iTunes Security: Worse than you thought?

On December 1, 2008, I woke up to find a series of disturbing emails in my inbox.  They were a pair of PayPal receipts and the corresponding iTunes store receipts for 2 purchases of $200 gift cards sent to anonymous Hotmail and Yahoo email addresses.  The problem was, I didn’t make the purchases.

The transactions took place around 5:30am while my wife, myself, and our son were in bed.  Seeing as how I couldn’t possibly have made the purchases, how they were suspiciously paired one after another and sent to random and easy-to-obtain email addresses, combined with the fact that, though I had linked my PayPal account to my iTunes account “just in case”, I had never actually made a purchase previously, it seemed obvious that I had been the victim of a scam and I could easily get the transaction reversed.

Not so.  Thus began one of the most frustrating and infuriating experiences of my life, leaving me with a foul taste for both PayPal and iTunes.

Contacting Apple yielded no help.

I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. As part of the investigation, their fraud department will contact the iTunes Store directly to resolve this issue.

They also recommended I change my password, something I did the second I discovered my account had been hacked.

Unfortunately, my financial institution wasn’t a financial institution at all.  It was PayPal.  And there’s a difference — although I was blind to it at the time.  In a normal scenario, you could contact your bank, your bank would put a stop payment on the transaction, launch an investigation, and if anything seemed out of place at all you’d get your money back.  PayPal doesn’t work that way.  They aren’t a bank and don’t operate by the same rules as banks do.  Their only concern and primary objective is transferring money from one bank to another and, in that sense, their job was done.  My (presumably valid) claim that it was someone else who authorized the money transfer from PayPal to iTunes apparently didn’t matter to them.  I had linked my PayPal account to iTunes, and that stated intent (despite having gone unused) made me liable for any transactions, including fraudulent ones.

I fought the issue for a week.  I had had just under $200 in my PayPal balance.  The remainder was pulled from my bank account, which I was able to get refunded easily (without even having to talk to anyone) from my bank.  (PayPal held firm even after I pointed out that the investigation my bank had done saw enough reason to refund the money.)  I called a hotshot New York criminal defense lawyer associate for advice. (File a police report, take it up in small claims court if I want to pursue it. I didn’t.)  Ultimately defeated, I let it drop.  If I wanted to take PayPal to court, I could force them to hand over the documents claiming to prove that it was me (or at least my IP address) that had initiated the transaction.  I had already lost enough sleep over the issue, I succeeded in getting the cash that was taken from our bank back, and the rest, I felt, was the cost of two important lessons learned:

1) PayPal is not a bank.  As benign as they appear, they are a business.  A large, thriving business that makes money from you on every transaction you make through them.  That gives them huge capital without a large overhead since their costs of operating are minimal.

2) PayPal will, almost invariably, side with the seller as the default rule.  Even in the case of an eBay dispute, they will start by assuming the seller is correct and the burden of proof is on the buyer and potential victim in the scenario.

But one important lesson still went missed, even as I was removing my PayPal linkage from everything I could find, changing the password and email address on everything that matched what I had entered into my profile on iTunes, and finding alternative checkout systems to PayPal for my design business (we primarily use Google Checkout now).  That was: how secure is iTunes, anyway?  I had assumed my experience was an isolated incident, that I was just some poor victim most likely in a series of attacks that occurred that morning across multiple accounts.

According to this article, I was wrong.

It turns out, there have been a lot of people swindled on iTunes.  The most recent security breach artificially bumped up several Vietnamese books into the top 10 list by what looks to be authorizing the purchase without the buyer’s knowledge (or consent).  But this is only the latest scam.  Both the Mashable article and the comments on the article itself reveal countless others who have been swindled in similar ways — mysterious transactions that took place without their knowledge.  How is it that arguably the largest retailer for digital downloads has such shoddy security that accounts are routinely infiltrated and exploited for profit?  I was surprised to learn that, not only was I not alone in having my iTunes account hacked into (something I blamed myself for — my password wasn’t altogether secure and was the same one I’d been using for years, a combination of numbers and letters made up of the AOL profile my dad had made me and the numeric code at the end of my username from the old telnet BBS systems I frequented back in the early days), but my $400 wasn’t the most that had been robbed (the first comment I saw on the Mashable post was from someone who lost over $550).

The most sound advice was given by another commenter: don’t use your debit card, don’t enter financial information at all, in fact; use only prepaid cards and remove them when you’re done.  It seems paranoid, but if it’s that easy to get into users’ accounts, wouldn’t you rather be safe than sorry?  From that perspective, it’s easy to imagine legions of opportunistic wanna-be hackers trying to infiltrate the mighty iTunes fortress and the treasures of nubile user accounts with endless caches of funds in the form of credit card info and PayPal accounts just waiting to be plundered.  The question is not “is my information safe?” but rather “how long until my information is compromised?”  With so little help from Apple and PayPal, it doesn’t hurt to be paranoid when your money is at stake.

____________________________________

Chris Reynolds is one half of the design team at Arcane Palette Creative Design. He writes in his personal blog, jazzsequence, on subjects like music, technology and social media and shares links, videos, and posts various personal music and writing projects. You can also follow him on Twitter.