iTunes fraud

Topic

New Reply

There is another round of fraudulent iTunes Store charges cropping up this holiday season (and psssibly in the wake of new devices from Apple and Microsoft).

My experience was that I deposited a check into my local bank account, and found that the balance (which I ask for most times) was off by about 88 dollars. So I went online when I got home, and found three charges to my debit card from the iTunes Store. First was the usual $1.00 setup charge. Then two more charges.

I have never had any account with Apple, and I don’t own any Apple devices. They certainly have never had my debit card number. But Amazon.com, Frys.com, WalMart.com and Windows Secrets all have my card number.

When you make purchases online, most places send confirmation emails, and some of these may contain credit card information. I use Yahoo Web Mail, which has had numerous security issues over the past couple of years. Even though complete credit card numbers are not supposed to be sent in these emails, tracking links sometimes get very close to logging folks into your actual billing accounts.

I don’t know from whom nor how exactly the iTunes charges got assigned to my debit card. But the card had to be canceled, and my bank said they wouldn’t do anything about the disputed charges from their end for a few days.

Not satisfied, I tried to reach a live person at Apple Customer Care. Not easy. See this post, and at least for now, you will see one trick to get to a live person. Then I got put on a long hold waiting for someone from Apple’s Fraud Department. The Fraud Rep. looked into the situation and saw that it appeared that my card information had been compromised to set up the iTunes Account. So much for “improved” iTunes Security since Susan Bradley‘s report on her experience with iTunes fraud. (Original Story)

Well, once I got Apple on the case, the charges were reversed with all due haste, and I will not have to file any paperwork to get my money back. That’s the advantage of using Online Banking — you can intercept pending fraudulent transactions if you catch them in the act before they clear.

But I will be without my card at the time of the year when I want to do my Christmas shopping. This is the price I’ll pay for letting my card information reside in any durable form anywhere online. Believe me, I’ll reduce the possibilities of this happening again wherever I can!

I am posting this partly as a warning, and partly to post where and how to reach a Live Person to deal with iTunes fraudulent charges. Anyone with recent experiences with this sort of fraud may post below. Thanks for reading.

-- rc primak

Reply | Quote

Replies

Bob,

This is why I would never use a DEBIT card on the internet, or anywhere for that matter,…there is no protection, e.g. no Law like Credit Cards! Now the credit card I use on the internet gives me a 100% guarantee against fraudulent charges and it doesn’t even have an annual fee and gives me a 1.5% rebate on all purchases. I can also check current charges when ever I have an internet connection to nip things in the bud should something go awry and they even call me if they notice something out of the ordinary for my spending habits. It does make a difference which company you use. :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

What ever happened to the drive toward virtual card numbers? I use them all the time, but does anybody else? Five years ago there were several credit card companies offering that feature, but now it seems there are only two: Citicard and BofA–and BofA only offers it if you’ll tie the credit card to a high-balance savings acct with them.

Citicard is the only place online that has my credit card number. For all online purchases I get a virtual number from Citicard that’s essentially a one-time-use number. Different online purchases get different virtual numbers. Even if an online vendor tries to keep my credit card number, he only gets the virtual number, which is almost useless because it expires almost immediately.

I wonder why this valuable security feature never really took off?

Reply | Quote

dg1261, Just wanted to let you know that I too use them and I have Citicard also but choose to use my Discover credit card that offers the virtual numbers that are good for 1 time. The easiest feature of using it online from my computer/smart phone is it is incorporated into the browser you are using at the time and checks to see if in fact the connection you are using is actually secured.

Reply | Quote

I have used the Citi Virtual Card as well, but not recently. I believe they used to have an app to install. Now that I have Win 8 Pro I should check on this again.

Reply | Quote

I’d like to add that I took no losses on this one. But I want folks to know that if they get fraudulent iTunes charges in their statements, there is a way to talk to a live person at Apple, in addition to your card issuer.

I agree that virtual cards would be an improvement. Perhaps someday my bank will see the light on this one.

For those who don’t qualify for credit cards, there really isn’t much choice as to whether or not to use a debit card. At some sites, my card offers the service which adds a one-time use security code number. But only at participating merchants, and Amazon is not one of these. Obviously, neither is the iTunes Store.

