Comments

  1. I’ve got WY on the look out today to buy one, I’ll hopefully get to try it out tonight.

  2. See here for information regarding iTunes certificates purchased with stolen credit cards.

  3. @imron:
    The way I heard it they are made using key generator software, not stolen credit cards, the price on taobao is something like 20RMB (~$3) per $100US, kinda seems like a hassle to use a stolen CC# for such a small profit, but who knows. Was kind of waiting to hear of someone reliable trying it first……….

  4. Imron, John is referring to the iTunes gift card codes created using an algorithm that Chinese hackers have managed to decipher.

  5. christopher Says: March 11, 2009 at 11:34 pm

    Apple Insider did a piece on this yesterday, they even have a screenshot showing one of the seller’s accounts.

    http://www.appleinsider.com/articles/09/03/10/hackers_crack_apples_itunes_gift_card_algorithm.html

    Make of that what you will, seems people actually get a code that works but it could be a deception.

  6. I bought an iTunes gift card some weeks ago from a Chinese vendor. I paid $60 for a $200 and got an extra $100 as a bonus. The credit worked fine. Apparently, though, I overpaid significantly by today’s prices!

    I wondered what the angle was – I reasoned, however, that Apple have complete control over the gift card inventory in their database. If its true there is an algorithm for generating the cards illicitly, then I feel a little guilty, but I still can’t imagine why Apple would use such a system.

  7. I realise the article says the numbers are hacked, but given that these vendors are themselves paying hackers to generate the numbers, it wouldn’t surprise me if they were just being purchased with stolen credit card numbers, that’s really the only way that they can guarantee a valid number.

    Do you really think Apple doesn’t keep track of both serial numbers and activation codes for each gift certificate that has been issued and that all it requires is for you to guess some magic number and everything will work? The only way for generated numbers to work, is for gift certificates that have been distributed to stores, but that have not yet been purchased and redeemed by a customer. The first problem with this is that there is no way to guarantee which cards have already been purchased and which ones haven’t. The second problem is that eventually someone will buy that card and try to redeem it. When they can’t, they will follow the advice on Apple’s website and provide Apple with not only the activation code, but also the serial number for the card. Apple will then check which iTunes account claimed that gift certificate and find it was already taken by you. Given that the other person holds the physical card, it’s easy to determine that you were the one with the fake card, and so they suspend your account and/or take whatever other action they feel is necessary.

    In summary, certificates purchased with stolen credit cards are the only way to guarantee a working number. Generated values are a possibility, but can cannot be guaranteed to work and eventually someone will buy the real card anyway. Either way, after purchasing such a card, you’ll have a grace period of a few months before Apple finds out and then comes after you.

  8. Funny that even with the small amount of $ exchanging hands, this is over things that do not tangibly exist. Remember when there wasn’t a monetary value or price tag attached to MP3? I do.

  9. imron’s comments make a lot of sense, but again, I’m suspicious that credit card fraud can generate an unlimited number of vouchers llke this. Presumably, stolen credit cards that can buy $200 gift cards in the US are use for more than generating a couple of dollars this way.

    No, more likely is that some Apple inventory of card numbers was stolen/leaked/hacked and the hackers are simply selling off this list in bits and pieces as fast as they can. I think there’s indeed a good chance that those who redeemed the numbers will indeed be flagged at some point.

  10. @Coljac
    yea, agree with you that that is more likely, and that given the widespread nature something will be done to at the very least plug the whole if not take some sort of action to illicit code users. Back to stealing…errr… I mean procuring backups of things I already own legally…. via bittorrent

  11. Perhaps they can be put to more use, but there a few important things to consider. Firstly, a gift certificate is innocuous. A purchase through Apple counts as a purchase in the US, and as a gift certificate of relatively low value, it raises less flags at the bank than say purchasing $10,000 worth of goods in some foreign country. Therefore it’s less likely to be noticed by the bank as a fraudulent transaction and there’s also the possibility that a person is much less likely to notice a small amount added to their credit card bill than a large amount. If you’re a criminal in a foreign country with a bunch of stolen credit card numbers, you are therefore more likely to be successful in committing fraud in small amounts from a US vendor than you are in large amounts overseas (especially if said country has poor track record regarding credit card fraud).

