From what I have been able to research, the unauthorized Kingdom Conquest in-app purchases just keep on coming. It has been about a year now (based on what I was able to find) that this has been a known issue, with Apple giving refunds to customers. Given the amount of data, it is looking like a significant number of people have been impacted, myself included this week. The interesting part is that I am a security researcher, so I did a little bit of digging around on this one.
The first clue that this had happened was a nice e-mail from Apple stating:
Your Apple ID, rmorrill@e-mailaddress.com, was just used to make a purchase in -KingdomConquest- from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple
The idea being, if they knew about it, then they should have been able to stop the purchase until I authorized it. After duly changing my password after seeing the 43 dollar bill that wiped out my iTunes account (thankfully nothing other than my prepaid card money was stolen), I did a little bit of digging around. Learning that this has been going on for over a year, with some 500,000 data points in Google on this one, it is a bad thing to let a known security flaw that influences purchases continue for a year. This is what they bought from me.
The weird part was that they changed all my billing information. I consider this hacked data, not real, even though it points to a real person who really does live at the address. I did not try the phone number, but on a people search, this person really does live at this address. The phone number is registered to the same address. That at least gives me something to work with.
The other surprising part was that the game remembered the user ID that was used to register the game in Apple Game Center and with Kingdom Conquest; I’ll be resetting my hacker’s information when I get a more reliable network to work with this afternoon.
Searching on the gamer tag takes me to a motorcycle enthusiast in Malaysia, telling me that some of the data is pretty well buried in the system, and that it will take Apple working with me to uncover just how deep this rabbit hole goes in regards to who the actual hacker is. I doubt it is both, but it looks sophisticated enough that maybe gold farming, reselling, or otherwise is going on with the game. At least I had it set in iTunes that anything that is downloaded is also downloaded to my local computer and iPad; it gives me something to play with, in the sense that I got a new game but I don’t know what to do with it.
The sad part is that this is so well known that, at 40 dollars a pop, even if 50,000 people are influenced this means millions of dollars in fraud, a well-known, well-documented, well-discussed issue, and otherwise I am surprised Sega Kingdom Conquest is still allowed on the iTunes network. Any source of fraud should be investigated. Having it go on a year is not good information security, and while I do want my 43 dollars back, I’m also writing it off because it does not look like I will get the refund. Rather, what will end up happening is stopping all purchases through the Apple Store until I am certain that this kind of fraud will not continue, and that Apple/Sega and any other party is working diligently to restore faith in the iTunes store.

I was just hacked last night for this exact same thing. Fortunately I caught it quickly and reported the problem directly to PayPal so I’m hoping they can back me up and keep the money from actually being taken from my bank account. It’s so infuriating.
You should let Apple know as well; they were really responsive and totally took care of me on this one after a bit. Took some prodding with a sharp stick, but they know about it, and they are trying to make it right.
I’m the latest one, $27.55, disputing it now. Grrrrrr….
$25.99 charged to my PayPal account on 12/20. My billing information was not changed. I am a director of information systems for a major corporation and my iTunes password is what I would consider very secure. I changed it anyway. There is something more at play than just a simple password generator hack, something much deeper that Apple probably doesn’t understand themselves.
@Pwndmealso – very possible that there is something very deep in the Kingdom Conquest code that is allowing pass through charges like this. It is very possible that Apple does not understand this, because they have been giving refunds back to people, I got my 70 bucks back from them after three weeks.
I would love to dive into the code and the handshakes to see what is going on when an in game purchase is being made. But I doubt they will let me at it to check it out.
$25.99 taken from my bank account on the 19th because of this.
I don’t even own an iPod, iPhone, or iPad, and haven’t had any linked to my account.
Disputing and waiting. I actually needed that money to buy a Christmas present too.
6 days later and Apple has not refunded my money. They are claiming the transaction was never processed and Apple did not receive any funds. Is it possible that Apple did not receive any money even though my PayPal and bank account (linked to PayPal) show a withdrawal for $25.99? There is no credit pending on my iTunes or PayPal account. Here is Apple’s latest response to my dispute.
“I can confirm that the charges are in chargeback. It would be very easy for you to confirm this by logging into your account. If you continue to have questions about these charges I would contact Paypal as they are responsible for releasing these funds to you. iTunes currently is out of the equation.
If you would like me to refer you to Apple’s legal department then I can provide you with this. But, we are very certain that iTunes is secure as millions of customers can attest.
Again, any further questions concerning your monies must be forwarded to Paypal at this time. iTunes does not have the money for these purchases as has been explained to you multiple times. I will consider this matter closed as there is no further action that can be taken on your account.
Sincerely,
Trevor
iTunes/Mac App Store Support Senior Advisor http://www.apple.com/support/itunes/ww”
Just got hit this morning. Unfortunately it was at 4:00 AM while I was sleeping and when I finally noticed it and changed everything the total billed amount was up to $107.98. It is ridiculous that Apple knows about this (since May 2011) and has yet to remove the app.