iTunes Security: Worse than you thought?

On December 1, 2008, I woke up to find a series of disturbing emails in my inbox.  They were a pair of PayPal receipts and the corresponding iTunes store receipts for 2 purchases of $200 gift cards sent to anonymous Hotmail and Yahoo email addresses.  The problem was, I didn’t make the purchases.

The transactions took place around 5:30am while my wife, myself, and our son were in bed.  Seeing as how I couldn’t possibly have made the purchases, and how they were suspiciously paired one after another and sent to random and easy-to-obtain email addresses combined with the fact that, though I had linked my PayPal account to my iTunes account “just in case”, I had never actually made a purchase previously, it seemed obvious that I had been the victim of a scam and I could easily get the transaction reversed.

Not so.  Thus began one of the most frustrating and infuriating experiences of my life, leaving me with a foul taste for both PayPal and iTunes.

Contacting Apple yielded no help.

I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. As part of the investigation, their fraud department will contact the iTunes Store directly to resolve this issue.

They also recommended I change my password, something I did the second I discovered my account had been hacked.

Unfortunately, my financial institution wasn’t a financial institution at all.  It was PayPal.  And there’s a difference — although I was blind to it at the time.  In a normal scenario, you could contact your bank, your bank would put a stop payment on the transaction, launch an investigation, and if anything seemed out of place at all you’d get your money back.  PayPal doesn’t work that way.  They aren’t a bank and don’t operate by the same rules as banks do.  Their only concern and primary objective is transferring money from one bank to another and, in that sense, their job was done.  It, apparently, didn’t matter to them my (presumably valid) claim that it was someone else who authorized the money transfer from PayPal to iTunes.  I had linked my PayPal account to iTunes, and that stated intent (despite having gone unused) made me liable for any transactions, including fraudulent ones.

I fought the issue for a week.  I had had just under $200 in my PayPal balance.  The remainder was pulled from my bank account, which I was able to get refunded easily (without even having to talk to anyone) from my bank.  (PayPal held firm even after I pointed out that the investigation my bank had done saw enough reason to refund the money.)  I called a hotshot New York criminal defense lawyer associate for advice. (File a police report, take it up in small claims court if I want to pursue it. I didn’t.)  Ultimately defeated, I let it drop.  If I wanted to take PayPal to court, I could force them to hand over the documents claiming to prove that it was me (or at least my IP address) that had initiated the transaction.  I had already lost enough sleep over the issue, and I had succeeded in getting the cash that was taken from our bank back; the rest, I felt, was the cost of two important lessons learned:

1) PayPal is not a bank.  As benign as they appear, they are a business.  A large, thriving business that makes money from you on every transaction you make through them.  That gives them huge capital without a large overhead since their costs of operating are minimal.

2) PayPal will, almost invariably, side with the seller as the default rule.  Even in the case of an eBay dispute, they will start by assuming the seller is correct and the burden of proof is on the buyer and potential victim in the scenario.

But one important lesson still went missed, even as I was removing my PayPal linkage from everything I could find, changing the password and email address on everything that matched what I had entered into my profile on iTunes, and finding alternative checkout systems to PayPal for my design business (we primarily use Google Checkout now).  That was: how secure is iTunes, anyway?  I had assumed my experience was an isolated incident, that I was just some poor victim most likely in a series of attacks that occurred that morning across multiple accounts.

According to this article, I was wrong.

It turns out, there have been a lot of people swindled on iTunes.  The most recent security breach artificially bumped up several Vietnamese books into the top 10 list by what looks to be authorizing the purchase without the buyer’s knowledge (or consent).  But this is only the latest scam.  Both the Mashable article and the comments on the article itself reveal countless others who have been swindled in similar ways — mysterious transactions that took place without their knowledge.  How is it that arguably the largest retailer for digital downloads has such shoddy security that accounts are routinely infiltrated and exploited for profit?  I was surprised to learn that, not only was I not alone in having my iTunes account hacked into (something I blamed myself for — my password wasn’t altogether secure and was the same one I’d been using for years, a combination of numbers and letters that was a combination of the AOL profile my dad had made me and the numeric code at the end of my username from the old telnet BBS systems I frequented back in the early days), but my $400 wasn’t the most that had been robbed (the first comment I saw on the Mashable post was from someone who lost over $550).

