Chinese hackers attack iTunes; selling $200 gift cards for $2.60

[toxin]

http://tech.yahoo.com/blogs/null/128263

[Tomoso]

I'm suprised Apple haven't even done anything about it. Must be some laws involved of which I'm ignorant but if I was them I'd count how many vouchers have been sold, introduce a new "safer" system, advertise that people can now exchange there old codes with new ones and stop the exchange once it reaches how ever many have been legit sold. Sure a lot of the fake codes will get through and a lot of the legit people will be disapointed, but thats life.
I can't think of a fair way to do it.

[xBleuWolfx]

We they say in the business, Oh Snap!

[simka]

And any of these work?
What if somebody buy's and uses (if it work) and then apple catches you?!

[Tomoso]

I don't think they can distinguish which codes are real or "fake".

[Scion]

The lesson for us is....

if your generating tokens or similar for storing player payments/donations then you should also keep a record of the tokens that you have sold. rather than just relying on a programatic check that the token is valid.

(I assume that they are recording the tokens that have been cashed in....to prevent double usage)

alternatives are to encode information about the source of the token into the token itself....(purchasers account or simililar)

[Tomoso]

I was thinking the same thing. Strange that they didn't think to do this in the first place, but then look at any kind of serial type security. Once the algorithm has been cracked many programs fall to this kind of abuse. Maybe the reason serials like these are not stored anywhere until they are used is because the cost to produce the product goes up. We all know companies like to keep production costs as low as possible, seems that shot there selves in the foot here though.