Surging News reporter Zhou Ling
Recently, many iPhone users have reported that their Apple IDs were stolen. Hackers used the Apple ID's password-free payment function to purchase game currency and other virtual products, causing the users losses ranging from hundreds to thousands of dollars, and even tens of thousands of dollars.
A security technology expert told Peng Mei journalists that users have been hit by account theft and fraudulent charges ever since Apple introduced password-free payment, not just today. "There have been more reports recently, in August and September, and some people around me have been caught." The expert therefore recommends that users enable two-factor authentication as soon as possible to avoid subsequent attacks.
The so-called "password-free payment" ("secret-free payment") means that the payment method linked to an Apple account can be charged with no password, or with no password up to a certain amount. Hackers take advantage of this vulnerability and cash out by purchasing virtual products online. More recently, most user reports have concerned fraudulent charges through Alipay and WeChat Pay. In fact, credit cards and debit cards also support password-free payment, and they too are at risk of fraudulent charges.
CCTV Finance reported that the number of fraudulent-charge cases counted so far is expected to exceed 700. Apple has not responded systematically to the attack, and under Apple customer service's current handling not all users are refunded.
You Yunting, senior partner of Shanghai Dabang Law Firm, said in an interview with Peng Mei journalists that the incident of Apple users' accounts being stolen and charged fraudulently is complicated, and it is difficult to judge who is responsible.
"Password-free" payment questioned
At present, Apple has opened this up for third-party payment users, adding password-free payment security verification and SMS verification for the Alipay and WeChat clients.
According to the CCTV Finance report, the reporter found in Apple's mobile payment information that the interface for the Alipay payment function showed an agreement called the Alipay password-free charge authorization. After clicking on the agreement, the reporter found that it is signed between Alipay and the Apple user, and that it makes clear: "Alipay is just Unless Alipay fails to operate in accordance with the instructions of the specified third party, or the operation instruction is wrong, Alipay will not be responsible for the loss and liability arising from this service."
Reporters found in their Alipay account settings that the "password-free payment" function for the Apple App Store had already been signed up. In the "monthly security limit" setting, the reporter found that the quota was set by default to "unlimited" rather than to the "limited" option that is also offered.
According to the above report, "password-free payment" must be agreed to and the amount defaults to "unlimited"; such a setting increases the potential security risk to users. Yet when Apple users suffered fraudulent charges this time and complained to Apple to defend their rights and interests, they found that the default agreement did not set out Apple's due responsibilities and obligations.
Some legal experts pointed out that the compulsory "password-free payment" function is not covered by an agreement signed directly with the ordinary user. Such a practice not only infringes the consumer's right to know and right to choose freely, but also makes it difficult for users to defend their rights.
Technical expert: credential stuffing is easy for hackers; users are advised to enable two-factor authentication
So why has the recent theft been so rampant, and why do hackers succeed so easily?
"The users whose accounts were stolen were not using two-factor authentication. Vendors are gradually guiding users to turn on two-factor authentication. In our security circle, a system account password on its own is no good; you need an SMS verification code or a dynamic password generator to ensure security," the technical expert said. In recent years, the expert added, database leaks have occurred frequently and many users' information has been leaked, which has become a source of data for hackers' credential stuffing.
"In that small circle, some people specialize in collating this data for profit. Some users log in to different accounts with the same password. Once your password is leaked, hackers take it for credential stuffing and try it on your Apple account; it is easy to succeed, and once they succeed they make fraudulent charges." The expert recommends that users enable two-factor authentication right away.
In addition to Apple, other mobile phone companies also support "password-free payment", but they have seen fewer cases of fraudulent charges.
The technology expert said that fewer users pay through other phone brands' own payment services, and more users pay directly through third parties such as Alipay and WeChat, so fraudulent charges are less common there.
iPhone users can open the "Apple Store" app, log in with their Apple ID, open the "Security" section, and enter the two-factor authentication settings. If you are still not at ease, reduce the amount allowed for password-free payment, or even select "No" in the "Payment Information" column.
Apple customer service gives three solutions.
iPhone users who have been hit by fraudulent charges contact Apple customer service to apply for a refund, and it is ultimately up to Apple to decide whether to give the user a refund.
Judging from user feedback, Apple's customer service process ends in one of three outcomes. Some users received a full refund of the stolen money; some received a partial refund, with some charges not approved; and some, unfortunately, did not get a penny from Apple.
Peng Mei journalists understand that, in reviewing these cases, Apple has a set of technical mechanisms to identify whether the user was a victim of fraudulent charges, and ultimately gives a conclusion on whether to pay. Some Apple customer service staff also said when calling users back that they do not know the reasons themselves and only pass on the conclusion of the company's internal process.
Apple China has previously said it will actively communicate with others, but so far Apple China has not given an official resolution.
Alipay has previously stated that it detected the theft of some Apple users' IDs, which caused financial losses on the payment tools bound to those IDs. Alipay said that it has repeatedly contacted Apple and urged it to locate the cause as soon as possible, raise its level of security, and thoroughly resolve the harm to users' rights and interests. Apple replied that it is actively working on a resolution.
The security expert quoted above also pointed out that Apple should make more technical adjustments to address user accounts being stolen and charged fraudulently.
Whose fault? Who is responsible for it?
You Yunting, senior partner of Shanghai Dabang Law Firm, said in an interview with Peng Mei journalists that it is difficult to determine who is responsible for the theft of Apple users' accounts and the fraudulent charges.
"One possibility for losses on this scale is that Apple has a vulnerability that caused users' passwords to be lost; another possibility is that the user lost his username and password on other websites, or because of a vulnerability in his own system, and hackers then used credential stuffing to apply the username and password elsewhere, resulting in the leak," You Yunting said. The basic facts are therefore difficult to determine, so the question of civil compensation is also difficult to resolve.
It is understood that, by the business logic of hacker circles, anyone who finds a vulnerability in a large company could simply sell the vulnerability for money, since a single vulnerability can be priced at millions of dollars, and would not choose the time-consuming route of stealing user accounts to cash out.
There were also reports that user accounts could have been stolen by Apple insiders.
But the security expert quoted above said there is no evidence of insider involvement, so that is unlikely; credential stuffing is the more likely explanation.
You Yunting said that, from a legal point of view, such a case is a criminal offence. In theory, the hacker should first be arrested and the way the passwords were stolen determined; only then can it be determined whether the responsibility lies with Apple, with users, or with a third-party website, and who should compensate.
"I suggest Apple report it, because it is the users' loss, not Apple's loss, and it is hard for a single user to meet the case-filing standard. It is still only possible if users collectively report the case to the local public security authorities," You Yunting said.