• iTunes account theft strikes close to home



    TOP STORY

    iTunes account theft strikes close to home

    By Susan Bradley

    These days, even online security experts can get burned by identity thieves who strike at popular online services.

    A recent attack on an iTunes account dramatically points at the need to regularly change passwords and manage online billing info.


    The full text of this column is posted at WindowsSecrets.com/2010/07/08/01.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1232988

      The solution to this problem is Virtual Credit Card numbers. BankRate.com has a good definition. I use a CitiBank credit card for this. I can set my credit limit and expiration date and the virtual credit card number can only be used by one merchant. So I figure that I spend $50 at iTunes in the next year so I set my virtual credit card limit to $50 with an expiration date 12 months in the future.

      When the $50 is used up the credit card will be declined. But I have an option to add more funds to the card at any time. And when the 12 months are up I just add another 12 months and update my account information on iTunes just like I would if I got a new real credit card with a new expiration date.

      So I have a different virtual credit card number for each merchant.

      Now here’s the real beauty of virtual credit cards: I hate automatic renewals of web services and the virtual credit card solves that. I sign up for a trial newsletter and I don’t want the hassle of canceling if I don’t want automatic renewal. So the trial is $9.95 so I set my limit to $9.95 and the card is declined when the renewal comes up. If I like the newsletter I just raise my credit limit so the renewal charge will go through.

      /RockFox

    • #1232995

      People should remember that one of the ways your accounts can be hacked is by using the password reset facility. These usually involve providing answers to either standard questions, or questions of your choosing. The problem is that someone who knows you and your past can probably guess at these answers — remember that this is how Sarah Palin’s Yahoo account was accessed.

      The solution I suggest is to give a false answer to a standard question — but since you provided the false answer, only you will know what that false answer was.

    • #1232996

      I use credit card “gift cards” for all my online purchases and payments. They’re available in denominations of $25, $50, $100, and $200. Similar in application to the virtual credit card approach noted in another post here, they limit my exposure to risk and also serve as a convenient budget constraint for purchases and services. Available from all major card brands, including VISA, MasterCard and AMEX.

    • #1232998

      When creating passwords use special characters that are not on the top row (above the numbers). People tend to use the special characters that are not on the top row (above the numbers) more and make solving your password easier if you limit your password to those special characters.
      Make your password more complex by using other special characters.

      Also, as said above, use virtual credit card #s online. Many banks have them now.
      When I am buying online I open a separate window to my bank account and create a virtual # seconds before making a purchase. It is tied to my real credit card and ready for use immediately.
      I then type in the virtual # on the other website and make my purchase.

    • #1233017

      The advice might be a little too specific but iTunes cards are a good idea for keeping your exposure to theft controlled. You can redeem them from your iPhone and the unspent balance is available from your computer or your phone. You are only risking the amount remaining since your last card was redeemed.

    • #1233019

      Judging by the different blogs this problem is rampant. I also had the misfortune of having my account hacked and even after changing my password and removing my payment method someone still tried to make bogus charges. Like you, Apple has stepped back absolving themselves from any blame suggesting password changes and contacting the credit issuing agency and this through email. Hm maybe it’s time to look at other options.

    • #1233024

      Credit card fraud struck me when I made a purchase at Geeks.com. 30 minutes after I made my on-line order someone used my card information to order $2,500 worth of computer products at Dell.com. I had used my Discover card and they called me because the purchase was flagged by their fraud software. They cancelled the account and re-issued the card, which was a real hassle for me. I even called Dell to warn them not to ship the order, but they acted like they couldn’t care less.

      Discover card, and perhaps some others, offer a one-time use card number for making purchases. I now use this service for on-line orders especially from merchants I have never used before. I used the service for a purchase for the Ez Egg Cracker, and sure enough, they tried to use the card number to enroll me in a purchasing club. I received the item, but they couldn’t enroll me in their club. By-the-way, the item was a joke present for my Dad’s birthday.

      I would recommend the one-time use service for everyone who makes purchases on-line. You can obtain a number at their web site if you have an account, or call for it if you are really paranoid.

