Wednesday, August 25, 2010

iTunes breach: Much ado about nothing.

It's a big story. It was reported on TechCrunch that there's a flaw in iTunes that allows bad guys to go in and empty your bank account if you have PayPal selected as the payment method. One poor customer racked up $4700 worth of charges in a matter of hours. Other customers were reporting hundreds and thousands of dollars stolen. The story grew from there.

There was just one problem. It was wrong. The real culprit wasn't a flaw in iTunes or PayPal; it was a successful phishing attack that harvested people's usernames and passwords, allowing the hackers to access accounts and rack up charges as if they were the legitimate owners.

An overzealous reporter or editor at TechCrunch fails to adequately check a story, uses Twitter to verify that there's a problem, and runs with it. There was a real newsworthy story here, but it wasn't a flaw in iTunes; it was gullible users passing on their passwords.

Don't trust requests for identifying information in email. Don't trust anything in such an email, and whatever you do, don't give out your information just because the email looks pretty. You'll keep your account and your sanity intact.