iTunes fraud surge hits gift card balances, PayPal accounts
The frustration and questions surrounding iTunes App Store purchase fraud are (unfortunately) continuing. Over the past three weeks, we've received several first-hand reports of accounts with positive gift card balances being unexpectedly drained; often the charges are for in-app purchases for apps such as Section8's World War, Sega's Kingdom Conquest or Kamagames' Texas Poker. Even as Apple is pushing forward with iCloud, questions remain about the security and safety of those millions of accounts.
You can read the examples on Apple's discussion boards (stretching from November of 2010 until this week), a series of posts over at Betanews, or coverage at PC Pro -- but many of the stories are similar to the one below. Users who funded their accounts with gift cards saw those balances chewed through with unauthorized purchases; one user with PayPal funding for his account saw over $500 in fake purchases. The in-app buys were for apps the users never downloaded; most claim that their passwords were never compromised and only used for iTunes. Even if phishing or password compromises can explain some of the purchases, it's hard to imagine that all of these accounts were cracked.
Here's our first example, from mid-May. If you have similar instances, let us know in the comments or send us a tip. We're asking Apple's media team for answers, if there are any to be had.
I bought a $15 iTunes gift card from Apple so I could buy a chat app (Verbs). I also purchased some other apps (Monopoly, mostly because it's cheap, Bumpy Road and loaded a few free apps) which left me with roughly $7-ish dollars remaining in my account.
On 5/19, the following happened:
- I noticed that my store credit had decreased to 51 cents when I went to purchase another app, but thought nothing of it. Actually, my initial thought was maybe a purchase from the past had caught up with me. I wasn't sure.
- Later that evening I received an iTunes receipt email to the tune of a $99 in-app purchase for a game called "World War".
- I immediately tweeted about the issue and changed my password.
- From that I was able to glean info that the app was purchased on 5/18 at 7:59pm. A free app called World War and then a $99 in-app purchase for "1700 honor points." The strange thing is I've never downloaded nor purchased this app myself, it doesn't even exist on my device so this is not a case of the smurf-berries.
- I emailed Apple support and went to bed because their human-powered support line was closed by 10:30p.
Today I called Apple support and was on the line with them for close to 30-40 minutes. I explained everything above to the support person, who at the same time was IM'ing his iTunes store support contacts. They asked me when I had purchased the gift card, I told them at/around the 13th and what my first and last purchase was. I told them the first purchase was for Verbs, the last was Bumpy Road.
They investigated further and noticed that prior to the free app + in-app purchase that two $50 store credits were put into my account. At which point the free app was "purchased" along with the in-app purchase of $99 (which equaled to $108 with tax). This raised a flag with them and their Support Manager and they immediately froze my account and escalated my case to Apple's Fraud Dept. The support person says this was the fastest occurrence of this that he has ever seen and he along with others had to deal with the Smurfs case.
I'm convinced that they will refund the $7-ish dollars that was there before and they mentioned that the account should only be closed for 24-48 hours. During this time they will be investigating this issue and trying to piece together this on their end. Right now I'm less concerned with the refund and MORE concerned with the app developer and whatever scheme is going on.
As for the advice they gave me, basically to change my password (yadda, yadda) and turn off in-app purchases in Settings. They could not, however, explain to me how a free app + in-app purchase was associated with my account.
A second example, this one featuring multiple PayPal charges totaling over $500:
I basically started receiving emails from PayPal saying "You have just sent $44.95 to iTunes" and I was shocked because I did not buy anything. I immediately logged into PayPal and cancelled my payment agreement with iTunes. I received 11 charges of $44.95 each. I have filed a complaint with iTunes and PayPal but I have not received any reply yet.
From what I read online, it seems like it is not clear if iTunes has been hacked or if the Sega software used for the hack (which I never downloaded) has been compromised. I never had the feeling that my account had been compromised before. Everything worked perfectly fine, never had strange emails, phishing attempts, etc.
Our final report, with gift card balances being drained:
Shortly after loading $50 of gift card credit on my itunes account, a remaining balance of $37 (after some earlier purchases) was wiped out by Kamagames Texas Poker chips. I googled the problem and it seems like many many people have experienced the same thing, and a snotty response from Apple about it as well. Everyone affected seems to have been gift card users, or those with a positive itunes balance, rather than money being charged to a credit card.
I don't understand how this kind of fraud is being perpetrated but I am angry with Apple for not coming clean about it and explaining the problem given that it clearly seems something more specific than stolen usernames and passwords... The forum linked above is just one of many reporting this issue which seems to have started earlier this month.
Subscribe to Newsletter
Software Updatesmore updates
- Daylite 5 adds refinements to the business management app
- 1Password 4.5 for iOS gains features, slims down
- IFTTT for iPad brings service/device mashups to your favorite tablet
- Daily App: Rormix brings indie music videos to your iPhone and iPad
- Pebble updates its iOS app with new apps, sharing options and v2.1 fix
- PSA: Pebble for iOS v.2.1 update contains critical flaw that breaks the app - Update