iTunes gifting scam plunges Reg reader into the red

'Apple has turned iTunes into pseudo-PayPal, without security'

Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases.

Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445@hotmail.com", an account he'd never heard of.

Apple describes iTunes Monthly Gifts as a "great way to give a gift that keeps on giving". The vouchers, sent to a recipient's email address, can be used to purchase music and audio books from the iTunes Music Store.

Peter checked his iTunes purchase history, where to his horror he discovered scores of these "Monthly Gift" purchases – all of which had been generated within a short space of time on 19 January, but only one of which generated an email.

As a result of the fraudulent purchases, Peter's bank account plunged from its £700 positive balance to £300 into the red, forcing him to borrow from friends in order to pay household bills until the mess was sorted out.
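The purchase pattern Peter describes (an account with years of sub-£5 monthly spend suddenly emitting scores of identical gift purchases within minutes) is exactly what a basic velocity and baseline check on the purchase history would catch. The following is an added example, not Apple's own monitoring code and not taken from the article: it runs three checks over a constructed purchase history in a hypothetical "timestamp type target amount" line format, with the burst modelled on the figures in the story (100 gifts of £10 to the same unknown address, £1,000 in total). Thresholds are illustrative assumptions.

```python
"""Velocity and baseline checks over an iTunes-style purchase history.

Added example with constructed data and a hypothetical record layout;
not Apple's monitoring logic.  Record: <ISO timestamp> <kind> <target> <GBP>.
"""
import shlex
from collections import Counter
from datetime import datetime, timedelta

# Constructed baseline: a few months of small music/app purchases.
_BASELINE = """\
2010-10-03T19:12:40 Song "Track A" 0.99
2010-11-14T21:05:11 Song "Track B" 0.99
2010-12-20T18:44:02 App "Some App" 2.99
2011-01-05T20:10:37 Song "Track C" 0.99
"""
# Constructed burst: 100 x GBP 10 gifts to one unknown address in ~4 minutes.
_BURST = "\n".join(
    f"2011-01-19T03:{14 + i // 30:02d}:{(i * 2) % 60:02d} "
    f"MonthlyGift wqfaqapk445@hotmail.com 10.00"
    for i in range(100)
)
SAMPLE_HISTORY = _BASELINE + _BURST


def parse_history(text):
    """Parse history lines into (datetime, kind, target, amount), oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, target, amount = shlex.split(line)  # shlex keeps quoted titles whole
        records.append((datetime.fromisoformat(ts), kind, target, float(amount)))
    records.sort(key=lambda r: r[0])
    return records


def peak_rate(records, kind, window=timedelta(minutes=10)):
    """Largest number of purchases of `kind` inside any sliding time window."""
    times = sorted(r[0] for r in records if r[1] == kind)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def novel_kinds(records, min_history=timedelta(days=90)):
    """Item types first seen only after the account already had a long history."""
    first_seen = {}
    for ts, kind, _, _ in records:
        first_seen.setdefault(kind, ts)
    account_start = records[0][0]
    return sorted(k for k, t in first_seen.items() if t - account_start >= min_history)


def monthly_totals(records):
    """Total spend per (year, month)."""
    totals = Counter()
    for ts, _, _, amount in records:
        totals[(ts.year, ts.month)] += amount
    return totals


def daily_spend_vs_baseline(records, day):
    """Spend on `day` versus the mean monthly spend over all earlier months."""
    day_total = sum(a for ts, _, _, a in records if ts.date() == day)
    prior = monthly_totals([r for r in records if (r[0].year, r[0].month) < (day.year, day.month)])
    baseline = sum(prior.values()) / len(prior) if prior else 0.0
    return day_total, baseline


def anomalies(records, burst_limit=5, window=timedelta(minutes=10), spend_multiple=10):
    """Run all three checks; returns human-readable alert strings."""
    alerts = []
    for kind in sorted({r[1] for r in records}):
        rate = peak_rate(records, kind, window)
        if rate > burst_limit:
            alerts.append(f"burst: {rate} x {kind} within {window}")
    for kind in novel_kinds(records):
        alerts.append(f"novel item type on a mature account: {kind}")
    for day in sorted({r[0].date() for r in records}):
        total, baseline = daily_spend_vs_baseline(records, day)
        if baseline and total > spend_multiple * baseline:
            alerts.append(f"spend: GBP {total:.2f} on {day} vs GBP {baseline:.2f}/month baseline")
    return alerts


if __name__ == "__main__":
    for alert in anomalies(parse_history(SAMPLE_HISTORY)):
        print(alert)
```

Any one of the three signals (a burst of one item type, a never-before-used product on a mature account, or a single day's spend hundreds of times the monthly baseline) would justify holding the transactions for confirmation rather than letting them settle against the linked card; the point of combining them is that each alone has benign explanations, but all three firing together on the same day almost never does.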

Peter promptly contacted both Apple and his bank (HSBC) over the scam. Apple responded with an automated message before suspending his iTunes account, a day after the damage was done. HSBC reacted better, restoring funds to his account so that Peter was able to make his mortgage payment, and sending him a form so that he could confirm in writing that he had had nothing to do with the disputed transactions.

Peter – who has had an iTunes account for years, spending an average of around £5 a month and never using it to make a gift purchase – is highly critical of Apple's handling of the matter.

"After years of buying Apple products and using iTunes to buy some music and apps now and again, they'd taken the whole day to get back to me and basically claimed no responsibility or offered any help," Peter, who works in IT and is aware of the security issues around online accounts, told El Reg.

"How is it even possible for iTunes to be used as some type of glorified bank account? Why the hell would I want to use iTunes to transfer money to people?

"It is completely unacceptable that Apple has turned iTunes into some type of pseudo-PayPal without the security measures, monitoring and care being taken to run something so important," he concluded.

Peter is unclear on how his iTunes account might have been compromised, and we'll probably never know. Phishing attacks (or worse) aimed at iTunes users are far from uncommon, though Peter reckons it is more likely the hacker guessed his password than that he mistakenly handed it over. More generally, a malware infection on the user's own PC, or the reuse of the same password on another site that later falls victim to a breach, are the usual routes to this kind of account takeover.

It is also unclear how many other people might have been affected by the same scam. The fraudulent gift purchases most closely resemble the mass compromise of iTunes accounts linked to PayPal, widely reported in August 2010.

A quick search for "iTunes" and "fraud" reveals that Peter's case is far from unique: other victims who linked their iTunes account to a debit card have likewise woken up to find hundreds of dollars in fraudulent purchases. Unlike the iTunes/PayPal scam, the victims of this iTunes-to-bank-account variant were not all hit at the same time, so what is essentially the same scam has escaped media attention, at least until now.

Peter's tale of woe raises questions about whether iTunes ought to allow monthly gifts, given that it is a secondary facility that appears to be easily abused. "iTunes isn't just a system for buying a bit of music; it's turned into a banking system that can wipe out your finances and put whole families into financial limbo," Peter warns. ®
