Users on Weibo, the Chinese microblogging site, had a common story to tell: without their knowledge, their Apple IDs had been used to buy content from the App Store. Unverified reports indicate that many of them have reported losses of hundreds or thousands of yuan.
One of the first users to report the issue was a man from Liaoning province. The user told Chinese finance portal NBD (每日经济) that hackers used the bank card linked to his Wechat account to transfer money to his Apple ID and later used that money to top up credit for some online video games. The man claims to have lost CNY 6,083.
Similar stories started circulating across China last week.
“We have created a QQ (one of Tencent’s chat apps) group for the victims and it already has 100 members. We will create more groups. The number is rising by the day,” the alleged victim from Liaoning told NBD.
On October 10, Alipay, Alibaba’s online payment platform, issued an official statement reminding users of security measures and ways to monitor if their accounts have been hacked.
When applying for a refund from Apple, some users were luckier than others. For instance, one Mr Zhang from Anhui province told state media outlet Voice of China that he got in touch with Apple shortly after realising he had been hacked and had lost CNY 3,000. After the customer service agent told him to cancel the password-less payment, Zhang claims to have received a refund.
Xiao Li, a student in Shaanxi province who claimed to have lost CNY 1,600, was initially told his request was being processed, but was later informed that he would only get a partial refund of CNY 952.
Video-game-related purchases are a constant among the victims. Many of them explain on the QQ group that they have never purchased anything similar before, and some even claim that someone used a different iPhone to log in to their accounts and complete the purchase.
According to the report by NBD, many users in the victims’ QQ group were sharing a file explaining how to claim a refund from Apple effectively. The file includes guidelines on explaining to Apple why it, rather than Alipay, Wechat Pay or their banks, is the party that should refund them.
The App Store in China accepts a number of payment methods, including Alipay, Wechat Pay, bank cards and others. Among them, Alipay offers a password-less payment option which, under certain conditions and below a certain amount, allows users to pay without entering any password or code.
However, NBD reports that Alipay’s user agreement, for security reasons, does not state the daily limit explicitly, because different users are assigned different limits.
Li Tiejun, a security expert from Cheetah Mobile, a NASDAQ-listed Chinese Internet company, told NBD, “In order for an account to be hacked, it has to fulfil two conditions: the user has not set two-factor authentication for Apple ID (one of Apple’s security layers) and the user has signed some kind of password-less payment agreement on Alipay, Wechat or other platforms”.
According to Li, if those two conditions are fulfilled, it will be difficult for the user to get a refund from Apple. “Although password-less payment is very convenient, it has risks after the acceptance of the users’ agreement,” Li says. One of the risks of such payments is that password-less payment still works even when the account is logged in from another iPhone, which makes it easy for hackers to steal money, the expert stated.