A large number of Apple users have been hit! Phones instantly become someone else’s “ATM”

“My Apple ID was stolen, and 4140 yuan was charged in just one minute!”

Recently, users of Xiaohongshu, TikTok and other platforms have been posting about their experience of being defrauded. A group that one victim set up for the matter gained more than 200 members within a few days of its creation, and the victims’ losses range from hundreds to tens of thousands of yuan.

A large number of Apple users have been hit

A person close to the China Consumers Association revealed to reporters that Apple’s customer complaint volume has been relatively high recently.

This is not the first time Apple ID theft has occurred; a similar wave of cases was concentrated as early as 2018.

Nowadays, scammers are more sophisticated than before: instead of clichéd phishing links, they disguise themselves as sellers on e-commerce platforms to lure consumers into carefully designed scams. Many people only realize that money has been taken several times after receiving a deduction notification.

As the fraud techniques continue to escalate, how can Apple users protect their IDs and prevent their phones from becoming someone else’s “cash machine”?

Fraudulent charges strike like a “ghost”: buying a “card” on a platform, and the Apple ID is stolen

“The ‘secondary card’ I found on Xianyu was much cheaper, and I felt like I’d picked up a treasure.” During this year’s National Day and Mid-Autumn Festival holiday, Feng Ping (pseudonym) clicked on the link sent by the seller and never expected to lose money.

During the conversation, the seller first confirmed that Feng Ping was using an Apple phone, and then asked him to provide an ID and password under the pretext that “an Apple account needs to be bound for activation”. He hesitated for a moment and asked, “Why do you need a password?” The other party said, “Apple devices are all like this.” Feng Ping thought that facial recognition would still be needed when paying for goods, and that “there shouldn’t be too much risk”, so he sent the relevant information over.

The seller then sent another message: “We need a verification code to complete the login. Please check your SMS.” Feng Ping recalled that, in total, he sent the device code or verification code to the other party twice.

Unexpectedly, his phone then popped up multiple Alipay deduction notifications: three payments of 648 yuan, 1944 yuan in total, made to purchase a platform’s “member currency”.

“I was fooled at once, but I didn’t make those purchases myself.” Feng Ping said that he was so flustered that he quickly turned off Alipay’s password-free payment function and called the merchant’s phone number disclosed by the Xianyu platform. The other party admitted to being the seller, but hung up as soon as they heard the word “theft” and subsequently lost contact.

Another netizen, Fang Fang (pseudonym), told reporters that she lost over 4500 yuan to fraudulent charges after buying a Sam’s Club membership card, and that her victim group had over 200 people in just a few days. “Many people are still in other groups, and the number of victims may be in the thousands.” In her opinion, “this is caused by a ‘vulnerability’ in the Apple system. When the money was deducted, I was not asked to enter a password or perform facial recognition; it was deducted automatically and not operated by me.”

A person close to the China Consumers Association revealed to reporters that there has been a high volume of customer complaints related to Apple recently. The reporter noticed that as of October 29th, the Black Cat Complaints Platform has received over 3700 complaints about Apple ID theft and fraud.

The reporter learned that most of the affected Apple users were induced to provide their Apple ID and password while communicating with sellers on platforms such as Xianyu, TikTok and Xiaohongshu, because they had bought low-cost goods or services such as a Sam’s Club membership trial card, a fitness card, a “clip” membership or a QQ Music membership.

Specifically, scammers usually ask for verification codes under the pretext of “login verification”, and may then induce users to click on unknown links. Taking advantage of the fact that Apple’s text messages do not explain in detail what the verification code is for, they quietly turn off the user’s facial-verification setting and enable password-free payment, thereby bypassing Apple’s “dual” protection and running multiple fraudulent transactions. Although many users had not bound a bank card directly, they were still charged because the Apple ID was linked to Alipay or WeChat.

Thieves bypass “dual” protection: “Trojan links” evolve into “e-commerce disguises”

It is worth noting that this is not the first time Apple IDs have been stolen on a large scale; it also happened in 2018. At that time, Apple stated that its investigation had found that a small number of users who had not enabled two-factor authentication had fallen for phishing scams, and strongly recommended that all users enable two-factor authentication.

With the recent resurgence of these incidents, the scammers’ techniques have escalated.

“Unlike 2018, this scam is more covert,” Yin Zhentao, Vice President of the Institute of Financial and Economic Strategy at the Chinese Academy of Social Sciences, pointed out to the reporter. “In the past, most scams involved ordinary links implanted with trojans, but now fraudsters rely on transaction scenarios to gain trust as ‘merchants’ and lower consumer vigilance. There are merchants and social networks... the scammers’ external links are even more abundant.”

Seven years on, why hasn’t the fraudulent-charging problem been stopped?

Yin Zhentao has participated in the interpretation of China’s payment policies many times. He told reporters that the essence lies in the security settings of Apple’s password-free payment. Behind Apple Pay, many people use third-party payment tools instead of bank cards. These payment tools are in turn linked to our bank accounts through password-free payment authorization, and the chain is complex. However, the risk is concentrated at the front end, that is, the security authentication step of Apple Pay.

Several netizens who experienced the fraud say that because Apple does not clearly explain the specific purpose of the “verification code”, they leaked the information without realizing it.

From October 13th to October 28th, the reporter contacted Apple several times but received no response. The reporter also called Apple customer service as a consumer; the representative admitted that there had been multiple complaints of theft recently, and pointed out that sending Apple IDs and passwords to others is the core reason users suffer theft. The Apple account password is the sole core identity credential. To simplify membership subscriptions, app purchases and other operations, the system supports a password-free payment function, but this function must be verified before it takes effect.

The above-mentioned Apple customer service representative further stated that “(unknown phishing) links often disguise themselves as ‘account verification’ and ‘rights collection’ pages, inducing users to enter account passwords and click on authorization, thereby stealing permissions”. They emphasized that Apple will not send authorization login requests in the form of individual text messages: the verification information for two-factor authentication is pushed through the system notification of trusted devices, or verification codes are sent in synchronized notifications, and the confirmation operation must be completed on the device side.

The China Consumers Association has emphasized that even with the activation of password free payment, operators should still fulfill their obligation to prompt consumers for each transaction. Payment and deduction transactions can only be made after consumers confirm, and password free payment should only be limited to exempting consumers from entering passwords.

Yin Zhentao pointed out that most domestic platforms will promptly remind users of abnormal logins, force secondary verification or even temporarily lock their accounts, while Apple is somewhat “out of place” in terms of risk identification and intervention mechanisms. Apple leaves security to users to choose for themselves, leaning more towards the former between “experience” and “security”. “The ‘shield’ of protection is not strong enough, so the ‘spear’ of attack can take advantage of it.”

The reporter contacted a scammer whose details were provided by an interviewee and was told that an Apple ID was required.

On October 23rd, the reporter called the China Consumers Association as a consumer, and the relevant staff stated that they have paid attention to the recent incidents of fraud. As a payment party and related service provider, Apple should fulfill its obligation to ensure user security.

As the methods of theft and fraudulent charging continue to escalate, who will bear the cost of Apple users’ losses?

The China Consumers Association has stated that in cases of account fraud where it cannot be proven that the user is at fault, the operator and third-party payment companies are responsible for compensation.

But the reality is that victims face difficulties in safeguarding their rights. If there are multiple platforms and enterprises involved, who should bear the main responsibility?

In response, Yang Yi, a partner at Beijing Zhongwen Law Firm, stated that if businesses cause losses to users through illegal or false links, they should bear civil liability for compensation. If, in the process, there is an intent of illegal possession, it may constitute suspected fraud or theft, and they may bear major responsibility for the incident. But consumers who are easily misled and voluntarily provide their Apple ID, password and verification code also fail to fulfill their reasonable duty of care and bear some negligence.

Yang Yi stated that merely recommending users to enable two-factor authentication to prevent risks cannot be regarded as fulfilling Apple’s security obligations. Apple can also take more measures to ensure the safety of customers’ property.

So, how can Apple users make their devices more secure?

Apple’s customer service emphasized to reporters that users must never disclose their account password to anyone, and that Apple staff will never ask for a password in any form. If any abnormal login or unknown purchase is later found on the account, it is recommended to change the account password and reset two-factor authentication as soon as possible, and to take screenshots to save the abnormal transaction records. Immediately initiate an appeal through the relevant refund path and contact Apple customer service to explain the situation. If the amount involved is large or the transactions are frequent, it is also necessary to submit report materials to the police for multi-party collaboration and tracing.

The reporter noticed that there are many posts in the community on Apple’s official website about ID theft and hoping to recover the losses.

Can stolen funds still be recovered? The above customer service representative stated that there have been successful refund cases of ID theft and fraud, and that the key is to provide evidence in a timely manner and initiate processing. The stolen funds do not stay in the Apple account; scammers usually profit by “reselling rights”. For example, they give the stolen memberships to other consumers, charge the cash price difference, and complete the transfer of funds.

How to establish a secure closed loop when convenient functions become backdoors for hacking?

It should be noted that most users who suffered password-free payment fraud fell into the trap on e-commerce platforms. Faced with upgraded fraud methods, how should platforms build a strong line of defense? As of press time, Xianyu had not responded.

“Users need to be alert to abnormally low-priced goods such as supermarket trial cards, and must not click on suspicious links at will.” The relevant person in charge of TikTok E-commerce told the reporter that the platform is continuing to control fraud, upgrade its risk-control models, strengthen the review of goods entering the platform, intercept illegal information in the “Flying Pigeon” customer service scenario, and actively pop up windows to remind users of transaction risks.

Xiaohongshu also told reporters that the platform has been cracking down on fraudulent activities for a long time. Users can report violations on the platform, and the platform will verify and handle them as soon as possible.

When it comes to measures to enhance payment security in the industry, Yang Yi suggests mandatory measures such as prohibiting password-free payment for in-app purchases. Clarifying the division of responsibility, compensation ratios and the path for seeking redress after theft and fraud will be more conducive to users safeguarding their own rights and interests. She pointed out that Apple should establish a real-time monitoring and blocking mechanism for abnormal logins, frequent purchases and cross-regional transactions, and may consider mandatory secondary verification where necessary.
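The monitoring Yang Yi describes, applied to the sequence the article lays out earlier (a login from an unfamiliar device, the facial-verification setting switched off and password-free payment switched on, then a burst of charges), can be sketched as a small rule-based check over an account’s event stream. The following is an added illustration written for this page; it is not Apple’s or any platform’s code, and the event fields, setting names, region codes, thresholds and the sample event stream are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# All thresholds below are constructed assumptions for the illustration,
# not figures from Apple or any payment platform.
PURCHASE_WINDOW_S = 60          # window for "frequent purchases"
PURCHASE_BURST = 3              # purchases within the window that count as a burst
SETTING_CHANGE_WINDOW_S = 600   # setting change this soon after a suspicious login is alarming
# Settings whose change removes a purchase check (hypothetical labels).
SENSITIVE_SETTINGS = {"purchase_face_id_off", "passwordless_payment_on"}


@dataclass
class Event:
    ts: int            # seconds since an arbitrary epoch (constructed)
    kind: str          # "login", "setting_change" or "purchase"
    device: str        # device identifier as seen by the account service
    region: str        # coarse region of the device/IP
    detail: str = ""   # setting name for setting_change, SKU for purchase
    amount: float = 0  # charge in yuan for purchase events


def assess(events: List[Event], known_devices: Set[str], home_region: str) -> Tuple[str, List[str]]:
    """Replay an account's events in time order and return (decision, reasons).

    Rules, from the defender's side of the sequence described in the article:
      1. a login from an unrecognised device or region is noted;
      2. a sensitive payment setting changed soon after such a login is severe;
      3. a purchase outside the home region is noted;
      4. PURCHASE_BURST purchases inside PURCHASE_WINDOW_S is severe.
    """
    reasons: List[str] = []
    suspicious_login: Optional[Event] = None
    purchases: List[Event] = []
    burst_flagged = False
    region_flagged = False

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            if e.device not in known_devices or e.region != home_region:
                suspicious_login = e
                reasons.append("login from unrecognised device or region")
        elif e.kind == "setting_change":
            if (e.detail in SENSITIVE_SETTINGS and suspicious_login is not None
                    and e.ts - suspicious_login.ts <= SETTING_CHANGE_WINDOW_S):
                reasons.append(f"sensitive setting '{e.detail}' changed "
                               f"{e.ts - suspicious_login.ts}s after suspicious login")
        elif e.kind == "purchase":
            purchases.append(e)
            if e.region != home_region and not region_flagged:
                region_flagged = True
                reasons.append("purchase from outside home region")
            window = [p for p in purchases if e.ts - p.ts <= PURCHASE_WINDOW_S]
            if len(window) >= PURCHASE_BURST and not burst_flagged:
                burst_flagged = True
                total = sum(p.amount for p in window)
                reasons.append(f"{len(window)} purchases totalling {total:.0f} yuan "
                               f"within {PURCHASE_WINDOW_S}s")

    severe = burst_flagged or any(r.startswith("sensitive setting") for r in reasons)
    if severe:
        decision = "hold_and_require_step_up"   # hold the charge, force re-verification
    elif reasons:
        decision = "notify_user"                 # warn, but let the purchase proceed
    else:
        decision = "allow"
    return decision, reasons


def demo_takeover_sequence() -> Tuple[str, List[str]]:
    """Constructed event stream mirroring the pattern reported in the article."""
    events = [
        Event(0, "login", "iphone-home", "CN-SH"),
        Event(1000, "login", "unknown-web-client", "CN-GD"),
        Event(1030, "setting_change", "unknown-web-client", "CN-GD", "purchase_face_id_off"),
        Event(1040, "setting_change", "unknown-web-client", "CN-GD", "passwordless_payment_on"),
        Event(1050, "purchase", "unknown-web-client", "CN-GD", "member-currency", 648),
        Event(1070, "purchase", "unknown-web-client", "CN-GD", "member-currency", 648),
        Event(1100, "purchase", "unknown-web-client", "CN-GD", "member-currency", 648),
    ]
    return assess(events, known_devices={"iphone-home"}, home_region="CN-SH")


def demo_benign_sequence() -> Tuple[str, List[str]]:
    """Constructed ordinary day: known device, home region, one purchase."""
    events = [
        Event(0, "login", "iphone-home", "CN-SH"),
        Event(500, "purchase", "iphone-home", "CN-SH", "music-subscription", 15),
    ]
    return assess(events, known_devices={"iphone-home"}, home_region="CN-SH")


if __name__ == "__main__":
    for label, fn in (("takeover", demo_takeover_sequence), ("benign", demo_benign_sequence)):
        decision, reasons = fn()
        print(f"{label}: {decision}")
        for r in reasons:
            print("   -", r)
```

Running the script prints the takeover stream as held pending step-up verification, with five reasons ending in the 1944-yuan burst, while the benign stream is allowed with no reasons. The point of the design is that the individual signals (a new device, one setting change, one purchase) are weak on their own, and only their order and timing, which the attacker cannot avoid producing, make the sequence stand out.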

Yin Zhentao believes that the lack of unified security standards for password-free payments, inconsistent implementation by enterprises, and unclear responsibilities of the parties in the payment chain have left victims struggling to seek accountability. He suggested establishing a unified industry standard to regulate and guide domestic and foreign enterprises to follow it together. Foreign enterprises should be treated equally with Chinese enterprises; at the same time, they should also adapt to local needs. The trust of domestic users is built on strict protection by enterprises. “(Apple) should be in line with domestic standards and cannot use looser global standards. It needs to match China’s payment security level and user habits.”

Yin Zhentao reminds Apple users not to click on links that ask them to fill in their Apple ID and password; to proactively set limits on, or disable, non-essential password-free payments; and to regularly check account login records and purchase details, freezing the account immediately and reporting to the police if anything abnormal is found.

Jia Yuqian, a lawyer from the Shanghai branch of Beijing Long’an Law Firm, emphasized that security should not rely solely on user vigilance, but also require proactive risk interception at the technical level, high-intensity risk warnings, and rapid and effective remedial mechanisms. If regulatory authorities can establish unified rules to cover existing loopholes and achieve rapid response and disposal in the event of damage, it will provide consumers with stronger protection.
