iTunes Scammers At It Again
March 9, 2011 2:37 PM

A thread at Apple's Support site has popped up with frustrated users describing nearly identical iTunes account disruptions: up to hundreds of dollars of charges are being racked up by fraudulent buyers, using iTunes gift card balances and even credit card information to fund the purchases.

The most common occurrence is the purchase of a cheap, Chinese-branded Texas-Hold-Em gaming application, with an additional "in-app" purchase of game chips at higher prices. Users are reporting account withdrawals on balances as old as a year. The volume of identical reports and similar purchase patterns suggests that this is an isolated event. Apple has responded by refunding some affected users' accounts, but maintains that their service is "secure" and is urging users to follow safer internet practices. Their support website includes links to iTunes update 10.2, which fixes over 50 critical bugs with the software, including (unrelated) "man-in-the-middle" vulnerabilities in the Webkit software module.

Similar incidents have been disregarded by Apple, even with somewhat convincing examples and contexts provided by "knowledgeable" users; the common consensus is that users' email account and password information is being ripped from other websites (including forums, file-sharing sites, etc.) and simply plugged into iTunes by phishers/hackers.

This isn't the first time Apple's Store has been the conduit for channeling funds: the gift card algorithm was cracked in 2009, and more recently, stolen iTunes accounts have been auctioned off on TaoBao, the Chinese equivalent of eBay.

iTunes (and the newly released App Store) is just another avenue for cybercrime, providing a quick and easy way to transfer funds to fraudsters. Since 65% of adults worldwide have been victims of cybercrime, it is important to know that there are resources available to help.
posted by Khazk (71 comments total) 4 users marked this as a favorite

Keyloggers gonna log.
posted by Threeway Handshake at 2:42 PM on March 9, 2011 [6 favorites]


I'm gonna throw this one out there for the Apple fans/Microsoft haters: XBLA scam costs Microsoft $1.2m. Whoops. Though at least this only hurt Microsoft, not end users.
posted by kmz at 2:43 PM on March 9, 2011


I keep my credit card info disassociated from my account; it helps prevent this sort of thing. On the other hand, I make few store purchases, so it's not an approach that favors convenience.
posted by Blazecock Pileon at 2:46 PM on March 9, 2011 [1 favorite]


I wonder if this is the natural conclusion of the Gawker accounts getting cracked and the weaker passwords rainbow tabled. I bet a large number of the peeps with gawker accounts were using the same email/pw combo for their itunes store accounts.
posted by mullingitover at 2:46 PM on March 9, 2011


My account got hacked last year and charges were made on my credit card (all $4!) before I changed my password and had my credit card void those charges. (This was after Apple said I was Shit Out of Luck).

Then last week my girlfriend's gift card money ($60) got drained and Apple again won't do anything. Apple's response is shitty and they should at least have a guarantee to reimburse fraudulent funds like credit card companies.

I bought two albums this month, and I went to Amazon instead of iTunes.
posted by yeti at 2:49 PM on March 9, 2011


I buy all of my Apps and tunes through preloaded iTunes cards. I do not back my account with my credit card.

My username is the same as I use everywhere and I guess I used my "not that important" password for both Apple and Gawker. I ended up buying and rating some terrible photo app. It took me like 3 or 4 rounds of emails with a very nice Apple rep to get my dollar back. (I was more concerned with getting that app yanked). I must have deleted the mail chain, or I'd tell you what the app was.

I can't say this was due to the Gawker thing, and I should have had a different password, but all the same I don't need proof to blame them.
posted by cjorgensen at 2:50 PM on March 9, 2011


So people with insecure passwords are getting their accounts on an extremely high profile web site/service hacked?

THIS IS AN OUTRAGE.
posted by entropicamericana at 2:54 PM on March 9, 2011 [8 favorites]


Yeah, this is very likely due to people using the same email address / password combo on iTunes that they did on some compromised site or other. My money would be on Gawker as the origin point of the info.

When the Gawker password file came out, I picked 10 Gmail addresses at random from the list and plugged the username / password combos into Gmail, just to see how dumb people are about Internet password security. Three of them worked.
posted by killdevil at 2:54 PM on March 9, 2011 [1 favorite]


It's worth noting that Apple only requires 6-character passwords with no other complexity requirements to protect your credit card. In security terms, that's a picket fence with a KEEP OUT sign and a chihuahua guarding your life savings. No mention of whether they're using salted hashes and full PCI compliance, but god knows Gawker wasn't.
posted by mullingitover at 2:56 PM on March 9, 2011 [2 favorites]


It's worth noting that Apple only requires 6-character passwords with no other complexity requirements to protect your credit card

Nothing (short of a lack of experience/education) prevents somebody adding their own complexity requirements or longer passwords. Personally I hate it when sites take it upon themselves to force me to be secure. Nothing is worse for that than Treasury.gov.
posted by willnot at 2:59 PM on March 9, 2011


It's worth noting that is Amazon's password requirement as well. If people are careless, it's hardly Apple's fault.

Also, it is (always) worth noting that Gawker is run by simpletons.
posted by entropicamericana at 3:00 PM on March 9, 2011 [6 favorites]


It's worth noting that Apple only requires 6-character passwords with no other complexity requirements to protect your credit card. In security terms, that's a picket fence with a KEEP OUT sign and a chihuahua guarding your life savings.

It's not the best arrangement, and ideally you wouldn't associate your account with a credit card in the first place if you're really paranoid about credit card numbers (like I am), but at least, in theory, cardholders have zero liability for fraudulent charges through a stolen credit card number.
posted by Blazecock Pileon at 3:04 PM on March 9, 2011


@mullingitover: Annoyingly in the UK, it's 8 characters, including a non-alpha and a mix of case. Mercifully I set my apple account up with a secure password I can remember that doesn't conform to these rules a long time earlier.

I wish more sites would explain the password rules when *logging in* and not just registering, as usually I wind up having to create a new account before I find out they have an arbitrary rule about requiring a percent sign, or two underscores, but not a number higher than 7, in acceptable passwords. Usually just a reminder of the stupid regulation is all it takes to jolt my memory.
posted by davemee at 3:04 PM on March 9, 2011 [4 favorites]


Here in Canada it's 8 characters, non-alpha and mixed case too. Or is it just all passwords after X date (including in the US)?
posted by ODiV at 3:07 PM on March 9, 2011


I should note that the zero liability thing is in the United States. I don't know what laws Canada and the UK have for dealing with fraudulent charges.
posted by Blazecock Pileon at 3:08 PM on March 9, 2011


I beat the NYTimes rock/scissors/paper AI by throwing 5 straight rocks this week. My new password of 123456 will surely outsmart those hackers!
posted by yeti at 3:08 PM on March 9, 2011 [1 favorite]


Also, it is (always) worth noting that Gawker is run by simpletons.

Seems to me if you ran a company where people used usernames and passwords, as soon as the Gawker thing hit you'd try everything on the list and contact the people for whom it worked. If you were at all concerned with user security, anyway.
posted by kafziel at 3:09 PM on March 9, 2011


I'm like a walking phishing trap for identity thieves. I keep hoping that they'll steal my credit card bill and my student loans, but no matter how bad my passwords are I never get any bites.
posted by Stagger Lee at 3:10 PM on March 9, 2011 [3 favorites]


------------------------------------------------------------------------------------------

Dear MetaFilter User,

Our records indicate that you have an Apple iTunes™ account associated with your primary MetaFilter™ email address. As part of our ongoing efforts to protect the identities of all of our users, we're asking everyone to please validate this information with our new, secure iMeFi™ biometric theft prevention system. Your account may be at risk unless you complete these three simple steps (most people can finish them in less than five minutes):

1. Compose a new email to iMetaFilterSecureTrust@yahoo.com
2. In the body of the message, type your iTunes account email address and password
3. Click "Send"

Thank you for helping us keep your identity safe on the internet! This is real and very important.

Signed,
Jacqueline A. Russo
Legitimate CSR
MetaFilter, Corp.

------------------------------------------------------------------------------------------
posted by The Winsome Parker Lewis at 3:10 PM on March 9, 2011 [11 favorites]


When my CC information was compromised by the break-in at Monoprice, the thief started by making large purchases at the iTunes store. I found it really bizarre that people steal credit cards to buy music. Cut out the middleman, guys.
posted by gngstrMNKY at 3:11 PM on March 9, 2011 [17 favorites]


When my CC information was compromised by the break-in at Monoprice, the thief started by making large purchases at the iTunes store. I found it really bizarre that people steal credit cards to buy music. Cut out the middleman, guys.

Those stolen mp3s are being laundered and resold in Europe.
posted by Stagger Lee at 3:12 PM on March 9, 2011 [8 favorites]


I guess I should pipe in that gift card balances were also being drained; as far as I know the money-to-arbitrary-currency market is rarely used for monetary gain. The other examples are video game stores (XBOX Live, Nintendo Store, PSN, etc.) but those generally don't translate directly into "casino chips" which the fraudster can cash in for real money.
posted by Khazk at 3:14 PM on March 9, 2011


I know for a while one could get itunes gift cards on Taobao (China's ebay-like shopping site). It was something like 5 dollars for a $200 gift card. They were usually just compromised accounts. To the buyer, though, it just seemed like you were getting a good deal. Never got one myself (too good to be true, etc.), but saw quite a bit of interest in the deal on an expat forum when these were going around.
posted by msbrauer at 3:14 PM on March 9, 2011


This is kind of small potatoes next to the smurfberries scam, imo.
posted by empath at 3:15 PM on March 9, 2011 [3 favorites]


Part of the blame has to be the mobile device not lending itself to good passwords - they didn't have copy/paste at the start so why change what they know? Easier to type 123passwordabc than something like 0kZEqG but then the longer the password and the more difficult its entry the less spur of the moment purchases they get?
posted by episodic at 3:16 PM on March 9, 2011 [1 favorite]


Somehow the ability to copy and paste passwords doesn't seem much safer.
posted by Blazecock Pileon at 3:19 PM on March 9, 2011


secure iMeFi™ biometric theft prevention system.

Here and I was expecting a required DNA sample.
posted by Mister Fabulous at 3:21 PM on March 9, 2011 [1 favorite]


Personally I hate it when sites take it upon themselves to force me to be secure. Nothing is worse for that than Treasury.gov

I find it annoying but I think it helps forestall events like this, assuming that the people behind it brute-forced their way into accounts.
posted by Tabs at 3:22 PM on March 9, 2011 [1 favorite]


I suppose it's time to stop using hunter2 everywhere.
posted by special-k at 3:23 PM on March 9, 2011 [5 favorites]


I found it really bizarre that people steal credit cards to buy music. Cut out the middleman, guys.

Who stands to gain from the "theft"? Apple, for one, and whoever Apple licensed the music from. And that's pretty much it. One can draw one's own cynical conclusion, surely.
posted by Sys Rq at 3:23 PM on March 9, 2011 [1 favorite]


This is particularly interesting to me because I've both made and heard some speculation that Apple is going to try to leverage the huge amount of payment activity that goes through iTunes into a general payments system -- it seems fairly obvious that if they play their cards right, they could end up with a virtual currency on par with plastic.

Handling theft and fraud is a pain, though, and I suspect handling it well is even harder. I have a lot of bad things to say about credit card companies, but no bank or net-based system has done a better job at attending to bad charges than the plastic pushers in my experience or the experiences of people I've read about. It wouldn't surprise me if Apple wasn't up for that particular challenge.
posted by weston at 3:26 PM on March 9, 2011 [1 favorite]


I thought Apple had a team that reviewed every app store purchase.
posted by GuyZero at 3:29 PM on March 9, 2011 [3 favorites]


Jobs said at the iPad 2 event recently that there are over 200 million Apple ID accounts with credit cards. Probably the biggest single merchant out there with so many accounts in the world. With that many accounts there's going to be lots of people wanting to get info. If it was some sort of easy exploit, I think hundreds of thousands if not millions of people would be affected.

Stealing money from gift card balances is pretty specific and the use of the balances for in-app purchases (for apps people claim to never buy) makes it sound as if the exploit is being done by an app author finding a way to get $ from in app purchases without the user intervening. Since debits have to equal credits, iTunes customers get charged for the money being taken from Apple.

Because the normal path is: you can buy an app from iTunes for Mac or Windows, but the in-app purchases is on the phone. So the bad guy needs to a) compromise an account that has a gift card balance; b) on an iphone/iPod touch they'd change the itunes account to the compromised credentials; download the app; c) make the in-app purchase(s). Move on to the next one. Oh, I left out changing the person's address to an address in Maryland.

And when you buy stuff on the iTunes store you have to authorize your computer to buy stuff, so there's that step too.
Joshua Payne
This is the only place on the web where you can get free itunes codes cards and anything else you want. Check out this website to find out more www.[redacted].com/
The iTunes facebook discussions are full of stuff like that. Hell, the whole internet is. So people clicking on dumb things may get snapped up in a scam. Between this and the trillion other ways of getting info from people, this might be less of an Apple weakness and more of a human weakness.
posted by birdherder at 3:43 PM on March 9, 2011 [1 favorite]


Clearly Apple needs to build a bigger wall around their garden.
posted by Kraftmatic Adjustable Cheese at 3:50 PM on March 9, 2011 [4 favorites]


I, for one, am waiting for Microsoft to patch Outlook Express to prevent me from giving my bank account info to Nigerians.
posted by Threeway Handshake at 3:52 PM on March 9, 2011 [4 favorites]


I found it really bizarre that people steal credit cards to buy music. Cut out the middleman, guys.

Chances are great that there's some kind of cash fraud going on. One known way is to become an app or music "provider" and launder money by making purchases of your own "product" with masses of fraudulent or legitimate credit/debit cards. This is likely what's happening with the poker app and virtual poker chips in the main post, or people are just using the lax security and payout of that app to launder and/or pilfer money.

Since it's an ongoing problem, I'm guessing the app provider is in on the scam. There's no way any but the most inept gambling house would allow itself to be used as a money laundromat without taking a hefty cut. It would be incredibly obvious that people weren't really gambling with the chips and losing money to the house if they were just cashing them out from stolen CC numbers, and they would have way too many chargebacks.

If anything, the poker app is probably a complex of fraud both macro and micro. The app itself could be suspect and rigged heavily in favor of the house. It's happened at larger and more "legitimate" off shore gambling companies.

Another way someone could be using a stolen credit/debit card number is to make microfraud purchases for someone else in exchange for cash. Probably at a discount. A local buyer wants something from whatever online store but doesn't have a credit card, or thinks the price is too high. A middleman has a stolen credit card and will purchase it for them for a fee and/or discount and pockets the cash.

Similar fraud has happened on eBay and craigslist where people are/were overbidding by insane amounts on gift cards. The gift cards themselves may or may not even exist or have any stored value. The only important thing was using eBay and Paypal to disguise moving large amounts of cash and cleansing it through a "legitimate" but hard to trace business transaction.

In a very real way this illustrates one of the major problems with Apple's "walled content garden" approach to the app store. By saying "you can only run our approved apps from our approved app store" they're also taking responsibility for them, whether or not they actually accept responsibility for them in the terms of service or contract. The de facto verbal contract Apple is selling is "come play in our safe, thoroughly inspected walled garden where things are designed to be safe and easy for you" - and people will hold them to that, especially at the premiums that Apple charges for content and product. If that trust crumbles or cracks, Apple's products don't seem so shiny any more.

Becoming an "online currency" or the digital content vendor Apple is becoming could be a huge boondoggle and costly mistake for Apple.
posted by loquacious at 3:56 PM on March 9, 2011 [5 favorites]


I keep my credit card over its limit for precisely this reason.
posted by gronkpan at 3:57 PM on March 9, 2011 [8 favorites]


Outlook Express doesn't have an account balance, which you cannot get refunded or transfer back into cash (though it has "value"), that is vulnerable to theft, and that can be turned into "legal" money through app sale profit sharing.

I can see your cartwheels but I think you're focused on a well-known (but not as interesting) issue of internet (in)competency, vs. a much more relevant and unknown method of laundering money.
posted by Khazk at 4:06 PM on March 9, 2011


This is why you have to - HAVE TO - use a different password for each login. Even if you just tack the site's name onto the name of your dog, that's better than just using your dog's name for everything.

After The Gawker Thing™ released my username and password to the torrents, it basically shamed me into doing what I knew I should have done all along.

I use KeePass to organize my passwords, and I generate them for each site based on an algorithm similar to a method suggested in a Mefi comment (which I can't find right now).

So I can sit down with pen and paper and work out what the password is if I need to (like if I'm away from home and need to log into Ravelry for some reason). But for the most part, keepass takes care of it for me.
posted by ErikaB at 4:10 PM on March 9, 2011 [1 favorite]


This is why I have software on my computer that automatically masks my password. See, if I were to say, "my password is ************", I see my password but you just see asterisks. It's foolproof. It's even built into the Metafilter interface -- you try it.
posted by AzraelBrown at 4:13 PM on March 9, 2011 [7 favorites]


a much more relevant and unknown method of laundering money

People have been doing this for years with Ebay/Paypal, World of Warcraft, Amazon, Half.com, and anybody else with stored credit cards on accounts. If anybody is not aware that accounts can be compromised, especially ones that have valuable stuff attached to them, then they probably shouldn't be on the Internet.

Somebody didn't hack Apple's database. That of course would be holy-shit-stop-the-presses! Instead, one-off people are using traditional means of getting peoples' accounts. This has been happening since TCP/IP was invented.
posted by Threeway Handshake at 4:15 PM on March 9, 2011 [1 favorite]


Credit card companies have a good reason to keep their security good and treat you right when your account is compromised. In the past they didn't and didn't, and after enough horror stories were recounted to Congress they passed a law making the CC issuer liable. Suddenly it was worth their while to be proactive about security.

One reason you see so many banks pushing debit cards nowadays is that the consumer protection law specifically applies only to credit cards, and debit cards are not covered; most banks are treating debit card holders well, though, because they don't want the law extended. But no matter how well your bank treats you, the bottom line is that your debit card can be used to clean out your bank account and if the bank doesn't feel like being nice, you are screwed. With the CC, there are serious damages if they don't treat you right whether they want to or not.

This is why one pundit I once read calls debit cards "financial suicide cards." There really isn't anything good about them, except that you can get one even if nobody will give you credit. If you can get a credit card, you should either not get a debit card at all or keep it locked up in a safe deposit box if the bank insists on issuing you one.

As for things like paypal, itunes, and gift cards ... you can imagine what their incentive is to straighten a mess like this out. Very simply, they don't have any. Always keep the minimum possible amount of cash in such forms and be aware that it might evaporate without warning one day.
posted by localroger at 4:20 PM on March 9, 2011 [1 favorite]


USE 1Password
posted by mark242 at 4:23 PM on March 9, 2011 [1 favorite]


Becoming an "online currency" or the digital content vendor Apple is becoming could be a huge boondoggle and costly mistake for Apple.
posted by loquacious


Anything is possible, but if I'm a betting man I'd guess that Apple will deal with this (though it will never go away completely) while continuing to make insane amounts of money into the far future.

It's almost comical over the past 10 years or so how many people believe they know what's best for apple or spot future problems that will be "costly mistakes". 99.99 percent of the time those critics have absolutely no idea what they're talking about. I don't expect this to be any different.
posted by justgary at 4:26 PM on March 9, 2011 [1 favorite]


Apple runs a totally secure platform and you never have to worry about spyware or malware with apple, unlike that Icky android store which obviously is loaded with malware because it's not apple and everything that's not apple is insecure.

And if you do get hacked, it's all Gawker's fault! because obviously every single person has a gawker password and bla bla bla bla bla bla bla bla bla bla bla
posted by delmoi at 4:31 PM on March 9, 2011


Even worse is that evil gnutella which is so evil in so many ways I don't want to evil up this thread by talking about it.
posted by telstar at 4:37 PM on March 9, 2011


Credit card companies have a good reason to keep their security good and treat you right when your account is compromised.

And the reason is: it's not their money.

Your refund doesn't come from Visa, or your bank, or even the bank that processed the fraudulent transaction. The money comes out of the account of the merchant that was defrauded. For example, if someone uses a stolen card to make a purchase at Best Buy, and that purchase is discovered by the legitimate cardholder, Best Buy is made to eat the cost. If they refuse, then they give up the privilege of accepting credit card payments (i.e. retail death sentence).
posted by ryanrs at 4:40 PM on March 9, 2011 [1 favorite]


The money comes out of the account of the merchant that was defrauded. For example, if someone uses a stolen card to make a purchase at Best Buy, and that purchase is discovered by the legitimate cardholder, Best Buy is made to eat the cost. If they refuse, then they give up the privilege of accepting credit card payments (i.e. retail death sentence).

This sounds like an opportunity for someone to start an insurance company. Transaction insurance, or something.
posted by Ryvar at 4:42 PM on March 9, 2011


unlike that Icky android store

::Control-F:: "android"
1 result.
posted by Threeway Handshake at 4:42 PM on March 9, 2011


Somebody didn't hack Apple's database. That of course would be holy-shit-stop-the-presses! Instead, one-off people are using traditional means of getting peoples' accounts. This has been happening since TCP/IP was invented.

Careful, this is a reasonable comment.
posted by Blazecock Pileon at 4:47 PM on March 9, 2011 [1 favorite]


Apple runs a totally secure platform and you never have to worry about spyware or malware with apple, unlike that Icky android store which obviously is loaded with malware because it's not apple and everything that's not apple is insecure.

Yeah, it's not like Google just yanked 21 malware apps off Android Market that had been downloaded by somewhere between 50,000 and 200,000 users or anything.

The walled garden isn't perfect, but every extra hurdle the slime have to leap over before they can fuck with you is a good thing in my book.
posted by Ryvar at 4:50 PM on March 9, 2011 [1 favorite]


Fundamentally, credit card security is shit because the responsible parties bear none of the costs of poor security. For example, the card processing network and banks actually get a little bonus for each discovered fraudulent transaction, because they charge the defrauded merchant on the order of $20 as a penalty. Normally VISA only makes 1-2% on legitimate transactions.
posted by ryanrs at 4:51 PM on March 9, 2011 [2 favorites]


I previously explained the problem of perverse incentives in credit card security. I wrote a ton of comments in that thread, culminating in a secure protocol for point-of-sale and online credit card payments.

Solving this problem is not too difficult, although you do need certain parties to give a shit. VISA could make it happen basically by fiat, but they're already two steps removed from any losses, so they don't much care.
posted by ryanrs at 4:58 PM on March 9, 2011 [1 favorite]


See, if I were to say, "my password is ************", I see my password but you just see asterisks.

Reminds me of http://www.bash.org/?244321
posted by episodic at 5:15 PM on March 9, 2011 [1 favorite]


Can we just hurry up and get to biometric identification? I'd rather swipe my finger (or fingers) instead of having to go through all this password crap.
posted by SirOmega at 5:19 PM on March 9, 2011


Can we just hurry up and get to biometric identification? I'd rather swipe my finger (or fingers) instead of having to go through all this password crap.

The finger swipe just gets turned into a slightly longer password and is vulnerable to all the same attacks.
posted by GuyZero at 5:21 PM on March 9, 2011 [2 favorites]


hold him down, I'll get his finger
posted by fleetmouse at 5:21 PM on March 9, 2011 [6 favorites]


Can we just hurry up and get to biometric identification?

I'm afraid of this because I'm not sure the retinal identification stuff will work for me. If I have to look into the little red light, I suspect I'll just end up blind.

But yeah, this pretty much seems like par for the course for a big merchant: password/credit card fraud and money laundering through purchases. It's flavor of the week because it's Apple but otherwise, it doesn't seem like there's much new here. And I know this happens to Amazon: someone hacked my mother's Amex and tried to buy about $5000 of stuff that they were clearly going to resell in two waves. Amex caught the first attempt and she caught the second. And she doesn't even buy from Amazon, or over the internet at all, really. She buys things from catalogs over the phone!
posted by immlass at 6:06 PM on March 9, 2011 [1 favorite]


Your refund doesn't come from Visa, or your bank, or even the bank that processed the fraudulent transaction. The money comes out of the account of the merchant that was defrauded.

Well that certainly makes me feel better. When my husband's iTunes account was hacked and his credit card number stolen, the thief used the stolen card to buy a Macbook Pro. From Apple.
posted by geeky at 6:19 PM on March 9, 2011 [1 favorite]


Can we just hurry up and get to biometric identification?

If your password is hacked, you come up with a new password. If your fingerprint is hacked...
posted by dirigibleman at 6:24 PM on March 9, 2011 [1 favorite]


It would be kind of difficult to use a different fingerprint on every site, too. I guess you could use your fingerprint + the site name + salt, then hash the whole thing on your end. Not too many sites let you use huge strings as a password, though.

Plus, it would still be a pain in the ass when you got one hacked. To keep your system consistent, you'd have to change your salt, then change every other password everywhere.
posted by ctmf at 7:31 PM on March 9, 2011
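One way to implement the per-site derivation ctmf sketches, as an added example (not code from anyone in the thread): it treats the "fingerprint" as an opaque master secret, mixes in the site name and a rotatable salt, caps the output at the site's length limit, and bumps a counter until the result satisfies the 8-character/mixed-case/digit/non-alpha rule mentioned earlier. The 64-symbol alphabet, the PBKDF2 round count and the demo values are constructed for this example.

```python
"""Per-site passwords from one master secret plus a site name and a rotatable salt."""
import hashlib
import secrets
import string

# 64 symbols so that byte % 64 maps uniformly (no modulo bias); "-" and "_" supply
# the non-alphanumeric character many sites insist on. Constructed choice.
ALPHABET = string.ascii_letters + string.digits + "-_"

PBKDF2_ROUNDS = 100_000  # constructed choice for the demo; raise for real use


def meets_common_rules(pw: str) -> bool:
    """The rule set the thread mentions: 8+ chars, mixed case, a digit, a non-alphanumeric."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def derive_site_password(master_secret: bytes, site: str, salt: bytes, length: int = 20) -> str:
    """Derive a deterministic password for `site` from a master secret and a salt.

    master_secret stands in for the comment's "fingerprint": one value that is never
    typed into any site. The site name makes every site's password different, so a
    leak at one site (the thread's Gawker scenario) does not unlock another. `length`
    is the site's cap on password length. A counter is mixed in and bumped until the
    output satisfies the common complexity rules, so the result stays deterministic.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    site_id = site.strip().lower().encode()  # normalise so "ITunes.Apple.com " matches
    for counter in range(256):
        info = salt + b"|" + site_id + b"|" + bytes([counter])
        key = hashlib.pbkdf2_hmac("sha256", master_secret, info, PBKDF2_ROUNDS, dklen=length)
        candidate = "".join(ALPHABET[b % 64] for b in key)
        if meets_common_rules(candidate):
            return candidate
    raise RuntimeError("could not satisfy complexity rules")  # practically unreachable


def new_salt() -> bytes:
    """A fresh salt; rotating it changes every derived password at once, as the comment notes."""
    return secrets.token_bytes(16)


def rotation_changes_everything(master_secret: bytes, sites, old_salt: bytes, fresh_salt: bytes) -> bool:
    """True if every listed site's password differs after the salt rotation."""
    return all(derive_site_password(master_secret, s, old_salt)
               != derive_site_password(master_secret, s, fresh_salt)
               for s in sites)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = b"demo-master-secret-stands-in-for-fingerprint"
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for s in ("itunes.apple.com", "gawker.com", "amazon.com"):
        print(s, derive_site_password(master, s, salt))
```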


Wait, is this the same thing that was happening last summer?
posted by homunculus at 8:23 PM on March 9, 2011


A pro-Apple comment: I used to have a lot of credit cards, and when I pared them down, I noticed that I had been paying 5 bucks a month for an iTunes subscription I must have signed up for when my child was 12. We never used it. They canceled it and sent me a check for 3 or 4 hundred dollars! I have never had a company act in anything approaching common sense and compassion before, and I was amazed. iTunes/Apple is gold, IMO.
posted by kozad at 8:42 PM on March 9, 2011 [2 favorites]


Anything is possible, but if I'm a betting man I'd guess that Apple will deal with this (though it will never go away completely) while continuing to make insane amounts of money into the far future.

Sure, and part of the reason why is as kozad notes above. Apple is often held to and meets higher standards than other tech purveyors, and I say that without a fiber of fanboy in my body outside of basic nostalgia for the clunky, nerdy Apple that once was.

Getting involved in micropayments or e-cash or whatever isn't the worst idea they've ever had, not with the bankroll they're now sitting on compared to what they had in, say, 1992.

But there seem to be some pretty screwy and unsavory rules involved with being an efficient and successful money-changer, and I'm wondering if that's compatible with Apple's ethos, even as shrewd about the bottom line as they are today. People are, as they say, nickel-and-dimed to death, stung with a thousand paper cuts. Look at PayPal. It used to be pretty awesome. Now it's an unexpectedly angry, rabid and blind drunk badger in your wallet. It almost makes Western Union or Ticketmaster look good.

Just like I'm pleased that my mom rarely calls me for tech support now that she's in Apple's walled gardens, I'd be pleased to see the same thing happen for Apple and some kind of e-money offering. But I won't hold my breath on the long run.
posted by loquacious at 9:29 PM on March 9, 2011


This really isn't even Apple's fault and I say that as a man who loathes Apple - it's the fault of the banks and VISA/Mastercard for refusing to implement two-factor authentication. Yeah, there would still be man-in-the-middle attacks, but at least some asshole couldn't just get into your account and hit the "Purchase" button.
posted by cmonkey at 10:39 PM on March 9, 2011


I recently changed my password to "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento" as I was told it had to be at least 8 characters long and include at least one capital.
posted by DreamerFi at 2:19 AM on March 10, 2011 [4 favorites]


oh hello

I generate and store all my passwords in KeePassX

I guess I'm better than you, or something.
posted by LogicalDash at 4:41 AM on March 10, 2011


This actually happened to me this past November, a few weeks before the Gawker debacle. Before going to bed one night, I checked my email and found a receipt from iTunes for Katy Perry's "Firework," which I didn't remember buying. Logged into iTunes to check my purchase history, and following the Katy Perry was a free download of a Mafia Wars-style game called Original Gangstaz. Followed by in-app purchases from said game for life points, at $49.99 a pop. Hundreds of them.

I had linked iTunes to my PayPal account, which then auto-debited my credit union checking. For a day or two, my checking account was completely empty because of this. My wife and I stayed up late that night changing passwords on every account we use, wondering if the money was lost for good.

I count myself incredibly fortunate to have an awesome credit union who got the money back almost immediately. Even PayPal was surprisingly helpful. It's been a PITA to get my PayPal account reinstated, but given the rest of the experience (and some of the PayPal horror stories I've heard), I can hardly complain about that.

Yes, this was largely caused by my own stupidity (I had an uncommon, but still dictionary-based password on my Apple ID). Chalk it up to a pretty harrowing lesson learned.

In summary: Credit unions rock. Install LastPass.
posted by anthom at 5:34 AM on March 10, 2011


Well, that certainly makes me feel better. When my husband's iTunes account was hacked and his credit card number stolen, the thief used the stolen card to buy a MacBook Pro. From Apple.

I would really like to hear you explain how the hacker managed to get the credit card number from your husband's iTunes account, since it is obfuscated in the account maintenance page and not sitting there in plain-text.
posted by entropicamericana at 7:49 AM on March 10, 2011


I can vouch that you can use Apple ID information to purchase things from the Apple Store as well. My credit card was auto-populated since I use it with my iTunes account.

You need the CC verification code, though. In that case, I have no idea how thieves would complete that particular transaction.
posted by mikeh at 9:24 AM on March 10, 2011


I'm gonna throw this one out there for the Apple fans/Microsoft haters: XBLA scam costs Microsoft $1.2m. Whoops. Though at least this only hurt Microsoft, not end users.

As usual, it's not about fans/haters, except to a few individuals who bizarrely love/hate and identify with computing hardware/software, but the XBLA scam costs have been disputed and it doesn't look like $1.2 million at all.

As for credit card scams and security, it's a constant battle. Consumer awareness can be lacking, but every consumer needs to participate in security. It's dead simple usually, but there is a bit of a "the consumer is not at all responsible for educating themselves or learning a little bit about how things work; the interfaces and protection of the vendor should do it all automagically" mindset. Of course the vendor has a large responsibility too, but I find it odd that, say, people go on about Windows being insecure when it is dead easy to avoid malware and viruses, or it's dead easy to insist on particular password lengths (they could even randomize the length between 8 to 12 characters, for example, for each particular session).

I realize people forget their passwords constantly. We have an email template that sends out the same message to all of our clients who frequently ask for their username and password for the CMS. We constantly remind them that we can't see their passwords, and that, you know, click the fucking "Forgot Password" link on the login page. If you think that's too much to fucking ask, then too bad. Seriously, you can't even do that? Yes, you have to create a new password, but that's just the way it has to be, since you don't remember your old one and we're not in the business of storing your passwords for you (and we could if you want to pay us for the security to do so). When told repeatedly, you still ask for the username and password every single time. Can't you bother to learn why things are like this for the net? You could learn it for your home, for your car, your wallet. Why not this? Those particular individuals with that particular mindset are not helping themselves.

That said, there is also a blame-the-consumer/blame-the-vendor culture, and to an extent yes, as mentioned, each party should take some responsibility for security, just as many people take the time to lock the door to their dwelling when they leave rather than just walking out and not bothering. But it's still the people doing the fraud who are the chief problem. There's always someone out there trying to take what you have the easy way or the easier way. If you take the easy way as well, it will make it easier for them.
posted by juiceCake at 6:43 AM on March 12, 2011