-- rc primak

Reply | Quote

Last year I got a call from American Express asking if I purchased anything from the Apple store. There was a small (less than a dollar) charge on my card. When I said no, they told me it was probably a test purchase to see if the credit card number was valid. They immediately cancelled my card and sent me a new one. I also would never use a debit card for purchases either on the internet or locally.

Jerry

Reply | Quote

And remember, the banks never lose. If the transaction is fraudulent they debit the store, or charge you. Either way the bank doesn’t foot the bill.

cheers, Paul

Reply | Quote

I have yet to see whether my bank makes me fill out any paperwork, or makes me wait to restore the funds.

The one dollar or less charge from the iTunes Store is indeed a test ping, and is refunded to the account holder after the first purchase. Mine went away, even though the entire account setup was fraudulent.

Again, those who don’t qualify for credit cards are stuck with debit cards. I do not know for sure that any online source caused the leakage of my card number.

-- rc primak

Reply | Quote

Another option for those who don’t qualify for a normal credit card is a prepaid credit card. This will also help rebuild your credit rating. American Express offers one that come with some of the same consumer protection features as a normal credit card.

Jerry

Reply | Quote

Pre-paid CC’s usually charge a user fee. PayPal doesn’t. :rolleyes:

Reply | Quote

Re Citicard one-time-use credit card number.
I just email citicard and get a reply. Citi has a problem with Virtual Account Number software. They are working furiously to fix it.

I also use one-time-number for any long-period repeatable charges as well, and for those ‘hard to cancel’ services. With one-time number, they are effectively prevented from continuing charging you even if you have canceled the service.

PayPal is great but it is not universally accepted. Other than that PayPal is my pal.

Reply | Quote

From my experience explaining the virtues of virtual credit card numbers to others, I have an idea of why they are not used much. They are a pain in the butt.

To make a purchase normally, you just pull out your cc and enter the info. To use a virtual card, you have to open another browser window, log on to your cc bank, find where they’ve put the virtual cc option, request one, then start blocking, copying, and pasting the numbers from one window to another.

This assumes you understand copy/paste process. You might be surprised how many people don’t, or get confused when attempting it.

If you’re making several purchases from different sites, this gets old fast.

Reply | Quote

virtual credit card numbers … are a pain in the butt.

Do/can virtual CCs have the same expiration date and security code as your physical card? If so, form filler software would reduce the copy/paste side of the drawback.

Lugh.
~
Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

Reply | Quote

Discover Card has a one time use feature that I find pretty easy to use.

It installs a small app in which you log in and once that is done, it can auto-populate most data that is required (name, address, credit card number etc) and for the odd site that it cannot auto-populate, you can drag the data over from the app to the web page.

Only disadvantage to me is that it works with IE but not with Firefox.

Reply | Quote

Discover Card has a one time use feature that I find pretty easy to use.

It installs a small app in which you log in and once that is done, it can auto-populate most data that is required (name, address, credit card number etc) and for the odd site that it cannot auto-populate, you can drag the data over from the app to the web page.

Only disadvantage to me is that it works with IE but not with Firefox.

I do not trust Discover Card one time use because it requires Adobe Flash. Because of security issues and other issues with Adobe Flash, I uninstalled flash many years ago. I would not trust using the Discover Card one time use because it requires flash. I know Discover would take care of any misuse, but I refuse to have Adobe Flash on my computer.

Reply | Quote

I do not trust Discover Card one time use because it requires Adobe Flash. Because of security issues and other issues with Adobe Flash, I uninstalled flash many years ago. I would not trust using the Discover Card one time use because it requires flash. I know Discover would take care of any misuse, but I refuse to have Adobe Flash on my computer.