      William Bailey

    • #1233026

      I agree the way to go is Virtual credit card numbers. (After I wrote this, I saw somebody already mentioned it below.) I use Virtual Credit Card Numbers to help prevent fraud on the web. Most Credit Card companies offer that option. Basically a new credit card number is generated with an expiration date that can be used one time (Or the virtual number can be used multiple times by the exact same company for recurring charges.) You can set the credit limit and expiration date also. I usually use a very low limit for small purchases and add several dollars over the purchase price to cover either taxes or shipping & handling, etc. Anything more than that amount you set, just won’t work fortunately. You can later go back and raise the limit for future purchases if you so desire or simply just create a new number. Once the virtual card number is used by a company, it can’t be used by anybody else. That way if there is a problem, you can simply cancel that virtual credit card number and not affect your main credit card number for other purchases. I use many virtual credit card numbers for different companies during the same time period.

      Hope that helps!
      MG

    • #1233035

      Whenever possible I use Discover Card Secure Online Account Numbers. You can generate a new number for each online vendor. If anyone except that vendor submits a charge against that number it will be rejected. http://www.discovercard.com/customer-service/security/create-soan.html

    • #1233036

      Apple has no way of knowing who’s using whose account and password, with or without permission, so like all merchants they leave it to the customer to take precautions. If you have an easily-guessed password (or, more likely, an easily-answered personal-identification question), it’s your own carelessness that’s the problem.

      That said, I think Apple is in a position to do a bit more than most retailers, because all of their “goods” are delivered electronically. Surely they have the ability to give you the option of limiting downloads to one or two approved IP addresses, and/or emailing you for confirmation if a new IP address is used; and perhaps they could even blacklist the IP addresses of thieves. I’ve always thought that they had the ability to cut off delivery of services to stolen iPods, iPads, and iPhones as well. If these devices had little or no value to thieves, I think that would be a huge selling point — and I find it strange that Apple, which is so consumer-centric in other respects, doesn’t see it.

    • #1233041

      I also use Citibank virtual credit card numbers for every purchase online. I set it for the exact amount of the purchase including shipping and use a different number for every purchase I make.

    • #1233058

      Great column! Forwarded to all my users.

    • #1233067

      I cast another vote for virtual credit cards. Bank of America calls it ShopSafe. You can have multiple numbers for different vendors, and you can raise and lower each number’s credit limit at will. Frequently I won’t know before I place an order exactly how much I’ll be charged for tax and shipping, so I pad the limit a bit. Once the charge goes through, I can reduce the limit to virtually nothing until I’m about to place another order with that vendor. I do that regularly with iTunes, and my bank seems unfazed by my doing it.

      Careful, though, if you have more than one account with the same issuer, and make sure you know which virtual card is linked to which account.

      All in all, it’s a great idea that hardly anyone I mention it to has been aware of.

    • #1233069

      One thing I’ve noticed about iTunes through my travels on the Apple discussion site is that a lot of its users have the mistaken impression that they are required to have a card on file. You only need one to sign up because it’s how they verify your legal country of residence. Once it’s set up you can remove it. Some of them also think that they can’t get the free downloads without one. That’s not true either. There are a lot of people with CC info on there that don’t even need it. There were people on that board that got hacked who have never previously made a purchase on iTunes.

      I’ve also noticed two different kinds of attacks. The one getting the most recent attention is primarily account hacks. Many of these are tied to the fraudulent promotion of a particular app developer. The others are stolen CC info from other places. They get lumped together because iTunes is a common target for spending these stolen funds and also for testing if a card number is valid.

      I don’t have info stored on iTunes. I have info on a couple of other sites, but it’s generally the branded card for that particular company, and they are deliberately low-limit cards with no overdraft enabled. I’m not responsible for fraudulent charges, and if it happens it only ties up that one account while it’s getting sorted out. None of my current cards have virtual cards available but this system works for me. If I need a purchase on iTunes I either put my info in for that transaction then remove it, or buy an iTunes gift card. I usually buy my music from other sources anyway.

      Christa

    • #1233079

      Christa beat me to my post! Never, ever – repeat! Never, ever store your credit card information with any ecommerce site.

      I don’t buy from iTunes, I have a deep hatred of the company, its policies and politics. But I am aware that they don’t require you to leave a credit card on file.

