iTunes Security: Worse than you thought?

On December 1, 2008, I woke up to find a series of disturbing emails in my inbox.  They were a pair of PayPal receipts and the corresponding iTunes store receipts for 2 purchases of $200 gift cards sent to anonymous Hotmail and Yahoo email addresses.  The problem was, I didn’t make the purchases.

The transactions took place around 5:30am while my wife, myself, and our son were in bed.  Seeing as how I couldn’t possibly have made the purchases, and how they were suspiciously paired one after another and sent to random and easy-to-obtain email addresses combined with the fact that, though I had linked my PayPal account to my iTunes account “just in case”, I had never actually made a purchase previously, it seemed obvious that I had been the victim of a scam and I could easily get the transaction reversed.

Not so.  Thus began one of the most frustrating and infuriating experiences of my life, leaving me with a foul taste for both PayPal and iTunes.

Contacting Apple yielded no help.

I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. As part of the investigation, their fraud department will contact the iTunes Store directly to resolve this issue.

They also recommended I change my password, something I did the second I discovered my account had been hacked.

Unfortunately, my financial institution wasn’t a financial institution at all.  It was PayPal.  And there’s a difference — although I was blind to it at the time.  In a normal scenario, you could contact your bank, your bank would put a stop payment on the transaction, launch an investigation, and if anything seemed out of place at all you’d get your money back.  PayPal doesn’t work that way.  They aren’t a bank and don’t operate by the same rules as banks do.  Their only concern and primary objective is transferring money from one bank to another and, in that sense, their job was done.  My (presumably valid) claim that it was someone else who authorized the money transfer from PayPal to iTunes apparently didn’t matter to them.  I had linked my PayPal account to iTunes, and that stated intent (despite having gone unused) made me liable for any transactions, including fraudulent ones.

I fought the issue for a week.  I had had just under $200 in my PayPal balance.  The remainder was pulled from my bank account, which I was able to get refunded easily (without even having to talk to anyone) from my bank.  (PayPal held firm even after I pointed out that the investigation my bank had done saw enough reason to refund the money.)  I called a hotshot New York criminal defense lawyer associate for advice. (File a police report, take it up in small claims court if I want to pursue it. I didn’t.)  Ultimately defeated, I let it drop.  If I wanted to take PayPal to court, I could force them to hand over the documents claiming to prove that it was me (or at least my IP address) that had initiated the transaction.  I had already lost enough sleep over the issue; I succeeded in getting the cash that was taken from our bank back; the rest, I felt, was the cost of two important lessons learned:

1) PayPal is not a bank.  As benign as they appear, they are a business.  A large, thriving business that makes money from you on every transaction you make through them.  That gives them huge capital without a large overhead since their costs of operating are minimal.

2) PayPal will, almost invariably, side with the seller as the default rule.  Even in the case of an eBay dispute, they will start by assuming the seller is correct and the burden of proof is on the buyer and potential victim in the scenario.

But one important lesson still went missed, even as I was removing my PayPal linkage from everything I could find, changing the password and email address on everything that matched what I had entered into my profile on iTunes, and finding alternative checkout systems to PayPal for my design business (we primarily use Google Checkout now).  That was: how secure is iTunes, anyway?  I had assumed my experience was an isolated incident, that I was just some poor victim most likely in a series of attacks that occurred that morning across multiple accounts.

According to this article, I was wrong.

It turns out, there have been a lot of people swindled on iTunes.  The most recent security breach artificially bumped up several Vietnamese books into the top 10 list by what looks to be authorizing the purchase without the buyer’s knowledge (or consent).  But this is only the latest scam.  Both the Mashable article and the comments on the article itself reveal countless others who have been swindled in similar ways — mysterious transactions that took place without their knowledge.  How is it that arguably the largest retailer for digital downloads has such shoddy security that accounts are routinely infiltrated and exploited for profit?  I was surprised to learn that, not only was I not alone in having my iTunes account hacked into (something I blamed myself for — my password wasn’t altogether secure and was the same one I’d been using for years, a combination of numbers and letters that was a combination of the AOL profile my dad had made me and the numeric code at the end of my username from the old telnet BBS systems I frequented back in the early days), but my $400 wasn’t the most that had been robbed (the first comment I saw on the Mashable post was from someone who lost over $550).

