feel sorry for Peter.
further justification that you should just use gift certificates for iTunes!
Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases. Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for wqfaqapk445 …
I'm pretty certain that when I created an iTunes account last year, it forced me to enter a valid credit/debit card before it would allow me to download anything.
Why should I need to give Apple my card details when I just want to download a free app?
the WTF? icon, as this doesn't appear to be one of an apple with a crossbow bolt through it...
The exact same thing happened to my brother last week - for £800+. I asked him what (his now changed) password was and it was pretty unguessable.
Also got zero response from apple, he's now only going to add money to his itunes accounts via gift cards bought in shops, so he never has to store his card details with them ever again.
Incidentally, when I tried to remove my card details from iTunes it wouldn't let me.
If you need to remove your working card details from iTunes, or any similar website, do what I do:
- Change enough of the information to render the card invalid. You could put in known Visa test card numbers which pass the validation process but are invalid card numbers, or you could modify the start/end date, issue number or name.
Do be warned though as modifying just the issue/end date and leaving the roll number the same could lead to your bank locking your account due to suspected fraudulent transactions. That's normally a quick phone call to clear up though.
This is something I find myself doing a lot, especially for online games.
Yeah, the same thing did happen to me as my brother mentioned. I got done for 100 x £10 gifts, received only one email from iTunes, had to wait a day for them to reply and eventually my bank (incidentally also HSBC) refunded my money and charged it back to iTunes as fraud. They are still investigating and said that if iTunes can prove it wasn't fraud, which I can't see how they can, then they can take the £1000 back. I said in my email to iTunes that I cannot see how, when I have never bought a gift for someone in the many years I have had my account, they cannot spot 100 in a matter of hours as something out of the ordinary. Not too surprisingly I did not get a response to that.
I'm hearing more and more about this type of problem with iTunes accounts. I'm very careful with my card details and I use a password manager to ensure high strength passwords etc, but even still I might just unlink my credit card from the iTunes system and just apply gift cards periodically to keep a balance on there for buying apps etc.
Too much of a hassle if anything fraudulent did happen...
I do feel for him, but what steps are we proposing apple does take? Plenty of stores let you buy gift vouchers for people online and they do not require you to verify your friendship. I guess we could get facebook to do it for us, they are nice and trustworthy.
I would be turning a far more critical eye on how this breach of his account security occurred. Whether it was a breach of his email account and a malicious password reset request, a shoddy password, or poor security on the PCs he accessed iTunes with.
Having said all that, Apple's handling of this customer complaint sounds terrible. And typical, more's the shame.
Security breaches will happen whatever you do so I'm not sure that looking at how the credentials were breached will help. If you really want to protect your customers from fraudulent transactions, here's a suggestion:
1. Whenever a customer sends a gift to someone they've never sent a gift to before, send them an email to the email address you have registered for them, asking them to confirm that they do really intend to send the gift;
2.1. If they confirm the gift then all good, send it on and mark the beneficiary as safe;
2.2. If they deny the gift, don't send it on, mark the beneficiary as unsafe and start logging the gift activity for the beneficiary's account;
3. If the beneficiary's account shows a lot of gifts to them, especially denied ones, block the account.
Note that if you hold other information such as a mobile phone number, you can do an alternative version of step 1 where you send an SMS or an automated voice call to the customer with a PIN in it that they have to enter before finalizing the transaction.
What you could also do to trigger the check in step 1 is use analytics to work out if there is a chance that the gift is fraudulent: e.g. several gifts in a short amount of time from someone who never uses the feature. Or gifts from one person to another person in a different country. Or use bayesian filters to mark transactions as potentially fraudulent based on previous user patterns and do the validation checks for all that are highlighted. In fact, rather than re-invent the wheel, you can probably re-use a lot of the technology in use in spam filters.
None of this is beyond the technical abilities of Apple and can be designed in a way that generates minimal annoyance for the customer. Any fraud prevention specialist worth his salt could come up with dozens of options to reduce the incidence of such payments irrespective of how the customer's account gets compromised. But I suspect Apple don't have one of those people on their payroll.
I use a pay-as-you-go / prepaid credit card for most online transactions with only a few notable exceptions.
That way, the damage will always be limited since I don't "charge" it with a lot of money.
There are quite a few reasonable deals around, some charge you a small percentage fee only when you transfer money to the card. If you think of that as an insurance premium, it's quite a good deal.
As a bonus, you can also use it when you're on holiday abroad...
> I do feel for him, but what steps are we proposing apple does take?
Do the same as credit card companies do ... if there's an abnormal set of transactions (and in this case it sounds like 80 monthly gifts set up in a short time, which ought to be obviously seen as "unusual") then put a block on the account until contact can be made to verify that these are correct transactions.
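The numbered proposal a few posts up (confirm a first-time beneficiary out of band, mark it safe or unsafe, block beneficiaries that collect denials) and the reply above (put a block on abnormal bursts of transactions) describe one gate that can be written down. The following is an added example, not code from any poster or from Apple: the account names, the £10 gift events and the thresholds (3 gift attempts per hour, block after 2 denials) are constructed assumptions, and the actual email/SMS confirmation step is represented only by the `confirmation()` call that feeds its result back in.

```python
"""Added example: a gift-purchase fraud gate combining the thread's two ideas
(first-time beneficiary confirmation and a velocity block). Not Apple's code;
thresholds and event data below are constructed for illustration."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


class GiftFraudGate:
    """Decide whether a gift purchase may proceed.

    Rules:
      1. a gift to a beneficiary the sender has never confirmed is held
         for out-of-band confirmation (email, SMS PIN, voice call);
      2. a confirmed beneficiary is marked safe for that sender; a denied
         one is counted against the beneficiary, and a beneficiary with
         `block_after_denials` denials is blocked outright;
      3. more than `max_gifts` gift attempts from one sender inside
         `window` are held regardless of beneficiary (velocity rule).
    """

    def __init__(self, max_gifts=3, window=timedelta(hours=1), block_after_denials=2):
        self.max_gifts = max_gifts              # assumed threshold
        self.window = window                    # assumed sliding window
        self.block_after_denials = block_after_denials
        self.safe = defaultdict(set)            # sender -> beneficiaries confirmed by sender
        self.attempts = defaultdict(deque)      # sender -> timestamps of recent gift attempts
        self.denials = Counter()                # beneficiary -> denied gifts received
        self.blocked = set()                    # beneficiaries no longer allowed to receive

    def check(self, sender, beneficiary, ts):
        """Return 'allow', 'hold:...' (needs confirmation) or 'reject:...'."""
        if beneficiary in self.blocked:
            return "reject:blocked-beneficiary"
        q = self.attempts[sender]
        while q and ts - q[0] > self.window:    # drop attempts outside the window
            q.popleft()
        q.append(ts)                            # held attempts still count as attempts
        if len(q) > self.max_gifts:
            return "hold:velocity"
        if beneficiary not in self.safe[sender]:
            return "hold:new-beneficiary"
        return "allow"

    def confirmation(self, sender, beneficiary, genuine):
        """Feed back the customer's answer to the out-of-band check."""
        if genuine:
            self.safe[sender].add(beneficiary)
        else:
            self.denials[beneficiary] += 1
            if self.denials[beneficiary] >= self.block_after_denials:
                self.blocked.add(beneficiary)


def run_scenario():
    """Replay a constructed event log and return the gate's decisions in order."""
    gate = GiftFraudGate()
    t = datetime(2011, 1, 20, 2, 0)             # constructed timestamp
    decisions = []

    # Legitimate first gift: held once, confirmed, then later gifts flow.
    decisions.append(gate.check("alice", "bob", t))
    gate.confirmation("alice", "bob", True)
    decisions.append(gate.check("alice", "bob", t + timedelta(days=1)))

    # Constructed replay of the pattern in the thread: 25 x £10 gifts to one
    # unknown account within a few minutes from a compromised login.
    for i in range(25):
        decisions.append(gate.check("peter", "wqfaqapk445", t + timedelta(seconds=10 * i)))
    gate.confirmation("peter", "wqfaqapk445", False)

    # A second victim denies a gift to the same beneficiary, which blocks it,
    # so a third attempt from anyone is rejected before any card is charged.
    decisions.append(gate.check("dave", "wqfaqapk445", t + timedelta(hours=3)))
    gate.confirmation("dave", "wqfaqapk445", False)
    decisions.append(gate.check("erin", "wqfaqapk445", t + timedelta(hours=4)))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(run_scenario()):
        print(i, d)
```

In the replay, the first three of the 25 gifts are held as first-time beneficiary gifts and the remaining 22 trip the velocity rule, so none of them reach the card; the sender's denial, plus one from a second victim, then blocks the receiving account for everyone. Velocity is counted on attempts, not on approved purchases, so holding a gift does not let the attacker keep retrying until the bank declines.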
If you thought that was bad it gets worse. I was in the position where I had transferred my bank account and killed all the cards which came with the old one some five years ago. Last month I got a call to say that a transaction against my old Visa card had been honoured and how would I like to pay the bill. This is a Visa card which was four years past its expiry date and which was part of a closed account.
Apparently, if you have lodged card details against a 'potential' regular payment then they must be explicitly cleared or else at any time in the future a 'Guaranteed' Visa payment could be made. As far as the banks are concerned, the death of the card/account is an irrelevance.
The card is dead, long live the card.
Hopefully this is an easy question to answer, but what is the point of this fraud? As far as I can tell, the fraudulent gift vouchers can only be used to buy music/apps/whatever from the iTunes store, for the recipient account. If Apple just blocked the gift recipient accounts when fraud comes to light, what would be the point of this hack anyway?
It permits the crook to buy any apps or eBooks they have in the iTunes system. So you submit an app or eBook of dubious worth, charge a few pennies or pounds for it and then use your nefariously obtained gift certificates to buy shed loads of copies of it thus boosting your rankings and turning a nice profit on the app/eBook.
"iTunes isn't just a system for buying a bit of music; it's turned into a banking system"
And that's the point. As long as you just allow customers to buy something for themselves only, you're a merchant. As soon as you allow gift purchases for someone else, you start taking on some of the responsibilities of a bank because roughly speaking you allow funds to be moved from account A to account B.
This is why every online bank worth banking with has strong validation measures around setting up a new payment beneficiary. Merchants who offer gift purchases are no different: if they allow you to set up a new gift beneficiary without offline validation, get the hell out of there.
I only ever use credit cards for this sort of thing. If there are dodgy transactions, the worst that will happen is that they might max out my credit card, my bills and other payments go out just fine and my bank accounts remain un-touched.
Things may have improved, but last time I read about the rules credit card companies hold the liability for fraudulent transactions, whereas it is pretty much up to the bank as to how good they are to you in situations like this.
Having recently been forced to "upgrade" within iTunes, it would not let me proceed without registering a card, despite my iTunes account being £26 in credit (and I don't buy very much).
While there was a suggestion above to register a false card, that could be taken as attempted fraud. There should be an option to remove all details (I will check when I go home, and if I can, I will).
Apple FAIL once again
I got hit on Sunday morning. Got an email to say a £10 monthly voucher had been paid to a hotmail account. Logged into iTunes to find 6 similar payments have gone through. Basically they had kept on going until my bank declined any more due to lack of funds.
Got a cut-and-paste reply from Apple telling me that it's down to my bank to refund me. My bank have been fine about it, have given me a small overdraft until they refund the transactions and cancelled my card. Only pain with that is I now have no way to draw cash until my new card turns up! I have a PayPal top-up card which I shall add to iTunes in the future and just keep it topped up enough; no way am I trusting Apple with my bank card details again.
They've facilitated someone in robbing you, then abdicated responsibility for their breach of your trust... and you're going to continue giving money to this service?
Okay, as a thought exercise: replace "Apple" with "Sky", "O2", "British Gas" or "Virgin Media", and would you feel the same way?
If we were actual, thinking people, once such a report became public there would be a flurry of account cancellations until the Itunes store became a virtual desert.
Only then would Apple understand that its policy and behavior is unacceptable, and change it.
But here ? In this reality, Apple conducts itself like any unwashed street tramp having successfully hawked damaged wares to the unwitting at the curb - when said witless numpty wises up a bit and complains, the tramp just stares him down and turns his back, laughing all the way to the bank.
And the numpty, pissed off though he is, continues dealing with the tramp, thus justifying the haughtiness in the first place.
Seems to me that there has been a world-wide ablation of testes in the current generation. Given the fact that beauty stores see more and more men coming in to purchase creams and lotions, I guess it was inevitable.
I'm going to buy a shotgun and a dog and retire to the mountains now.
November last year, my iTunes account was stung for £30 of app purchases and "in-app" purchases in... Chinese. This is despite a 16-character mixed-case password (not easily guessed) and never accessed from anything other than iPad/iPhone and my Mac (which is secure). It took 48 hours to get Apple to refund the amount, and it came with a very curt-but-polite "Apple's policy is that all purchases are final, non-refundable" despite my multiple protests that *I* did not make the purchases. Something somewhere is leaking account information, either a hack somewhere in iTunes or leaking OS X... I don't know, but it wasn't pleasant, and Apple's attitude was less than supportive.
On Jan 21st. I was lucky though, they only got 14 transactions from me. I phoned my credit card company, who put me through to their fraud department. They said it wasn't registered as fraud yet so put me back to customer services. They then told me they couldn't do anything till Apple had been given 30 days to sort it out. So I emailed Apple, who said they can't do anything till my credit card company has issued a chargeback. So now I have a disabled iTunes account, two companies that say they won't deal with me till I've dealt with the other, and a credit card I'm likely to have to cancel (even though there's been no breach of my credit card details, as you can't see them even when you're logged into your iTunes account).
...on 20th Jan in the afternoon got a call from my bank saying suspicious activity on my credit card, 25 transactions at £10 each from iTunes in the small hours whilst I was tucked up in bed. After 25 the bank declined any more.
I confirmed that I hadn't done them and then checked my email and iTunes account. One email saying "monthly gift to firstname.lastname@example.org", iTunes purchase history showed all 25 with exactly the same details.
I've had an iTunes account for around 5 years and never had a problem before this, no idea how the account was hacked (password was unique to iTunes account and never used anywhere else - I think from now on I will change it at regular intervals though).
Contacted iTunes via email, the usual stock response basically saying take it up with your bank - which I duly did. The bank has cancelled the card and is issuing chargebacks to iTunes.
I've changed my iTunes password and removed the card details, in future gift card only credit for me (yes I will still begrudgingly give money to Apple whilst I have an iPhone for apps etc, but when my contract is up I may consider going HTC depending on how Apple handle this).
If the bank can spot 25 transactions as being suspicious, why can't iTunes? Why would I perform 25 transactions all giving the same £10 gift to the same Hotmail account? Apple need to install their own fraud monitoring routines and be proactive, rather than passively relying on banks and users to spot fraud and sort it out.
"[...] Peter, who works in IT and is aware of the security issues around online accounts [...]"
... to this...:
"[...] though Peter reckons it's more likely the hacker guessed his password rather than he mistakenly handed it over. [...]"
Okay, this guy (a) claims to be competent in online security and (b) uses a password simple enough to be guessed and (c) is aware of that.
Massive, complete, fail. But not on Apple's side.
Big thanks to the co-operative bank for acting quickly and stopping the transactions. It was 750 quid in my case. This was last Friday night.
Apple were OK but getting through to them was much slower than getting through to the Co-op's fraud team. The Co-op had the job done and dusted before Apple made first contact.
It was pure luck that I caught it in time, I just happened to check my mail.
Interestingly Apple sent me one mail to say I'd bought a 10 quid gift for someone, but when I checked via itunes there were 75 * 10 quid gifts.
The iphone is the first and last Apple hardware that I will buy.
I've just had a call saying exactly the same thing; £750 worth of "Monthly Gift" transactions against my account. Luckily my bank was good enough to spot it and is in the process of refunding the charges, but it's still very frustrating! I'm also completely clueless as to how they got access to my account. I consider my password to be pretty secure (over 15 characters, including letters, numbers and symbols), so I can't imagine they brute forced it?!?
What I find really frustrating is the lack of phone support from Apple in the UK! Surely with their enormous user base we should get more than a sodding email support form?!?
Why did it take the bank TWENTY-FIVE transactions to spot that fraud may have been occurring?
Perhaps TEN would have been better or perhaps even FIVE transactions?
How many times have you wandered into Tesco and bought something TWENTY-FIVE times in one day? Would it have looked suspicious to a security guard?
I think the most annoying aspect here is Apple's reluctance to see it as their problem and let the banks deal with it. I informed Apple as soon as I got the email about 1 transaction, then discovered loads more on the account history. Smile (Co-op) bank were fine, at the time the charges were only pending, but the only way Smile could stop them was by cancelling my card, therefore leaving me without access to cash for a few days to a week.
This is Apple's problem; they were advised by me that it was fraudulent when at the time the charge was only pending. Now that they have actually made the charge to my card after I informed them, does that not make them an accessory to fraud?
So now I have a locked iTunes account, and a locked bank account. Yes, I'm a victim of crime, but had Apple got off their arses and stopped the payments immediately, then I wouldn't also be a victim of Apple's criminal ways.
I shan't be buying another Apple product ever again.
Exactly the same happened to me, I noticed 40 x £25 "monthly gift to SNNT" on my credit card dated 24th January, though when looking at iTunes purchase information it appears they were done on the 22nd January.
As a result I have had to cancel my credit card (even though it was not compromised), and am having a ridiculous email (as this appears the only way) conversation with Apple's fraud team (which appears to be based in Asia), who only answer in a specific scripted format no matter what you tell or ask them.
They are insistent that my card was compromised, despite the transactions taking place on iTunes only. If I was the only one, and gullible, I might believe them; however when there appear to be hundreds, if not thousands, of these, surely Apple should come clean.
I also had a nine-character alphanumeric password with upper and lower case characters, so it seems incredibly unlikely that someone guessed it.
If anyone is interested in seeing the itunes emails let me know, and I will happily send them on.
All of this is probably based on a completely erroneous understanding of how it was done. Think about it. An unknown, but likely LARGE number of iTunes accounts appear to have been 'hacked' on the same day, maybe even all around the same time. Should we imagine, then, that this was done by making use of the normal user ordering interface? I guess it's possible that the perpetrators wrote some software to do this, then hijacked a number of computers to run as bots, maybe using previously cracked passwords, but that seems unlikely to me. For one thing, IME, it's normal when placing orders using saved debit/credit card details, that the ordering process then asks for the CSV to be (re-)entered. Maybe this isn't the case in all territories, but it does seem to be the case in the UK, and that being the case, it makes it seem even more unlikely that this fraudulent activity was perpetrated by individual use of the normal iTunes ordering interface.
My guess is that this whole operation was actually carried out by people who, somehow, hacked the iTunes store servers - and if that is so, is it surprising that Apple have kept quiet about it? What matters is that those affected have, as quickly as possible, been refunded in their bank accounts, with the minimum of hassle and disruption. I'm pleased to say that, in my case, that is exactly what happened. My bank refunded the money and I was able to ascertain that this had been made possible by Apple providing all necessary information and cooperation from Apple - and indeed, it is perhaps hard to see how the banks could have acted so promptly without that support.
The fact that Apple have - as many here have commented - been 'unresponsive' may well be because the number of users affected made it impossible for even a large company like Apple to respond to everyone individually. There's also the fact that such responses would likely not, in themselves, have achieved anything useful. Instead, perhaps Apple simply focussed on the useful task of confirming the necessary details, as quickly as possible, to each and every bank used by the affected users, in order to ensure the fastest possible correction to those users' accounts - and I, for one, am happy that that was what they chose to prioritise!
In summary, then, a story that was first over-dramatized for greater 'impact', followed by the usual ill-informed, knee-jerk responses from the proles. SNAFU.
CCVs are never checked. Well, I've never had one checked and I've made many purchases. Multiple failed logins should be flagged and accounts disabled. First time gifts should be validated. Many gifts in short periods should ring alarm bells. My god damn bank should recognise 9 £25 transactions in 3 minutes as possibly fraudulent. The response should not be to disable an account I've already made safe (card gone, password changed) and explained as such.
Yeah, got screwed too.
For f**ks sake.
I agree with you mate, my bank should have declined long before 25 transactions had been done. Makes me wonder if £250 is the "alert" rather than the number of transactions.
I still maintain though that APPLE should have fraud routines in place to spot this kind of activity and should have stopped it far earlier - an email to say "is this genuine?" would have prevented all this hassle for me, the bank (how much does it cost them to create new card, new account, investigate etc) and iTunes (my understanding is that the bank charges the merchant for chargebacks).
Why are Apple not taking this seriously? Thousands of people are getting hit for several £25 transactions as monthly gifts. Banks are saying they are getting loads of these requests for refunds. Apple don't seem to care, and have not acknowledged that there is an issue.
Anyone else out there able to give me any more on what has happened here, or whether Apple have changed anything to stop this from happening again?
Register, can you do an article on this? Let people know that this is going on and make Apple tell us why we are having to go through this pain. They have been hacked; admit it and stop passing the pain on to us and the banks. Where is their integrity?
Now I've finally got my iTunes account reactivated I added a little used payment card and realised I was also asked to register the CVV number. No wonder it's insecure if Apple can just charge when they want to.
All Apple need to do is to ask for the CVV at each point of purchase; then only a card holder would be able to complete. One of the reasons the use of the CVV was introduced, and one that Apple continue to ignore.
Almost 2 weeks on, I have my new card and the £250 of fraudulent transactions were charged back to Apple by the bank, but trying to get any info or an acknowledgement of a problem from Apple is impossible. They simply don't want to know. All they did was suspend my account (after I changed the password and removed the card details), which I have since had reactivated.
A complete FAIL from my point of view. Even though in my initial email I informed them I had already changed my password and removed my card details, they just keep sending me emails advising me to "change password and remove payment details if you wish", or they say "necessary actions on card ending xxxx, please do the needful with your bank" and finally to "contact your bank if you think you have been the victim of identity fraud". The emails seem to be a mix of stock cut-and-paste paragraphs interspersed with custom pidgin English text.
I haven't been a victim of identity theft, the only fraud going on here is through Apple, and that's obvious via the number of reports on this "monthly gift card fraud" issue (including this thread on Apple's own discussion forums):
I've tried various times to get Apple to acknowledge the issue and asked them if they plan to proactively fight fraud in future, but every single email I've sent just results in the stock "sorry you have had a problem, please contact your bank" response. If I didn't know any better I'd think that no one was actually reading the emails I sent.... ;-)
I give up. It's going to need someone with a bigger drum to bang than me to get Apple to acknowledge this. I've sent copies of all correspondence to Watchdog, Trading Standards and Consumer Direct. I suggest anyone affected also does this, perhaps if the powers that be take it up Apple will be forced to respond.