|Security hole in iTunes accounts linked to PayPal|
| 3:05 pm on Aug 23, 2010 (gmt 0)|
|At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.” |
| 4:56 pm on Aug 23, 2010 (gmt 0)|
A few months ago, someone in Europe stole my credit card number and "tested" it on iTunes. I don't have an account with them, thank the gods. I saw the charge coming through my bank account and tried contacting iTunes about it. Their canned response was that they could not help me because the account was not in my name and they had "no way to look up credit card numbers." Can you believe that? I said fine, I will do a chargeback and you can deal with it that way, Einsteins. They didn't give a damn.
iTunes appears not to care if fraud is racked up through their business because NOTHING they do will cause them to lose their capacity to accept credit cards. They are making too much money for it to matter. When my card was compromised, my bank told me that testing stolen cards on iTunes was incredibly common. iTunes is aware of this. How much they care: last time they had a massive fraud onslaught, Apple said it was "only" 400 accounts that were compromised.
| 5:58 pm on Aug 23, 2010 (gmt 0)|
|A few months ago, someone in Europe stole my credit card number and "tested" it on iTunes. |
I'm not sure if that's related to the story above, but fraudsters "testing" card numbers is not just an "iTunes" problem.
I've been working in ecommerce for 10+ years and fraudsters will "test" cards with 100's of different companies ranging from digital goods, online services (like RPG gaming sites) to sites selling physical products.
Some companies are definitely more responsive than others when trying to get the mess cleaned up.
| 6:09 pm on Aug 23, 2010 (gmt 0)|
If you google "itunes credit card fraud," you will see that this problem has been going on with iTunes since 2007. They have absolutely NO fraud prevention on their site at all. Any schmoe who uses authorize.net can get the software to hold or just cancel transactions where the billing info doesn't match, there's a mismatch of the ip address, or there are too many transactions going through in too short a time, but iTunes, even though they are oh-so-sophisticated, does not apparently have any access to such software. All you have to do is go and see what experiences many hundreds of people have had with this--and with iTunes' non-response. In my case, why did iTunes authorize a transaction where there was a mismatch on the billing address? Because they just don't give a damn, that's why. They have absolutely no fraud prevention in place whatsoever. They don't HAVE to have it. They know nothing will happen to them regardless.
I too have been working in ecommerce for ten plus years. I use a fraud detection suite. iTunes has yet to discover such a thing. Or rather, they know they don't need it.
| 7:41 pm on Aug 23, 2010 (gmt 0)|
Airline tickets are another test mode, but they've been clamping down on that. Had a friend who just had one of those the other day. Only it came from a computer tech shop that he used... He figured it out because they spelled his name wrong on the invoice, and the fraud charge came through a few days later with his name misspelled the same way. Store is right down the street from his house... Talk about having b**ls.
| 10:43 pm on Aug 23, 2010 (gmt 0)|
Hope your friend went to the cops about that. In Australia a whole bunch of 7/11s and petrol station card readers had their card readers modified (after bribing/coercing the attendants) with additional skimming circuitry that transmitted the data to someone sitting in a car outside.
| 8:13 am on Aug 24, 2010 (gmt 0)|
According to some this is the old PEBKAC issue... ;)
|The Real iTunes Fraud Vulnerability: Gullible Users [digitaldaily.allthingsd.com] |
So these reports of a major security hole in iTunes, one through which people have had their PayPal accounts drained?
Not much to them, I’m told. Or, rather, not much to their assertion that Apple (AAPL) is at fault here. There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam–a variation on the one that’s been around for years now. Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions.
| 8:51 am on Aug 24, 2010 (gmt 0)|
|A few months ago, someone in Europe stole my credit card number and "tested" it on iTunes. I don't have an account with them, thank the gods. I saw the charge coming through my bank account and tried contacting iTunes about it. Their canned response was that they could not help me because the account was not in my name and they had "no way to look up credit card numbers." Can you believe that? I said fine, I will do a chargeback and you can deal with it that way, Einsteins. They didn't give a damn. |
HRoth, to be honest I don't think there is much wrong with their response.
Since you had had fraudulent use of your card you would presumably cancel it anyway, and that process would necessarily involve a chargeback of the fraudulent iTunes purchase. If they issued a refund for it as well, could that not result in a double refund?
I know that I always tell customers to do a chargeback in cases of fraudulent purchases on our sites. As I see it, that is how such situations are meant to be resolved.
| 10:50 am on Aug 24, 2010 (gmt 0)|
The problem is that iTunes refused to even look into it. If you see a charge coming through your account from a vendor, that vendor should be able to tell you what it was for. They could not/would not.
This morning, according to Paypal, the problem is with iTunes:
I guess I shouldn't be surprised that Paypal wants to blame iTunes and iTunes wants to blame its customers. iTunes always has the same response: contact your bank. Change your password. What if iTunes actually used some fraud prevention, like checking ip addresses? Or even checking billing addresses? Does it not send up any signals for them when, as is typical, someone in the US who has been ordering American pop song downloads suddenly starts to order hundreds of dollars worth of Chinese stuff? All of us on the ecommerce forum constantly talk about ways we have to spot a fraudulent transaction. One of those ways is seeing a small test purchase and then seeing attempted transactions of hundreds of dollars. You mean to tell me that iTunes can't use the same techniques as a tiny ecommerce merchant? They have NO WAY to prevent that sort of thing? You have to go out there and read some of the stuff people have been experiencing with iTunes for years now, and the get-lost attitude that iTunes has about it.
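The merchant-side checks named in this thread (billing-address mismatch, IP mismatch, too many transactions in a short time, and a small test purchase followed by large ones), sketched as an added example that is not part of any post above and not any vendor's actual system. The thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the thread.
TEST_AMOUNT = 2.00                       # ceiling for a "small test purchase"
LARGE_AMOUNT = 100.00                    # floor for "hundreds of dollars"
WINDOW = timedelta(hours=24)             # look-back for test-then-large
VELOCITY_WINDOW = timedelta(minutes=10)  # look-back for the velocity rule
VELOCITY_LIMIT = 3                       # max charges per card in that window

@dataclass
class Txn:
    card: str             # card token, never the raw card number
    when: datetime
    amount: float
    avs_match: bool       # billing address matched the issuer's record
    billing_country: str
    ip_country: str       # country resolved from the buyer's IP address

def flag(txn, history):
    """Return the names of the rules txn trips, given earlier transactions."""
    prior = [t for t in history if t.card == txn.card]
    reasons = []
    if not txn.avs_match:
        reasons.append("avs_mismatch")
    if txn.ip_country != txn.billing_country:
        reasons.append("ip_country_mismatch")
    recent = [t for t in prior if txn.when - t.when <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        reasons.append("velocity")
    if txn.amount >= LARGE_AMOUNT and any(
        t.amount <= TEST_AMOUNT and txn.when - t.when <= WINDOW for t in prior
    ):
        reasons.append("test_then_large")
    return reasons

def review(txns):
    """Replay txns in time order; return {position: reasons} for flagged ones."""
    ordered = sorted(txns, key=lambda t: t.when)
    hits = {i: flag(t, ordered[:i]) for i, t in enumerate(ordered)}
    return {i: r for i, r in hits.items() if r}

# Constructed sample data: a 0.99 test charge, then a large mismatched one.
T0 = datetime(2010, 8, 23, 15, 0)
SAMPLE = [
    Txn("tok_A", T0, 0.99, True, "US", "US"),
    Txn("tok_A", T0 + timedelta(hours=2), 450.00, False, "US", "DE"),
    Txn("tok_B", T0, 12.99, True, "US", "US"),
]
```

`review(SAMPLE)` flags only the 450.00 charge; a flagged transaction would normally be held for manual review rather than cancelled outright, since address and IP mismatches also occur for legitimate buyers.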