The most sound advice was given by another commenter: don’t use your debit card, don’t enter financial information at all, in fact; use only prepaid cards and remove them when you’re done.  It seems paranoid, but if it’s that easy to get into users’ accounts, wouldn’t you rather be safe than sorry?  From that perspective, it’s easy to imagine legions of opportunistic wanna-be hackers trying to infiltrate the mighty iTunes fortress and the treasures of nubile user accounts with endless caches of funds in the form of credit card info and PayPal accounts just waiting to be plundered.  The question is not “is my information safe?” but rather “how long until my information is compromised?”  With so little help from Apple and PayPal, it doesn’t hurt to be paranoid when your money is at stake.


Chris Reynolds is one half of the design team at Arcane Palette Creative Design. He writes in his personal blog, jazzsequence, on subjects like music, technology and social media and shares links, videos, and posts various personal music and writing projects. You can also follow him on Twitter.

how am i going to tell my kids there’s no christmas this year?

gather ’round the fire, kiddies, it’s story time.  i’ve been hanging on to this one for a good long while, but it’s time for this rant to come out and rear its ugly head.  mostly, it’s a tale in which we laugh at people who have not been born with an overabundance of intelligence, but there’s a morality tale in here as well.

and this story is called, as you could probably tell…

how am i going to tell my kids there’s no christmas this year?

(cue dramatic music)

so, i used to do tech support.  for a long, long while i was a tech support monkey, and i got my monkey start working for a callcenter who was doing support for MSN.  MSN is, or at least was many years ago, microsoft’s answer to AOL.  they’re both the devil, really.  they’re both glorified browsers with a bunch of crap added on that are supposed to make browsing easier but really just crowd your screen.  i will say that after msn8 was released, i did use it — at work — but it was slow and bogged down my computer at home.  and i couldn’t imagine wanting to use it over a dialup connection, which is what most of the folks calling in were on at that time.

tech support is usually divided up into three tiers, and these tiers’ functions vary depending on the company and infrastructure.  tier 1 is invariably the front line.  they are the first people you talk to when you have a problem.  doesn’t matter what problem it is, you’re talking to some tier one schmuck.  and most of them are schmucks.  even though officially you weren’t supposed to move up to a higher tier until you’d been on tier 1 for at least 3 months, i got a tier 3 position in a little over a month.  only the schmucks or the n00bs are ever left on tier 1.  tier 1 is trained to try to get first call resolution.  and probably 8 times out of 10 they can, because most problems are dumb.  it’s the other 2 that leave you, the customer, screaming at your tier 1 schmuck and begging him for something, anything, else, because you’ve already flushed your cookies and cache, you’ve rebooted the computer and the modem, and you’ve re-optimized your msn client — whatever the hell that does — and you still can’t connect to the internet.

at the call center i worked at, msn tier 3 handled all escalations, which means billing, customer service, and technical support escalations.  billing was, understandably, always the worst.  usually folks were okay if you refunded a couple months back to them.  but we had a policy not to do more than 3 months.  technically we had the ability to do more (with manager approval — hint: they wouldn’t), but it was discouraged.  (i think later they disabled the actual ability to do more than 3 months, but those of us who had that ability before kept it later.)

My most difficult call is also, in retrospect, my most amusing story, and is a lesson about keeping your finances in check.  Being on tier 3, we got a lot of calls from customers who had gotten a new computer at best buy.  best buy was running a promo at the time that signed you up for 3 months of free msn internet service when you bought your computer on your credit card (or visa/mastercard debit card).  i agree, the deal was pretty slimy.  from what i understood, it sounded pretty difficult to not get the msn service, and anyway, who can argue with free internet?  this didn’t stop us from being really snotty towards the people who didn’t realize they were being billed months after the billing cycle started.  we got these calls every day.  does anyone actually look at their credit card or bank statements?  i started to doubt they did.

so one day in december i got a call from an angry african american lady in chicago.  i remember chicago, because the people who called me from chicago when i worked at msn were always angry.  (it’s one of those social stereotypes that somehow just always applies, like everyone from the east coast is brash and a little (or, often, a lot) offensive, and everyone from the south, particularly african americans in the south, are pretty cool.)  i once got a call from a lady whose phone number was on a list of dialup access numbers, so she was constantly barraged by phone calls from modems — she was angry, also, she was in (or around) chicago.  why she didn’t just change her number, i didn’t understand. (“why should i have to change my number. you’re the ones with the problem.”)  back to this angry african american lady in chicago.  she had a pretty good sob story: the family was low on cash, they had a couple kids and they couldn’t afford christmas presents this year.  “i really hate to have to put all this on you,” she said, “i’m not trying to ask for a handout.*”

“okay, how can i help you?”

