
iTunes gifting scam plunges Reg reader into the red

'Apple has turned iTunes into pseudo-PayPal, without security'


Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases.

Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445@hotmail.com", an account he'd never heard of.

Apple describes iTunes Monthly Gifts as a "great way to give a gift that keeps on giving". The vouchers, sent to a recipient's email address, can be used to purchase music and audio books from the iTunes Music Store.

Peter checked his iTunes purchase history, where to his horror he discovered scores of these "Monthly Gift" purchases – all of which had been generated within a short space of time on 19 January, but only one of which generated an email.

As a result of the fraudulent purchases, Peter's bank account plunged from its £700 positive balance to £300 into the red, forcing him to borrow from friends in order to pay household bills until the mess was sorted out.

Peter promptly contacted both Apple and his bank (HSBC) over the scam. Apple responded with an automated message before suspending his iTunes account, a day after the damage was done. HSBC reacted better, restoring funds to his account so that Peter was able to make his mortgage payment, and sending him a form so that he could confirm in writing that he had had nothing to do with the disputed transactions.

Peter – who has had an iTunes account for years, spending an average of around £5 a month and never using it to make a gift purchase – is highly critical of Apple's handling of the matter.

"After years of buying Apple products and using iTunes to buy some music and apps now and again, they'd taken the whole day to get back to me and basically claimed no responsibility or offered any help," Peter, who works in IT and is aware of the security issues around online accounts, told El Reg.

"How is it even possible for iTunes to be used as some type of glorified bank account? Why the hell would I want to use iTunes to transfer money to people?

"It is completely unacceptable that Apple has turned iTunes into some type of pseudo-PayPal without the security measures, monitoring and care being taken to run something so important," he concluded.

Peter is unclear on how his iTunes account might have been compromised. Phishing attacks (or worse) aimed at iTunes users are far from uncommon, though Peter reckons it's more likely that the hacker guessed his password than that he mistakenly handed it over. In general, malware infection or reusing the same password on another site that later falls victim to a hacking attack are also routes to becoming a victim of this type of attack.

It's unclear how Peter's account was compromised (we'll probably never know) or how many other people might also have been affected by the same scam. The fraudulent gift purchase most closely resembles the mass compromise of iTunes accounts linked to PayPal, widely reported in August 2010.

A quick search of "iTunes + fraud" reveals that Peter's case is far from unique, with other victims who link their iTunes account to a debit card account also waking up to discover hundreds of dollars in fraudulent purchases. Unlike the iTunes / PayPal scam, the many victims of iTunes-related bank fraud were not all hit around the same time, so this minor variant of essentially the same scam has escaped media attention, at least until now.

Peter's tale of woe raises questions about whether iTunes ought to allow monthly gifts, given that it is a secondary facility that appears to be easily abused. "iTunes isn't just a system for buying a bit of music; it's turned into a banking system that can wipe out your finances and put whole families into financial limbo," Peter warns. ®