    The second thing to realise is that the people stealing the credit card numbers are rarely the people that use them. Hacker A runs the phishing scam or hacks into some database to get the numbers and then sells these cards on to someone else, probably selling a list of thousands of numbers for a relatively cheap price. Hacker A makes his money by selling the card numbers, not by using them. The problem is, the market for stolen credit card numbers is limited to the amount of people willing to commit credit card fraud. So, to expand the market, the logical step is that you don’t sell the credit card numbers, instead, you sell a gift certificate “generator” to some vendor who is none the wiser and who isn’t really going to ask questions about how it works. They know it’s probably not entirely legitimate, but its works and it seems harmless enough. There is also added “safety” of having a reasonable amount of lead time (a few months) between committing fraud and having that fraud discovered.

    As for generating an unlimited number of vouchers, there’s no reason to believe it’s unlimited, just that currently there is enough to meet demand. As demand increases, that situation might change, but in any event, thousands of credit card numbers are stolen every day, and Hacker A is more than willing to keep supplying fresh numbers to people willing to buy them.

    Regarding numbers being stolen/leaked. What Apple is almost certain to be doing is something like this:

    They will have a database for storing all valid, currently circulating gift certificates. When you buy a gift card online, Apple’s servers generate a serial number and an activation number and store it in the database of valid certificates. When Apple manufactures a run of gift certificates the same thing happens, except they generate maybe 10,000 numbers which get printed on the back of cards and are also added to the valid certificate database. If Apple was smart, in order to prevent people from being able to steal the certificates, or to prevent people from scratching the activation number off in the store without purchasing the card, they might add another layer of protection and have it so that the certificate only gets added to the list of valid certificates when it is purchased (e.g. by requiring the teller to perform some activation step, which could even be done automatically when the barcode is scanned or whatever).

    When a consumer goes to redeem their certificate they enter their activation number. If the activation number is in the database of valid numbers, the account is credited, the number is removed from the list of valid certificates and then stored in another database along with the iTunes account of the person who redeemed the certificate, as well as the serial number of the card and any other useful information.

    If the number is not in the list of valid, circulating certificates it is rejected. A system such as this would ensure that only certificates that have been purchased can be redeemed.

    Apple has plenty of intelligent people working for them, and they also have complete control of the entire system. If I can come up with such a solution with only a few minutes thought, you can bet that Apple has something either similar or better. They would be stupid not to.

    Now it might take a few months for a particular instance of fraud (either credit card, or from number generation) to become apparent, but no system is going to be 100% fraud proof. It will however have plenty of checks and balances to both identify and reduce fraud as much as possible.

  12. RE: “they might add another layer of protection and have it so that the certificate only gets added to the list of valid certificates when it is purchased (e.g. by requiring the teller to perform some activation step, which could even be done automatically when the barcode is scanned or whatever). “

    FWIW I’m fairly certain this is the case for all those card based gift certificates, I’ve even seen signs in the US stating as much and that you are wasting your time stealing the cards as they are useless until activated when purchased.

  13. That being the case, it doesn’t really leave many other options besides using stolen credit card numbers (despite what some random Taobao seller who doesn’t know any better claims to the contrary).

  14. Speculation is great and all, but does anyone have any ACTUAL experience with this?

  15. And so what if Apple “comes after you.” Oh, sorry, I purchased the card number online, how was I supposed to know it was fake?

  16. how was I supposed to know it was fake?

    Because at $2 for a $200 card, the chance that it is legitimate is zero?

    Realistically it’s unlikely that Apple can do anything except suspend your account, especially if you’re not in the US.

    That may or may not be a problem depending on whether or not you had any money stored on it before adding the credit from the fake card, whether or not you are using to the account to get free updates to software you have already purchased, and whether or not you care about having to setup a new account.

    You might also want to consider that if there is reasonable suspicion to suggest that numbers are being obtained through credit card fraud, do you want to be a part of that?

  17. Taobao’s search is notoriously wonky, but as of right now there are no longer any ITunes gift cards listed. Thanks a lot, foreign bloggers.

    I may or may not have purchased cards this way in the past, but if I did they probably worked.

