Scammers steal from users' PayPal accounts through Apple's iTunes

Posted:
in iPod + iTunes + AppleTV edited January 2014
A phishing scam relies on hijacking users' iTunes accounts linked to PayPal, giving thieves the ability to drain money from someone's online account [updated].



Update: Various users have reported being charged thousands of dollars through the scam, in which the charges are made to an iTunes account through PayPal. While the problem was reported as a "major security hole" associated with iTunes accounts by TechCrunch Monday, John Paczkowski of Digital Daily reported that it's actually a phishing scam that's been around for some time.



"Sources close to Apple tell me iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions," he wrote.



PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.



An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem.



"Among other new security measures iTunes now requires more frequent re-entry of a customer's credit card security code," the spokesperson said. "But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."



Earlier this summer, iTunes was hit by developer and account fraud, which some developers used to boost their sales rankings. Apple said, in that incident, that only 400 accounts were compromised of the more than 150 million active iTunes users.



This month, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.

Comments

  • Reply 1 of 35
    str1f3 Posts: 573 member
    This is old news but I would tell my fellow iTunes users to use anything with the shift key to prevent keylogging or password cracking. They will only go after the naive and simplistic regarding tech. This, alone, will increase the odds for password encryption.
  • Reply 2 of 35
    mstone Posts: 11,510 member
    Somehow I ended up with three different iTunes accounts. I wish I could merge them like you can on Network Solutions. Anyway after this news I went into all of the accounts and disabled all the credit info. ITunes is just too big of a target right now. When I first got a Paypal account I made sure to link it to a new bank account which I keep very little money in just as a precaution.
  • Reply 3 of 35
    ilo Posts: 6 member
    Nothing in these articles points to any security flaw in Apple's software. These cases appear to be people who had their login name and password stolen from somewhere else (typically by phishing emails or by keyloggers on an infected Windows PC). The thief then logged into iTunes with VALID credentials and used them to generate bogus charges.
  • Reply 4 of 35
    chris_ca Posts: 2,543 member
    Quote:
    Originally Posted by mstone View Post


    When I first got a Paypal account I made sure to link it to a new bank account which I keep very little money in just as a precaution.



    PayPal has so many more problems than iTunes.
  • Reply 5 of 35
    sendme Posts: 567 member
    Quote:
    Originally Posted by ilo View Post


    Nothing in these articles points to any security flaw in Apple's software.



    "PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.



    An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem, and working on a fix."



    If there is no security flaw in Apple's software, then how are they working on a fix? They say that they are aware of the problem, but you think that no problem exists?



    Sorry, but I will believe Apple. Every time.
  • Reply 6 of 35
    Quote:
    Originally Posted by Chris_CA View Post


    PayPal has so many more problems than iTunes.



    No kidding... PayPal is a nightmare.

    They don't need the help of phishers to take someone's account away.



    Like the other fellow, my PayPal is linked to a dedicated and empty bank account.
  • Reply 7 of 35
    Quote:
    Originally Posted by ilo View Post


    Nothing in these articles points to any security flaw in Apple's software. These cases appear to be people who had their login name and password stolen from somewhere else (typically by phishing emails or by keyloggers on an infected Windows PC). The thief then logged into iTunes with VALID credentials and used them to generate bogus charges.



    Try again.
  • Reply 8 of 35
    robin huber Posts: 3,235 member
    One more reason why I dropped PayPal years ago and have never looked back.
  • Reply 10 of 35
    madla Posts: 3 member
    Sorry there is no hole in ITunes in this case. People gave someone their userid and password and that was then used to buy stuff. Valid userid and password = valid access. Stop clicking on fake emails!
  • Reply 11 of 35
    lkrupp Posts: 6,712 member
    Quote:
    Originally Posted by Robin Huber View Post


    One more reason why I dropped PayPal years ago and have never looked back.



    I've used PayPal all the time for years without a problem. It's all about having strong and regularly changed passwords. In fact, these days, the whole security thing is about weak passwords and human engineering (phishing). My bank now has an optional RSA SecureID fob that requires a four digit pin code followed by a six digit passcode that changes every 60 seconds. In effect my password changes every 60 seconds. I have used the same SecureID card at my workplace for over a decade now. Even if there's a key logger installed, even if I give away my pin number, my password still changes every 60 seconds. The bad guy has to have my SecureID fob in his physical possession to get into my accounts.
  • Reply 12 of 35
    sendme Posts: 567 member
    Quote:
    Originally Posted by lkrupp View Post


    In effect my password changes every 60 seconds.







    That sounds way to complicated. Apple would never do anything like that.



    Instead, I bet that they will come up with something that changes the entire security industry forever. They will make it easy enough for a 4 year old to use.
  • Reply 13 of 35
    sendme Posts: 567 member
    Quote:
    Originally Posted by madla View Post


    Sorry there is no hole in ITunes in this case. People gave someone their userid and password and that was then used to buy stuff. Valid userid and password = valid access. Stop clicking on fake emails!





    Apple says different, and I believe Apple.
  • Reply 14 of 35
    SpamSandwich Posts: 30,748 member
    I say PayPal is the problem and they're not fessing up.
  • Reply 15 of 35
    kingkuei Posts: 137 member
    Quote:
    Originally Posted by SpamSandwich View Post


    I say PayPal is the problem and they're not fessing up.



    I say human beings who can't tell a phishing scam from a legitimate email are the problem and THEY'RE not fessing up.
  • Reply 16 of 35
    Quote:
    Originally Posted by SendMe View Post


    Apple says different, and I believe Apple.



    I'd like to have a look at that Kool-Aid you are holding.
  • Reply 17 of 35
    ihxo Posts: 562 member
    Rather strange that it seems to be limited to iTunes users using PayPal accounts.
  • Reply 18 of 35
    chris_ca Posts: 2,543 member
    Quote:
    Originally Posted by lkrupp View Post


    I've used PayPal all the time for years without a problem. It's all about having strong and regularly changed passwords.



    It's not about people getting access to your account.

    It's about (lack of and poor) customer service.

    Trying to get a refund or credit for something not received is a crap shoot.



    From the article - "PayPal has said it is reimbursing customers for the fraud, but added that the problem "

    Many people have simply been told that it is NOT PayPal's problem and that they would not refund anything or do anything to help the customer.



    Many more horror stories about PayPal than there are for Apple/iTunes.
  • Reply 19 of 35
    sendme Posts: 567 member
    Quote:
    Originally Posted by AppleInsider View Post


    it's actually a phishing scam that's been around for some time.









    <Emily Litella>



    Oh! Well that's different, then.



    Never mind!



    </Emily Litella>
  • Reply 20 of 35
    MacPro Posts: 18,013 member
    Quote:
    Originally Posted by SendMe View Post


    That sounds way to complicated. Apple would never do anything like that.



    Instead, I bet that they will come up with something that changes the entire security industry forever. They will make it easy enough for a 4 year old to use.



    A four year old probably knows the difference between to and too.