1) Apple enforces the walled garden, so without a jailbreak you have no option but to use their appstore.
2) People use the appstore and load up credit under the assumption that everything is safer under that system, because apple ensured everyone so.
3) People’s credit gets jacked and then the onus falls on them to:
a) notice their credit has been used without their authorisation
b) comprehensively prove to apple they didn’t download whatever content they have been charged for
4) When people return to the appstore to check their credit hasn’t been stolen they will possibly make an impulse purchase that they wouldn’t have otherwise made if they didn’t log on to check their credit.

This happened to me before the Gawker hack.

This isn’t an uninformed rant against jailbreaking. Do it if you want, but remember when you jailbreak, you are giving someone else’s code (Cydia and all the apps on it…) root privileges. That code can access anything on your device, including your Apple ID and any cookies associated with it. App Store apps definitely do not have that kind of access. Everything they do goes through iOS’s APIs, which allow things like in-app purchases without revealing account details.

Your iTunes password is never stored, and is never sent to Apple in the clear. When you log into your account at least two cookies get set on the device. One permits read-only access to your account for an indefinite period of time, allowing you to browse the store, download content, etc… The other permits purchases and changing account details for a small window (I think an hour, maybe?). That’s why you have to enter your password the first time you buy something, but then you don’t have to for a while.

It would be trivial for a rogue app installed thru Cydia, etc… to snatch those cookies and send them somewhere, at which point they could be used on any device to purchase from your account.

So you break into someone’s iTunes account, change their billing zip and add a stolen card. Then you buy a bunch of crap you put on the App Store, and Apple pays your cut. You’ve just used iTunes to launder money. But that isn’t what’s happening here… On the other hand, if you had credit on iTunes, wouldn’t that get used before any card gets charged? Maybe the credit being drained is just a side effect.

Simple fraud. Monitor a dozen stores in one small town and you have a few thousand quid, monitor a all the stores in all the towns on one motorway stretch and you have a shed load of cash over a few months. This also works with gift cards for other e-retailers/B+M stores too. Nearly every supermarket and card shop has at least one display with gift cards and apple/ebay/paypal/amazon gift cards openly available.

And if people complain too much, the stealFactor variable scales back.
It could be possible, after all, it’s a closed source platform.

Regardless, that particular argument that the credit card holder is merely inconvenienced whereas the store is the *real* victim really irks my chickens.

Oh, and F YOU AGAIN APPLE. Now I have to login to your crapstore to make sure you didn’t steal/lose my money.

It’s worse than it sounds.The game in question was something to do with poker – a game I’d never downloaded – not even by accident.  The credit was being drained via in-app purchases of this game, a game that not only have I not bought or downloaded but has also never been installed on any of my devices.

I use a unique password for iTunes and I’m not the kind of chap to fall for Phishing scams.  I am convinced that someone gained access to my account either via accessing my password directly from Apple (unlikely) or managed to download this app without knowing my password, or managed to brute-force mine and several other peoples accounts.

So 2 things here.  A game was able to make in-app purchases on my account via a game I hadn’t purchased and had never been installed.  And a totally secure, unique password wasn’t enough to prevent it. In short, if you don’t want this to happen, never buy iTunes Credit (for some reason it wasn’t able to use my stored card details).

I’d guess it’s more likely that it’s just people being slack with passwords, the gawker hack etc, even without getting an Itunes password, an email account password will likely grant you access to enough that you can get into Itunes.

I do know that Apple has a BIG problem if they can not solve this security issue and I wonder what other security issues will pop up in the future as their gear becomes more popular.