“well i bought this computer last year, and i just noticed you guys have been charging me every month for msn that i’m not using.”

the story was obvious: she bought a computer at best buy, paid on credit card, and was automatically signed up for 3 months of free msn.  after the trial period, the billing cycle had started.  the amazing thing was that she had been billed for a year — and it really had been almost a full year, like 10 or 11 months — without noticing.  i explained the likely scenario and she seemed to agree that that was likely the case.

“well, i can’t give you a full refund, but based on your situation, i can cancel your account and refund the last three months,” i said.  that wasn’t good enough.  the phone call escalated more and more, and each time i explained that i could not refund more than 3 months.  she wanted the full year.  she made accusations and threats and — at the peak of hysteria — screamed into the phone, half-sobbing, half full of pure rage: “how am i going to tell my kids there’s no christmas!”

newsflash: why don’t you start by explaining to your kids that you are so unable to manage your own money that you not only signed up for an internet service without realizing it, but additionally, didn’t realize that you had been billed every month for said internet.. service.

* dialog is approximated and probably not the actual things that were spoken.  the christmas line, however, is too good to be something i made up.  that actually happened.

sometime after this she asked to speak with my supervisor and i was more than happy to let her.  of course, he didn’t want to talk to her at all, and ended up getting in a shouting match with her.  i, at least, had kept my cool.  (at least, i think i did.  for the purposes of this story, we’ll just assume i did.)

sidenote: i recently got slammed with a $400 charge for 2 $200 itunes gift cards i did not purchase.  someone had gotten into my itunes account, and used it — which had already been pre-loaded with my paypal account — to purchase 2 $200 gift cards for two anonymous and random users at 5:20am when myself, my kids, our cats, and erin were all sleeping.  i filed a dispute with paypal and they refused to refund the charges, stating that they’d tracked the transaction to my ip address, and they don’t issue refunds for “buyer remorse.”  i filed a similar dispute to reverse charges with wells fargo (because the first $200 had pulled from my paypal balance, but the second $200 had overflowed into our bank account), and they reversed the charges without a second glance.  important note: paypal is a business — it is not a banking institution.  it should never be assumed that paypal is a bank.  this assumption makes it easy to assume they will be on your side in a dispute.  they aren’t.  they want their money and they only get their money when money changes hands.  they are on the side of the seller.  i talked to a lawyer friend/client who was similarly outraged, and suggested filing a police report, and taking paypal to small claims court, but i really didn’t want to go through the trouble.  i filed it as a loss, changed my itunes email address, changed the password associated with all accounts that used that email address, removed all but one email address from paypal and changed that password, and now, use paypal for as little as possible (except, when necessary, billing clients, but mostly we use google checkout now).

here’s the hidden moral: there’s lots of ways for businesses that are both benevolent and morally gray to get at your money.  don’t make it easy.  if you ever are required to give out your credit card number and it isn’t clear why or what it might be used for, and you aren’t directly making a purchase (like subscription services such as itunes, xbox live, wii store, etc), for god’s sake, be conscious of what you are doing, and know that now that they have your credit card number, it will be used whenever money needs to change hands for a purchase, whether you are aware of it or not.  when i filed my complaint with itunes, they brushed me off: i had submitted my paypal information, therefore, as far as they were concerned, i authorized the use of my paypal account.  they encouraged me to settle the dispute with paypal.  thank you, drive through.  (that is, what we in the tech support biz called a flog — a generic response that the recipient can’t act on immediately, that gets them off the phone.  another flog could be reboot your computer and try again, or buy an antivirus software, run a scan, and call back if you still have problems.)  honestly, i have no idea what inspired me to link my paypal account with my itunes account. probably it was just the fact that i could.  i never used it, and i’ve never paid for mp3s (p.s. i used that in my defense — paypal wasn’t impressed).

and here’s a bonus hint: don’t blame other people for your own failings.  the people i dealt with at msn that i issued refunds to (particularly those i issued the maximum refunds to) all had one thing in common: they were all hopelessly unaware of their own finances.  they allowed themselves to be charged several months’ worth of internet service before noticing.  it’s not the fault of the internet service provider that you can’t have christmas, it’s your own fault for not looking at your credit card statement and maxing out your cards.  if there’s no christmas, it’s no one’s fault but your own.