Most software has security issues; that’s why software has regular updates and new versions. Ubiquitous products like Flash, Windows, Internet Explorer, etc. are under constant assault, so the solution isn’t to not use them, but to make sure your computer is set up properly so you can use them safely. Make sure your Windows firewall is turned on, use a good antivirus product, update all software on a regular basis, and access the internet through a limited account, not the administrator account. You can learn more about how to properly set up the security of your computer here: http://www.mechbgon.com/build/security2.html

Reply | Quote

Thanks for the post. My iTunes account was compromised well over a year ago and it took a great deal of time and effort to get to speak to a real person about it. My bank had alerted me to the suspicious transactions on my credit card within 24 hours, so no huge sum of money was taken at that stage. My account was compromised after I bought the paid version of a free app that I had bought. At the time the only names I new were Steve Jobs (he was still alive) and Tim Cook, so I wrote to them. Finally someone who only gave their firstname contacted me. The Apple person said what happened was highly unusual. He said he could not guarantee that my personal data was also compromised as my major concern was with identity theft. I asked about internet security software the for the iPad and was told there was none. I do have an app which will read email attachments but that would not have helped with what I considered to be malware in the app I downloaded. Apple man and I had an interesting exchange about how I could have downloaded an app which had malware and I reminded him that the only way I could download an app onto my iPad was through iTunes. Essentially, Apple did not help me at all.

As I teach Apple iPad workshops to seniors, I let them know of my experience and advice them to clear all their credit card information from their iTunes account and to use the iTunes cards only. Cheers from Australia:cool:

Reply | Quote

Problem with using Paypal though, is if the transaction failed, you’ll have a hard time getting it resolved. It’s happened to me twice, both times upon being approved by Paypal but failed when getting back to the shopping site. The first time I lost a bargain due to the discount being valid for one-time use only. The second time when making a flight booking.

The flight booking failure was especially bothersome. The airline could not find the booking, but the purchase was shown as pending in Paypal. Calling Paypal to get it resolved was useless. They said I should contact the airline, with me having already told them that I have done so at the beginning of the conversation. I made three calls to them in total with no result. Eventually the entry in Paypal was cancelled after 30 days. Do you want to wait that long for a flight booking? I didn’t, and risking double booking made the booking again using my credit card directly.

Reply | Quote

I don’t know about the US but in Canada you can get a gas card. The max limit for this card is $500.00 or $1000.00 if you want, I kept it at $500.00 and told master card to expect to see small on line purchases. Therfore my real credit card is never used on line You still must follow the other safety issues but your exposure is reduced.

Bob

Reply | Quote

Bob,
I use gas and gift cards also and I like the fact that I purchase them with my credit card and then get discount off gas and cash back from my credit card.

I don’t know about the US but in Canada you can get a gas card. The max limit for this card is $500.00 or $1000.00 if you want, I kept it at $500.00 and told master card to expect to see small on line purchases. Therfore my real credit card is never used on line You still must follow the other safety issues but your exposure is reduced.

Bob

Reply | Quote

Do/can virtual CCs have the same expiration date and security code as your physical card? If so, form filler software would reduce the copy/paste side of the drawback.

Nope, the idea is to have the virtual numbers totally different. Also, the expiration date will be very soon.

Reply | Quote

PayPal does not require the use of the security code found on the back of one’s credit card. This means that if someone can hack into PayPal using my name and account number then they can make charges on my account. I had one person make a charge on my credit card through PayPal using only my name. This resulted in my having to get a different card number.
If hackers can hack into the Pentagon (which they did) then it seems reasonable to assume that they can also hack into PayPal. I don’t think it too much for PayPal to require one simple extra step – that of requiring the CCV number for each payment made. Each year I have made on-line purchases in excess of a thousand dollars. I do my best to avoid any on-line merchant which requires payment via PayPal.
I ask that you refuse to do business via PayPal unless they change their policy and begin to use the extra security step of requiring the security code on the back of one’s credit card. Your using a company that shows a lack of regard for the security of the customer also reflects on your company.
BY the way, Amazon also does not use the CCv number for verification either.

Reply | Quote

Re Citicard one-time-use credit card number.
I just email citicard and get a reply. Citi has a problem with Virtual Account Number software. They are working furiously to fix it.

I use Citicard virtual numbers all the time, but wasn’t aware there was a problem. Do you know what sort of problem? Is it a security problem, like a loophole or something? Or is it just an incompatibility problem with newer OS’s?

I do my online purchases in a virtual machine running XP with Firefox, and the Citicard software has been running fine for at least a few years. If it’s just a problem with Win7/8, maybe that’s why it’s still working for me. But if it’s got a security loophole, that’s different.