The most sound advice was given by another commenter: don’t use your debit card, don’t enter financial information at all, in fact; use only prepaid cards and remove them when you’re done.  It seems paranoid, but if it’s that easy to get into a user’s account, wouldn’t you rather be safe than sorry?  From that perspective, it’s easy to imagine legions of opportunistic wanna-be hackers trying to infiltrate the mighty iTunes fortress and the treasures of nubile user accounts with endless caches of funds in the form of credit card info and PayPal accounts just waiting to be plundered.  The question is not is my information safe but rather how long until my information is compromised?  With so little help from Apple and PayPal, it doesn’t hurt to be paranoid when your money is at stake.


Chris Reynolds is one half of the design team at Arcane Palette Creative Design. He writes in his personal blog, jazzsequence, on subjects like music, technology and social media and shares links, videos, and posts various personal music and writing projects. You can also follow him on Twitter.

lightning never strikes twice. unless you’re a spammer.

they say that lightning never strikes the same place twice.  that’s a good thing, because if you happened to be an idiot out in a lightning storm holding a weather vane in an open field unlucky enough to get hit once (and walk away),  you probably wouldn’t want to be the guy out in a lightning storm holding a weather vane in an open field with some seriously frizzed hair when lightning struck there again.

if you go to today, you’ll see a disclaimer announcing that ashley morgan wants to relinquish control of genesis rocket, and pawn it off on some other poor sap so they can spam it to the masses and try to turn a profit, or else assimilate it into a new and equally unsavory “twitter method”.  this act couldn’t be a selfish act at all; no, i’m sure it’s done with the best of intentions.

but as effectively as holding a lightning rod in a thunderstorm, ashley morgan — author of “the only legitimate passive income twitter method” — has had his own twitter accounts suspended.  again.

@uptheoctave (his upcoming “book”)
@followenormous (his band — which is actually unfortunate because there are at least 3 other members of the band who may not condone scamming or spamming)

that couldn’t possibly have colored his decision to pass on the ownership of his “successful twitter method” to someone else.  it’s a little like playing chicken with thor, there’s only one way that’s going to end: burnt to a crisp.

seriously.  let this be a lesson to anyone even remotely thinking about either taking over genesis rocket, purchasing it now or in the future, or publishing it in another form or something similar in the future: spammers get banned.

How not to use Twitter

I’m done.  Seriously, I’ve had it.  I’m done with the lies and the hype and the spam and the spin doctoring.  I’m done with “twitter methods” that promise thousands of followers and fame and fortune and all they really deliver is spam, affiliate marketing, and zombies – the precise thing they claim to avoid.

You want to ruin any desire you had to ever use twitter for what it is – a microblogging, communication platform?  Here’s what you do:

Step 1 – find some kind of site, network, ebook, method, scam, or tool that requires you to auto-follow people who follow you.  It doesn’t matter what site, network, ebook, method, scam, or tool you choose.  There’s plenty to choose from.  Some are free, and some are $97.  This is the single best way to crap up your twitter account.

Now why would I say it craps up your account?  Isn’t it required to send Direct Messages to people on twitter to follow them?  Doesn’t that hinder communication?

You want to know what hinders communication?  Not being able to read the stuff that I actually wanted to read to begin with.  Having to dig through line after line after line of bile I don’t care about, and retweeted links I saw 2 hours ago.  Having to filter through teeth whitening, and auto-fed links from Google Alerts that probably the twitter user in question hasn’t even read.  You want to know what hinders communication?  Being auto-DM’d shite links for more affiliate crap, scams, networks, ebooks, tools, and twitter methods that require me to join their network or buy their book.  Not being able to even look at my own DMs and creating a rule in Outlook to auto-delete all DMs that aren’t a message from TrueTwit to verify my identity, because the alternative is hundreds of emails a day for garbage I don’t care about.  That hinders communication.  Not able to send a DM?  @mention me and deal.