      I am involved with hosting many companies’ ecommerce infrastructure, and though PCI standards exist:

        - PCI requirements are a joke, they are the bare minimum I would require for my own site
        - Companies do not follow through on compliance between audits

      Apple’s typical attitude of “stupid customer, it’s your fault” will come back to bite them. They have been reported to the PCI Standards Security Compliance Council and more importantly beginning to go through hell with the banks attached with Visa and Mastercard for their level of fraud. I am sitting back rubbing my hands together, wishing that I could be a fly on the wall when the Evil Dictator in Cupertino discovers that he doesn’t hold the scepter when it comes to finance.

    • #1233192

      For any on line purchases I use a thing called a “Debit VISA” card that my bank puts out. It works just like a credit card but can only draw on the money already put into its account. It usually sits close to zero, but when I need to make a purchase on line I just transfer the funds I need into it and use it. If some hacker gets hold of the number and tries to clean me out all he/she will get is a few dollars I leave in it to keep it alive. Seems the perfect answer to me.

      • #1233455

        For any on line purchases I use a thing called a “Debit VISA” card that my bank puts out. It works just like a credit card but can only draw on the money already put into its account. It usually sits close to zero, but when I need to make a purchase on line I just transfer the funds I need into it and use it. If some hacker gets hold of the number and tries to clean me out all he/she will get is a few dollars I leave in it to keep it alive. Seems the perfect answer to me.

        Let’s not confuse this type of rechargeable, special-purpose debit card with the more general term “debit card”.

        I do not recommend the use of debit cards on line. Your account linked to the debit card may not have sufficient funds for a purchase, but your bank can assess hefty fees for any transaction which would overdraw the account linked to the debit card. And with a debit card, once the money is spent, you have no recourse if goods are not delivered in good condition or in a timely fashion. Dispute resolution is much more difficult with a debit card compared with a single-use actual or virtual credit card. Gift Cards are a good alternative, and as posted above, it is possible at the iTunes Store to remove a credit card once you are signed up, and not replace it with another card.

        All of this having been said, I have a Yahoo Mail Plus Account which charges my debit card every year automatically. And Yahoo’s Terms of Service clearly state that if your card cannot be billed, they can find another account you own, and start charging that account, unless you notify Yahoo to discontinue the Mail Plus services. I would be surprised if Apple did not have a similar term in their TOS. So if they wanted to pursue you, I believe they could. They just don’t in most cases.

        So, do I worry about ID Theft in my Yahoo account? Yes, a little. Have any problems shown up? None in three years. And my Yahoo Web Mail Account has never shown any sign of being hacked in eight years, some with the free account, and sometimes even when I was using Public Computers at my local Library. Dumb luck? I don’t think so. Lack of on line shopping and social networking? Possibly. Someone already checked me out and found out that I have little personal wealth? That could explain it.

        -- rc primak

    • #1233197

      A couple of years ago my daughter’s iTunes account was hacked like yours. Her account was hit for two $200 gift certificates. Like you, Apple would not give us any information without a formal request from the police department on the departmental letterhead. That’s different than Apple requiring a subpoena. I filed a complaint at our local sheriff’s office, and Apple accepted a Faxed request from the sheriff’s office. Faxing both to and from Apple (iTunes) speeded up the process considerably. At the time, my daughter and I were 2,000 miles away from home, but there were no hitches in getting the bank, the sheriff’s office, and Apple to communicate smoothly. The result was that we were able to track the transaction — to a point. The transactions were made from Phoenix, about 1,000 miles away from our home, but the gift certificates were sent to an e-mail address in China, a bit further away from our home and impossible for sleuthing any further.

      Financially, my bank reimbursed our checking account (my daughter was a minor at the time, so we were both named on the account) for the full $400 plus all fees involved, and Apple reimbursed the bank for the $400. iTunes was able to cancel the gift certificates before they were used, so Apple was not out $400. In all, it was a hassle for us, the sheriff’s department, the bank, and Apple, but in the end the hackers did not succeed.

      Apple’s refusal to give information stems from federal privacy requirements, not just from being ornery. My suggestion if your account is hacked — file a complaint with your local law enforcement agency and get the tracing information from Apple, iTunes, or whichever company where your account was hacked.

    • #1233223

      Another vote for virtual numbers. We had a rude shock when we discovered the number lasted for a month, allowing the company to slip in an extra “subscription” shipment. So, do check on that, and if yours isn’t set to auto-expire after one use, one day, or whatever, cancel it as soon as the charge appears on your statement. If you cancel before that, you risk canceling your shipment or service.

