MG Siegler, responding to this screed by Scott Hanselman:
Maybe I’m missing something here. Reading this over, Scott
Hanselman’s password was clearly hacked. He doesn’t seem to
think that’s the case because he’s cautious, but I’m going
to go with Occam’s Razor here.
Apple prompts you for your password when buying apps and when
doing in-app purchases. Someone would have had to both know your
Apple ID and enter that password, unless there’s some in-app
exploit, but he doesn’t seem to be suggesting that.
The problem may well be widespread, as Hanselman alleges, but I’m with Siegler: by all appearances, the problem is that Hanselman’s password was compromised. There is no evidence that criminals have found a way to compromise iTunes accounts without knowing/guessing the victim’s password.
In a comment, Matt Galligan adds:
Not only would they have had to know his email and password, but
also his credit card security code. Each new device that’s
authenticated that tries to purchase something is sent through a
credit card security code verification process.
In Hanselman’s case, though, he admits he was using PayPal, not a credit card. Perhaps it’s therefore safer to use a credit card instead of PayPal for iTunes Store payments?
★ Friday, 12 August 2011