That brings me to Step 2 on how to ruin your twitter experience.

Step 2 – Auto DM your new followers.  What better way to make your twitter experience miserable than to spread some misery of your own?  Here’s a clue: no one likes auto-DMs.  The whole world of twitter has turned into a den of con-jobs, marketers, and spam, and the whole auto-DM thing basically ruins Direct Messaging as a whole.  The solution?  Stop following stupid people.  I propose that from now on, anyone who auto-DMs anyone else is instantly unfollowed.  Honestly, I don’t care what you have to say if what you have to say is forced on me in a Direct Message.  Now, some people just say Hi in an auto-DM, and those people I may be able to tolerate.  Maybe.  But if there’s http://anythingatall I don’t care, you go into the fecking trash bin.  If I followed you, probably I looked at your home url and thought you were cool, but if you are going to send me the same url I already know – or worse, send me your affiliate coded link to whatever-the-crap you’re selling – you’re on a fast track to my shit list.  And honestly, I should make a shit list, now that twitter’s added lists…

Step 3 – follow a whole bunch of people you don’t really care about.  Now why would you do this?  Simple: because some twitter method told you to.  Or because some site or network that guarantees hundreds or even thousands of followers requires it.  If you don’t care what they have to say, why bother?  So what’s the definition of “someone you don’t really care about”?  Well, one trick is to go into someone’s follower list who you do care about, and follow all of their recent followers.  You know nothing about any of these people, whether they’re robots, humans, porn, or spam, you just click click clickety-click through page after page after page until you’ve capped out your maximum number of users you can follow in a day.  Effing fantastic, sounds like a great way to waste a half hour.  While you’re at it, you might as well try to scoop out your eyeballs with a spoon, pour some mustard on them, and eat them for breakfast for all the good either of those things will do you.

Here’s the thing: twitter is all about communication and sharing.  At its best, it opens up a channel to communicate globally about topics you’re interested in, with people you would never have known about otherwise.  As such, it comes down to Dunbar’s number: 150.  You honestly can’t keep up with a whole lot more than 150 people and have a real, engaging, two-way dialog with those people.  It’s been proven in studies that Facebook users with hundreds of friends really only actually keep in touch with a small handful.  Our brain just can’t handle relationships in excess of  a few dozen.

So, with twitter, if you are following a ton of people, into the thousands, your twitter stream becomes an unreadable landfill of refuse that never ends.  There’s no conversation, only chaos, and amidst the chaos is spam and ads and affiliate marketing and crap.  Sure, about 50% of those thousands of people (maybe more, but it’s always been roughly 1:2 when I’ve tested this theory) will give you a reciprocal follow, but who cares?  It’s just a number, it doesn’t mean anything.  Most of those reciprocal follows are from auto-following zombies like you’ve made yourself into.

There are those that will say that the numbers mean everything.  That it’s all about the numbers, and the content doesn’t even matter.  That once you hit a magic twitter number, say 10,000, you’re set.  You can advertise anything, blog anything, sell anything, and have enough people click it that you can make a decent living off it.  Even if only 1% of your followers click on your links or ads, that 1% still amounts to 100 people, and that still equates to a lot of traffic/money.

The reality is this theory is bullshit.

No, really, it’s bullshit.

I say this as someone who’s tested and used one of these fabulous “twitter methods” for several months.  Let me give you a little comparison.  I have our business website [ap].  [ap] has a twitter account @ArcanePalette.  I ran through the steps of setting up the “twitter method” on @ArcanePalette for about a week and stopped shy of adding 1000+ people to follow.  I probably got to 800 or so that I was following, and quit.  I let the account sit, and gradually the follower (and following) numbers exceeded 1000 because I was doing reciprocal follows.  The twitter stream was unreadable, but it didn’t matter because I had other accounts (namely @jazzs3quence) that I actually read.  I didn’t pay much attention to who ended up following @ArcanePalette.

