Hacked Apple iTunes accounts sell in China for pennies on the dollar
China's Global Times this week revealed that about 50,000 illegal accounts are being sold through taobao.com, with prices ranging from just 1 yuan to about 200 yuan, or $30. Many of the sales are said to be stolen iTunes user accounts being re-sold by hackers.
"Potential buyers are promised access to music and movies through iTunes amounting to seven times more than the amount paid," the report said. "The only restriction is that all downloads should be made within 24 hours of the transaction being completed at Taobao."
A reporter for the publication tested the sales by paying $5 to a seller on Taobao. In return, they were provided an iTunes username and password which allowed access to an account complete with credit card details and a U.S. billing address.
Last July, it was revealed that iTunes account holders were being targeted in a number of fraud cases, in which some iOS developers used stolen accounts to boost their sales rankings of iPhone software. Apple quickly made a public response to the matter, suggesting that customers review their iTunes account for unauthorized transactions.
"Developers do not receive any iTunes confidential customer data when an app is downloaded," the company said in a statement. "If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."
In August, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes and store credit card information for purchases. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.
31 Comments
deleted
8 characters with mixed capitalization is worthless. They should require 10 characters with 4 character types: numbers, symbols, lower & uppercase letters.
Also wouldn't hurt for device activation to also require inputting characters from a garbled image to ensure you're a real person & not an automated account hacking program.
...Which is all really great when entering data from an iOS device far too frequently. There has to be a balance between security and usability. Sadly, my iTunes password is my least secure of any accounts due to the limitations of having a memorable, secure password.
I recently was trying to make a charitable donation, and the captcha kept me from being able to do it. After four tries, I decided another charity might be more worthwhile...
The gift card approach is a bit tin-foil-hat, and just limits your risk. It doesn't fix the fact that the system requires you to take on undue risk in the first place.
First, be careful of your security in what links you click on & have (Windows) anti-virus & other software security. Also, simply select "no credit card" in your iTunes account, & just buy iTunes cards to redeem when you want to make purchases. I never keep a balance of over $10-20 in my account at any one time. That way, if my account is compromised, the crooks don't make any significant money. If you otherwise suffer a $1000 loss, you may eventually be able to successfully argue with your credit card company & have the charges reversed, but then the card company has to eat the loss. Either way, by selecting the credit card option in your iTunes account, YOU ALONE CHOOSE to provide the opportunity for these thieving ****s to profit & not have to otherwise honestly work for their money. They can only hack your account by tricking YOU into clicking on a bad link or compromising YOUR computer. Don't feed them.
To my other note, a lot of people don't understand what makes a strong password & there are some pretty weak ones out there. Never use common words, try to use 10 characters or more, mix 4 types of characters. Just a couple of examples (please don't use these).
Applerocks (Not strong, only a matter of time before you are hacked)
Apples01 (Ok but not strong)
Apples0001 (Much better, but a good programmer could create a cracker that guesses common words)
@pples0001 (Even better, no common word)
@ppleS0001 (Very strong, uses upper & lowercase, symbol, & numbers)
Always have a separate password for things like e-mail & web forums than what you use for financial stuff. If you have MobileMe I strongly recommend creating an outside e-mail account like Gmail that you give to signup pages or friends whose accounts you know get hacked frequently. You should also create e-mail aliases in MobileMe that you can send from, so if an alias gets compromised you can just delete it & create a different one. You can't protect against everything 100%, but these steps can go a long way. Then of course I second everything kellya74u is saying, especially about clicking links in e-mail. Make sure you check automated-looking e-mails; check that the name tagged to the sender actually matches the e-mail. Recently got an e-mail from a friend (had their name on it) but the sender address was [email protected]. It had a link with instructions to sign into a site; it was a spam company that would then steal your Gmail credentials by tricking you into typing them in & then get all your contacts from your account. Don't get click happy!!! Use your brain & practice some skepticism! Never think of the web as a safe place, it's actually extremely hostile (even inside services like Facebook).
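The two password rules discussed on this page, the 8-character mixed-case requirement the article attributes to Apple and the commenter's stricter 10-character, four-type, no-common-word rule, can be compared directly by running the commenter's own sample passwords through both. The checker below is an added example written for this page; it is not Apple's code and not the commenter's. The policy names, the `Policy` class and the tiny `COMMON_WORDS` list are assumptions constructed for the demo (a real checker would use a large dictionary or breached-password list).

```python
import string
from dataclasses import dataclass

# Constructed wordlist for this demo. A real checker would load a large
# dictionary or breached-password list instead of this handful of words.
COMMON_WORDS = {"apple", "apples", "rocks", "password", "itunes", "letmein"}


@dataclass(frozen=True)
class Policy:
    """A minimal password policy: length, number of character types, extras."""
    name: str
    min_length: int
    min_classes: int            # out of: lowercase, uppercase, digit, symbol
    require_mixed_case: bool = False
    reject_common_words: bool = False


# The rule the article attributes to Apple (8 characters, mixed capitalization).
ARTICLE_POLICY = Policy("8 chars, mixed case", 8, 1, require_mixed_case=True)
# The stricter rule the commenter proposes (10 characters, 4 types, no common word).
COMMENTER_POLICY = Policy("10 chars, 4 types, no common word", 10, 4,
                          reject_common_words=True)


def character_classes(pw: str) -> int:
    """Count how many of the four character types the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def contains_common_word(pw: str) -> bool:
    """True if any wordlist entry appears inside the password, case-insensitively."""
    lowered = pw.lower()
    return any(word in lowered for word in COMMON_WORDS)


def assess_password(pw: str, policy: Policy) -> list[str]:
    """Return the policy rules the password violates (an empty list means it passes)."""
    issues = []
    if len(pw) < policy.min_length:
        issues.append(f"shorter than {policy.min_length} characters")
    if character_classes(pw) < policy.min_classes:
        issues.append(f"fewer than {policy.min_classes} character types")
    if policy.require_mixed_case and not (
        any(c.islower() for c in pw) and any(c.isupper() for c in pw)
    ):
        issues.append("missing mixed upper/lower case")
    if policy.reject_common_words and contains_common_word(pw):
        issues.append("contains a common word")
    return issues


if __name__ == "__main__":
    # The commenter's own examples, in the order given in the comment.
    for candidate in ["Applerocks", "Apples01", "Apples0001", "@pples0001", "@ppleS0001"]:
        for policy in (ARTICLE_POLICY, COMMENTER_POLICY):
            verdict = assess_password(candidate, policy)
            status = "OK" if not verdict else ", ".join(verdict)
            print(f"{candidate:12} [{policy.name}] -> {status}")
```

Running it shows the commenter's point concretely: "Applerocks" and "Apples01" both satisfy the 8-character mixed-case rule yet fail the stricter policy on character types and dictionary words, while only "@ppleS0001" passes both. The substring test for common words is deliberately case-insensitive so that "Apples0001" is still caught; note that current guidance (NIST SP 800-63B) favours length plus a breached-password list over mandatory character-class mixes, so the wordlist check is the part of this policy most worth keeping.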