Scammers steal from users' PayPal accounts through Apple's iTunes
A phishing scam relies on hijacking users' iTunes accounts linked to PayPal, giving thieves the ability to drain money from someone's online account [updated].
Update: Various users have reported being charged thousands of dollars through the scam, in which the charges are made to an iTunes account through PayPal. While the problem was reported as a "major security hole" associated with iTunes accounts by TechCrunch Monday, John Paczkowski of Digital Daily reported that it's actually a phishing scam that's been around for some time.
"Sources close to Apple tell me iTunes has not been compromised and the company isn't aware of any sudden increase in fraudulent transactions," he wrote.
PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.
An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem.
"Among other new security measures iTunes now requires more frequent re-entry of a customer's credit card security code," the spokesperson said. "But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."
Earlier this summer, iTunes was hit by developer and account fraud, which some developers used to boost their sales rankings. Apple said that, in that incident, only 400 accounts were compromised out of the more than 150 million active iTunes users.
This month, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.
Comments
When I first got a Paypal account I made sure to link it to a new bank account which I keep very little money in just as a precaution.
PayPal has so many more problems than iTunes.
Nothing in these articles points to any security flaw in Apple's software.
"PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.
An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem, and working on a fix."
If there is no security flaw in Apple's software, then how are they working on a fix? They say that they are aware of the problem, but you think that no problem exists?
Sorry, but I will believe Apple. Every time.
PayPal has so many more problems than iTunes.
No kidding... PayPal is a nightmare.
They don't need the help of phishers to take someone's account away.
Like the other fellow, my PayPal is linked to a dedicated and empty bank account.
Nothing in these articles points to any security flaw in Apple's software. These cases appear to be people who had their login name and password stolen from somewhere else (typically by phishing emails or by keyloggers on an infected Windows PC). The thief then logged into iTunes with VALID credentials and used them to generate bogus charges.
Try again.
http://digitaldaily.allthingsd.com/2...ullible-users/
One more reason why I dropped PayPal years ago and have never looked back.
I've used PayPal all the time for years without a problem. It's all about having strong and regularly changed passwords. In fact, these days, the whole security thing is about weak passwords and human engineering (phishing). My bank now has an optional RSA SecureID fob that requires a four digit pin code followed by a six digit passcode that changes every 60 seconds. In effect my password changes every 60 seconds. I have used the same SecureID card at my workplace for over a decade now. Even if there's a key logger installed, even if I give away my pin number, my password still changes every 60 seconds. The bad guy has to have my SecureID fob in his physical possession to get into my accounts.
In effect my password changes every 60 seconds.
That sounds way to complicated. Apple would never do anything like that.
Instead, I bet that they will come up with something that changes the entire security industry forever. They will make it easy enough for a 4 year old to use.
Sorry there is no hole in ITunes in this case. People gave someone their userid and password and that was then used to buy stuff. Valid userid and password = valid access. Stop clicking on fake emails!
Apple says different, and I believe Apple.
I say PayPal is the problem and they're not fessing up.
I say human beings who can't tell a phishing scam from a legitimate email are the problem and THEY'RE not fessing up.
Apple says different, and I believe Apple.
I'd like to have a look at that Kool-Aid you are holding.
I've used PayPal all the time for years without a problem. It's all about having strong and regularly changed passwords.
It's not about people getting access to your account.
It's about (lack of and poor) customer service.
Try to get refund or credit for something not received is a crap shoot.
From the article - "PayPal has said it is reimbursing customers for the fraud, but added that the problem "
Many people have simply been told that it is NOT PayPal's problem and that they would not refund anything or do anything to help the customer.
Many more horror stories about PayPal than there are for Apple/iTunes.
it's actually a phishing scam that's been around for some time.
<Emily Litella>
Oh! Well that's different, then.
Never mind!
</Emily Litella>
That sounds way to complicated. Apple would never do anything like that.
Instead, I bet that they will come up with something that changes the entire security industry forever. They will make it easy enough for a 4 year old to use.
A four year old probably knows the difference between to and too.