Recently, several media outlets have been running a fascinating story about hackers making oodles of money selling iTunes gift card activation codes at online auctions, supposedly after cracking the secret algorithm Apple uses to generate voucher codes for iTunes gift cards.
But a blog post published today by one of the security industry's most prominent researchers suggests that the real hack here is far simpler: The crooks are merely using stolen credit cards to purchase and resell the iTunes gift cards.
Joe Stewart, director of malware research at SecureWorks writes:
This would be a pretty clever hack if it were true -- however, something just isn't quite right here. Nowhere in these articles does it explain one simple thing - how do they manage to generate activated iTunes gift voucher codes? When you purchase an iTunes gift card, it has to be activated before it will work, otherwise you will get an inactive code message from the iTunes store when attempting to redeem it. If this were not the case, anyone could simply walk into any of the numerous retail outlets that stock iTunes cards, grab a hook-full and run out of the door with hundreds to thousands of dollars in iTunes money. This would be a shoplifter's dream! But, much to the dismay of those who have already tried this, the cards are simply worthless plastic until they are activated at the point-of-sale. Since this system works well and doesn't require a "secure" algorithm to generate the numbers, it stands to reason that the same system would be used for the online gift certificate vouchers.
But, third-party reports have confirmed that the voucher codes being sold by the Chinese hackers are in fact redeemable in iTunes (not sure how they verified this without exposing themselves to criminal charges however). So what is actually happening here? I see two likely scenarios: either the Chinese hackers have managed to penetrate Apple's internal network and/or iTunes gift card database and are directly stealing activated numbers before they can be used, or they are simply using stolen credit card numbers to purchase the cards.
Rather, Stewart said, it is more likely that hackers in this case are using stolen credit card numbers to purchase the gift voucher codes from iTunes and then reselling them. After all, shipping another eBay user a voucher code only takes a single e-mail and can be done instantly.
What boggles my mind is how many people actually bid the price of an iTunes gift card well beyond what it's worth.
Since we're on the subject, I should probably mention that Apple on Wednesday released a new version of iTunes to fix at least two security flaws in the software. The latest version, iTunes 8.1, is available from this link here, for both OS X and Windows systems.
Finally, a shameless plug: Please join us tomorrow morning at 11 a.m. ET for a Security Fix Live online chat. I won't start answering questions until then, but please feel free to drop a question or comment in the queue as soon as you'd like. You can review archived Security Fix Live discussions here. Thanks, and see you tomorrow!
Update, Mar. 13, 2:15 p.m. ET: As it happens, new fraud data on the ground as reported to the FBI supports Stewart's assertion. I heard from Craig Butterworth, spokesman for the National White Collar Crime Center, which works with the FBI and the Internet Crime Complaint Center to field reports of Internet fraud. Butterworth said the center has received a total of nine complaints about credit card fraud related to unauthorized purchases on iTunes. All of the complaints came in during the last 13 days, and some of the charges were for as much as $1,600.
"This does give credence to the argument that hackers are simply purchasing gift cards with stolen credit cards and laundering the money using the ruse 'We cracked the iTunes algorithm,'" Butterworth said.