Itunes Account Hacked?!

[peternm22]

I was checking my credit card statement online today (I recently purchased the SageTV 7 upgrade, and wanted to see what the total was with the Canadian exchange rate), and noticed a charge from Apple....

I go through my e-mail and notice one from Apple a few days ago thanking me for my iTunes purchase, but I didn't purchase anything. I originally didn't bother opening the e-mail since I had just installed an upgrade for AirVideo on my iPod and figured it was just confirming that.... Total was about $20, and it has been charged to my credit card. One of the apps purchased was some bluetooth thing, but my iPod Touch (1st generation) doesn't even have bluetooth!

Has this happened to anybody else?

I changed my iTunes password, and deleted my credit card info. E-mailed Apple asking them to fix it, and I phoned my credit card company but they are closed right now. I'll contest the charge when I get a hold of them, and have them cancel the card.

Any idea how they could have gotten into my account? I Googled and noticed quite a lot of other people with this problem.

This is the first time I've even had any type of online fraud directed at me. Feeling quite frustrated right now

[Lucas]

No need to get upset over this.

Happens quite frequently.
Your card info could have been stolen by fraudsters/hackers from any number of places were you used it including ATMs. Fraudsters have also broken into cc processor servers and got whole databases of the stuff.

Just make sure you dispute the particular transaction and you will be credited the money since you did not initiate the payment and there is no proof that you received the product purchased.

Your company/Bank is obligated to do that. The cost will be borne by either the merchant, or one of the 2 Banks in the middle depending on whether your card is chip or not.

[david1234]

The one time we had a problem the CC company told us to contact the merchant first, but they made it clear that if the store wouldn't fix it, they most definitely would. Of course the store wouldn't even talk to us about it, since we couldn't provide the right customer information, and they wouldn't remove the charge because the bank "authorized it". So, the CC company removed the charge for them.

The CC companies are really "all powerful" when it comes to this stuff, and they don't like to risk customers over small dollar amounts like this. There is enough competition for customers that the CC companies take care of this stuff.

[CyRex]

Consider yourself lucky... This happened to me a few months ago, but it my case it was a debit CC that withdrew directly from my checking account. It took me a couple weeks to notice, but in that short time, they managed to spend over $2400.

Apple was no help. They wouldn't tell me anything without being ordered to by a court. Luckily my bank was understanding and I was able to get the money back after putting my John Hancock on about 60 forms (one for each fraudulent charge).

I'm still not convinced that the person was actually using my card to purchase music off iTunes. I think that was a front, and they were really just sucking cash out of my account. I mean come on, who steals a CC only to buy $2400 worth of music???

-Dan

[matt91]

AMEX called me at 7am a few weeks ago to ask if I made a $1 charge at the itunes store. I said no, and they said that my card was probably compromised and that the itunes purchase was just a 'probe'. They cancelled the card and fedex'd me a new one.

I think it was related to the monoprice.com server compromise which had just happened.

[Fuzzy]

Quote:

Originally Posted by CyRex

I mean come on, who steals a CC only to buy $2400 worth of music???

-Dan

Considering CC theft has a practically zero change of getting caught (especially for things that aren't shipped to a real address), it doesn't sounds THAT unlikly.

I mean, I had a wallet stolen once, and the only charge that was made was about $40 worth of gas at the station around the corner. That's it.

Though in the OP's situation, it looks like they didn't steal CC info at all, but in stead just got his iTunes password, which had stored billing information. His CC numbers are probably safe, as the numbers are masked when viewed on the account. This is more an issue of password security than anything else.

[peternm22]

Quote:

Originally Posted by Fuzzy

Though in the OP's situation, it looks like they didn't steal CC info at all, but in stead just got his iTunes password, which had stored billing information. His CC numbers are probably safe, as the numbers are masked when viewed on the account. This is more an issue of password security than anything else.

I believe that is correct. I received an e-mail receipt from iTunes, and that wouldn't happen if they had just stolen my credit card number. Also, iTunes is the only thing that has been put through so far on the credit card, so it doesn't appear they actually have my card number.

I just don't know how it was stolen. Downloading the upgrade for AirVideo on my iPod Touch is the first thing I've done on iTunes in months (honestly, I can't remember the last time I logged into iTunes). I downloaded it on my iPod Touch via my WPA protected wireless network, so I don't think it was compromised that way.... time to try calling the bank again.

Thanks everyone.

[sic0048]

Quote:

Originally Posted by matt91

AMEX called me at 7am a few weeks ago to ask if I made a $1 charge at the itunes store. I said no, and they said that my card was probably compromised and that the itunes purchase was just a 'probe'. They cancelled the card and fedex'd me a new one.

I think it was related to the monoprice.com server compromise which had just happened.

Exact same thing happened to me during that period of time. Except I had not made a recent purchase from Monoprice, but I have in the past, so they certainly had my information.

iTunes seems to be a popular fraud purchase. I guess it is easy to sell the stolen credits.

[peternm22]

Just got off the phone with the bank. They say they can't do anything, I have do deal with Apple directly.

From what I've read online, Apple is VERY unhelpful with these sorts of things. I e-mailed them yesterday and haven't heard back from them yet (they say 24 hours). I'm not expecting much from them except a standard form letter saying I'm S.O.L.

Canceled my credit card just to be on the safe side.

Ugh....

[Fuzzy]

Quote:

Originally Posted by peternm22

Canceled my credit card...

