
Hackers crack Apple's iTunes gift card algorithm - sahaj
http://www.appleinsider.com/articles/09/03/10/hackers_crack_apples_itunes_gift_card_algorithm.html
======
eli
Why does this need an algorithm at all? Why not make them all random numbers?
People have to connect to your server to redeem them anyway.

Sounds like sloppy design.

~~~
dkokelley
_Sounds like sloppy design._

Possibly. It looks like they've found a way to accurately 'guess' the codes
Apple has already generated and distributed to be sold. The only thing for
Apple to do now is recall the cards with the possibly compromised numbers and
re-issue new ones with a randomly generated number.

This reminds me of when Vista came out. Someone found a way to get legitimate
activation keys to activate their pirated copies, which meant that people
buying them off of the shelf couldn't activate because that key was already
used.

~~~
eli
Well, if they're actually random, that would be impossible beyond, perhaps,
brute forcing the validation server.

------
aneesh
Suppose you're running the team at Apple that works on the iTunes gift codes.
What do you do here to cut your losses?

Obviously change the algorithm used to generate the codes for a start. And
even though the codes themselves are indistinguishable from real codes, you
can probably detect patterns in their use (ie, someone from a town in China
who's never had an iTunes account before suddenly buys $100 of music) and
prevent a subset those codes from being redeemed (with some very small amount
of false positives).

What else would you do?

~~~
huhtenberg
It might've been not the _algorithm_ that got broken, but, say, a private
(RSA) signing key was recovered. It all really depends on how exactly the
whole thing is designed.

------
zyb09
I'm really surprised they don't store all sold gift keys in some kind of
database and rely solely on an algorithm.

~~~
anamax
What do you think that Apple should do when it detects someone trying to
redeem a "bogus" gift key?

If they reject it, there's now a good chance that they've rejected a
redemption request by a legit customer.

~~~
zyb09
What? No, just store every key that you officially sell in an internal
database. Now if someone enters a key you check if it's in your DB, therefore
if the key has been legitimately issued. Everything else gets rejected and
your now 100% counterfeit safe, unless someone hacks your database, which is
unlikely. Don't wanna pick on apple, but that's pretty much how things like
that are done.

~~~
whughes
What's your definition of 'sell'? Should Best Buy report back to Apple
whenever a card is sold? Or are we just talking about shipping to retail?

There's also probably a chance of collision, considering the volume of iTunes
certificates Apple probably sells.

~~~
zyb09
Well, in case of retail cards the keys are registered before shipping. You
give the manufacture a set of registered keys, which are then printed on the
cards. If done right you won't have any issues - that's exactly what people
are doing with CD-Keys or Prepaid-Cards. However, if you mess up (can't always
avoid mistakes) and have shipped invalid keys or may be the key-printer didn't
work right, you have the customer send you the certificate card and you can
refund him.

It's by far the better system than using just a algorithm-based genuine check,
especially for things that directly translate into money, like gift
certificates.

------
rscott
I saw this story earlier today and I must say I'm still very skeptical about
the truth behind it. I don't really buy it, sorry.

~~~
modoc
What don't you buy?

Many serial number protected commercial applications have had their algorithms
for validating a SN cracked and Key Generators spit out any number of valid
serials for them.

Why would they use an fixed algorithm like that instead of using a good random
generator and maintaining a database of valid codes? Perhaps they want the
redemption side to not be reliant upon a backend code lookup and validation
system (due to uptime, performance, etc...). Perhaps they thought no one would
break it, and that would save them from having to build a high availability,
low latency, high throughput, lookup system with some amazingly large database
tables.

~~~
rscott
I don't buy it because I don't think that these iTunes gift cards are
activated until you purchase them.

------
mhb
Is it possible that Apple might not mind so much if this encourages people to
buy more iPods at the expense of music sales? Depends on the relative margins,
I guess.

~~~
mlinsey
A $200 gift card going for the equivalent of $2.60 (and zero of that 2.60
going to Apple)? I would expect that right there is higher than the profit
margin of an iPod.

~~~
lukifer
Since Apple has to turn around and pay 70% of that $200 to the copyright
holders of the purchased content, I'm sure they stand to lose quite a lot more
than they could possibly gain.

------
fatbat
I am more curious as to how the hacker even start on cracking the algorithm.

Do you suppose the hacker spent alot of $$$ on the real gift cards in the
first place then go from there?

