It looks as if Apple iTunes users who have been the victim of identity theft will have to look for a new knight in shining armor to wring answers from the notoriously close-lipped Cupertino technology giant.
The Massachusetts Attorney General’s Office said on Monday that it isn’t planning to conduct an investigation of a rash of account takeovers affecting users of Apple’s iTunes online media store, despite suggestions last month that such an investigation might be in the works.
Attorney General Martha Coakley, who has admitted that her stolen credit card number was used to make fraudulent purchases on iTunes, told an audience of technology leaders in September that she planned to ask Apple for information about a wave of similar incidents stretching back months and affecting an unknown number of iTunes users. However, a spokesman for Coakley’s office told Threatpost on Monday that no investigation is pending.
“At a technology conference last month, the Attorney General was asked a question and spoke about a personal story about a stolen credit card number being used to make purchases on iTunes over a year ago. The issues raised by this incident reflect general ongoing concerns we have about data breaches, privacy and jurisdiction of law enforcement. But as of right now, our office does not have a specific investigation into iTunes on this matter,” said Brad Puffer, Director of Communications for the Office of the Massachusetts Attorney General.
The statement followed an inquiry from Threatpost about the status of the Attorney General’s Office’s communications with Cupertino, California-based Apple after a September address before business and technology leaders in Massachusetts.
Puffer declined to give the Attorney General’s Office’s reasons for not pursuing the issue. It is also unclear whether the Attorney General’s Office contacted Apple or received any official explanation of a rash of account compromises stretching back months. Apple is notoriously tight-lipped about all manner of company information – including product security. The company has steadfastly refused any comment on the compromises despite multiple requests for comment from Threatpost.
The fraudulent purchases vary. In some cases, accounts are raided for the value of iTunes gift cards on file. In others, a compromised iTunes account is paired with stolen credit or debit card information belonging to an entirely different victim (such as Coakley). iTunes users often become aware of the breach only when they receive e-mail receipts for bogus purchases made through their accounts. In most cases, Apple has been quick to refund fraudulent purchases, though some users claim that they have been locked out of their iTunes accounts and left with little recourse.
Compared with an estimated 200 million iTunes account holders, the number of compromised accounts is believed to be small. However, for those affected, the compromises can be burdensome. In the absence of an explanation from Apple, victims have formed their own theories about what is going on. Some contend – in line with Apple’s own support engineers – that the victims’ iTunes accounts were protected by weak passwords that were guessed in a brute-force or dictionary attack. Others have theorized that victims reused passwords across other social media or Web accounts that were compromised.
Others have suggested that Apple’s platform – either the iTunes application or Apple’s back-end servers – may be the source of the problem. One prevailing theory is that rogue application developers have planted malicious code in legitimate-seeming applications engineered to phish for and steal user logins.
Apple is by no means the only e-commerce vendor contending with fraudulent online activity. Just last week, the Web site Ars Technica reported that support forums catering to Microsoft Xbox users have registered a similar-sounding rash of fraudulent in-game purchases. Microsoft has indicated that no large-scale compromise of its infrastructure took place, but has not explained the cause of the reported hacks, either.