Series of fraudulent iTunes charges reported in Singapore

Dozens of iTunes users in the Southeast Asian country report that they have lost hundreds of dollars due to charges recorded to their accounts for purchases they did not make.


According to Channel News Asia, two people say they were charged the equivalent of around $5,100 to iTunes on their bank-connected credit cards. The bank, Oversea-Chinese Banking Corporation (OCBC), reported 58 cases of the fraudulent charges in total.

A customer at another bank, DBS, told the news organization that six fraudulent transactions led to his account balance being "completely wiped out."

Apple Singapore told Channel News Asia that it is "looking into" the charges, and has nullified the purchases.

Several of the charges were in the amount of exactly $112.03 in Singapore dollars ($82.22). Another customer reported the charge showing up on his phone bill, charged to "iTunes orders."

Apple has of late made a strong push into Singapore. It opened its first Apple Store there last year, with an "Apple Loves Singapore" insignia in front of the store as it was prepared for opening, and it also added transit directions in that country to Apple Maps.

Apple has refunded many of the charges, but not all. The company also says that it is looking into the situation.

Comments

  • Reply 1 of 15
    racerhomie3 Posts: 1,170 member
    For crying out loud people use 2 Factor Authentication.
    Fun fact 2/3 of all iCloud accounts now have 2FA enabled 
    source: WWDC
  • Reply 2 of 15
    mcdave Posts: 1,632 member
    Duh! Use a different password for your AppleID and the other-service email address?  If (or when if it’s Yahoo) that email service gets hacked they can’t just use the combo on your AppleID account.
  • Reply 3 of 15
    gatorguy Posts: 22,887 member
    "As noted by the Strait Times, Apple customer support informed an affected user that no purchases had been made on her Apple account, but rather her card had been used by a fraudulent iTunes account. Apple subsequently banned that account."
  • Reply 4 of 15
    foggyhill Posts: 4,767 member
    Combi phishing of account X and then they used their god damn password.

    People are basically morons. Don't reuse passwords, userID (emails as user ID), whatever for anything you care about.

    And never enter your god damn info from a link coming from an email or text, always go directly to the original site on a trusted network (in  case of man in the middle attacks).
    If they got a message for you, you'll see it there. It's very very likely they don't and yeah, it was a scam.
  • Reply 5 of 15
    Fatman Posts: 513 member
    Chinese bank? A bit of an oxymoron.
  • Reply 6 of 15
    matrix077 Posts: 867 member
    gatorguy said:
    "As noted by the Strait Times, Apple customer support informed an affected user that no purchases had been made on her Apple account, but rather her card had been used by a fraudulent iTunes account. Apple subsequently banned that account."
    Exactly. When Apple charge you for anything you’ll know because they’ll send you an email for the purchase, and in that email there will be a link for you to dispute that purchase right in there. 
    edited July 2018
  • Reply 7 of 15
    charlituna Posts: 7,217 member
    mcdave said:
    Duh! Use a different password for your AppleID and the other-service email address?  If (or when if it’s Yahoo) that email service gets hacked they can’t just use the combo on your AppleID account.

    this doesn't have to be a case of the same email at all. someone uses a computer program to generate thousands of possible emails for a local ISP and phishes them claiming to be Apple. they log in and there's how someone can get in. a fake 'confirm your payment info' page would get them the bank info
  • Reply 8 of 15
    Rayz2016 Posts: 6,764 member
    foggyhill said:
    Combi phishing of account X and then they used their god damn password.

    People are basically morons. Don't reuse passwords, userID (emails as user ID), whatever for anything you care about.

    And never enter your god damn info from a link coming from an email or text, always go directly to the original site on a trusted network (in  case of man in the middle attacks).
    If they got a message for you, you'll see it there. It's very very likely they don't and yeah, it was a scam.
    All of this. 

    👍🏾


  • Reply 9 of 15
    racerhomie3 Posts: 1,170 member
    Never use a password you can remember. If you can memorize it, a hacker & a computer can calculate it faster. It’s best to use a Password Manager to generate random passwords, like the one on iOS 11 (iCloud Keychain).
  • Reply 10 of 15
    GeorgeBMac Posts: 9,428 member
    matrix077 said:
    gatorguy said:
    "As noted by the Strait Times, Apple customer support informed an affected user that no purchases had been made on her Apple account, but rather her card had been used by a fraudulent iTunes account. Apple subsequently banned that account."
    Exactly. When Apple charge you for anything you’ll know because they’ll send you an email for the purchase, and in that email there will be a link for you to dispute that purchase right in there. 
    Those emails are VERY slow in coming.  
    Better to set your credit card alerts to let you know of ANY and EVERY charge to the card when the charge is made.   You can then go into your iCloud account and see what the charge was.   I use that method for my grandson on my Family Sharing plan because the emails are so delayed that they are worthless to me.
  • Reply 11 of 15
    GeorgeBMac Posts: 9,428 member
    Rayz2016 said:
    foggyhill said:
    Combi phishing of account X and then they used their god damn password.

