PayPal and financial institutions linked to the itunes service are apparently reimbursing consumers for unauthorized charges made to iTunes sometimes thousands of dollars but neither PayPal nor Apple has much to say about how the scammers are perpetrating the ongoing fraud, or what if anything can be done to stop them. PayPal directs queries to Apple, while Apple issues its usual stock security response.
A number of iTunes customers with PayPal accounts have fallen victim to a scam that apparently has been going on for some time. These customers know someone has been using their PayPal accounts to purchase items from the iTunes Store -- in some cases racking up thousands of dollars in fraudulent charges.
What the victims don't know -- and may never find out -- is exactly how their accounts were compromised or what happened to their money. That's because neither Apple (Nasdaq: AAPL) nor PayPal will talk about the situation, which attracted attention on Sunday when Dennis Rockstroh, Action Line columnist for the San Jose Mercury News, posted a letter from one of the victims on that newspaper's webssite.
"My iTunes account has been hacked to the tune of more than (US)$650," reads a letter from Valerie Gould of San Francisco. "I found 10 transactions in PayPal, all for the iTunes store. I called PayPal, where the customer support On-demand Remote Support - Free Trial from LogMeIn Rescue: Fast, secure solution for today's most popular platforms. person said it was the third call this morning regarding unauthorized charges to their PayPal account via the iTunes store. They immediately escalated my case to a claims person, who canceled my account agreement with iTunes and reversed the charges. You need to let people know to check their PayPal and iTunes accounts for someone hacking their account."
Rockstroh responded that he also had been a victim of this scam, and when he contacted Apple he was told the company was "aware of the problem" and was working on it.
By Monday, numerous media outlets had picked up on the story, with some reporting that hackers had obtained customers' account information by exploiting a "major security hole" in the iTunes sites and others attributing the breaches to a phishing scam in which the fraudsters had somehow solicited -- and received -- account information directly from the victims.
PayPal apparently is reimbursing victims for any unauthorized charges, but it won't say what, if anything, it knows about how the charges were made.
"PayPal is not commenting on the issue," Stephanie Jucar, a PayPal spokesperson, told MacNewsWorld. "We can confirm that any unauthorized charges sent through PayPal are being reimbursed. If you'd like more information, please contact Apple."
Apple's Standard Response
Apple spokesperson Jason Roth wasn't any more forthcoming.
"ITunes users with accounts linked to PayPal may contact PayPal directly regarding charge backs for any unauthorized purchases," Roth told MacNewsWorld, before reverting to the same written statement that Apple consistently uses to respond to questions regarding iTunes security.
"We're always working to enhance account security for iTunes users," the statement reads. "If your credit card or iTunes password is stolen and used on iTunes, you should contact your financial institution about charge backs for any unauthorized purchases, and be sure to change your iTunes password right away."
While the exact method used to access these customers' accounts may never be known, it's clear that the large numbers of people using iTunes has made that site a popular target for cybercriminals.
Last month, Apple booted a software developer from the iTunes App Store after customers reported seeing hundreds of dollars in unauthorized charges for that developer's apps.
Return to security news headlines
View Security News Archive