Is Your Apple iTunes Account Safe From Being Hacked?

My Apple iTunes account was hacked into recently. I know this because, I received an email like this from Apple:

Your Apple ID, XXXXXXXXXXX, was just used to make a purchase in Island Empire from the App Store on a computer or device that had not previously been associated with that Apple ID.

As soon as I received the warning email, I reset my password, but by then, the hacker had already drained my account. I then went in search of an Apple hotline or email address that would let me immediately solve the issue. I filled out the contact form ~~here~~, then waited (Apple has removed this form already and now redirects you to "express lane" instead).

I received a reply within 1 day that asked me to reset my password, so I reset my password again.

Then, I received an email receipt where Apple had reimbursed me for the $16.22 cents that had been stolen.

I was very happy with the reimbursement and the time-frame of resolving this problem was speedy in my mind. The only issue that I still have, is all of my unanswered questions. I still want to know how this happened and I still want to know how to prevent it from happening again. No other aspect of my online life has been compromised in any way. No other accounts were hacked. No other programs or apps had issues. Only iTunes. So what gives?

Well, if you can’t get answers directly from Apple, then maybe Google can turn up something. It does... here is an entire 40+ page Apple Discussion Thread on the topic.

Over 40 pages worth of people wondering about the same thing. There were multiple people per page and that’s only one of the several discussion threads on Apple’s own site. This let me know that its not just me and my account that is having this issue. It’s a widespread problem. Apple was actually very timely and diligent about refunding and handling the hacking issue (kudos for that), but the universal complaints running through the discussion thread are “how did this happen?” and “how can I prevent this from happening again?”. This is where Apple dropped the ball. Maybe they don’t know what happened or maybe they don’t know how to fix the problem yet. Whatever the reason is, the answers haven’t been forthcoming.

Is there a potential fix to this?

When I put on my programmer hat (yes, I have a hat for that, complete with propeller) and think about the current pattern of the problem, I see one glaring trend. In every case I read about, the hacker used a device that “has not been previously associated with this account”. Now, I don’t claim to know the back-end programming of iTunes, but it seems like after people first set up their account and attach a device or two, it really doesn’t change that often. I mean, how many times per month or per year do you add new devices? I haven’t added a new device in over a year. Even if you bought the latest device every year in order to upgrade and also purchased a new device or computer in addition to that every year, you are still looking at only 2-3 changes per year. That’s not a lot of changes in programming terms.

If there was a way to simply lock down your account to specific devices, then you would be throwing another roadblock in the way of a hacker. No, I don’t think any online system is hackproof, that’s just the nature of the internet. But if your company is encouraging people to directly link their credit cards to your system, then security needs to be an incredibly high priority.

I was lucky. My account was created using gift cards only. I have never attached a credit card to my account. The best a hacker can do is take me for the amount on the latest gift card. I saw several people who had actually attached their credit card and got taken for a lot more. I have personally called people I know who have an iTunes account and told them to switch to gift cards. You can limit your liability by limiting the amount of money on your account. This lesson can apply to ANY internet account.

I have no plans on dropping my account or switching to anything else. Apple products and services work for me and my lifestyle. They reimbursed me for what was stolen and my password has been reset, but I have no way of knowing if this can happen again tomorrow. I have no assurance that my account, my information or my money is safe. That’s a tough pill to swallow.

Apple is being extremely quiet about being hacked, but at some point, they are going to have to be transparent about how they are fixing the problem or they are going to loose people's trust, and that's worse than being hacked.

Toff Ward
OpenSourceMarketer.com

Have you had a similar experience with your iTunes account? Leave a comment below and tell me about it.

Where Are The Webinar Show Notes?

Medusa Tank Marketing Chart - Part One - 12 Marketing Channels

Creating Membership Websites, Part One

How To Minimize The Damage of A Hacked iTunes Account

How To Reduce Your Online Buying Risk

Upcoming Event - First Corona SDK Meetup In Dallas

Toff Ward

here is another article on how these stolen accounts are being resold: http://www.appleinsider.com/articles/11/01/07/hacked_apple_itunes_accounts_sell_in_china_for_pennies_on_the_dollar.html
Fred Fnord

Another way you can protect yourself from this stuff, and the most important way, is to use a unique and unguessable password for each web site/service that has any credit card/account info for you.

It’s pretty obvious what you’re risking if you use a simple password. It’s less obvious if you’re using a single (complex) password for all of your online business. But if you use one internet password, or a small set of them, for all the web sites you log into, you risk having a malicious person set up a web site that looks interesting and have you create an account, and then record your password. And once he’s done that, he makes some guesses at your Apple ID (or, if you use your @me.com or @mac.com email address in signing up on his web site, he already knows it!) and tries the password, and voila.

So far, I’ve known two people who had this happen to them. Both of them used the same password for a lot of other web sites that they used for iTunes.
- Charles McKeever
  
  So true Fred. Valid points all around. For this particular instance I happen to know that Toff uses some pretty strong passwords for his accounts. He’s even more cautious with his online activities than I am, and I have some squirrely passwords. So, I think there may be something else going on here that isn’t being addressed publicly. That’s just my personal opinion though.
mark

Im actualy in China at this momment, my wife being Chinese, i asked her to look at the taobao website to see about the accounts being sold.
What i was told, sorry if its baby English.
The accounts are being used with stolen credit cards.
a common way was with a few applications used on the actualy apple website.
a hacked itunes account can be purchased for as little as 100 yuan per account. They tell you to use them right away.
or
in game purchases, they will take your udid number, and load your game up with, coins and honor ect……
the wife is trying to ask for more info, on the pretence of being intrested in being part of the game. when im home, ill have more info i hope to share about the way they are doing it.
mark
- toff
  
  I would love to hear more about it, Mark! It certainly surprised me that this was possible and that Apple isn’t more proactive about it.

About Charles McKeever

Recent Articles

Important Stuff

Recent Posts

Recommendations

Other Stuff You Might Like:

About Charles McKeever

Recent Articles

Important Stuff

Recent Posts

Recommendations