By John Gruber
Upgraded — Get a new MacBook every two years. From $36.06/month with AppleCare+ included.
MG Siegler, responding to this screed by Scott Hanselman:
Maybe I’m missing something here. Reading this over, Scott Hanselman’s password was clearly hacked. He doesn’t seem to think that’s the case because he’s cautious, but I’m going to go with Occam’s Razor here.
Apple prompts you for your password when buying apps and when doing in-app purchases. Someone would have had to both know your Apple ID and enter that password, unless there’s some in-app exploit, but he doesn’t seem to be suggesting that.
The problem may well be widespread, as Hanselman alleges, but I’m with Siegler: by all appearances, the problem is that Hanselman’s password was compromised. There is no evidence that criminals have found a way to compromise iTunes accounts without knowing/guessing the victim’s password.
In a comment, Matt Galligan adds:
Not only would the have had to know his email and password, but also his credit card security code. Each new device that’s authenticated that tries to purchase something is sent through a credit card security code verification process.
In Hanselman’s case, though, he admits he was using PayPal, not a credit card. Perhaps it’s therefore safer to use a credit card instead of PayPal for iTunes Store payments?
★ Friday, 12 August 2011