And contrary to RandySea’s experience, it’s certainly not a problem. On most sites, the plugin offers to populate the form fields for me, saving me a lot of typing. Yeah, you have to do the additional login to Citicard, but that’s actually faster and easier than digging out your plastic card and manually typing in all the card info.

Reply | Quote

Hadn’t thought of that option. That’s a real possibility for use online or at unreliable retail stores. Yes, there tend to be extra fees on a prepaid card, but it can be worth it, so as not to expose any larger amount of funds than is necessary to possible fraud.

I got a Case Number from iTunes on the fraud. My own bank took my afadavit. Waiting to see when or whether the funds get restored.

-- rc primak

Reply | Quote

I’ve used Citibank’s virtual card number feature for years. It’s the only card I use online.

There are two options when generating a virtual number.

1) A one-time use virtual number with an open $-amount that expires at end of the next full month. If I generated a number today (11/22) it’d have an expiration date of 12/2012. The card is effectively “expired” after a transaction occurs, although refunds can be posted until the stated expiration.

2) A virtual number for which I enter a maximum $-amount and an expiration date (which can be changed later). In this case (I assume) the virtual number can be used multiple times up to the $-amount and expiration date.

The virtual number in either case has a unique CVV, not the same as the “real” card.

Virtual number generation can be done either via log-in to Citibank’s web site, or via a utility that runs local on the computer.

Reply | Quote

American Express will next day your new card. I do not know of others that give this service.

Reply | Quote

I use a credit card that has built in fraud protection, meaning, with many instances they will call me to confirm a big transaction.
I never allow my credit card information to be stored by any merchant period. If your bold enough to make a purchase over the
internet, then you can suck it up and enter all your information with each transaction. (being lazy gets you in more trouble)

Reply | Quote

At sites which require a login, you can log in as a guest in many cases, so you never have to create an account in the first place. Some tracking services will not be available, but your credit card info will never reside at a site where you logged in as a guest. Amazon does allow this.

I also don’t trust PayPal, and apparently there have been quite a few stories over the years of PayPal Accounts getting hacked. Personally, I don’t know if this is true, but I don’t like having my email address be the only thing standing between crooks and my money. (This is based on PayPal not accepting anything other than a valid outside email address for a login name. Amazon does the same thing.)

I don’t have access to Citibank or its credit cards. And I don’t have access to Discover.

Visa used to have one-time transaction numbers in an arrangement with some online merchants. But the practice never caught on, and the big sites like Amazon never joined the program.

Mastercard (my current brand) has never to my knowledge had such a program. I may be wrong about this. If so, someone please post!

FINAL OUTCOME of my case:

Apple issued two “refunds” and got the money back into my checking account faster than a fraud investigation from my bank could possibly have done. I have a new debit card, and intend to try to take steps to better safeguard its info online.

The suggestions in this thread have been helpful, but haven’t entirely resolved my original issue with fraudulent use of card info obtained from by unknown path. The info may well not have been stolen online at all, but through a bricks and mortar retailer whose security practices have a long history of breaches. (They are a subsidiary of TJX, which has made many headlines about this issue.) The timing was just about right for this theory.

-- rc primak

Reply | Quote

Paypal has a nice feature — whenever I want to do anything with my Paypal account, it sends a code as a text message to my cell phone. If I don’t enter the code, I can’t log into my acct, which means I can’t buy anything with my paypal acct.

An added benefit is that if anyone tries to hack my Paypal acct, I get a text message immediately.

I believe this is called “Security Key”.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

Reply | Quote

Nice one; thank you!

As a semi satisified PP user, I went looking for and activated the SMS Security Key to beef up my security. Have had the same mobile/cell # for over a decade now!

The link for the well hidden & hard to find security feature you mentioned is here: SMS Security Key for PP
You can also generate a 6 digit pin to secure telephone contact with PP (or use a one time webcode) from here.

To be really paranoid you could pay PP/feBay for a physical token/key too, which generates 6-digit codes used during the sign-in process, once activated?

Reply | Quote

Maybe I should get a cell phone. This option is also used for password recovery at Google (GMail) and other places online. Microsoft Live ID also has the cell phone code option for password reset.

-- rc primak

Reply | Quote

Similar experience but not with Apple. Mine was with Dominoes pizza. Someone took my info to activate an iPhone.

Reply | Quote