On the other side I set up several different twitter accounts that all ultimately directed to  At the beginning, they were pointing to the home page, and then later they were directing traffic to specific pages reviewing (with my fabulous affiliate link embedded) aforementioned “twitter method”.  In total, I only set up about 4 or 5 accounts but I got each one to 1000 followers before moving on and creating a new account.  I tried every trick that all of the supporters of the “twitter method” said to do: automated tweets with my affiliate link to sell copies of it, automated tweets by feeding links via twitterfeed, I even made myself sound important like I was actually getting sales (although never actually lying and saying it outright.  I’m sure some will say that was my problem).  With 1 account at over 3000 followers, 3 accounts at over 1000 followers each, and 1 account with several hundred (because I stopped mid-week) all pumping links and ads and trackbacks to my site, you’d think that eventually I’d get a single affiliate sale.  Nope.  Not a one.  If there are people with 10,000 followers saying they can make hundreds or even thousands of dollars a day getting 9 or 10 sales everyday, you’d assume with a combined total nearing 7,000 followers that I’d get at least one.  In six months.

It’s a lie: no one’s selling anything. Or not at the scale they say they are.

And what do I get in return?  At first, just looking at numbers, I compared the growth of my twitter followers to the increase in traffic to my blog.  I figured, even if the sales didn’t come, whatever, I’m not a salesman and I don’t want to be.  But traffic is good both for my site and [ap], and if it helped to generate traffic to either of those places, then that would help me/us get a higher Google PageRank (secret: it didn’t).  Sure, the hits to my blog increased steadily, roughly in line with the twitter numbers.  But on the other hand, there’s @ArcanePalette, doing none of the spam, only occasional autofed (and dare I say relevant) design links from blogs I follow and respect, and then a feed for new posts on our website.  [ap] gets more traffic by a significant margin by using none of the sneaky tricks to grab people from twitter.  Sure, twitter is one of the biggest sources of links to, but the average time on the site is generally under a minute, whereas the average time on ranges from 4-9 minutes.  The majority of people who land on couldn’t give a crap about me or my site, not really, regardless of how I got them there, so that increase in numbers really just amounts to two things: Jack. Shit.  (I guess that really counts as just one thing.)  If I get 50% or more of my traffic to from twitter, but all of it is just a brief glance, whereas I get actual, quality traffic from Google, design sites, and various other places (including, occasionally, twitter), then I could care less about the 30 second traffic from twitter, I really could.

Sure, there might be some great people in the midst of the hundreds of people a day I’m meant to follow according to the “twitter method” but how would I ever know?  Only luck would allow me to actually notice one of their tweets in between and “whiten your teeth now”.

I’m not the first person to say that automatically reciprocating all follows is a bad idea.  And probably, if all you want to do is set up hundreds of twitter accounts selling affiliate products and cumulatively generating thousands of links, a fraction of a percentage of which actually result in sales, then using one of these wonderful twitter methods is great for you.  But if you actually want to use twitter as a social networking application, engage with people, & learn things you didn’t know before, then following someone else’s rules for how to use twitter is a surefire way to make you hate everything about twitter and not use it the way it was meant to be used.

And how is it meant to be used?  However the hell you want to use it.  The rules are there are no rules.  It’s like a dance – it’s a fledgling technology that has adapted to the way the users have used it and the users adapt to the changes the technology implements based on how it’s used.

Take it from someone who went around the block and finally came back home and wondered what the fuck was I thinking? If I’m doomed to obscurity with this blog because I didn’t completely sell out and start posting porn to boost my traffic numbers, then into obscurity I go.  I’ve got better things to do than to waste another minute on one guy’s dream to put more cash into his own pocket at any cost.

Looking for an affiliate program that sucks?