this was confined to PC or Mac users. iTunes on a PC is a real dog and a fine example of bloatware – it should be broken up into its various functions. Such a large piece of software that like Topsy has growed and growed with successive functions bolted on (compared with something written as one from scratch) is bound to have security holes.

iTunes is indeed large (142 MB on my Mac) but no larger than some other applications.

Interestingly, recently developed Google Chrome is more than double the size of Safari, the Apple browser which has been around for much longer.

Undoubtedly, software tends to gain features but it’s the performance, ease of use, security and price that matter.

I’ve just become a victim of this with around £25 credit taken from my iTunes account. The timing was unfortunate as my laptop had to be rebuilt so I didn’t see the receipts and warning emails that purchases had been made with a device not previously associated with it (and, yes, I see the significance of this happening when my laptop was elsewhere.) Apparently I’ve purchased 3 x Pearl-in-Palm apps and a couple of tunes in either China or Japan. I’ve checked and the credit card associated with my iTunes account hasn’t been used (as yet) but I’m taking steps to remove it.

Having read the previous posts it looks as though I’m going to have to take this loss on the chin. I have so far been unable to find a way of contacting iTunes to report it but it sounds as though they don’t care anyway. I think I’ll go back to buying CDs.

Today 12th September 2011 my PC was not on and my iTunes Store Account has been hacked and drained my account of £25.96, which was all gift card credit. As the last comment I’ve apparently downloaded 1 x Pearl in Palm app and Kingdom Conquest both of which I’ve never heard of. I’ve emailed Apple but don’t hold out much hope and I’m currently on the phone to them.

Apple must do something

A bit of happier news. I was able to raise a case with iTunes outlining what had happened and they got in touch within 24 hours. In light of the circumstances they refunded all the money taken but it took a further week of supplying the evidence they asked for to get my iTunes account unlocked. I have a much stronger password now on this and other accounts. Hopefully they will refund your money too Moira.

Sololiz says:
5 February 2012

I have just had an email from Apple warning me of ‘a recent download’ and ‘a recent purchase’ related to Texas Poker, apparently purchased from the ‘App Store on a computer or device that had not previously been associated with my Apple ID’. I immediately changed my password in iTunes but too late, my account had obviously been hacked and my credit of £15 had been spent. I emailed Apple and await a response, hopefully within 24 hours as they stated.

Sololiz says:
7 February 2012

Apple responded promptly and have refunded all my credit. I was advised to change my password again and to sign out of the account when not in use. Very pleased with the no quibble customer service.

hawke777 says:
8 March 2012

I’ve just been a victim of this – iTunes account credit cleared via a transaction for Kingdom Conquest on a “…device that had not previously been associated…”. I was alerted by an email and by the time I got into my account my payment info had already been set to None, which suggests to me that Apple know there is a problem and now react quickly.

Has anyone had an explanation from Apple? I don’t buy that my password has been “guessed” – I’m aware that there are programmes that can hack accounts through trying multiple combinations of letters and numbers, but I would not expect this to be possible for iTunes purchases. I couldn’t find a phone number to discuss possible fraud with anyone at Apple but have emailed them and await their response.