400 Apple iTunes Accounts Compromised; Are Users Secure?


Apple has already banned an application developer the company said made fraudulent purchases from more than 400 iTunes App Store accounts, racking up thousands of dollars in unwanted charges for unsuspecting consumers.

Thuat Nguyen, a Vietnam-based developer who reportedly purchased his own applications by hacking into other users' accounts, was "removed from the App Store for violating the developer Program License Agreement," Apple said. The alleged fraud falsely earned the hacker the number 42 position in the top 50 spots in the iTunes book sales charts for his comic book apps.

Basically, Thuat Nguyen and other developers were hacking into iTunes accounts to buy their own App Store creations, then leaving themselves positive feedback to boost their application rankings, Apple has said.

In a statement on Tuesday, Apple told Engadget that "The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns."

While the hack impacted only about 400 of the roughly 150 million iTunes users, the incident raises the question: Is Apple iTunes secure? Apple says yes.

Apple claims that its iTunes servers weren't touched. Apple also noted that developers don't get access to confidential user information when their application is purchased.

Also still pressing is how a developer managed to hack into other users' accounts to purchase his own applications if, indeed, Apple's iTunes servers weren't accessed.

One security expert suggests that user account information was acquired via a phishing attack or from compromised Web mail accounts.

"We are seeing a trend for hackers targeting accounts such as iTunes, online poker accounts. You can monetize this kind of account very quickly," Amichai Shulman, chief technology officer of security firm Imperva, told BBC News.

In its statement, Apple doesn't address exactly how Thuat Nguyen was able to make the fraudulent purchases, but it is telling users to better protect their Apple iTunes accounts to prevent future trouble. Apple also doesn't address the issue of whether any actual fraud occurred.

First, Apple is telling users who suspect bogus purchases were made from their account to contact their bank and cancel the credit card in question. Some reports indicate that fraudulent charges ranged from $100 to $1,400 a pop.

Apple is also urging all users to change their iTunes passwords, just in case.

Additionally, Apple said it will tighten security on App Store purchases. One measure includes more frequent requests for users' credit card CCV number (typically a three-digit number printed on the back of a credit card), which Apple asks for only on some iTunes App Store purchases.