Massachusetts Attorney General Martha Coakley announced Tuesday that her office will be investigating Apple Computers to determine if they are in compliance with her state’s data breach notification laws.
Coakley spoke at a business luncheon at Massachusetts’ Advanced Cyber Security Center (ACSC), where she was reaching out to business leaders to assure them that compliance with the regulations would not be burdensome if they simply complied with the notification requirements.
Coakley herself was a victim of identity theft recently and her stolen credit card details were used to successfully make fraudulent iTunes purchases.
Has Apple’s luck run out in denying there might be an issue with iTunes security?
Perhaps Coakley should contact Apple’s friends at the San Francisco Police Department to help track down the thieves?
It will be interesting to see the results of the investigation, but I think Coakley is barking up the wrong tree.
While there are many creative criminals trying to leverage iTunes to launder their money and steal content, none have been the result of a data breach at Apple (to my knowledge).
Does Apple have some responsibility in all of this? Sure. They have not put in technical measures to better secure iTunes accounts or purchases made from iOS devices.
Many users choose poor passwords for iTunes and the App Store because they must enter this password from their mobile device. Entering a complex 20-character passphrase with punctuation isn’t something most of us choose to do from our phones.
The other common problem is password re-use. Many friends of mine have had their iTunes accounts compromised after other major data loss events at other organizations.
Attackers will frequently use purloined emails and passwords to attempt authentication at Facebook, Twitter, Gmail and iTunes. If you aren’t using unique passwords for sensitive accounts you may have your account used for a scam as well.
While it might be a pain to have a secure password for your iTunes purchases, it’s your credit card and reputation that’s at risk. Choose a passphrase wisely.
If the Attorney General’s office finds Apple in breach of the Massachusetts law, it could have far-reaching implications for businesses with customers in the state. Follow Naked Security for further developments to this story.
So if her stolen credit card data was used at Amazon or Walmart, she'd be going after them? Why is it politicians don't give a flying rat's butt about this stuff until they're a victim?
The article suggests that Apple should implement a policy requiring user passwords that meet certain minimum standards…by which I mean something with more requirements than "password should contain four to eight characters".
I completely agree. It's definitely possible. Many websites require passwords with both uppercase and lowercase characters, both alphabetical and numeric characters, and some non-alphanumeric characters. If your password doesn't meet the requirements, you can't create an account.
Apple doesn't do that. I don't recall their ever having had a security breach, but if they do, it's likely that many users will suffer the consequences of Apple's own antiquated password standards. All the more reason for users to NOT rely on Apple (or any other company) to implement better policies, but Apple is missing an opportunity to set an example by doing something that's good for its customers. Ultimately it will be good for the company.
May I suggest that more users check out their password strength using the free facility over at GRC:
https://www.grc.com/haystack.htm
I've found it invaluable in using mobile devices, especially being able to get my wife's iPod hooked up to our LAN. The previous password might have been strong due to the number of dictionaries used and length, but after referencing "Password Haystacks" I've managed to trim the passwords for everything to smaller, easier-to-use passwords that are relatively easy to input from a variety of mobile devices while retaining their overall strength.