The Mac Security Blog

Apple

What Apps Are Acceptable on the App Store?

Posted on by

There’s some discussion this morning about a perplexing app that’s currently available for sale on the App Store for iPad and iPhone, which raises questions about how Apple decides which apps are acceptable. The app in question is called BIN Checker, and its intended purpose is to check the Bank Identification Numbers to determine if they’re valid. On the surface, this seems relatively harmless. Perhaps something that could be useful to small merchants who’re having problems with fraud. There are quite a few freely available sites on the Web that will offer this same ability, so how bad could this app really be?

BinCheck

There are a couple ways to look at this app, neither of which bode very well. The first possibility is that this app is simply a scam, charging users almost $11 for something that they could freely get online. The reviews for the app seem to point in this direction, as they all state that the database is woefully lacking.

The other way to view this has to do with the Track 1 Generator option. This has to do with the data in the magnetic stripes on the back of credit cards. That stripe is generally composed of three separate tracks, which adhere to different standards. The most commonly used are the first two, which have fairly similar information, including things like the account number and expiration date for the card. Track 1 has more detailed information than Track 2, including the card holders name. Credit card companies are increasingly trying to motivate vendors to use Track 1, so this is more valuable information than simply Track 2 data.

A Track 1 generator takes the data from Track 2 plus the card holder’s name and generates the code for Track 1. That’s where this gets mighty suspicious. If you were a merchant, you would have a credit card machine and it would require either one type of data or the other. You’re not going to need to generate the other track’s information. This capability is going to be useful primarily for people who’ve gotten hold of a dump of credit credit data, and are looking for ways to generate a more widely accepted and useful card for fraud.

Either way, I have to wonder how this crossed some Apple employee’s desk without getting sufficient scrutiny as to the purpose of the app. This seems pretty easily “over the line” of what constitutes an app that is not worth approving.