Feeds

iTunes gifting scam plunges Reg reader into the red

'Apple has turned iTunes into pseudo-PayPal, without security'

Choosing a cloud hosting partner with confidence

Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases.

Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445@hotmail.com", an account he'd never heard of.

Apple describes iTunes Monthly Gifts as a "great way to give a gift that keeps on giving". The vouchers, sent to a recipient's email address, can be used to purchase music and audio books from the iTunes Music Store.

Peter checked his iTunes purchase history, where to his horror he discovered scores of these "Monthly Gift" purchases – all of which had been generated within a short space of time on 19 January, but only one of which generated an email.

As a result of the fraudulent purchases, Peter's bank account plunged from its £700 positive balance to £300 into the red, forcing him to borrow from friends in order to pay household bills until the mess was sorted out.

Peter promptly contacted both Apple and his bank (HSBC) over the scam. Apple responded with an automated message before suspending his iTunes account, a day after the damage was done. HSBC reacted better, restoring funds to his account so that Peter was able to make his mortgage payment, and sending him a form so that he could confirm in writing that he had had nothing to do with the disputed transactions.

Peter – who has had an iTunes account for years, spending an average of around £5 a month and never using it to make a gift purchase – is highly critical of Apple's handling of the matter.

"After years of buying Apple products and using iTunes to buy some music and apps now and again, they'd taken the whole day to get back to me and basically claimed no responsibility or offered any help," Peter, who works in IT and is aware of the security issues around online accounts, told El Reg.

"How is it even possible for iTunes to be used as some type of glorified bank account? Why the hell would I want to use iTunes to transfer money to people?

"It it completely unacceptable that Apple has turned iTunes into some type of pseudo-PayPal without the security measures, monitoring and care being taken to run something so important," he concluded.

Peter is unclear on how his iTunes account might have been compromised. Phishing attacks (or worse) aimed at iTunes users are far from uncommon – though Peter reckons it's more likely the hacker guessed his password rather than he mistakenly handed it over. In general, malware infection or the use of the same password on another site that falls victim to a hacking attack are routes towards becoming a victim of this type of attack.

It's unclear how Peter's account was compromised (we'll probably never know) or how many other people might also have been affected by the same scam. The fraudulent gift purchase most closely resembles the mass compromise of iTunes accounts linked to PayPal, widely reported in August 2010.

A quick search of "iTunes + fraud" reveals that Peter's case is far from unique, with other victims who link their iTunes account to a debit card account also waking up to discover hundreds of dollars in fraudulent purchases. Unlike the iTunes / PayPal scam, the many victims of iTunes-related bank fraud were not all hit around the same time, so the minor variant of essentially the same scam has escaped media attention, at least until now.

Peter's tale of woe raises questions about whether iTunes ought to allow monthly gifts, given that it is a secondary facility that appears to be easily abused. "iTunes isn't just a system for buying a bit of music; it's turned into a banking system that can wipe out your finances and put whole families into financial limbo," Peter warns. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.