How stolen Apple IDs allow hackers to steal money in Alipay and WeChat
WeChat Pay and Alipay have confirmed that the digital wallets of some iPhone users were stolen to buy games and other items from Apple’s App Store.
Chinese media say the breach affected at least 700 users in China, with some reporting losses of up to hundreds of US dollars. Victims say they’ve been receiving notifications at odd hours of the day, alerting them about transactions they don’t recognize.
Here’s how it happened.
In China, WeChat Pay and Alipay are included as payment options in Apple’s iTunes and App Store -- the same way that PayPal and credit cards are elsewhere in the world.
That means once you select WeChat Pay or Alipay as your default payment method, money will automatically be deducted for purchases made via Apple ID -- whether you’re buying music, movies or apps.
Both Chinese companies say hackers are making unauthorized purchases through stolen Apple IDs. It’s unclear how they managed to steal the IDs in the first place, but Alipay said it’s asked Apple “many times” to look into how the thefts occurred, and WeChat also says it has been in contact with Apple. Apple did not immediately respond to our request for comment.
So what can Apple users in China do to protect themselves?
First off, enabling Apple’s “two-factor authentication” is an effective way to help prevent Apple ID fraud. When you log in from a new device, it requires you to enter your Apple ID password, as well as a verification code that will automatically pop up on another device you’re already using. That means even if a hacker has your password, it’s unlikely they can use your Apple ID on any devices other than your own.
Meanwhile, Alipay issued an online notice on Weibo instructing users how to put a cap on the amount of money that can be transferred from Alipay to Apple. The limit can be set to as low as US$29 a month.
Apple has run into other problems in China lately. In July, it was slammed by Chinese state media after some Apple users were bombarded by spam on iMessage. Back then, the company said it reached out to telecom firms about the issue.
(Abacus is a unit of the South China Morning Post, which is owned by Alibaba -- an affiliate of Ant Financial, which operates Alipay.)