    People are basically morons. Don't reuse passwords, userID (emails as user ID), whatever for anything you care about.

    And never enter your god damn info from a link coming from an email or text, always go directly to the original site on a trusted network (in  case of man in the middle attacks).
    If they got a message for you, you'll see it there. It's very very likely they don't and yeah, it was a scam.
    All of this. 

    👍🏾


    Yeh, but others have reported that this was not a case of a stolen AppleId but of stolen credit cards -- and somebody simply used the stolen card info to open a fraudulent iTunes account.

    Or, since these charges were repeats of the same amount, it could also have been some glitch at the server level.

    I think we need to learn more about what happened.


  • Reply 12 of 15
    I'm going to take a wild guess and say this is related to the SingHealth hack that happened this month, likely these guys had the same user ids and passwords for their iTunes accounts, which don't require 2FA to make purchases, unlike iCloud access, even if they had it switched on I believe.
  • Reply 13 of 15
    MplsP Posts: 3,039 member
    For crying out loud people use 2 Factor Authentication.
    Fun fact 2/3 of all iCloud accounts now have 2FA enabled 
    source: WWDC
    Would that have mattered here? It’s not at all clear how the fraud occurred, or even if the fraud occurs with Apple vs with a stolen card used with Apple. 
  • Reply 14 of 15
    cropr Posts: 1,046 member
    Never use a password you can remember. If you can memorize it, a hacker & a computer can calculate it faster. It’s best to use a Password Manager to generate random passwords, like the one on iOS 11 (iCloud Keychain).
    Password managers are great but still have some risks.  Most people have multiple devices, with the same multi-device password manager. The chance of one of the devices being hacked cannot be neglected.

    Using passwords that you cannot remember is not secure advice; people tend to write down things which they cannot remember.

    I use passwords that I can remember but that others cannot remember or derive, because the logic behind the remembering is private (not even my wife knows it).  The passwords are long enough (at least 16 characters to avoid brute force attacks), are different per website, and are not human readable. Better than any password manager.
  • Reply 15 of 15
    jbdragon Posts: 2,244 member
    I've had issues with Paypal a couple of different times in the last month.  I had 2 factor on in the form of a security Key.  I also have a completely random generated password that Lastpass created, and yet still gained access.  I'm at a loss!!!  It's a 20 digit password with letters, numbers and symbols.  I even had someone call me claiming they were PayPal and trying to get info from me, and then hung up.  Somehow I ended up with SamSung Pay, Inc in my Paypal account.  Like I would ever use one of their phones and have Samsung Pay setup.  Nope.   A couple of weeks later, someone tried a couple more big charges,  Paypal stopped it, called me to make sure it wasn't me.   I didn't give them any personal info, just said it wasn't me, then I called them back by the number I got looking it up myself to double check it was really them calling me.  

    You really want 2 Factor turned on.  PayPal 2 factor I think is a little flawed because you can get around it by using security questions.  I don't like that, but you are forced to use them.  I'd rather the 2 factor be calling me to enter a code or better yet an Authenticator App.  I've started using LastPass to generate long passwords for a number of sites.  #1 on your list should be GMAIL or whatever site you use.  Once someone has access to your mail account, they can pretty much gain access anywhere.  They can just go to a site, say they forgot the password, it gets sent to your mail account, and they use that link to gain access and create a new password for themselves.  Also, make sure 2 factor is on.   I'm normally using LastPass Authenticator, which works anywhere that Google's Authenticator does.  I actually use Google's Authenticator for Lastpass 2 factor, so it's not from the same company for extra protection.  Lastpass Authenticator is used for GMail and everywhere else I can use it at.

    It does make gaining access to places a pain at times.  Apple's Keychain I use on my iPhone to make things easier to get access over and over again on my iPhone.  But I use LastPass as my main password manager.  It has everything.  It works with everything.  Keychain is Apple only.  Maybe that's enough for you. Lastpass allows me to use my iPhone, iPad, and Windows computers.  It has a nice Password Generator.  Really, a lot of capabilities.  It works pretty well on iOS devices, but generally, I'll use it to get the password and then save it on Keychain so I can get access to sites faster.  

    NEVER click on any link you get in email, if you didn't expect it.  Like forgot your password and they're sending you a link to gain access again.  The last thing you want is getting an email saying you need to update your banking info, click here!!   Don't do it!!!!  

    If for whatever reason, someone has you on the phone, and wants to keep you on the phone and hear what's going on around you as you get a bunch of cash, and go to WalMart or some other store to put money on a bunch of cards to pay them, and you have your phone on with them the phone time,  THAT'S A SCAM!!! STOP!!!!!!
