iTunes Security: Worse than you thought?

On December 1, 2008, I woke up to find a series of disturbing emails in my inbox.  They were a pair of PayPal receipts and the corresponding iTunes store receipts for 2 purchases of $200 gift cards sent to anonymous Hotmail and Yahoo email addresses.  The problem was, I didn’t make the purchases.

The transactions took place around 5:30am while my wife, myself, and our son were in bed.  Seeing as how I couldn’t possibly have made the purchases, and how they were suspiciously paired one after another and sent to random and easy-to-obtain email addresses combined with the fact that, though I had linked my PayPal account to my iTunes account “just in case”, I had never actually made a purchase previously, it seemed obvious that I had been the victim of a scam and I could easily get the transaction reversed.

Not so.  Thus began one of the most frustrating and infuriating experiences of my life, leaving me with a foul taste for both PayPal and iTunes.

Contacting Apple yielded no help.

I understand you are concerned about purchases that were made with your iTunes Store account without your permission or knowledge.

I urge you to contact your financial institution as soon as possible to inquire about canceling the card or account and removing the unauthorized transactions. You should also ask them to launch an investigation into the security of your account. As part of the investigation, their fraud department will contact the iTunes Store directly to resolve this issue.

They also recommended I change my password, something I did the second I discovered my account had been hacked.

Unfortunately, my financial institution wasn’t a financial institution at all.  It was PayPal.  And there’s a difference — although I was blind to it at the time.  In a normal scenario, you could contact your bank, your bank would put a stop payment on the transaction, launch an investigation, and if anything seemed out of place at all you’d get your money back.  PayPal doesn’t work that way.  They aren’t a bank and don’t operate by the same rules as banks do.  Their only concern and primary objective is transferring money from one bank to another and, in that sense, their job was done.  My (presumably valid) claim that it was someone else who authorized the money transfer from PayPal to iTunes apparently didn’t matter to them.  I had linked my PayPal account to iTunes, and that stated intent (despite having gone unused) made me liable for any transactions, including fraudulent ones.

I fought the issue for a week.  I had had just under $200 in my PayPal balance.  The remainder pulled from my bank account which I was able to get refunded easily (without even having to talk to anyone) from my bank.  (PayPal held firm even after I pointed out that the investigation my bank had done saw enough reason to refund the money.)  I called a hotshot New York criminal defense lawyer associate for advice. (File a police report, take it up in small claims court if I want to pursue it. I didn’t.)  Ultimately defeated, I let it drop.  If I wanted to take PayPal to court, I could force them to hand over the documents claiming to prove that it was me (or at least my IP address) that had initiated the transaction.  I had already lost enough sleep over the issue, I succeeded in getting the cash that was taken from our bank back, the rest, I felt, was the cost of two important lessons learned:

1) PayPal is not a bank.  As benign as they appear, they are a business.  A large, thriving business that makes money from you on every transaction you make through them.  That gives them huge capital without a large overhead since their costs of operating are minimal.

2) PayPal will, almost invariably, side with the seller as the default rule.  Even in the case of an eBay dispute, they will start by assuming the seller is correct and the burden of proof is on the buyer and potential victim in the scenario.

But one important lesson still went missed, even as I was removing my PayPal linkage from everything I could find, changing the password and email address on everything that matched what I had entered into my profile on iTunes, and finding alternative checkout systems to PayPal for my design business (we primarily use Google Checkout now).  That was: how secure is iTunes, anyway?  I had assumed my experience was an isolated incident, that I was just some poor victim most likely in a series of attacks that occurred that morning across multiple accounts.

According to this article, I was wrong.

It turns out, there have been a lot of people swindled on iTunes.  The most recent security breach artificially bumped up several Vietnamese books into the top 10 list by what looks to be authorizing the purchase without the buyer’s knowledge (or consent).  But this is only the latest scam.  Both the Mashable article and the comments on the article itself reveal countless others who have been swindled in similar ways — mysterious transactions that took place without their knowledge.  How is it that arguably the largest retailer for digital downloads has such shoddy security that accounts are routinely infiltrated and exploited for profit?  I was surprised to learn that, not only was I not alone in having my iTunes account hacked into (something I blamed myself for — my password wasn’t altogether secure and was the same one I’d been using for years, a combination of numbers and letters made up of the AOL profile my dad had made me and the numeric code at the end of my username from the old telnet BBS systems I frequented back in the early days), but my $400 wasn’t the most that had been robbed (the first comment I saw on the Mashable post was from someone who lost over $550).

The most sound advice was given by another commenter: don’t use your debit card, don’t enter financial information at all, in fact; use only prepaid cards and remove them when you’re done.  It seems paranoid, but if it’s that easy to get into users’ accounts, wouldn’t you rather be safe than sorry?  From that perspective, it’s easy to imagine legions of opportunistic wanna-be hackers trying to infiltrate the mighty iTunes fortress and the treasures of nubile user accounts with endless caches of funds in the form of credit card info and PayPal accounts just waiting to be plundered.  The question is not “is my information safe?” but rather “how long until my information is compromised?”  With so little help from Apple and PayPal, it doesn’t hurt to be paranoid when your money is at stake.

