iTunes gifting scam plunges Reg reader into the red

'Apple has turned iTunes into pseudo-PayPal, without security'

Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases.

Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445@hotmail.com", an account he'd never heard of.

Apple describes iTunes Monthly Gifts as a "great way to give a gift that keeps on giving". The vouchers, sent to a recipient's email address, can be used to purchase music and audio books from the iTunes Music Store.

Peter checked his iTunes purchase history, where to his horror he discovered scores of these "Monthly Gift" purchases – all of which had been generated within a short space of time on 19 January, but only one of which generated an email.

As a result of the fraudulent purchases, Peter's bank account plunged from its £700 positive balance to £300 into the red, forcing him to borrow from friends in order to pay household bills until the mess was sorted out.
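The pattern described above (years of small, occasional purchases, then scores of identical "Monthly Gift" charges inside a short window, with only one of them generating an email) is exactly what a server-side velocity rule is meant to catch. The following Python is an added example written for this article, not Apple's code and not anything Peter used; the purchase history, timestamps and thresholds are constructed to mirror the article's description, and the function names are the author's own.

```python
from datetime import datetime, timedelta

# Constructed sample purchase history (not real data): a long tail of small
# purchases, then 25 "monthly_gift" charges at two-minute intervals on 19 Jan.
SAMPLE_HISTORY = [
    ("2010-11-03T19:12:00", "song", 0.99),
    ("2010-12-14T20:05:00", "album", 7.99),
    ("2011-01-08T18:40:00", "song", 0.99),
] + [
    ("2011-01-19T03:%02d:00" % (2 * i), "monthly_gift", 10.00)
    for i in range(25)
]


def parse_history(history):
    """Turn (iso_timestamp, kind, amount) rows into sorted datetime tuples."""
    events = [(datetime.fromisoformat(ts), kind, float(amt))
              for ts, kind, amt in history]
    return sorted(events)


def velocity_windows(events, window=timedelta(hours=1),
                     max_count=5, max_total=50.0):
    """Slide a time window over the purchase stream and return every burst
    that exceeds either the count or the value threshold.

    Each alert is (window_start, purchase_count, total_amount). Once a burst
    is flagged the scan skips past it so one burst yields one alert."""
    alerts = []
    i, n = 0, len(events)
    while i < n:
        start = events[i][0]
        j, total = i, 0.0
        while j < n and events[j][0] - start <= window:
            total += events[j][2]
            j += 1
        count = j - i
        if count > max_count or total > max_total:
            alerts.append((start, count, round(total, 2)))
            i = j
        else:
            i += 1
    return alerts


def first_use_of_facility(events, kind):
    """Return the timestamp of the first purchase of `kind`, or None.

    A facility the account has never used before (gifting, here) appearing
    for the first time in a burst is a strong step-up-authentication signal:
    the charge should wait for re-authentication rather than go straight to
    the linked card."""
    for ts, k, _ in events:
        if k == kind:
            return ts
    return None


def assess_account(history):
    """Combine both signals into one decision record for a review queue."""
    events = parse_history(history)
    bursts = velocity_windows(events)
    gift_first_seen = first_use_of_facility(events, "monthly_gift")
    # Hold the charges if a burst overlaps with a facility never used before.
    hold = any(gift_first_seen is not None and start >= gift_first_seen
               for start, _, _ in bursts)
    return {
        "bursts": bursts,
        "gift_first_seen": gift_first_seen,
        "hold_and_verify": hold,
    }


if __name__ == "__main__":
    result = assess_account(SAMPLE_HISTORY)
    for start, count, total in result["bursts"]:
        print("burst from %s: %d purchases, total %.2f" % (start, count, total))
    print("hold and re-verify:", result["hold_and_verify"])
```

The thresholds (five purchases or £50 in an hour) are deliberately loose relative to a £5-a-month baseline; the point is that the burst in the article would trip even a generous rule, and that a first-ever use of a gifting facility is worth a re-authentication step before the card is charged, not an email after the fact.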

Peter promptly contacted both Apple and his bank (HSBC) over the scam. Apple responded with an automated message before suspending his iTunes account, a day after the damage was done. HSBC reacted better, restoring funds to his account so that Peter was able to make his mortgage payment, and sending him a form so that he could confirm in writing that he had had nothing to do with the disputed transactions.

Peter – who has had an iTunes account for years, spending an average of around £5 a month and never using it to make a gift purchase – is highly critical of Apple's handling of the matter.

"After years of buying Apple products and using iTunes to buy some music and apps now and again, they'd taken the whole day to get back to me and basically claimed no responsibility or offered any help," Peter, who works in IT and is aware of the security issues around online accounts, told El Reg.

"How is it even possible for iTunes to be used as some type of glorified bank account? Why the hell would I want to use iTunes to transfer money to people?

"It is completely unacceptable that Apple has turned iTunes into some type of pseudo-PayPal without the security measures, monitoring and care being taken to run something so important," he concluded.

Peter is unclear on how his iTunes account might have been compromised. Phishing attacks (or worse) aimed at iTunes users are far from uncommon, though Peter reckons it's more likely that the attacker guessed his password than that he handed it over by mistake. In general, malware infection, and reuse of the same password on another site that is itself breached, are the usual routes to becoming a victim of this type of account takeover.

It's unclear how Peter's account was compromised (we'll probably never know) or how many other people might also have been affected by the same scam. The fraudulent gift purchase most closely resembles the mass compromise of iTunes accounts linked to PayPal, widely reported in August 2010.

A quick search of "iTunes + fraud" reveals that Peter's case is far from unique, with other victims who link their iTunes account to a debit card account also waking up to discover hundreds of dollars in fraudulent purchases. Unlike the iTunes / PayPal scam, the many victims of iTunes-related bank fraud were not all hit around the same time, so the minor variant of essentially the same scam has escaped media attention, at least until now.

Peter's tale of woe raises questions about whether iTunes ought to allow monthly gifts, given that it is a secondary facility that appears to be easily abused. "iTunes isn't just a system for buying a bit of music; it's turned into a banking system that can wipe out your finances and put whole families into financial limbo," Peter warns. ®
