From what I have been able to research, the unauthorized Kingdom Conquest in-app purchases just keep on coming. It has been about a year now (based on what I was able to find) that this has been a known issue, with Apple giving refunds to customers. Given the amount of data, it is looking like a significant number of people have been impacted, myself included this week. The interesting part is that I am a security researcher, so I did a little bit of digging around on this one.
The first clue that this had happened was a nice e-mail from Apple stating:
Your Apple ID, firstname.lastname@example.org, was just used to make a purchase in -KingdomConquest- from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
The idea being that if they knew about it, they should have been able to stop the purchase until I authorized it. After duly changing my password upon seeing the 43-dollar bill that wiped out my iTunes account (thankfully nothing other than my prepaid card money was stolen), I did a little bit of digging around. Having learned that this has been going on for over a year, with some 500,000 data points in Google on this one, it is a bad thing to let a known security flaw that influences purchases continue for a year. This is what they bought from me.
The weird part was that they changed all my billing information. I consider this hacked data, not real, even though it points to a real person who really does live at the address. I did not try the phone number, but on a people search, this person really does live at this address, and the phone number is registered to the same address. That at least gives me something to work with.
The other surprising part was that the game remembered the user ID that was used to register the game in Apple Game Center and with Kingdom Conquest; I’ll be resetting my hacker’s information when I get a more reliable network to work with this afternoon.
Searching on the gamer tag takes me to a motorcycle enthusiast in Malaysia, telling me that some of the data is pretty well buried in the system, and that it will take Apple working with me to uncover just how deep this rabbit hole goes with regard to who the actual hacker is. I doubt it is both, but it looks sophisticated enough that maybe gold farming, reselling, or otherwise is going on with the game. At least I had it set in iTunes that anything that is downloaded is also downloaded to my local computer and iPad; it gives me something to play with, in the sense that I got a new game but I don’t know what to do with it.
The sad part is that this is so well known that, at 40 dollars a pop, even if 50,000 people are influenced this means millions of dollars in fraud. It is a well-known, well-documented, well-discussed problem, and I am surprised that Sega's Kingdom Conquest is still allowed on the iTunes network. Any source of fraud should be investigated. Having it go on for a year is not good information security, and while I do want my 43 dollars back, I’m also writing it off because it does not look like I will get the refund. Rather, what will end up happening is stopping all purchases through the Apple Store until I am certain that this kind of fraud will not continue, and that Apple/Sega and any other party are working diligently to restore faith in the iTunes store.
(Cross-posted @ Techwag)