Apple Fiddles While App Store Burns: $1M Bitcoin Scam FAIL

Phillipe Christodoulou got ripped off to the tune of more than a million dollars. An iPhone app stole 17.1 bitcoins from his Trezor hardware wallet.

How’s that possible? Apple curates its App Store, to ban malware, right? Wrong: If an app developer submits a benign app initially, it can later replace that app with a malicious update, admits Apple.

Are you serious? Deadly. In today’s SB Blogwatch, we learn valuable lessons.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Owen Magnetic.

Tim’s Security Halo Slips

What’s the craic? Read Reed Albergotti’s report—“A fake app stole his life savings in bitcoin”:

Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed. … “They betrayed the trust that I had in them. … Apple doesn’t deserve to get away with this.”

Apple says it curates the store and checks each app, which creates high levels of consumer trust. … Apple touts user safety as its defense against accusations from lawmakers, regulators and competitors that the company uses its monopoly over app distribution on iPhones anti-competitively.

[But] the ability of apps to morph into something else entirely after they are approved by the App Store raises questions about the effectiveness of Apple’s review process to stop scammers. … The fake Trezor app got through the app store through a bait-and-switch, according to Apple. … Apple does not allow these sorts of changes, but Apple says it does not know when they occur. It relies on users and customers to report it when it happens, the company said.

Christodoulou says he’s taking medication and seeing a psychiatrist. “It broke me. I’m still not recovered from it.” … He still hasn’t heard from Apple.

And Paul Lilly puns it up—“Scammer Bitcoin App Scales Apple Walled Garden”:

It’s an unfortunate situation that both serves as a cautionary cryptocurrency tale, and highlights a need for better vetting of mobile apps. [But] there are nearly 2 million apps in the App Store, and new ones are being added all the time … so malicious apps sneak through, some of which [are] designed to trick users into forking over their cryptocurrency.

Trezor does not actually have an app. Christodoulou’s big mistake was assuming it did. … The cold reality is, that part falls on Christodoulou. Anyone who has a significant amount of money invested in cryptocurrency should be ultra-cautious.

At the same time, the situation raises the question if Apple bears any responsibility. Apple vetted the app, after all, and deemed it legitimate. … Apple should have a better handle on that kind of thing. [And] Trezor says they have been telling Apple and Google for years about fake apps masquerading as one of its own, to scam people.

Darn straight. People assume Apple vets all the App Store apps because … errm because Apple tells people it vets all the App Store apps. sw1tcher relays this: [You’re fired—Ed.]

Wait. I thought the walled garden App Store was supposed to protect people from this, and that’s why we don’t have other app stores or allow people to download apps from websites.

It’s cryptocurrency, so of course he’s gonna get his imaginary “money” stolen. But OrangeTide foresees it happening in the real world, too:

That really sucks. And could happen to any of us if the app instead was faked to look like etrade/schwab/ameritrade/etc.

Except when I move an unusual sum out of my account, my broker calls me up. I say, yes I’m buying a house today and this is part of the down payment. … Sure I pay massively more in fees than someone using bitcoin. But … completely removing the human element is a level of convenience we probably don’t need.

No love lost for the loser from Pawn Trader, who wins the internet for their description of cryptocurrency fans:

At least this time they’re scamming the Dunning Krugerrand aficionados directly, instead of roping [in] innocent bystanders.

And so we start the inevitable fall down the victim-blaming rabbit hole. Here’s WiseAJ:

Apple has no control of a third party login system. The guy willingly gave up his login credentials without checking to make sure that company actually had a legit App Store app. His fault.

And couchslug waxes similar:

Effective curation of outside software is not possible because there will always be too many applications. … Convenience and greed always trump security.

If you put your life’s savings in one place and fail to diversify you’re, to put this as kindly as possible, ****ing stupid. There is no excuse to live a life of lazy ignorance because it has such painful consequences.

Meanwhile, “holy” graylshaped simply scoffs:

“I do not know you, nor do I have any way of finding you. Would you please hold my wallet?”

There apparently is a reason a third of Americans have no retirement savings. They lack the sense God gave a goose.

And Finally:

This hybrid car is more than 100 years old

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Ashkan Forouzani (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

