iTunes account theft strikes close to home

Susan bradley By Susan Bradley

These days, even online security experts can get burned by identity thieves who strike at popular online services.

A recent attack on an iTunes account dramatically points at the need to regularly change passwords and manage online billing info.

Inconvenient? Absolutely. But one of the most-effective ways to prevent online fraud is to close down automated billing on all of your online accounts.

I know this from first-hand experience. It started May 25 at 11:01 p.m. I happened to be online and received an e-mail confirming my payment of $40.65 for videos, tunes, and movies at the Apple iTunes store. There was one problem: I hadn’t purchased anything from Apple since May 15!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

Concerned, I went into my iTunes account to see what was up. Much to my surprise, my password no longer worked. I tried again but was locked out — was refused access.

Luckily, I could reset my password. Once logged in, I discovered that someone had just made another transaction — the newly purchased videos and music were awaiting download.

To put a complete halt to any additional, unauthorized charges, I immediately removed the billing option that automatically charged my bank account after each transaction. I also changed my user sign-in name.

Apple offers no help tracking down the perps

My next stop was Apple’s iTunes customer service, where I explained the situation and asked what had happened to my account. And that’s when the fun began.

Exactly how did someone gain access to my account? The e-mail I eventually received from Apple offered no explanation — just a recommendation that I change my password and contact my bank to remove the charges.

But I still wanted to know how someone had accessed my account. I checked my systems for unwanted password-sniffing programs but found nothing on two Windows 7 desktops, one Windows 7 laptop, and my MacBook Pro. Moreover, the content that someone had purchased was still in my iTunes download section. So what had the mystery purchaser gained by accessing my iTunes account? (There were no other fraudulent transactions using my bank account.)

As an IT professional who follows PC security issues, I took this event as a challenge. I tried to acquire the IP address of my identity thieves’ computers, which might tell me where they were located. This Apple would not provide, stating it could not release this information without a subpoena.

More Apple and AT&T security breaches

I researched the Web and quickly discovered I wasn’t alone. About a year ago, blogger Gary LaPointe suffered a similar fate. In late May 2010, others added similar experiences to his post. More reports also showed up in Mac forums and in a Facebook page devoted to iTunes issues. The problem spread as far as Japan, where a news story discussed local iTunes identity thieves.

Since May, there’s been more bad news for Apple. In a highly publicized incident, AT&T came under fire for a security breach affecting iPad 3G users. Hackers found a vulnerability in AT&T’s customer database and used it to harvest e-mail addresses. With that information, they then posted a list of notable iPad 3G users such as Diane Sawyer and my sister. AT&T sent apology e-mails to everyone who owned an iPad with 3G Internet access.

Apple’s woes didn’t stop there. On opening day for preorders for the iPhone 4, allegations by several tech sites — including a Gizmodo story — charged that the AT&T preorder site had inadvertently shared personal information among site users.

It should be noted that, although these latest breaches were AT&T’s problem, they still tarnish Apple.

Take control of your online services billing

The best way to protect yourself from online fraud and identity theft is not to leave your financial information in the hands of others. You’ve probably heard or read the following tips before, but now it’s more important than ever to implement them.
  • Use a passphrase and not a password. For example, “This is my passw0rd and 1t’s for my use only!” and “Purple ducKs run awkWardly” are good passphrases; they make a sentence that’s either nonsensical or would never be obvious to a hacker.

    Add capital letters, numbers, special characters, and (where allowed) spaces to enhance your passphrase. iTunes, for instance, would not allow me to use a space within my passphrase.

  • Don’t leave credit cards attached to online sites or services. Leaving a credit card number in a vendor’s database for automatic, recurring payments is enticingly convenient, but its security is no longer in your hands.

  • If possible, have just one credit card that you use only for online purchases. If its number is stolen, you can cancel it with minimal impact on your daily, necessary purchases.

  • Review your account reset information. Know how to reset your sign-in information quickly so that thieves cannot easily use your online habits or social-sites data to take over your account by resetting it to their own password and ID, as happened to me.

  • Regularly review your online transactions, both in your online banking account and in paid sites and services you’ve recently used. In the case of iTunes, it can take up to 48 hours for a transaction confirmation e-mail to land in your inbox.
Bottom line: I no longer get the instant gratification of immediately downloading that 99-cent, must-have iPhone app. Now, I have to return to my desktop for every iTunes transaction; but in the long run, it will mean a safer online experience.

Remember that you have few rights with online transactions. Apple, for example, is not obligated to reverse the charges. You have to ask the bank that issued your credit card to remove them. It’s too bad that Apple seems to treat iTunes identity theft as the customers’ problem.

Have more info on this subject? Post your tip in the WS Columns forum.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm and writes the Windows Secrets Patch Watch column.
= Paid content

All Windows Secrets articles posted on 2010-07-08:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.