    The stolen credit card angle is ridiculous, and is only being brought up as a way to shame people who would otherwise consider this a victimless crime by implying that this taobao itunes card thing is somehow hurting innocent people. For the vast majority of Americans, $200 is not a “small charge” — an unexpected $200 charge to their cards would certainly raise some red flags. And for the thieves, $2-3 of profit (2-3% of the value of the transaction) is way too small to even bother with. Stolen goods can generally be fenced for a much higher percentage of their value. The keygen story is much more likely.

    Since these cards are apparently no longer available, I can let everyone in on the scam I now wish I’d implemented when I had the chance:
    1) Write simple iphone app
    2) Sell in app store for $200
    3) Buy $200 gift card for 20RMB
    4) Buy own app and collect $197 (minus Apple’s fees)
    5) Repeat steps 3-4 as necessary

  18. oops, $2-3 is 1-1.5% of $200

  19. The keygen story is much more likely.

    I don’t see how. I don’t believe a company as controlling as Apple would not have a system in place that only allowed redemption of purchased certificates. If they are going to the trouble of doing this in retail, it’s trivial enough to do it for online purchases also.

    Regarding pricing, according to the article half a year ago the cards were selling for RMB 320. The price only dropped after increased competition.

    Stolen credit card numbers can be bought cheaply (Google tells me as low as $1 each). So Criminal A sets up a system to purchase gift certificates from Apple using stolen credit cards. He charges vendors for access to the system who initially are selling cards for RMB 320 each, making ~$40 profit each sale. As more vendors enter the market, competition drives prices closer and closer to the cost price until you get a situation where they are selling for $2.60 each. Even at that price though, they are still making over 100% profit for something that requires no effort, is completely electronic and gives them instant cash.

  20. Almost makes me feel “clean” about getting my music off rapidshare – at least I’m not using someone else’s stolen credit card.

    What’s the point in using a legitimate source like iTunes for illegitimate purposes? It’s not like P2P had disappeared or something.

  21. iTunes has more than music. It also has software for the Mac and iPhone that can only be purchased through iTunes and not downloaded elsewhere.

  22. imron, perhaps you should google “gift card fraud”.

  23. If it’s credit card fraud, presumably Apple is getting hit by huge numbers of chargebacks which would be costing them a fortune. Wouldn’t we expect them to have tightened up the requirements by now?

  24. Googled it, and of all the gift card fraud mentioned, nowhere is there anything like using a key generator.

    It’s mostly thieves going into stores, noting down the number, and then waiting for the cards to be activated and then using them before the real customer has a chance to do so. Again it might be possible that they have been doing this with the Apple cards (assuming neither the customer nor the clerk activating the card noticed that the protective layer had already been scratched off to reveal the activation number), but a method like this still has a margin of error and can’t guarantee that a card won’t have been used by the legitimate owner before being sold off cheaply on Taobao.

    Assuming Apple has a system that ensures only purchased cards can be redeemed (not really difficult to do technically, especially considering they control the entire system, from gift card generation to redemption), it doesn’t leave a lot of room for possibilities about where these cards are coming from, and even if it’s not from credit card fraud, it will still be redeeming a card that someone else has purchased.

    Now here’s a google search for you: iTunes gift card scam.

  25. I’ve done a bit of googling and found other, similar discussions – the conclusion that it must be CC fraud, then objections (why only iTunes, not Amazon or other popular retailers? How can there be so much volume?). Something dodgy is happening, but only Apple can tell us what.

  26. The “Coming after you” only concerns me in terms of the legitimate stuff I’ve bought for my iPhone, I would imagine they could disable the account meaning that to ever sync again with a new account, everything on my phone would be wiped, not a huge deal, but probably about $50-$75 in legitimate apps lost. For music, as long as you had a DRM free version on your PC it could be reloaded.

  27. @coljac. It’s part of the cost of doing business. Say fraudulent credit card transactions account for 5% of all iTunes gift certificates. Absorbing the cost of the charge back is relatively small compared to the total amount of business they are doing. It will also be less than the amount of sales they would lose by introducing more restrictive measures before accepting “card not present” transactions.

  28. “why only iTunes, not Amazon or other popular retailers?”

    Because, much more likely that credit card fraud is the possibility that someone has hacked Apple’s gift card activation system. That, combined with the use of a key generator (or even a couple of boxes of stolen gift cards) explains the volume and why only ITunes has been affected.

  29. Is it really worth to pay even if you can actually download for free using Baidu?

Leave a Reply

Your email address will not be published. Required fields are marked *