Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases. Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445@ …
feel sorry for Peter.
further justification that you should just use gift certificates for iTunes!
I'm pretty certain that when I created an itunes account last year, it forced me to enter a valid credit/debit card before it would allow me to download anything.
Why should I need to give Apple my card details when I just want to download a free app?
the WTF? icon, as this doesn't appear to be one of an apple with a crossbow bolt through it...
Apple told me why
They said it was to validate your address. Though the fact that you always have to have a valid card registered somewhat invalidates that reply.
The exact same thing happened to my brother last week - for £800+. I asked him what (his now changed) password was and it was pretty unguessable.
Also got zero response from apple, he's now only going to add money to his itunes accounts via gift cards bought in shops, so he never has to store his card details with them ever again.
Incidentally, when I tried to remove my card details from iTunes it wouldn't let me.
If you need to remove your working card details from iTunes, or any similar website, do what I do:
- Change enough of the information to render the card invalid. You could put in known test card visa numbers which pass the validation process but are invalid card numbers or you could modify the start/end date, issue number or name.
Do be warned though as modifying just the issue/end date and leaving the roll number the same could lead to your bank locking your account due to suspected fraudulent transactions. That's normally a quick phone call to clear up though.
This is something I find myself doing a lot, especially for online games.
Test card numbers which pass the validation process
If it's a simple check digit validation then the following passes the test.
8888 8888 8888 8888
not an itunes user. cannot test.
Details are so alike
Yeah, the same thing did happen to me as my brother mentioned. I got done for 100 x £10 gifts, received only one email from iTunes, had to wait a day for them to reply and eventually my bank (incidentally also HSBC) refunded my money and charged it back to iTunes as fraud. They are still investigating and said that if iTunes can prove it wasn't fraud, which I can't see how they can, then they can take the £1000 back. I said in my email to iTunes that I cannot see how, when I have never bought a gift for someone in the many years I have had my account, they cannot spot 100 in a matter of hours as something out of the ordinary. Not too surprisingly I did not get a response to that.
@Test card numbers which pass the validation process
4111 1111 1111 1111 works for Visa cards
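The "simple check digit validation" the two comments above are relying on is the Luhn algorithm (ISO/IEC 7812). The following is an added example, not code from any commenter and not Apple's or iTunes' validation: it checks both numbers quoted in the thread and shows that changing a single digit makes the check fail. The two "modified" numbers are constructed here for contrast.

```python
"""Luhn check-digit validation, as used for payment card numbers.

Added example: not code from the thread, from Apple or from any card
network. Card numbers marked 'constructed' are made up for this demo.
"""


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Spaces are ignored so '4111 1111 1111 1111' can be pasted as-is.
    Starting from the rightmost digit, every second digit is doubled and
    the digits of each doubled value are summed; the total must be 0 mod 10.
    """
    compact = number.replace(" ", "")
    if len(compact) < 2 or not compact.isdigit():
        return False  # non-digit characters or too short to carry a check digit
    total = 0
    for idx, ch in enumerate(reversed(compact)):
        d = int(ch)
        if idx % 2 == 1:  # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9    # equivalent to summing the two digits of d
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes `partial` + digit Luhn-valid.

    Exactly one of 0..9 works for any digit string, so the loop always hits.
    """
    for candidate in range(10):
        if luhn_valid(partial + str(candidate)):
            return candidate
    raise AssertionError("unreachable: exactly one check digit satisfies Luhn")


# Numbers quoted in the thread, plus one-digit variants constructed here.
THREAD_NUMBERS = {
    "8888 8888 8888 8888": True,   # quoted above
    "4111 1111 1111 1111": True,   # quoted above (well-known Visa test number)
    "8888 8888 8888 8889": False,  # constructed: last digit changed
    "4111 1111 1111 1112": False,  # constructed: last digit changed
}


def check_thread_numbers() -> dict:
    """Run every number in THREAD_NUMBERS through luhn_valid()."""
    return {num: luhn_valid(num) for num in THREAD_NUMBERS}


if __name__ == "__main__":
    for num, result in check_thread_numbers().items():
        print(f"{num}: {'passes' if result else 'fails'}")
```

A Luhn pass only says the number is well formed against typos; whether an issuer will actually authorise it is decided at the card network, and, as a later comment in this thread points out, deliberately registering a number that is not yours can be treated as attempted fraud. Where a store offers a "none" payment option, that is the cleaner way to keep a card off the account.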
You're saying your brother got scammed on Apple's system and when he tried to report it to them, they basically laughed and hung up the phone.... and he's still dealing with them?
Damn, Steve's good
Use gift cards
I always buy gift cards in the high street and use them to fund my account. That way, any fraud is limited to the £15 or so credit I currently have on the account.
I wonder how many who use itunes also play world of warcraft.
Perhaps the same trojans that steal wow passwords also steal itunes info
iTunes Gift Cards
I'm hearing more and more about this type of problem with iTunes accounts. I'm very careful with my card details and I use a password manager to ensure high strength passwords etc, but even still I might just unlink my credit card from the iTunes system and just apply gift cards periodically to keep a balance on there for buying apps etc.
Too much of a hassle if anything fraudulent did happen...
How did the breach of his account security occur though?
I do feel for him, but what steps are we proposing apple does take? Plenty of stores let you buy gift vouchers for people online and they do not require you to verify your friendship. I guess we could get facebook to do it for us, they are nice and trustworthy.
I would be turning a far more critical eye on how this breach of his account security occurred. Whether it was a breach of his email account and a malicious password reset request, a shoddy password, or poor security on the PC's he accessed iTunes with.
Having said all that, Apple's handling of this customer complaint sounds terrible. And typical, more's the shame.
@Listen 2 Me
Security breaches will happen whatever you do so I'm not sure that looking at how the credentials were breached will help. If you really want to protect your customers from fraudulent transactions, here's a suggestion:
1. Whenever a customer sends a gift to someone they've never sent a gift to before, send them an email to the email address you have registered for them, asking them to confirm that they do really intend to send the gift;
2.1. If they confirm the gift then all good, send it on and mark the beneficiary as safe;
2.2. If they deny the gift, don't send it on, mark the beneficiary as unsafe and start logging the gift activity for the beneficiary's account;
3. If the beneficiary's account shows a lot of gifts to them, especially denied ones, block the account.
Note that if you hold other information such as a mobile phone number, you can do an alternative version of step 1 where you send an SMS or an automated voice call to the customer with a PIN in it that they have to enter before finalizing the transaction.
What you could also do to trigger the check in step 1 is use analytics to work out if there is a chance that the gift is fraudulent: e.g. several gifts in a short amount of time from someone who never uses the feature. Or gifts from one person to another person in a different country. Or use Bayesian filters to mark transactions as potentially fraudulent based on previous user patterns and do the validation checks for all that are highlighted. In fact, rather than re-invent the wheel, you can probably re-use a lot of the technology in use in spam filters.
None of this is beyond the technical abilities of Apple and can be designed in a way that generates minimal annoyance for the customer. Any fraud prevention specialist worth his salt could come up with dozens of options to reduce the incidence of such payments irrespective of how the customer's account gets compromised. But I suspect Apple don't have one of those people on their payroll.
the moral of the story is
don't link your DEBIT card to anything on-line.
Yes, they can still get scammed and cloned from dodgy chip & pin systems or ATM machines, but the on-line risk is far greater.
£1000 of fraud on a debit card? It's your money and you have to fight to get it back.
£1000 of fraud on a credit card? It's the bank's money and they have to fight to get it back, from either you or the retailer.
Never, ever, use your debit card to purchase anything online.
Actually wrong: You can do a chargeback on your debit card for up to six months (IIRC) and you get the money back.
iTunes Monthly Gifts "a gift that keeps on giving"
So, just like genital herpes then?
PAYG credit cards
I use a pay-as-you-go / prepaid credit card for most online transactions with only a few notable exceptions.
That way, the damage will always be limited since I don't "charge" it with a lot of money.
There are quite a few reasonable deals around, some charge you a small percentage fee only when you transfer money to the card. If you think of that as an insurance premium, it's quite a good deal.
As a bonus, you can also use it when you're on holiday abroad...
Peter reckons it's more likely the hacker guessed his password
RE: Peter reckons it's more likely the hacker guessed...
That's the same as my luggage combination!
Mines the one with perri-air logo on the back.
May the Schwartz be with you.
If you thought that was bad it gets worse. I was in the position where I had transferred my bank account and killed all the cards which came with the old one some five years ago. Last month I got a call to say that a transaction against my old Visa card had been honoured and how would I like to pay the bill. This is a Visa card which was four years past its expiry date and which was part of a closed account.
Apparently, if you have lodged card details against a 'potential' regular payment then they must be explicitly cleared or else at any time in the future a 'Guaranteed' Visa payment could be made. As far as the banks are concerned, the death of the card/account is an irrelevance.
The card is dead, long live the card.
Abnormal transaction patterns?
> I do feel for him, but what steps are we proposing apple does take?
Do the same as credit card companies do ... if there's an abnormal set of transactions (and in this case it sounds like 80 monthly gifts set up in a short time, which ought to be obviously seen as "unusual") then put a block on the account until contact can be made to verify that these are correct transactions.
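The three-step beneficiary confirmation proposed in the "@Listen 2 Me" comment above and the card-issuer-style velocity block proposed in this comment fit together as one control. The following is an added example of how a store could implement both; it is not Apple's code and not from any commenter, and the thresholds, account names, addresses and sample gifts are all constructed for illustration.

```python
"""Gift-purchase fraud controls for an online store.

Added example, not Apple's code. Implements: (1) hold gifts to a beneficiary
the sender has never confirmed, (2.1/2.2) mark the beneficiary safe or log a
denial, (3) block beneficiaries that collect denials, plus a velocity rule
that freezes a sender who fires many unconfirmed gifts in a short window.
All names, thresholds and transactions below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Decisions returned by GiftFraudControl.evaluate()
SEND = "send"        # beneficiary previously confirmed by this sender
CONFIRM = "confirm"  # hold the gift; ask the sender out-of-band (email/SMS PIN)
BLOCK = "block"      # freeze: velocity rule tripped, or a party is already blocked


@dataclass(frozen=True)
class Gift:
    sender: str
    beneficiary: str
    amount_gbp: int
    ts: int  # seconds; constructed timestamps, not real clock values


@dataclass
class GiftFraudControl:
    window_seconds: int = 3600  # velocity window (assumed value)
    max_unconfirmed: int = 3    # unconfirmed gifts per sender per window (assumed)
    max_denials: int = 2        # denials before a beneficiary is blocked (assumed)
    safe: dict = field(default_factory=lambda: defaultdict(set))   # sender -> confirmed beneficiaries
    denials: dict = field(default_factory=lambda: defaultdict(int))  # beneficiary -> denial count
    held: dict = field(default_factory=lambda: defaultdict(list))  # sender -> timestamps of held gifts
    blocked_senders: set = field(default_factory=set)
    blocked_beneficiaries: set = field(default_factory=set)

    def evaluate(self, gift: Gift) -> str:
        """Step 1: decide whether a gift goes out, is held, or is blocked."""
        if gift.sender in self.blocked_senders or gift.beneficiary in self.blocked_beneficiaries:
            return BLOCK
        if gift.beneficiary in self.safe[gift.sender]:
            return SEND
        # Unknown beneficiary: count unconfirmed gifts from this sender in the
        # window. This is the "abnormal set of transactions" rule.
        recent = [t for t in self.held[gift.sender] if gift.ts - t < self.window_seconds]
        recent.append(gift.ts)
        self.held[gift.sender] = recent
        if len(recent) > self.max_unconfirmed:
            self.blocked_senders.add(gift.sender)  # until contact is made
            return BLOCK
        return CONFIRM

    def confirm(self, gift: Gift) -> None:
        """Step 2.1: sender confirmed; the beneficiary is safe for this sender."""
        self.safe[gift.sender].add(gift.beneficiary)

    def deny(self, gift: Gift) -> None:
        """Steps 2.2 and 3: log the denial; block repeat-offender beneficiaries."""
        self.denials[gift.beneficiary] += 1
        if self.denials[gift.beneficiary] >= self.max_denials:
            self.blocked_beneficiaries.add(gift.beneficiary)


def replay(control: GiftFraudControl, gifts: list) -> list:
    """Evaluate a sequence of gifts in order and return the decisions."""
    return [control.evaluate(g) for g in gifts]


def demo() -> dict:
    """Two constructed scenarios modelled on the incidents in the thread."""
    ctl = GiftFraudControl()
    # Legitimate: one gift, confirmed by the sender, then another a month later.
    first = Gift("alice", "friend@example.org", 10, 0)
    legit = [ctl.evaluate(first)]
    ctl.confirm(first)
    legit.append(ctl.evaluate(Gift("alice", "friend@example.org", 10, 30 * 86400)))
    # Hijacked account: £10 gifts to a fresh address, one a minute.
    attack = [Gift("victim", "gift-mule1@example.org", 10, 60 * i) for i in range(6)]
    attacked = replay(ctl, attack)
    # A beneficiary denied by two different senders is blocked for everyone.
    mule = "gift-mule2@example.org"
    ctl.deny(Gift("bob", mule, 10, 0))
    ctl.deny(Gift("carol", mule, 10, 0))
    return {"legit": legit, "attack": attacked, "mule": ctl.evaluate(Gift("dave", mule, 10, 0))}


if __name__ == "__main__":
    for scenario, decisions in demo().items():
        print(f"{scenario}: {decisions}")
```

The point the replay makes is the one several commenters raise: the fourth unconfirmed gift in an hour is already enough to freeze the account, so a run of 25, 75 or 100 identical £10 gifts never reaches the card. Tune the window and thresholds to real usage data; the values here are illustrative only.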
What is the point of this fraud?
Hopefully this is an easy question to answer, but what is the point of this fraud? As far as I can tell, the fraudulent gift vouchers can only be used to buy music/apps/whatever from the iTunes store, for the recipient account. If Apple just blocked the gift recipient accounts when fraud comes to light, what would be the point of this hack anyway?
To buy apps or eBooks that the perpetrator is selling...
It permits the crook to buy any apps or eBooks they have in the iTunes system. So you submit an app or eBook of dubious worth, charge a few pennies or pounds for it and then use your nefariously obtained gift certificates to buy shed loads of copies of it thus boosting your rankings and turning a nice profit on the app/eBook.
The point is too simple
The "gift" funds (which by now are safely re-gifted to another, clean account) are used to purchase apps made by the author of the scam, so he can get his cash (or, 70% of it). 30% goes to Apple, which to some extent explains their reluctance to handle the situation.
What's the point?
How much is a £25 iTunes card worth to the average schoolboy? £10? £15?
Merchant vs Bank
"iTunes isn't just a system for buying a bit of music; it's turned into a banking system"
And that's the point. As long as you just allow customers to buy something for themselves only, you're a merchant. As soon as you allow gift purchases for someone else, you start taking on some of the responsibilities of a bank because roughly speaking you allow funds to be moved from account A to account B.
This is why every online bank worth banking with has strong validation measures around setting up a new payment beneficiary. Merchants who offer gift purchases are no different: if they allow you to set up a new gift beneficiary without offline validation, get the hell out of there.
Another reason never to use debit cards for online or remote transactions
I only ever use credit cards for this sort of thing. If there are dodgy transactions, the worst that will happen is that they might max out my credit card, my bills and other payments go out just fine and my bank accounts remain un-touched.
Things may have improved, but last time I read about the rules credit card companies hold the liability for fraudulent transactions, whereas it is pretty much up to the bank as to how good they are to you in situations like this.
use gift cards from respectable sources...
and not from ebay - those are another scam/money laundering operation in itself!
Having recently been forced to "upgrade" within iTunes, it would not let me proceed without registering a card, despite my iTunes account being £26 in credit (and I don't buy very much).
While there was a suggestion above to register a false card, that could be taken as attempted fraud. There should be an option to remove all details (I will check when I go home, and if I can, I will).
Apple FAIL once again
Same thing happened to a friend of mine a couple of weeks ago. £1000 of gift cards to numerous e-mail addresses in China. Again Apple were less than helpful.
Got hit this weekend
I got hit on Sunday morning. Got an email to say a £10 monthly voucher had been paid to a hotmail account. Logged into iTunes to find 6 similar payments had gone through. Basically they had kept on going until my bank declined any more due to lack of funds.
Got a cut and paste reply from Apple telling me that it's down to my bank to refund me. My bank have been fine about it, have given me a small overdraft until they refund the transactions and cancelled my card. Only pain with that is I now have no way to draw cash until my new card turns up! I have a Paypal topupcard which I shall add to itunes in the future and just keep it topped up enough, no way am I trusting Apple with my bank card details again.
They've facilitated someone in robbing you, then abdicated responsibility for their breach of your trust... and you're going to continue giving money to this service?
Okay, as a thought exercise: replace "Apple" with "Sky", "O2", "British Gas" or "Virgin Media", and would you feel the same way?
And that just demonstrates the sheeple mentality
If we were actual, thinking people, once such a report became public there would be a flurry of account cancellations until the Itunes store became a virtual desert.
Only then would Apple understand that its policy and behavior is unacceptable, and change it.
But here ? In this reality, Apple conducts itself like any unwashed street tramp having successfully hawked damaged wares to the unwitting at the curb - when said witless numpty wises up a bit and complains, the tramp just stares him down and turns his back, laughing all the way to the bank.
And the numpty, pissed off though he is, continues dealing with the tramp, thus justifying the haughtiness in the first place.
Seems to me that there has been a world-wide ablation of testes in the current generation. Given the fact that beauty stores see more and more men coming in to purchase creams and lotions, I guess it was inevitable.
I'm going to buy a shotgun and a dog and retire to the mountains now.
How to remove card details
If you want to delete your payment info, change your password and once that's done, you'll be asked to "verify your payment information" to be able to make purchases.
In the menu, select the "none" option and your old details will be removed.
Stung by iTunes too
November last year, my iTunes account was stung for £30 of app purchases and "in-app" purchases in... Chinese. This is despite a 16 character mixed-case password (not easily guessed) and never accessed from anything other than iPad/iPhone and my Mac (which is secure). It took 48 hours to get Apple to refund the amount, and it came with a very curt-but-polite "Apple's policy is that all purchases are final, non-refundable" despite my multiple protests that *I* did not make the purchases. Something somewhere is leaking account information, either a hack somewhere in iTunes or leaking OSX... I don't know, but it wasn't pleasant, and Apple's attitude was less than supportive.
Now I have one more reason to never, ever, EVER own or use anything from Apple...
Glad I spent time avoiding giving them CC details this morning
Created my account by trying to download a free app from the app store - this gives you the 'none' option for payment method. Creating an account from iTunes does not give you the 'none' option.
How to buy download apps without giving CC details?
The app store is a great place to browse. If I find anything I want, I then go to the developer's site and download from there. Pay with PayPal if necessary.
"Pay with PayPal if necessary."
Yeah, like PayPal is more trustworthy than Itunes. That's like burning your eyebrows instead of singeing your foot.
Way to go.
You can sign up for an anonymous itunes account using a free music download card, commonly available at Starbucks (in Canada & USA)
My condolences, sir.
I can think of one reason for recurring gifts: 'pocket money' for the iPod generation.
It's a sorry state of affairs when your safest option is piracy.
same thing happened to me
On Jan 21st. I was lucky though, they only got 14 transactions from me. I phoned my credit card company who put me to their fraud department. They said it wasn't registered as fraud yet to put me back to customer services. They then told me they couldn't do anything till Apple had been given 30 days to sort it out. So I emailed Apple who said they can't do anything till my credit card company has issued a charge back. So now I have a disabled iTunes account, two companies that say they won't deal with me till I've dealt with the other, and a credit card I'm likely to have to cancel (even though there's been no breach of my credit card details as you can't see them even when you're logged into your itunes account).
Happened to me too...
...on 20th Jan in the afternoon got a call from my bank saying suspicious activity on my credit card, 25 transactions at £10 each from iTunes in the small hours whilst I was tucked up in bed. After 25 the bank declined any more.
I confirmed that I hadn't done them and then checked my email and iTunes account. One email saying "monthly gift to firstname.lastname@example.org", iTunes purchase history showed all 25 with exactly the same details.
I've had an iTunes account for around 5 years and never had a problem before this, no idea how the account was hacked (password was unique to iTunes account and never used anywhere else - I think from now on I will change it at regular intervals though).
Contacted iTunes via email, the usual stock response basically saying take it up with your bank - which I duly did. The bank has cancelled the card and is issuing chargebacks to iTunes.
I've changed my iTunes password and removed the card details, in future gift card only credit for me (yes I will still begrudgingly give money to Apple whilst I have an iPhone for apps etc, but when my contract is up I may consider going HTC depending on how Apple handle this).
If the bank can spot 25 transactions as being suspicious, why can't iTunes? Why would I perform 25 transactions all giving the same £10 gift to the same hotmail account? Apple need to install their own fraud monitoring routines and be pro-active, rather than passively relying on banks and users to spot fraud and sort it out.
"[...] Peter, who works in IT and is aware of the security issues around online accounts [...]"
... to this...:
"[...] though Peter reckons it's more likely the hacker guessed his password rather than he mistakenly handed it over. [...]"
Okay, this guy (a) claims to be competent in online security and (b) uses a password simple enough to be guessed and (c) is aware of that.
Massive, complete, fail. But not on Apple's side.
Happened to me but I was lucky and caught it before the money left my account
Big thanks to the co-operative bank for acting quickly and stopping the transactions. It was 750 quid in my case. This was last Friday night.
Apple were OK but getting through to them was much slower than getting through to the co-op's fraud team. The co-op had the job done and dusted before Apple made first contact.
It was pure luck that I caught it in time, I just happened to check my mail.
Interestingly Apple sent me one mail to say I'd bought a 10 quid gift for someone, but when I checked via itunes there were 75 * 10 quid gifts.
The iphone is the first and last Apple hardware that I will buy.