If only more Americans would do that on general principal.. :-)

[peternm22]

Quote:

Originally Posted by Fuzzy

If only more Americans would do that on general principal.. :-)

I never carry a balance on the credit card. It's exclusively used for online purchases, since there is no other way to pay for things online (apart from Paypal, which seems even worse). I wish there was another (safe) way to buy things online, but there isn't.

[Lucas]

Quote:

Originally Posted by peternm22

Just got off the phone with the bank. They say they can't do anything, I have do deal with Apple directly.

From what I've read online, Apple is VERY unhelpful with these sorts of things. I e-mailed them yesterday and haven't heard back from them yet (they say 24 hours). I'm not expecting much from them except a standard form letter saying I'm S.O.L.

Canceled my credit card just to be on the safe side.

Ugh....

What reasons did the Bank give for not helping. If you say you want to dispute a transaction then there's a certain process they have to follow.
They will request the trace evidence from the Bank with which the merchant (Apple) connects to for clearing payments.

Now that I read your OP more carefully it seems that someone got hold of your credentials. Most likely case is a trojan. Your e-Banking userid, password and certificate could also be at risk.
Many of the main stream AV software don't capture the recent key loggers.

I would try a few different AVs and malicious software scanners just to be safe. (bit diffender, spybot etc)

[peternm22]

They said that since it was my iTunes account that was compromised, and not my credit card number it wasn't their responsibility and that I should contact iTunes.

If it was a keylogger, my iTunes login details seem like one of the least interesting things to steal. As I said before, I haven't logged into iTunes on my computer for months. I have used my credit card number for several purchases in that time, so I would think that would be the first thing compromised.

I just setup a new computer a few days ago (not because of the fraud, I was planning on doing it anyways), so the old computer which would have been "compromised" is no longer in use. I ran MBAM just a few weeks ago on that computer, and nothing came up. I'm pretty strict about blocking things on my system before they can become a problem (auto updating blacklist of sites in HOSTS file, No Script on Firefox, Windows patches as soon as they come out).

Honestly, I don't think my computer was compromised by any type of keylogger. I've read some message boards and blogs, and I'm finding literally hundreds of people saying this has happened to them with iTunes. Is it possible someone could have bruteforced my password or my password reminder question?

[jpwegas]

Quote:

Originally Posted by peternm22

I changed my iTunes password, and deleted my credit card info. E-mailed Apple asking them to fix it, and I phoned my credit card company but they are closed right now. I'll contest the charge when I get a hold of them, and have them cancel the card.

I've never heard of a credit card company that doesn't have a 24 hour fraud line.

--John

[peternm22]

Quote:

Originally Posted by jpwegas

I've never heard of a credit card company that doesn't have a 24 hour fraud line.

--John

Thought it was bizarre too, especially since the card is from a major bank in Canada. There were two options on the prompt, one to report a stolen card, and one to contest a charge. I went for the contest a charge option, and it said to call back during business hours. I'm guessing the stolen card option would be open 24/7, but since the card wasn't actually stolen/compromised....

[jpwegas]

Quote:

Originally Posted by peternm22

They said that since it was my iTunes account that was compromised, and not my credit card number it wasn't their responsibility and that I should contact iTunes.

I'm not sure that matters. The laws in the US cover unauthorized use. Your card was used by an unauthorized person. Period. If someone breaks into your house and writes down your card number and uses it, does your bank tell you to take it up with the lock manufacturer?

Dispute it and let Apple prove it that it was a legitimate charge.

--John

[jpwegas]

Quote:

Originally Posted by jpwegas

The laws in the US cover unauthorized use. Your card was used by an unauthorized person. Period. If someone breaks into your house and writes down your card number and uses it, does your bank tell you to take it up with the lock manufacturer?

Just saw your reply that the card was from a Canadian bank. I'm not sure what the requirements are for unauthorized credit card use in that case.

--John

[peternm22]

I read a story of another person in Canada with the same bank I have, and they couldn't get their money back.

One thing that seems a bit odd is that they only went for $20 worth of charges. I didn't discover the charge for a few days, so they had more than enough time to buy more things.

[GKusnick]

Quote:

Originally Posted by jpwegas

I'm not sure that matters. The laws in the US cover unauthorized use. Your card was used by an unauthorized person. Period. If someone breaks into your house and writes down your card number and uses it, does your bank tell you to take it up with the lock manufacturer?

A better analogy might be a fast-pass transponder in your car that debits your account automatically every time you drive through a tollbooth. If somebody steals your car and goes joyriding on toll roads, are you liable for those toll charges? I'm guessing the bank will say you are, since you did after all authorize the use of the account for settling those charges. It was the use of the car that was unauthorized, and that's not their problem, since the car thief never had your credit card info in order to make any direct fraudulent use of it.

I'm not a lawyer (or a banker) but it seems to me the same reasoning can be applied to the iTunes hack. The hacker never had your credit card info, or used it fraudulently; they just went joyriding on your iTunes account, which you had already authorized to use your credit card for all charges arising from that account.

[peternm22]

I can see the banks point of view in this. From the stories I've read online, I can see some people have had their bank refund the money (others have not been so lucky). I was just hoping they would be able to do something, since I hold out little hope for Apple doing anything. I'm betting that they tell me I need to dispute it with the bank.

The more reading I'm doing about this leads me to believe they bruteforced the password somehow.