Scammers steal from PayPal accounts through users of iTunes [u]

A phishing scam relies on hijacking users' iTunes accounts linked to PayPal, giving thieves the ability to drain money from someone's online account [updated].

Update: Various users have reported being charged thousands of dollars through the scam, in which the charges are made to an iTunes account through PayPal. While the problem was reported as a "major security hole" associated with iTunes accounts by TechCrunch Monday, John Paczkowski of Digital Daily reported that it's actually a phishing scam that's been around for some time.

"Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions," he wrote.

PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.

An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem.

"Among other new security measures iTunes now requires more frequent re-entry of a customer's credit card security code," the spokesperson said. "But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

Earlier this summer, iTunes was hit by developer and account fraud, which some developers used to boost their sales rankings. Apple said that in that incident only 400 accounts, out of more than 150 million active iTunes users, were compromised.

This month, Apple also bolstered the security of its Apple ID accounts, which are shared by iTunes. Users must verify their account information when they log into new devices, and new iTunes account passwords must have at least 8 characters with mixed capitalization.



35 Comments

str1f3 16 Years · 572 comments

This is old news but I would tell my fellow iTunes users to use anything with the shift key to prevent keylogging or password cracking. They will only go after the naive and simplistic regarding tech. This, alone, will increase the odds for password encryption.

🎁
mstone 18 Years · 11503 comments

Somehow I ended up with three different iTunes accounts. I wish I could merge them like you can on Network Solutions. Anyway after this news I went into all of the accounts and disabled all the credit info. iTunes is just too big of a target right now. When I first got a PayPal account I made sure to link it to a new bank account which I keep very little money in just as a precaution.

ilo 15 Years · 6 comments

Nothing in these articles points to any security flaw in Apple's software. These cases appear to be people who had their login name and password stolen from somewhere else (typically by phishing emails or by keyloggers on an infected Windows PC). The thief then logged into iTunes with VALID credentials and used them to generate bogus charges.

chris_ca 18 Years · 2540 comments

Quote:
Originally Posted by mstone

When I first got a PayPal account I made sure to link it to a new bank account which I keep very little money in just as a precaution.

PayPal has so many more problems than iTunes.

sendme 14 Years · 567 comments

Quote:
Originally Posted by ilo

Nothing in these articles points to any security flaw in Apple's software.

"PayPal has said it is reimbursing customers for the fraud, but added that the problem "is happening on the iTunes side." Further questions about the scam were referred to Apple.

An Apple spokesperson told the San Jose Mercury News that the company is aware of the problem, and working on a fix."

If there is no security flaw in Apple's software, then how are they working on a fix? They say that they are aware of the problem, but you think that no problem exists?

Sorry, but I will believe Apple. Every time.