Surfers who link their debit or credit card to iTunes have reason to be cautious after a Reg reader found his bank account plunged into the red overnight following £1,000 in fraudulent iTunes gift purchases.
Reg reader Peter woke up one morning last week to discover an email informing him of a "£10 Monthly Gift for firstname.lastname@example.org", an account he'd never heard of.
Apple describes iTunes Monthly Gifts as a "great way to give a gift that keeps on giving". The vouchers, sent to a recipient's email address, can be used to purchase music and audio books from the iTunes Music Store.
Peter checked his iTunes purchase history, where to his horror he discovered scores of these "Monthly Gift" purchases – all of which had been generated within a short space of time on 19 January, but only one of which generated an email.
As a result of the fraudulent purchases, Peter's bank account plunged from its £700 positive balance to £300 into the red, forcing him to borrow from friends in order to pay household bills until the mess was sorted out.
Peter promptly contacted both Apple and his bank (HSBC) over the scam. Apple responded with an automated message before suspending his iTunes account, a day after the damage was done. HSBC reacted better, restoring funds to his account so that Peter was able to make his mortgage payment, and sending him a form so that he could confirm in writing that he had had nothing to do with the disputed transactions.
Peter – who has had an iTunes account for years, spending an average of around £5 a month and never using it to make a gift purchase – is highly critical of Apple's handling of the matter.
"After years of buying Apple products and using iTunes to buy some music and apps now and again, they'd taken the whole day to get back to me and basically claimed no responsibility or offered any help," Peter, who works in IT and is aware of the security issues around online accounts, told El Reg.
"How is it even possible for iTunes to be used as some type of glorified bank account? Why the hell would I want to use iTunes to transfer money to people?
"It is completely unacceptable that Apple has turned iTunes into some type of pseudo-PayPal without the security measures, monitoring and care being taken to run something so important," he concluded.
Peter is unclear on how his iTunes account might have been compromised. Phishing attacks (or worse) aimed at iTunes users are far from uncommon – though Peter reckons it's more likely the hacker guessed his password than that he mistakenly handed it over. Malware infection, or reuse of the same password on another site that is subsequently breached, are the other common routes to this type of account compromise.
It's unclear how Peter's account was compromised (we'll probably never know) or how many other people might also have been affected by the same scam. The fraudulent gift purchase most closely resembles the mass compromise of iTunes accounts linked to PayPal, widely reported in August 2010.
A quick search for "iTunes + fraud" reveals that Peter's case is far from unique, with other victims who linked their iTunes account to a debit card also waking up to discover hundreds of dollars in fraudulent purchases. Unlike the iTunes / PayPal scam, the many victims of iTunes-related bank fraud were not all hit around the same time, so this minor variant of essentially the same scam has escaped media attention, at least until now.
Peter's tale of woe raises questions about whether iTunes ought to allow monthly gifts, given that it is a secondary facility that appears to be easily abused. "iTunes isn't just a system for buying a bit of music; it's turned into a banking system that can wipe out your finances and put whole families into financial limbo," Peter warns. ®