Why isn't Apple protecting iTunes/App Store users from purchase fraud?

iTunes Hacked

John Gruber and MG Siegler may deny it, but there is massive fraud going on through iTunes and the App Store. Apple's response, or lack of it, is the first problem. Apologists are the second.

I'm a big fan of brand or product enthusiasts. They're the measure of a company's success and the best marketers. But enthusiasts also get in the way by their insistent denial, when they defend a company at fault. The worst-case scenario is when the deniers are highly influential writers like Gruber, who writes for himself at Daring Fireball, and TechCrunch writer MG Siegler, who also has personal blog Paris Lemon. Both men are unabashed Apple apologists.

Our story here today begins with yesterday's blog post by Scott Hanselman about unauthorized purchases from his iTunes account. Hanselman explains in stunning and documented detail about the purchase of mobile apps for the purpose of using "in-app purchase to steal money".

Siegler is a good writer and cleverly dismisses the credibility of Hanselman and his claims -- phrases like "Hanselman, who happens to work for Microsoft" and "he didn't like" in the context of Apple's response. Siegler blames Hanselman -- his "password was clearly hacked. He doesn't seem to think that's the case because he's cautious". How cautious? "My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy", Hanselman writes. I believe him, because he works for Microsoft.

Gruber adds his two cents: "The problem may well be widespread, as Hanselman alleges, but I'm with Siegler: by all appearances, the problem is that Hanselman's password was compromised. There is no evidence that criminals have found a way to compromise iTunes accounts without knowing/guessing the victim's password... In Hanselman's case, though, he admits he was using PayPal, not a credit card. Perhaps it's therefore safer to use a credit card instead of PayPal for iTunes Store payments?"

We Documented the Problem

Neither blogger sees Apple at fault. I can't definitively say it is, but the evidence strongly suggests the problem isn't compromised passwords and there undeniably is a widespread problem of unauthorized app purchases to steal money through in-app purchases. Betanews has published about a half-dozen stories about this topic.

My colleague Ed Oswald also had unauthorized app purchases made from his account, which he first wrote about -- at my urging -- on June 2: "I got hacked on iTunes". He followed up, in order of publication:

I encouraged Ed to write more news reports -- most recently after Apple added the email notifications for purchases. He let that one pass. Since it's the weekend, I've taken up reporting for him, in response to Gruber and Siegler denials. Ed created the map below at my suggestion, so that people could geographically document unauthorized iTunes/App Store purchases and amounts. If you're a victim, please add yourself. As I post, the map has received nearly 12,000 views.

[Embedded map: iTunes Hack Reports]

Ed writes in the first story: "It appears that these fraudulent charges are occurring across a wide range of iTunes users -- having an iPhone was not important. This is especially concerning to everyone because it seems to indicate this may be a wider hack of iTunes itself -- or even PayPal -- because somehow whoever is doing this has access to account information". Ed used PayPal for iTunes purchases.

Don't Blame PayPal

However, PayPal isn't the problem, as Gruber suggests it is. Ed's early reporting found that the majority of victims had account balances, mainly from gift cards, drained. "Although not uniform, Betanews investigations into the issue seem to suggest that attackers have primarily targeted users that had credit balances with iTunes", Ed explains in the second story, profiling three victims. They're no yokels, but IT people with experience using tough-to-break passwords. That criminals drained credit balances also suggests that PayPal isn't the pathway for attack.

Ed's stories painstakingly reveal the apps, mostly games, commonly exploited and offer many victim accounts. He is still receiving them by email two months after his first report. I'm hoping that after reading this post and those from Gruber and Siegler, he'll feel inspired to tell those stories. Or perhaps this chilling sentence from Hanselman: "Some folks have told me they reset their password every time they buy an app!"

Apple has been surprisingly silent about the ongoing iTunes/App Store fraud problem. It's easy to publicly ignore a problem, or even deny there is one, when enthusiasts like Gruber and Siegler or Mac blogs and news sites treat Apple like the protagonist in Hans Christian Andersen's story "The Emperor's New Clothes".

But as the saying goes, actions speak louder than words, suggesting that even while silent Apple is aware of the problem. This week, Jordan Golson reports: "Apple has begun sending emails when AppleID's are used to make purchases on iOS devices not previously associated with the account. It is likely these emails are being used as one way to combat increasingly frequent app purchase fraud".

Such an email alerted Hanselman to unauthorized purchases made on his account. So, that shows the emails are effective as band-aids. But that Apple has to send them at all indicates there's an unresolved problem -- and by review of App Store comments or Apple support forums, account sacking is widespread.
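The two signals this post describes, a purchase from a device not previously associated with the account and a burst of in-app purchases that drains a stored credit balance, are the kind of thing a fraud team would check for on the payment side rather than leaving to the victim's inbox. The following is an added example written for this post; it is not Apple's code and nothing here is known about how Apple actually implements its alerts. The field names, the one-hour window, the 80% drain threshold and the sample purchase records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values, not taken from Apple or from the post.
WINDOW = timedelta(hours=1)   # how far back in-app spend is summed per account
DRAIN_FRACTION = 0.8          # alert once windowed in-app spend reaches 80% of the credit balance


@dataclass(frozen=True)
class Purchase:
    account: str
    device_id: str
    amount: float      # charge in USD
    in_app: bool       # True for an in-app purchase, False for an app download
    ts: datetime


def detect(purchases, known_devices, credit_balance):
    """Run two rules over purchases in timestamp order and return (rule, purchase) alerts.

    known_devices:  {account: set of device ids already associated with the account}
                    (copied; a device becomes associated after its first purchase,
                    which mirrors the "not previously associated" alert the post quotes)
    credit_balance: {account: opening gift-card/credit balance in USD}
    """
    alerts = []
    known = {acct: set(devs) for acct, devs in known_devices.items()}
    recent = defaultdict(list)   # account -> [(ts, amount)] of in-app purchases inside WINDOW
    drained = set()              # accounts already reported, so the drain rule fires once

    for p in sorted(purchases, key=lambda x: x.ts):
        devices = known.setdefault(p.account, set())
        if p.device_id not in devices:
            alerts.append(("new_device", p))
            devices.add(p.device_id)

        if p.in_app and p.account not in drained:
            recent[p.account] = [(t, a) for t, a in recent[p.account] if p.ts - t <= WINDOW]
            recent[p.account].append((p.ts, p.amount))
            spent = sum(a for _, a in recent[p.account])
            balance = credit_balance.get(p.account, 0.0)
            if balance > 0 and spent >= DRAIN_FRACTION * balance:
                alerts.append(("balance_drain", p))
                drained.add(p.account)
    return alerts


# Constructed sample data: alice buys one app from her known phone, then an
# unknown device runs five $9.99 in-app purchases two minutes apart against
# her $50 credit balance; bob makes one ordinary in-app purchase.
T0 = datetime(2010, 7, 10, 9, 0)
SAMPLE_PURCHASES = [
    Purchase("alice", "iphone-A", 0.99, False, T0),
    *[Purchase("alice", "unknown-X", 9.99, True, T0 + timedelta(minutes=30 + 2 * i))
      for i in range(5)],
    Purchase("bob", "ipad-B", 2.99, True, T0 + timedelta(hours=2)),
]
SAMPLE_KNOWN = {"alice": {"iphone-A"}, "bob": {"ipad-B"}}
SAMPLE_BALANCE = {"alice": 50.00, "bob": 25.00}


def run_sample():
    """Return the alerts produced for the constructed sample above."""
    return detect(SAMPLE_PURCHASES, SAMPLE_KNOWN, SAMPLE_BALANCE)


if __name__ == "__main__":
    for rule, p in run_sample():
        print(f"{p.ts:%H:%M} {rule:14} account={p.account} device={p.device_id} ${p.amount:.2f}")
```

On the sample, the first purchase from "unknown-X" raises a new-device alert at 09:30, and the fifth $9.99 in-app charge at 09:38 raises the balance-drain alert, because $49.95 of in-app spend within the window exceeds 80% of the $50 balance; bob's single purchase raises nothing. Associating a device only after the alert is a deliberate choice: it reports the first use once rather than every later purchase from that device, which is the behaviour the quoted notification emails appear to have.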

Hanselman astutely opines: "We'll never see this fixed until Gruber gets the error".