____________________________________

Chris Reynolds is one half of the design team at Arcane Palette Creative Design. He writes in his personal blog, jazzsequence, on subjects like music, technology and social media and shares links, videos, and posts various personal music and writing projects. You can also follow him on Twitter.

f*** you, clown. f*** you

it kind of makes me belligerently angry when people try to make money at someone else’s expense.  it could be argued that this describes all commerce, but it’s a different thing when the methods used to make said money involve deception, fake product reviews and false advertising.  (you could say that microsoft is guilty of all these things, and you might be right.  but, these days at least, microsoft offers product demos and free versions of their software so you can try it before you buy it, and the thing i’m thinking of has no such “preview” version.)

this is why i blogged about the ipad scam thing and this is why i’m still pissed off about twitter fireball.

i mean, here he is 6 months after getting his twitter accounts suspended the first time, which followed a review of the original product, doing the exact same thing.  hoping the internet has a short memory so he can launch his “fireball” into the sky and scam some people out of their hard-earned dollars again.

obviously he’s learned nothing.  obviously he’s not changing.

the new, rebranded version of twitter rocket, and the somewhat preposterous name, just makes it feel like a dare to me.  the name in particular: fireball?  my mind flashes with comebacks like “so you’re already planning to go up in flames?” and “being burned once isn’t enough for you?”  the thing is, he knows what i have on him, he’s begged me not to expose it, he’s relying on my good graces to not just out him right now, and, thus far, i haven’t.  but really?  you’re going to try to con some more people out of their money with the same shit you pulled last year?  the same way you conned me out of my money?  seriously? it’s really testing my patience and making me feel much less graceful about things…

anyone curious about upstartblogger.com’s new “owner”, you need to look no further than twitter, apparently…

quick question for the initiates: how does someone who has a total of 4 tweets accumulate 3,000+ followers and 12 additions to twitter lists?
trick question: you don’t.  unless you employ shady bulk following methods and don’t care about the followers themselves (and the conversation you might have with 3,000+ people) as much as the number those followers create.

Caution: Beware of Fireballs

are there any regular readers out there?  anyone who might know about the whole upstart blogger and twitter/genesis rocket debacle?  a few?  well, good.  if not, check the archives for a refresher.

the short story is that over the last year i followed, became entangled with, and then uncovered all sorts of unsavory things about mister ashley morgan and his blog upstart blogger, about which i’m writing a book.  the sad thing is that i actually learned a lot about blogging in the process, but the downside is that he’s a scam artist and one of his cons is/was Twitter/Genesis Rocket, about which i wrote, then purchased, then exposed as a scam and a recipe for how to create a twitter spam account.  the good news is, i can’t imagine this new thing works anymore given twitter’s increasing crackdown on spammers, but the bad news is, no one’s told mister morgan, and he’s back at it again.

it came to my attention today when i suddenly saw two incoming links from comments i’d posted on upstart blogger from august and september 2009 on my wp-stats page.  given they weren’t there yesterday (and they weren’t; i’ve been checking since my traffic suddenly peaked with my post about the “test it and keep it” ipad scam), i scanned the post for any link to me and saw that it was just my old comments.  but something else had changed on the posts.  he’s gone through, more than once, all the posts on upstart blogger replacing “twitter rocket” with “genesis rocket” and then “twitter rockstar” and then some other crap i can’t even remember, but this time he’s done the switcheroo again and the new name is “twitter fireball.”  (anyone following his blog will know there’s been a fire theme of late.)

let me make this as plain as possible:

Twitter Fireball is nothing more than a rebranded version of Twitter Rocket.

this is obvious when you consider that the promotional copy written about Twitter Fireball is almost identical to the copy for Twitter Rocket, then Genesis Rocket, with a few minor modifications here and there.

Twitter Rocket is a scam.  the method itself is not a scam, it works fine — it works fine, that is, if your goal is to build a zombie following of marketers and other spammers and add no value whatsoever to twitter or the blind hordes of followers you’ve raked up from the depths of twitter sludge.  no, the scam is the air of legitimacy given to Twitter Rocket, and then Genesis Rocket, by the author and his untouchable PageRank 7.

Twitter Fireball is the latest attempt at reaching the success and level of income (at the expense of hundreds, if not thousands of marks — myself included) that he tasted briefly at the height of Twitter Rocket (before he got hit by EMI lawyers for posting about Lilly Allen and, simultaneously, having several of his own twitter accounts suspended for suspicious activity).

run far and fast.

after posting a half-hearted apology for some of what he had been caught doing the first time around, he’s trying to build up the empire again.  scrolling down to the bottom of the Twitter Fireball page, you’ll see that it’s an “upstart fireball” product.  (sound familiar?)  a google search for “upstart fireball” brought up a wordpress site running the default theme on sonicfireball.com (his twitter name du jour is @morgansonic).  sonicfireball.com currently has all the content from upstartblogger.com that has to do with making money, and — as far as i can tell from a brief scan — not much else.  the tagline is “making money since 2009.”  the intent is fairly obvious.  this is going to be the hub.  he’s setting it up and he hasn’t launched it yet.

upstartfireball.com itself is being parked currently, but, having dug up all kinds of dirt on him back in december and january (that being the pretext to my book), i recognize the parking page as being a domain registrar he’s used in the past.

let me say it again: Twitter Fireball is a scam.  Do not purchase Twitter Fireball.  If you want to be a spammer, fine, whatever, by all means give ashley your $97.  twitter will deal with you eventually.  if you have any intention of using twitter for what it is — a social network and communication platform — run far, far away.

and, ashley, i know you’re reading this.  don’t think i’ve stopped working on the book.  i would just like to say thank you — this adds more fuel to the fire with which i can complete it.  fireball indeed.