Online security

There have been a number of reports in the last few days of iTunes app developers apparently accessing other iTunes users’ accounts to buy their applications, to increase their rating on iTunes. People have had bills of $100 or more generated for apps and books that they didn’t order.

It is not clear at the moment how the accounts have been hacked – whether Apple has a problem at their end or whether the users affected had weak passwords which have been hacked. However, there are a couple of things I have done to reduce the risk of being “stung”:

  • Changed my passwords to be stronger, by following these suggestions:
    • Use more characters than the minimum required by Apple
    • Make sure the passwords consist of a mixture of upper and lower case characters, one or more digits and special characters such as “§ $ % & / ( = ?”
    • Don’t use a password which is a single dictionary word in which some characters have been substituted with similar-looking digits (i.e. “leet” spellings, e.g. “pa55w0rd” for “password”). Leet passwords can be cracked with a dictionary attack almost as easily as words in “clear” text.
  • Deleted all my credit cards and bank details defined as payment methods and replaced them with a pre-paid Mastercard which I recently ordered to pay Ryanair with. This card never has more than a few hundred Euro pre-loaded, often much less. It limits my financial risk and means if I have to have the card cancelled, it doesn’t affect the rest of my life.
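
The password suggestions in the list above can be checked mechanically. The following Python code is an added example, not part of the original post: it reports which suggestions a password fails and flags passwords that reduce to a dictionary word once leet substitutions are undone, including a word with digits or punctuation tacked on at either end. The word list, the substitution table and the minimum length of 8 are assumptions made for illustration.

```python
import itertools
import string

# Constructed sample word list; a real check would load a full dictionary file.
WORDLIST = {"password", "letmein", "dragon", "monkey", "welcome", "sunshine"}

# Common leet substitutions (assumed table); "1" can stand for "i" or "l".
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "8": "b", "9": "g", "@": "a", "$": "s", "!": "i", "+": "t"}

MIN_LENGTH = 8  # assumed site minimum, not a value taken from the post


def deleet_variants(text, limit=256):
    """Yield readings of text with every leet symbol mapped back to a letter."""
    options = [LEET.get(ch, ch) for ch in text]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def is_leet_dictionary_word(password):
    """True if the password, or its core without leading/trailing digits and
    punctuation, is a word-list entry once leet symbols are undone."""
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation)
    return any(variant in WORDLIST
               for candidate in (lowered, core)
               for variant in deleet_variants(candidate))


def check_password(password):
    """Return the list of suggestions from the post that the password fails."""
    problems = []
    if len(password) <= MIN_LENGTH:
        problems.append("not longer than the required minimum")
    present = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    problems += [f"no {name}" for name, ok in present.items() if not ok]
    if is_leet_dictionary_word(password):
        problems.append("dictionary word with leet substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("pa55w0rd", "P@$$w0rd!", "Tr4mline§Quartz-88x"):
        print(pw, "->", check_password(pw) or "passes these checks")
```

A password such as “P@$$w0rd!” satisfies the length and character-mix suggestions and is still reported, because the leet check is independent of them.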

Note that potentially, any credit card or bank account details you have permanently stored in an internet account for a supplier are similarly at risk. Other suppliers where I have updated my password and credit card details are Amazon and Google Checkout. The risk is the same in both cases – a crooked employee could copy the credit card details or their server could be hacked from outside. I think although Amazon and Google are both security conscious, it doesn’t hurt to take these relatively simple precautions.