Put simply, Apple’s impassiveness is becoming a distressing trend.
In a press release which Apple just issued, the company addressed the suspicious app purchase patterns news that we broke on Sunday by saying “The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.”
This is at least a good start. However, in what has become an alarmingly short-sighted pattern, Apple has refused to acknowledge the elephant in the room: widespread abuse of App Store billing.
The remainder of Apple’s statement, which suggests that users cancel credit cards used for fraudulent purchases and change passwords for security (both appropriate ideas), fails to address this issue. Apple did do the right thing by removing Thuat Nguyen’s app farm, but they should (and need to) go one step farther.
As we showed, Nguyen’s operation was just the tip of the iceberg in the app farm game. We received many tips from our readers alleging that similarly dubious outfits like CHARISMAIST, Storm 8 and other similar companies continue to scam their users out of hundreds of dollars.
Whether this is a fundamental problem with the architecture of the App Store, a problem of misunderstandings among users (which seems less and less likely with every report of fraud we’ve received), a security issue or anything else, it’s time for Apple to properly address the problem.
While Apple neatly glossed over the scariest parts of the Thuat Nguyen story in their press release, it’s incredibly important for consumers to remain informed about the facts of the issue. Accounts were compromised. Users were charged fraudulently, and enough users were scammed (just read the comments) that these rogue developers overran the App Store’s leaderboards in more than one category.
While Apple steadfastly claims that “Developers do not receive any iTunes confidential customer data when an app is downloaded,” clearly these rogue developers were able to access users’ credit cards in some way. If not, how could people be charged for hundreds of dollars of app purchases?
The truth is that Apple simply may not completely understand how their system was compromised. This would be a scary development, without a doubt. While there are likely hundreds of software engineers in Cupertino frantically cranking away at a solution, the bullheaded denials of any widespread issue have an odd air of Baghdad Bob to them.
In short, it’s time for Apple to own up to their mistakes. Despite building a reputation as the company whose products just work, they’ve seen multiple PR nightmares blow up in their face over the last few weeks.
While they may believe that keeping mum will help them dodge any permanent blows to their reputation, a simple mea culpa that addresses the issue in a straightforward manner and doesn’t beat around the bush would go a long way towards mending these problems.
It also wouldn’t hurt to take down other offenders’ apps, either.
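The “fraudulent purchase patterns” Apple cites above, and the burst of identical charges readers describe in the comments, are the kind of thing a store-side velocity check can surface. The following is an added illustration, not code from TheNextWeb or from Apple: it runs two checks over a constructed purchase ledger (the account ids, developer names and amounts are all made up), flagging account/developer pairs with a burst of charges inside a short window, and then measuring how much of each developer’s revenue came from flagged pairs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real iTunes data). Each row is
# (timestamp, account_id, developer, amount_usd). "acct-7" shows the burst
# pattern described on the page: many identical charges to one developer
# within minutes. "acct-9" buys the same item just as often, but spread
# over a day, which a velocity check should leave alone.
SAMPLE_PURCHASES = [
    ("2010-07-01T02:00:00", "acct-1", "dev-music", 0.99),
    ("2010-07-01T02:05:00", "acct-2", "dev-puzzle", 1.99),
    ("2010-07-01T03:10:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T03:11:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T03:12:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T03:13:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T03:14:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T03:15:00", "acct-7", "dev-farm", 179.99),
    ("2010-07-01T01:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T05:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T09:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T13:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T17:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T21:00:00", "acct-9", "dev-farm", 179.99),
    ("2010-07-01T22:30:00", "acct-1", "dev-music", 0.99),
]


def parse(rows):
    """Turn ISO-8601 timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), acct, dev, amt) for ts, acct, dev, amt in rows]


def burst_accounts(rows, window=timedelta(minutes=30), min_count=5):
    """Return {(account, developer): n} for pairs where n >= min_count charges
    to the same developer fall inside one sliding window of length `window`."""
    times_by_pair = defaultdict(list)
    for ts, acct, dev, _amt in parse(rows):
        times_by_pair[(acct, dev)].append(ts)

    flagged = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, densest = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= min_count:
            flagged[pair] = densest
    return flagged


def developer_concentration(rows, flagged):
    """Share of each developer's revenue that came from flagged pairs,
    rounded to three decimals. A high share on a top-grossing developer is
    the leaderboard-gaming signal the article describes."""
    total = defaultdict(float)
    suspect = defaultdict(float)
    for _ts, acct, dev, amt in parse(rows):
        total[dev] += amt
        if (acct, dev) in flagged:
            suspect[dev] += amt
    return {dev: round(suspect[dev] / total[dev], 3) for dev in total}


if __name__ == "__main__":
    hits = burst_accounts(SAMPLE_PURCHASES)
    print("burst pairs:", hits)
    print("suspect revenue share:", developer_concentration(SAMPLE_PURCHASES, hits))
```

The two thresholds (five charges within thirty minutes) are illustrative; a real store would tune them against its own baseline, and would treat the concentration figure as a review trigger rather than proof, since a legitimate hit title can also have bursty buyers.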
Oh wow, that’s really annoying. What is up with Apple lately?
Lou
http://www.total-anonymity.es.tc
Is it crazy to want apple to just address a problem without the run-around every now and then?
————
but they should (and need to) go one step farther.
—————–
what exactly is this next step? prevent people from buying apps?
because that is all that is going on here…
some Developer bought stolen iTunes passwords on the black market, and bought his own apps… should Apple ask each purchaser if they stole their accounts before buying?
Do you want Apple to really put a stop to this, by telling people to get a Mac, so the Dumb a** PC folks stop getting their PCs hacked and passwords stolen?
this happens every day, it’s just that this developer was stupid to think buying his own app wasn’t going to get noticed when he did it to the tune of $600 or so for each stolen account.
this isn’t a problem with the App Store, it is a problem with dumb a** PC users who get their PC hacked every other day…
Even funnier, EVERY SINGLE ONE OF THEM blames someone else… it is always something like this (these are direct quotes, got to smile every time), and these are the type of quotes for THREE YEARS AND MORE. Yet not once was it Apple, or the App Store…
1. “sounds like Apple leaked passwords” naw.. couldn’t be the user..
2. “i’m ready to shoot someone at iTunes”, hey why not keep your PC secure as having a gun.
3. “someone hacked iTunes, i got charged hundreds”… oh couldn’t be your PC, must be someone else… right….
typical response, never their own fault.
Because we both know that it’s impossible to write anything malicious for OS X [rolls eyes]. Check over at macrumors. The people there have been having their account information obtained and they are using Macs. This kind of voids your anti-PC rant.
The issue isn’t platform dependent.
Thank you. That’s exactly it. It’s not platform-related.
While it could very well just be scammers using illicitly purchased app store account info (which would still be a big concern for Apple), we don’t know. The primary reason we are concerned is that Apple won’t tell us (or anyone, for that matter) what is actually going on. This is not some piddly little issue. It’s a big, big problem.
We, Storm8, have replied to the previous article from TheNextWeb. We do not hack into anyone’s account and we do not use anyone’s account to make purchases. If you have more questions, please email support@storm8.com.
Next steps :
- separate payment from the main account :
If I purchase with a credit card, I’m redirected to a website where I have to give an additional code, that I have to generate on a little device I received from my bank. Or they could use PayPal. PayPal accounts can be susceptible to phishing too, but then that’s not Apple’s problem any more.
- work on security. You forgot that iPhones could be hacked by SMS and that last year Symantec discovered a botnet of Apple computers. It’s not because you never detect anything on an Apple, that there isn’t anything on an Apple. Actually, Apple-nutcakes trusting in Apple’s built-in safety are no smarter than PC-fools doing the same.
Dixit Apple : http://news.cnet.com/8301-1009_3-10110852-83.html
@honkj What a nob! lol… So you believe, because Microsoft Windows users outnumber Mac users 100 to less than 1, that you’re all safe. You somehow believe for some stupid reason that Windows users are either A. less intelligent or B. less aware of the vulnerabilities of being on the Internet, when Mac users rest all snug as a bug in a rug, in a far less distributed OS (some say less secure now)! That’s Just Ludicrous!!!
I’m betting that the majority of those accounts hit, are Mac users, who simply aren’t as well educated or experienced with spams, spoofs, hacks, etc, because their Mac OS is seen falsely as NOT vulnerable! …..you people need to wake up and come out of your cave. Quit making excuses and educate your users instead of just pulling their blinders down further to hide them from the truth!
All Operating Systems are indeed hackable and lately the gun sight has moved from being over Microsoft’s head to Apple skull as bullseye target!
I’ll put money on this simple fact…… Windows users (by their own experience) are better educated about the web than Mac users and there is absolutely no difference in average intelligence levels whatsoever between the two groups. That people like you are the primary reason people around the World view Mac users as Pompous Arrogant B__t_rds. That are on course to fall like the Roman Empire in their ignorance of the Real World around them!
I have a Mac and yet was a victim of the fraud and I haven’t even purchased an App in the recent past nor have I logged into my iTunes account – so how did my account get hacked? I am sure it was a fault in the system at Apple.
If you’ve never logged into your iTunes account, you wouldn’t have a credit card on file with iTunes.
honkj sounds like a troll from Apple…
Ever heard of a key logger? There are so many ways to “hack” accounts, but more often than not it’s a matter of someone logging in using a computer with malware installed. What is apple supposed to do about the poor security practices of the world at large? To blame them for this just doesn’t make any sense.
Also, I’m getting tired of how sensational TNW is getting. I’m beginning to consider removing it from my RSS feed and list of sites I check daily, I would have thought TNW to be above all that.
I doubt this developer wanted his apps in the top 50, this was probably just a side effect of him just trying to line his pockets as fast as he can by buying his own apps with large purchases… trying to make money right then, not trying to make money from other purchasers…
although i could be wrong, and this guy was just a complete idiot, which isn’t too much of a stretch.
Double edged sword. You do huge spam purchases by getting access through a couple people’s iTunes accounts and your apps spam the top of the charts. Thusly, you trick people into buying it by making it look tempting by being ranked so high.
I think he could have gotten just as much money through legitimate purchases as he did fraudulent.
My friend is a cofounder of Storm 8. I can’t speak for others, obviously, but I can account for the fact that Storm 8 is a legitimate business. My occupation is also tangible and related to social games in Silicon Valley, so I can also account for the fact that their pricing model is fairly rational and non-scammy for the virtual currency they’re trying to sell.
The “reasoning” put forth by TheNextWeb that they’re an app farm shows a profound lack of understanding of how virtual currency/social game business models work, as well as gross ignorance of the simple rule “correlation does not imply causation”.
TheNextWeb is basically making the following claims:
1) Storm 8 looks to produce apps with scammy pricing models (by TheNextWeb’s standards)
2) There are iTunes accounts hijacked to purchase Storm 8 applications
3) OMG! Storm 8 are hijacking iTunes accounts to purchase their own applications to goose their ratings!
By TheNextWeb’s brilliant logic, the following is also true:
1) Today is Tuesday
2) It did not rain today.
3) OMG! Tuesdays cause the sky to not rain!
I only have time to clear up Storm 8′s name. Don’t even get me started on:
1) How bad at math TheNextWeb is (30 accounts hacked over 100 million active accounts is not really a big deal)
2) How sensationalistic and click-bait these articles have been, and how obtuse and stubborn TheNextWeb has been in correcting themselves for their way-below-average research methods and reasoning skills.
Having someone’s apps spam the top of the lists like that is definitely a red flag, and if people report in that someone made large purchases on their account to these apps then it would definitely mean something’s up.
Oh, and Apple responds to the fraud:
http://www.macrumors.com/2010/07/06/apple-responds-regarding-app-store-sales-ranking-fraud/
As I said in the other thread, Storm8 was a good candidate for scapegoat given the problematic reports on them last year. So the real perpetrators could have chosen it purposefully. Also, the Thuat Nguyen case, with such a generic name for a developer (“Artist Smith”, say), smells of script kiddies. The real perpetrators are spreading fog, in the hope of escaping.
It could be of some help to Apple if people report the OS where their iTunes was hacked, and some conjecture for the date when the hack happened. If it is multiplatform, it is definitely not a trojan. If dates are near, an attack on the servers is more likely than phishing. And there are reports denying the phishing; still, look in your trash folder and report. Be helpful.
KevinKWS (or as you’re calling yourself here, Bob), I will agree that correlation does not imply causation. However, it makes little to no sense for hackers to buy non-transferable game currency with compromised accounts.
Storm8 has an incredibly dubious legal record, with a pending class-action suit on the books against them for illicitly collecting and sending sensitive user data back to company servers. This included phone numbers, users’ names, carrier information and other information.
While the facts, as they stand, don’t necessarily prove causation, they certainly suggest it.
@jacob
What? It makes perfect sense that stolen iTunes accounts are traded around like commodities. There are plenty of jailbroken devices out there that can take advantage of this.
As an IT professional, you don’t seem to understand why the case against Storm 8 is more innocent than it sounds. When you write a social game or some kind of application, sometimes you want to look for ways to uniquely identify users, for whatever reason (prevent fraud, having cleaner account data, etc). The reason Storm 8 is in trouble is because they use the telephone number as a way of uniquely identifying users. Unfortunately they pass it in clear text and that violates privacy concerns. I really appreciate how you frame the lawsuit as if they’re harvesting data for some malicious purposes though.
And yes KevinKWS is my backup-backup email account that has no ties with my real identity (neither does Bob), and I usually use it when questionable websites such as yours require an email address. You see, you never know if a shady admin losing an argument is going to take that email address you submit and expose that publicly in a last-ditch attempt to discredit you. You mean his email address is PlanetFalcon@hotmail.com and he gave his name as John? Oh my god, I guess the rest of his comment makes no sense!
So what else does the TheNextWeb admin CMS allow you to see? My IP address? I live in Mountain View. My browser’s user agent? I use Chrome for Mac. Please violate my privacy even more, Jacob. You know what? Maybe you have an app farm too!
Storm 8 is legit? Laughable. My account was hacked today, 8/13/10, with 32 charges to Storm8’s World War App for $180 each. My bank account was literally drained to $0. Who, other than Storm 8, does this benefit (since the points are linked to my account, not like they can be sold and money made)? I’m sick that Apple continues to let this go on- and from the same developers no less!
I’m from Vietnam. This is the only comment I’ll give:
There are stores (brick and mortar, mind you) here that sell iTunes accounts. You pay about $5 – $10, you get an iTunes account and password with several hundred dollars, you then proceed to download whatever you like.
I have never tried this “service” before.
That’s a little concerning. Looks like we may have pinpointed where some of the compromised accounts came from.
Now we need to find out where they get the information. Can’t all be from phishing, if you read the reports.
And brute-forcing is terribly easy to prevent. If that’s a possibility on iTunes, that’s another blame for Apple.
Well, they were so honest to admit there are security leaks in iTunes in the past (see the security updates on the Apple webpages). Wonder when their next patch will be issued…
My iTunes account was hacked into and my credit card was charged over $1200.
I own a shuffle, which I hardly ever use, and nothing more from Apple. I keep my iTunes software on a computer that I rarely use.
The last time that I logged into iTunes was May 2010.
On July 1st and 2nd, 2010 someone logged in and charged $1200 to my iTunes account. My credit card company noticed the charges and contacted me right away. Apple, on the other hand, has been less than helpful in dealing with this and I won’t be using iTunes again.
@jacob,
I find this article highly irresponsible and possibly libelous. I realize that in this new world of tech blogging the latest and greatest scoops you feel that you are somehow exempt from following the basic rules of journalistic decorum, but that doesn’t mean you get to harm people’s business.
Storm8 is not accused of “app farming”, nor are they accused of “hacking”. In fact, you seem to conflate “hacking” with illegal access. But you are perfectly willing to associate them with the current faux outrage you’ve stirred up. Your article reads more like a NY Post Lady Gaga review than a real tech article, all full of piss and vinegar. But then again, “bloggers” are redefining journalism every day to just eliminate those pesky things like source verification, fact checking or just making a frigging phone call.
The most likely scenario is that accounts are being purchased on the black market, said purchasers are logging in, changing the email to prevent the account holder from being alerted, and then downloading all the apps they want. With a jailbroken device the DRM is easily bypassed.
I won’t debate the merits of PC vs Mac, or how the accounts are being bought and sold, but as a developer myself (including iPhone development) I can say this is not related to apps purchased by the victims, but to their account being accessed illegally. If there is “hacking” involved, it would involve an incredibly clever discovery of an obscure hole in the entire app store ecosystem. Not that this is impossible, but if this was the case, would you really expect Apple to release the details of the exploit?
I may be pissing in the wind when I say this, but, you might want to read up on some Journalism 101 and then head over to the legal department, because Storm8 may just have a legal case against you. But then again, this web site reads more like a British Tabloid or Fox Nation than a legitimate news source.
Don’t bother responding. I followed a link here and now that I know what kind of shit bucket this web site is, I’ll be hanging with the adults who have stuff to do instead of pretending to be a real live news man!
“While Apple steadfastly claims that “Developers do not receive any iTunes confidential customer data when an app is downloaded,” clearly these rogue developers were able to access users’ credit cards in some way. If not, how could people be charged for hundreds of dollars of apps purchases.”
I don’t think you quite understand how the iTunes Store works. People could be ‘charged for hundreds of dollars of apps purchases [sic]’ because they provided a payment mechanism to Apple to enable one-click purchasing. Once the iTunes account is compromised, the charges sail on through.
If you have one-click turned on for Amazon, someone who compromises your Amazon password can send themselves gift certificates without your permission, causing charges to hit your card. Same deal.
http://www.macrumors.com/2010/07/06/apple-about-400-accounts-affected-app-store-not-hacked/
This article contains no information about how the iTunes accounts were “hacked” and seems to use the word hacked pretty loosely.
The statement “clearly these rogue developers were able to access users’ credit cards in some way.” is just stupid. Yes, if the iTunes account had a credit card attached, that’s what was used to pay for the fraudulent purchases. It does not mean the fraudster had access to the credit card number. In fact the lack of evidence of fraudulent purchases outside iTunes implies that they did not.
If they knew how they were hacked, I think they could now prevent it. But unfortunately, like magic, we only see the evidence of something stolen or changed when it’s too late to figure out how it’s done. Called sleight of hand….. and thieves use it all the time even though their magic is not worked on brick and mortar stores!
Even the most secure of web sites are busy revising their Security Schemes. Yahoo is constantly revising how you log in or recover your password, etc. Apple needs to revamp their Secure Transactions Procedures to include remote authentication like Newegg does when using Visa or MasterCard. It’s another step, but well worth your time to enable it! …..another thing is to use things like PayPal for iTunes purchases instead of credit cards that don’t require remote authentication of some kind. That way any hacker that gains access to your iTunes account must also then hack your PayPal account before he can pay. Never just letters and numbers, always use combos of letters (upper & lower case), numbers and special characters and use the max allowable string. I use 20 characters on everything if they’ll let me and no, I remember them, but if I could for me then they’re not good enough. I write them down at home and put them in a safe place. I also put them into a locking secure folder on my computer.
Then when I need them, I open them up and copy/paste them in to where I need them. But even these extreme measures won’t help me stay safe from hacks using packet sniffers and other snooping tools. Go to a coffee shop with WiFi internet access and it’s a perfect spot for these kinds of hacks to find victims. If you are connecting up at Hot Spots without using Secure Data encryption, you’re a fool!
This morning (13 July/14 July depending on dateline), I received 6 email invoices from the iTunes store for purchases I had not made. Suspected spam, so checked my iTunes store account and found same purchases listed – noted as ‘Not Downloaded’.
I have only used iTunes store for music purchases (aside from the iTunes software I have not downloaded or installed any Apps).
Invoices were for a number of Apps, apparently from different developers along with an album purchase. Have requested that transactions be reversed (by Apple). No reply as yet. Bank is next on my list…
It’s not Apple’s job to reverse the charges; a product was paid for and downloaded. How do they know it wasn’t you? It is not a store’s responsibility to just eat charges related to fraud; it is the issuer of the credit card. They protect you in case your account is compromised, and they should be contacted about any charges not made by you, and unless you have the worst card in the world, they will refund any fraudulent charges.
I do find it interesting that all of a sudden EVERYONE has had their iTunes account compromised. This is not a widespread issue yet every couple of comments there is someone saying their account was hijacked. Either one out of four readers here have lost control of their account, or people are lying. My guess is it’s the latter.
No they’re not responsible for reversing charges on the credit card, naturally. But they are responsible for the integrity and security of purchases made from their site and that’s the problem. Their system is broken and this should be a wake up call for them. But instead they simply choose to sweep the problems under the rug!
Nothing to worry about here. People were just holding it wrong… ;)
I have now successfully had the unauthorised purchases refunded (by the credit card company).
No acknowledgment or reassurance from iTunes as yet regarding the potential security breach.
This is what I have proposed that iTunes should do to protect its customers. (Feel free to copy-and-paste to your own correspondence with iTunes Store.)
I’m seeking reassurances from iTunes Store, that:
-iTunes will (or has) investigated reports of account access details being disclosed and onsold.
-iTunes will audit iTunes account security policies and procedures.
-iTunes will not automatically store credit card numbers when a person creates a new iTunes account.
-iTunes will contact all iTunes customers advising them that, in light of potential security issues, iTunes has cleared all stored credit card details; and recommends that users change their passwords.
My iTunes account hacked to the tune of $500! Beware. Apparently Apple knows about this but failed to notify its users.
My account was hacked today, 8/13/10, with 32 charges to Storm8’s World War App for $180 each. My bank account was literally drained to $0. I contacted Apple and was oh-so-helpfully sent a form letter telling me to change my password and contact my bank- basically to blow off. Luckily my bank was more helpful and is doing chargebacks on all the charges. I’m sick that Apple continues to let this go on- and from the same developers no less!
It won’t do to use PayPal because that is how they charged me over $800.00 to my checking account.
Thank God I was able to get all of my money back. I would like to know the person or persons that did this so we could take legal action against them.
I live on a small income and could not afford these charges; they were $106.59, $159.89 and $165.21. My account was charged twice for these amounts. It took me a week of worrying about what was going to happen to my account.
I agree Lee. My bank account was drained of thousands by Storm8 World War, and I am disgusted that Apple has been aware of what is going on for over a month but has done nothing to remove the app involved. My bank account is still in the negative because of the incident on the 13th, and my PayPal account is now frozen as well because of the investigation. I would love to take legal action. Although I’m not sure what the odds of winning would be, I feel like a class-action lawsuit (who knows how many this has happened to by now?) would be justified. The first time around it may not have been Apple’s fault (other than some bad security), but they have now admitted they know what is going on but are still allowing it to continue.
Apple is lying.
This all kicked off over two months ago? And only 400 accounts were compromised?
Seems to me that if this were really the case, I wouldn’t have woken up this morning to find my iTunes account hacked, and $2200 worth of charges waiting for me in my PayPal account (for multiple purchases of, shock-of-shockers, World War points).
Seems to me that if Apple had any clue WHICH accounts were compromised and HOW it was done, they might’ve been able to warn those people, so that they could take the proper precautions.
And it seems to me that if Apple were looking out for anybody other than their shareholders, I wouldn’t have been on the phone for half the morning, trying to get the charges reversed.
I know the Apple Fanboy response is going to be to blame the victim. But here’s the thing: I’m not someone’s grandmother. I’m an IT professional. I don’t own a Facebook account, because I’m well aware of the potential privacy risks. My AV software is up-to-date, and I scratch my head over how someone could fall for a phishing scam.
On the completely off chance that I made a mistake in keeping my information secure, I want to know what that mistake was so I can rectify it. But so long as Apple wants to keep throwing up a smokescreen in regards to their accountability over this issue, I have no way of knowing where the weak link was.
As a follow-up, the three principals involved in this matter (Apple, PayPal, and my credit union) responded in the following ways:
1.) Apple followed up within a few days of my call, and offered to refund the balance. In spite of the fact that I still think they’re covering up more widespread issues, I have to say that this was about as good a response as I could hope from them.
2.) PayPal said that they would perform an investigation (taking up to ten days), and perform a chargeback to my debit card, if evidence of fraud was found. They suspected nothing less, considering that I wasn’t the first to call in about fraudulent charges from iTunes.
3.) My credit union offered temporary credit to cover any overdrafts that might occur. They also said that they could perform a chargeback as a last resort, but in light of the fact that the other two companies appeared to be making good, they didn’t think there was a need for it.
My iTunes account just got charged 250 bucks by Streetview Labs, after my 5 year old girl downloaded a free app game from them. Streetview got my account info from iTunes. How can Apple allow third party charges without my permission? The app was free to download. This is insane, and iTunes only responds through email. Please help.
My account was hacked yesterday, Oct. 16. So 3 months and no fix from what I’m reading. My store credit was wiped out with app downloads, and I don’t have an iphone.
DON’T BUY iTunes gift cards, they aren’t safe either. Apparently nothing is safe on iTunes!
October 31. My account hacked this afternoon. My store credit drained by World War honor points I’ve not authorised. Thankfully I’ve no credit card linked to the account. Agree with previous poster that iTunes vouchers are not safe. I’ve emailed Apple. Anyone had a positive response from them to reimbursing stolen credit?
November 29th – My account was hacked yesterday and drained of the last $40 iTunes gift card credit for World War honor points. So, almost 5 months in and a) this is still happening and b) Apple still hasn’t done anything to stop it? RIDICULOUS. Thank God they don’t have my credit card information.
I too can confirm this. I found this article after my account got hacked. Luckily I didn’t have my card information on file, but they used all of my iTunes money I had through gift cards.
It was the same seller “Yip Hong Tai Kenny”. I have no idea how they were able to get my account information; I think it was somehow hacked directly through iTunes. I have not purchased anything through iTunes in quite some time, definitely nothing that would give away my information, and I don’t have any kind of malicious software on my PC as I have done a reformat less than a month ago and have not installed anything suspicious.
First, it is happening again. I just saw over $500 of charges from Storm8, and called the credit card company. This is positioned as a FREE app, which somehow attaches to the credit card via iTunes by calling in “in App Purchases” when none really occur. Second, it happened entirely on an iPhone (no PC, and not through my Mac). However the glitch/hack occurs, it is entirely in Apple’s ecosystem, and they need to fix it.