    • #1233276

      So my daughter (has me wrapped around her finger) convinces me to provide a CC so she can download apps for her iPod Touch. I say only if you give me your username/pw to your account. A month goes by, no charges, no problem. Now I have a $1 charge from iTunes on my account. red flag. I go to itunes.com to configure “my” account but there is no login, no My Account, nothing. How do I log in to change my account settings?

    • #1233980

      This is a slight twist on the iTunes credit card problem……

      I bought an iPad on July 2 at a physical Apple Store; activating the iPad required me to create an iTunes account and enter a credit card. Also had to create an AT&T 3g account, so all three had the same credit card number (never used elsewhere).

      On July 9, someone used my card at a baseball hat website. Fortunately, the merchant called me to verify the purchase and voided it.

      This has to be the fault of the Apple store (owned by Apple) or the iTunes website (owned by Apple) or AT&T (chosen by Apple).

    • #1234034

      I purchased an iTunes card at a local Sam’s Store a few months ago. I scratched off the card to use it, and to my surprise someone had already used this card number. Apple customer service put the blame on me and told me that I should have used the card immediately. I was also told that they would credit my account this one time but don’t make a habit out of it. I felt like a criminal dealing with them as they made this my fault. By them telling me to use the card immediately, I realized that they have a problem with theft of card numbers and really don’t know how to fix it. They would not consider a refund without a receipt and that was alarming as well. I give these cards to teenage relatives as gifts and I never thought to send a receipt. I did provide them with a receipt and they finally credited my account but added that I should use the credit immediately to prevent it from happening again. That statement also alarmed me to the fact that they have no handle on people hacking into accounts.

      As a person who has purchased gift cards for many many years, I was shocked by the problem and Apple’s abrasive response to it. I have found unused gift cards from other major retailers that still work after several years and I was really surprised that this card had been used after purchasing it a few months back. Be wary and steer clear of iTunes Customer Service.

    • #1234373

      OK, this thread took on multiple topics, I’m sticking to mine. I found out the only way to manage your iTunes account is to actually download the app (93Meg!!) and Store > Sign in from the menu. Now I need to take the advice in this O.P. original article and remove the credit card from my account. To do that, click “Edit Payment Information” and pick None across the top of the CC list.

    • #1240577

      This is still happening. I had an iTunes account I hadn’t used since early 2008. At that time, I purchased a couple of albums using Paypal as my form of payment. I use Paypal because it is supposed to limit your financial exposure to all these other internet businesses. But apparently, if you use Paypal on iTunes, it sets up some kind of ongoing subscription that allows iTunes to charge your Paypal account and you don’t have to sign in to Paypal to authorize it. Not only that, it sets a spending limit of $5,000 a month!

      I found this out when I started receiving emails on the 18th from iTunes and Paypal thanking me for my purchases. Between 8/16 and 8/18, there were 17 fraudulent charges to my Paypal account from iTunes, totaling nearly $700. I know my computer is not infected with a keylogger or anything else. I hadn’t signed into that iTunes account in over two years–would a thief wait that long to use his ill-gotten gains? I religiously scan my computer for virus and malware.

      There’s a group on Facebook with several other people who are having the same problem right now, so Apple/iTunes have done nothing to secure their website yet. I see several people in different places say it’s because “you had an easy password,” “it’s because you are using Windows,” “your computer is compromised,” etc. It’s my belief that iTunes has been compromised, not us! My password was strong, consisting of a combination of 10 letters and numbers. It was not a dictionary word. As I said previously, I had not even signed into that account in over two years.

      Paypal says I will get my money back, but it hasn’t happened yet. They are still waiting for a response from iTunes.

      Another thing that irks me about this, all but one of the 17 charges are less than $50. I read here on AppleInsider that iTunes invoices the account when you get close to $50 to limit their liability and because purchases less than $50 are not protected by law. The law regarding purchases less than $50 is here, on FTC.gov. If Apple/iTunes wants to help put an end to junk like this, they should only invoice one purchase, regardless of how large it is. Scams like this might be shut down much quicker if that were the case. I’ve never experienced any other online merchant who does this, so why is Apple/iTunes doing it?
