If you google "itunes credit card fraud," you will see that this problem has been going on with iTunes since 2007. They have absolutely NO fraud prevention on their site at all. Any schmoe who uses authorize.net can get the software to hold or just cancel transactions where the billing info doesn't match, there's a mismatch of the ip address, or there are too many transactions going through in too short a time, but iTunes, even though they are oh-so-sophisticated, does not apparently have any access to such software. All you have to do is go and see what experiences many hundreds of people have had with this--and with iTunes' non-response. In my case, why did iTunes authorize a transaction where there was a mismatch on the billing address? Because they just don't give a damn, that's why. They have absolutely no fraud prevention in place whatsoever. They don't HAVE to have it. They know nothing will happen to them regardless.
I too have been working in ecommerce for ten plus years. I use a fraud detection suite. iTunes has yet to discover such a thing. Or rather, they know they don't need it.