In recent weeks, more and more iTunes users have reported fraudulent activity on their Apple accounts, with hundreds or even thousands of dollars’ worth of bogus purchases. As reports of this type of fraud have increased, many users have been quick to blame Apple or PayPal, because many of the affected iTunes accounts were linked to PayPal accounts.
But the problem cannot be blamed on a software security flaw, nor can it be fixed with a quick patch. The problem, it seems, actually lies with iTunes users.
That’s right: iTunes users are the app’s big security flaw. Here’s what you need to know in order to keep yourself and your iTunes account safe.
The Problem is in the Passwords
Hackers can make fraudulent purchases on iTunes accounts to which they have obtained the passwords. But these passwords were not obtained by breaking into Apple’s servers; Apple sources tell CNET that “iTunes has not been compromised and the company is not aware of any sudden increase in fraudulent transactions.”
Instead, it seems, hackers are obtaining passwords through good, old-fashioned phishing scams. iTunes users often don’t know how their accounts were compromised, but many appear to be simply handing out their user names and passwords without realizing it. Sometimes they’re doing so in hopes of getting a good deal, for example by buying unauthorized iTunes gift codes online.
The takeaway should be obvious, but it’s worth repeating: Never reveal your iTunes user name and password to anyone except within iTunes itself.
Many users store their credit card or PayPal account information with their iTunes account, so they need to enter only a user name and password to make a purchase. Once that info is entered, the amount of your iTunes purchase is automatically charged to your credit card or PayPal account. If you don’t check your billing statement regularly, hackers could rack up a good deal of iTunes charges before you even realize that your account has been compromised.
You have a couple of options to prevent this. One is to remove the credit card or PayPal account info that you have stored in iTunes. This means you’ll have to enter it manually every time you want to make a purchase, which could become annoying. If you decide you want to keep the info stored in iTunes, you should be vigilant about checking your accounts. Check your account activity and balance regularly to make sure that there has been no unauthorized activity.
What if there has been unauthorized activity? What should you do then? Apple recommends that all users contact their financial institution to discuss unauthorized charges. PayPal reportedly is reimbursing customers who’ve been hit with fraudulent activity on their accounts, and many credit card companies have standard policies in place to do the same.
Apple also suggests that users change their iTunes passwords immediately, which is easy enough if you still have access to your iTunes account. But some users have reported that the hackers have gone into their iTunes accounts and changed the passwords themselves — leaving the actual account owner without access. In this case, you’ll need to reset the password manually. To do this, you’ll need your Apple ID and access to a linked e-mail account, or you’ll have to answer the security questions that were provided when you created your Apple ID.
If you’re thinking it would be easier to start over and simply cancel your account, well, that’s not exactly the case. There is no link in iTunes that allows you to easily cancel your account; to do so, you’ll have to contact Apple directly. And if you do decide to cancel your account, you could lose access to all of the content you’ve previously purchased from Apple’s iTunes store.