iTunes store account hacked

A few basic controls would help cutting this out I'm sure (unless the hacking is at the backend of course),

• Allow accounts to be resitricted to use in their own country.
  I asked about this, Apple said 'Oh but you might go to the States and want to buy something'. Well guess what, I don't even have a passport and if I did, I'm sure I could either wait until I was home or remember to change my preferences before I left.
  Yes there are ways around such controls, but security is all about layers.
  
• Allow accounts to require some form of additional authorisation when accessed from a new device - FaceBook has something similar I think.
  
• Lock accounts after a definable number of incorrect access attempts (actually, is this already in place? in which case a keylogger becomes a more direct suspect).

Clearly no-one from Apple is reading this thread though.

Well add another to the list.

3 purchases for Kingdom Conquest totalling $107

• I use a separate email address and password for iTunes only
• I am in IT and would never respond to a phishing email
• As soon as I deauthorized Paypal from my iTunes account I was charged a third time for $36
• Created disputes in Paypal and reported to iTunes

Really nice right before Christmas.

I am certain that it is NOT related to PayPal or gift cards.

These hacks are happening on Apple's servers.

As has been posted (and deleted by Apple) on this very thread what seems to be happening is that a program called 'Apple Hack' is available in China. This program somehow has access to Apple's servers (feel free to speculate as to how this program has access to Apple's servers). Once in Apple's servers it then finds iTunes accounts with credit (either giftcard, credit card or PayPal) and then breaks the password, probably by bruteforce (repeatedly trying).

This scenario is shocking for a number of reasons:

1. How does the program 'Apple Hack' get access to Apple's servers?
2. Are iTunes user names and passwords NOT encrypted?
3. Or, if they are encrypted, it appears that somehow the hackers have got access to encryption key.
4. Why are bruteforce attacks not tripping a billion alarms on Apple's servers?

In conclusion, you may want to compare Apple iTunes and Amazon. Both have very similar business models but one, apparently, has far superior security.

Am I the only one to notice that every time this happens the money is used to buy a Chinese app on an 'unauthorized device'?

Granted, I've got a PhD in computer science, but I think it would a very easy fix (2 lines of code max) to stop any transaction that is:

1. A Chinese game
2. Downloaded to unauthorized device
3. When the account holder is located in the US or UK.

Just sayin'.

World's most valuable company, huh?

I don't use Mac computers (I stopped writing for the Macintosh when their market share dropped below 7% in the '90s). I don't store passwords on my computer. And, yes, there are some very talented people working for Apple (I know many of them).

Here is the problem with Apple security and iTunes:

1. Everybody on this list has reported the same thing: unauthorized charges on their iTunes account for apps downloaded to unauthorized devices. Why is Apple allowing this?
2. When bots (like Apple Hack) repeatedly attempt to brute force a password the system SHOULD throw them out and lock down that account. Why isn't Apple doing this?
3. Apple says that our account information is encrypted. I take them at their word. How then are our encrypted user IDs and passwords cracked? It is very time consuming to break standard 128 or 256 bit encryption. I think that somebody has Apple's encryption key.

Mr. Transmogrification, I hope you morph into a more respectful state soon...but...

Do I have any proof? Of course I do - well, let's call it inductive proof. I was at a party and an app that I never purchased showed up on my iPhone. When I got home, I received a note from Apple that my account had been accessed by an unauthorized device in China.I had installed no deviant files, no "secret way" to download free apps...and truth be told, I'm an old broad without the patience or interest to do something like that to save 3 bucks anyway. If you read through the 1700 some-odd posts on this forum, you'll find some very common features and some very un-common features.

• we dont use the same devices
• we dont use the same OS's (I just posted here because it was the first place I found when I googled up "Apple Hack"...I actually am a PC user).
• we have varying degrees of technical expertise, from very little to very much.
• some had gift cards, some just had vanilla purchases.

I dont know who you are or what you do for work...I do know myself though. And there is ZERO doubt in my mind that this was a server based attack. We just don't have enough similarities for it to be otherwise.

Peace.