Apple criticized for minimizing iTunes hijacking

August 25th, 2010

Apple is coming under fire for sticking with a consumer online transactions system that is easily hijacked.

At issue is iTunes, the payment hub for Apple’s online sales of music, video and apps for iPods, iPhones and iPads. Turns out that hijacking an iTunes account is very straightforward. For at least the past year, iTunes hijackers have been buying stolen usernames and passwords from phishers and data thieves.

They then log on, test a few $1 purchases, and, if they clear, move on to larger transactions. They most often purchase iTunes gift card codes, usually in $50 to $200 amounts, says Kurt Baumgartner, Senior Security Researcher, Kaspersky Lab.

They then sell the iTunes gift card codes — which can be used like cash to buy music and videos directly from Apple — at a steep discount. Discounted iTunes gift cards are openly sold online.

Updated gift card scam

These iTunes gift card scams mirror the analogue gift-card scam made infamous by Miamians Albert Gonzalez and Irving Escobar, bit players in the TJX/Wal-Mart capers. Gonzalez, you may recall, was a key operative in the ring that hacked retail giant TJX and stole 94 million credit card transaction records. (Initially reported as only 45.7 million.)

The stolen credit card numbers were transferred to the magnetic strips on the backs of batches of counterfeit Visa cards. The faked credit cards were then distributed to street toughs, like Escobar, who used them to buy $400 Wal-Mart gift cards, en masse.

iTunes hijackers can bypass several of those steps, thanks to the way Apple has integrated gift cards into iTunes. They simply log on, buy gift-card “codes” using the default payment mechanism, then put the freshly purchased gift-card codes up for sale online.

They’ve also begun experimenting with using hijacked accounts to purchase large quantities of $5 apps sold by co-conspirators who set up and run “app farms.” Keep in mind these app farms sell iPhone and iPad applications approved for sale by Apple, which tightly controls such things, and profits from all sales.

Jobs’ boast spells opportunity

“The marketplace for these scams is fairly well developed – it seems that there are multiple levels of specialists at work within each scam,” says Baumgartner. “For example, most of the discounted gift cards seem to be sold by individuals that are buying them from suppliers, the same goes for the app farm scams.”

Illicit iTunes transactions accelerated this summer after Apple CEO Steve Jobs boasted at a June developers’ conference that iTunes supports 150 million users.

“Of that number we can assume a majority have a credit card or PayPal account set up with it,” says Baumgartner. “Yes, the underground find these numbers impressive and an opportunity.”

Some iTunes users are becoming fed up. Jeremy Schwartz, a 24-year-old tech contractor from Maumee, Ohio, recently had to scramble to get his bank to reimburse $87.

Easy pickings

An intruder logged into Schwartz’s iTunes account and used his debit card account number, stored by Apple, to buy an iTunes gift card and other items. Schwartz promptly shut down the account. He also launched this Facebook discussion page where a couple of hundred other angry iTunes hijack victims have been venting their ire.

One recent Facebook wall poster reports that a hijacker got into his iTunes account last Friday and made 27 purchases of the same product at $160.86 each, totaling $4,343.22. “May I suggest that Apple take some responsibility and be proactive in helping the customer with unauthorized purchases,” writes the poster. “Better yet would be some sort of fraud monitoring that flags suspicious activity such as this.”

Schwartz is miffed, as well. “I refuse to buy from a company that can’t even admit there’s a problem when the problem is pretty big and it’s been going on for quite some time, from what I can gather,” Schwartz told LastWatchdog. “If I were to buy any of their products, and that’s a big if now, I’ll probably be getting it from a local Best Buy or some other store. I certainly wouldn’t put my debit card info on their site again.”

Tried-and-true scams

iTunes hijackers are doing nothing more than adapting variants of scams that work well broadly across the Internet, and fine-tuning them to exploit weaknesses in the iTunes set-up. Obtaining logons is a cinch. Ready sources include e-mail phishers expert at tricking you into typing your credentials at spoofed web sites, and malware specialists who spread computer infections via tainted web links.

Bad URLs have come to infest the Internet. Click on one and you risk losing control of your PC to a botnet command-and-control operator. The attacker will routinely install a keystroke logger that captures your usernames and passwords as you type them.

iTunes accounts evidently are set up so that once a hijacker logs in, it’s a simple matter to make purchases with whatever credit or debit card, checking account, or PayPal account happens to be set up as the default payment mechanism.

“When you have a consolidation of personally identifiable information and financial information it is very attractive to cybercriminals,” says Randy Abrams, education director for antivirus firm ESET. “The most secure option is to do things the old-fashioned way and provide billing details for each purchase, and demand that companies not keep your billing information online.”

Deflecting responsibility

Schwartz is lucky; he got his $87 back from Huntington Bank. Many others haven’t been as fortunate.

LaToya Irby, a credit management expert at About.com, says a common complaint among iTunes hijack victims is that financial institutions and Apple often both deny responsibility, leaving the consumer to eat the loss.

Lately, banks and PayPal have been more receptive to reimbursing victims, says Irby. For its part, Apple has consistently declined to reimburse anybody. The lion’s share of the more than 100 commenters to Irby’s July 2 post on this topic complained about Apple’s refusal to assist hijack victims.

“I think Apple should really be more willing to work with their users to refund those charges,” says Irby.

Apple earlier this week issued a statement to allthingsd.com suggesting that consumers rightly bear the burden for protecting their financial data:

iTunes is always working to prevent fraud and enhance password security for all of our users. But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and/or issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately.

Consumers obviously should keep antivirus protection and all software updates current, change passwords often, avoid disclosing personal information and surf the web judiciously. See LastWatchdog’s recent story about new tools designed to help consumers do this.

“Ultimately, it is up to the users to safeguard themselves,” says Sean-Paul Correll, threat researcher at Panda Labs. Apple, he says, could stand to advance to better fraud detection technology, more like what banks use.

“Apple could alleviate the situation by implementing fraudulent activity checking mechanisms, similar to what most banks use to detect unauthorized activity,” opines Correll.
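As an added illustration of the kind of activity checking Correll and the Facebook poster are asking for (not code from Apple, Kaspersky or Panda Labs), the following Python flags the two patterns this article describes: a $1 test charge followed by gift-card code purchases in the $50 to $200 range, and a burst of identical purchases like the 27 × $160.86 case. The transaction log, the item labels and every threshold are constructed assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed log for one account: "timestamp item amount". The first three
# lines mimic a $1 test charge followed by gift-card code buys; the rest mimic
# 27 identical purchases of one item at $160.86 within half an hour.
SAMPLE_LOG = [
    "2010-08-20T09:00:00 song 1.00",
    "2010-08-20T09:04:00 gift_card_code 50.00",
    "2010-08-20T09:06:00 gift_card_code 200.00",
] + [f"2010-08-20T14:{m:02d}:00 app_xyz 160.86" for m in range(27)]

# Assumed thresholds (taken from the article's description, not from any vendor).
TEST_CHARGE_MAX = 1.00              # "test a few $1 purchases"
GIFT_CARD_RANGE = (50.00, 200.00)   # "usually in $50 to $200 amounts"
ESCALATION_WINDOW = timedelta(hours=1)
REPEAT_MIN_COUNT = 10
REPEAT_WINDOW = timedelta(hours=24)

def parse_log(lines):
    """Turn 'ISO-timestamp item amount' lines into sorted (time, item, amount) tuples."""
    rows = []
    for line in lines:
        ts, item, amount = line.split()
        rows.append((datetime.fromisoformat(ts), item, float(amount)))
    return sorted(rows)

def flag_test_then_gift_cards(txns):
    """Flag a small test charge followed, within the window, by gift-card code buys."""
    alerts = []
    for i, (t0, _item, amount) in enumerate(txns):
        if amount > TEST_CHARGE_MAX:
            continue
        gifts = [a for t, it, a in txns[i + 1:]
                 if t - t0 <= ESCALATION_WINDOW and it == "gift_card_code"
                 and GIFT_CARD_RANGE[0] <= a <= GIFT_CARD_RANGE[1]]
        if gifts:
            alerts.append(f"test charge ${amount:.2f} at {t0} followed by "
                          f"{len(gifts)} gift-card code buys totaling ${sum(gifts):.2f}")
    return alerts

def flag_repeated_purchases(txns):
    """Flag many purchases of the same item at the same price inside the window."""
    alerts = []
    for (item, amount), count in Counter((it, a) for _, it, a in txns).items():
        times = [t for t, it, a in txns if (it, a) == (item, amount)]
        if count >= REPEAT_MIN_COUNT and times[-1] - times[0] <= REPEAT_WINDOW:
            alerts.append(f"{count} purchases of {item} at ${amount:.2f} "
                          f"totaling ${count * amount:.2f}")
    return alerts

def review_account(lines):
    """Run both checks over one account's log and return the alert strings."""
    txns = parse_log(lines)
    return flag_test_then_gift_cards(txns) + flag_repeated_purchases(txns)
```

Running `review_account(SAMPLE_LOG)` yields one alert for the test-charge escalation and one for the 27 identical purchases; a lone $0.99 song purchase yields none.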

Kaspersky’s Baumgartner says he understands — but doesn’t necessarily agree with — Apple’s lack of transparency and lack of compassion for iTunes customers on this issue:

Apple’s denial of the existence of malware for their platform didn’t do their customers any favors, so there seems to be a history of this hardball approach. It also seems to be a result of their customer support business model and the outsourcing that they do. It also is similar to the way the banks originally dealt with effective phishing and MiTM attacks and other fraud. Pushing all of the burden for the various scams fully onto their customers while blocking any transparency into the issues may be common operating procedure for Apple, and is unfortunate for everyone involved. For the victims, the complete uncertainty of what happened to them, how or why, can be very stressful to deal with.

By Byron Acohido