Flaw in iTunes security penalises the victim?

8 June 2010

Picture this: You buy a stack of records from a record shop, frequently enough that the shop owner knows your face. However, someone pinches your credit card and spends a whole load of your cash at the record shop. You'd be pretty pissed off with the store owner for not doing anything about it. Worse still, you don't like the way he broke into your house and stole back all the music you'd previously bought from him.

While this seems like fanciful glue-sniffing nonsense, this is the allegory used by Pete Bilderback at the Flowering Toilet blog after Apple's iTunes stung him after he'd been the victim of a hacking.

Bilderback says that someone got access to his iTunes account, changed my account name and password, and proceeded to charge almost a thousand dollars worth of merch in a 24 hour period. They bought a load of rubbish music and iPhone apps, despite the fact he didn't even own an iPhone.

His credit card company got in touch after they smelled a rat and disputed the payment with Apple.

Oddly, Apple's view on the best way to solve this predicament was to close Bilderback's iTunes account completely, taking all the protected AAC music files, TV shows and films that he'd purchased with them. Oh, and they won't answer his calls.

It seems there's a gaping hole in Apple's security, as this isn't exactly an uncommon scam. The Japanese Government has made an official inquiry with Apple about its billing practices, and the company is dicking people out of things that are rightfully theirs. If you've spent loads of money with the company and have a library's worth of music and film bought from iTunes, it might be worth looking into ways of protecting it, be it by removing your credit card details or storing your music on an external hard-drive or somesuch. Or, easier yet, buy your music elsewhere or you'll end up out of pocket and tuneless.

Read the full saga here



  • Lumoruk
    I laughed so freaking hard you wouldn't believe thinking of Paul and Andy crying in their cots
  • James D.
    He should have torrented it.
  • Nobby
    > Bilderback says that someone got access to his iTunes account, changed my account name and password, and proceeded to charge almost a thousand dollars worth of merch in a 24 hour period.

    So they changed your account name and password via his account? Or did you forget to change the my to a his?
  • The B.
    And that, ladies and gentlemen, is another reason why I will never use iTunes. If I ever did get another iPhone, I'd jailbreak the bugger.
  • Codify
    I hate Apple with a passion, but one thing they are good at is customer service. This random guy's assertion that Apple 'won't take his calls' sounds well fishy. On the one occasion my GF went through a similar situation, Apple quickly refunded all the money that was taken and re-authorized all previously purchased content, all within a couple of days. To be honest, this guy sounds like a bit of a moron, who can't figure out how to navigate Apple's site to get to the customer support section.
  • Klingelton
    I'd say that he maybe got a disgruntled Apple employee on the day he did manage to get in touch with them, or he was shitty with them. It'd be no difficult task for Apple to discern what music Bilderback had bought previous to a given day and re-instate that. Having said that, save your money, torrent.
  • Mark
    'Having said that, save your money, torrent.' Some of us (a minority it seems) like to contribute to the artist. That said I tend to use other sites for buying MP3's such as Play.com or Amazon.
  • Ryan E.
    Contribute to the artist by going to gigs and buying merchandise. They make way more money that way.
  • Pete B.
    Thanks for the link Mof. It is gratifying to see what I wrote getting some attention, I really appreciate it. Codify, I like to think of myself as a pretty tech savvy person, but perhaps you are correct and I lack the intelligence to navigate Apple's customer support section effectively. Considering I'm the person that everyone I know comes to when they have computer problems, I doubt I'm the only one who would have this difficulty under the circumstances. My initial email communications with Apple's iTunes customer support team were actually very friendly, and I assumed that the problem would get worked out fairly easily. That turned out not to be the case, but I did not want to bore the world with all the details. But to address your concern directly, in order to access any of the features on Apple's support page, you have to have an Apple ID and password. You need this to email them and you need them to get a phone number to call to speak to a customer service rep. But once Apple disabled my Apple ID, I was no longer able to do that. It's sort of a Catch-22. As I state in the post, I have no doubt I could have gotten this issue resolved with Apple if I were willing to put more effort into it. Any solution would likely have involved contacting Apple at the corporate level which would involve long waits on hold, etc. At a certain point I just decided to cut my losses, because I had not purchased enough from iTunes to make it worth my effort. That's my decision and I take responsibility for it. I suspect the problem here is more a matter of me not being persistent enough to get the issue resolved than lacking the intelligence to do so, but you are of course free to make your own judgment on that. Also, I never expressed any anger toward anyone at Apple during this process, and in fact I've never really been "angry" about any of it. I created the post to raise awareness about what I regard as a rather large hole in Apple's security. I don't have any particular grudge against Apple, but I do think people should be aware of this problem, because it is real, and I am not the only one to have gone through it. As to the torrent suggestion. I am not comfortable with that at all. First, I believe artists deserve to be compensated for their work. Second because whatever software I need to install on my computer is likely even less safe than iTunes. The vast majority of my music purchases are on LP and CD from my local music retailer. But, I think it is obvious that physical retailers of music are not long for this world and will be going the way of the horse and buggy soon. Yes, they will continue to exist, just as you can take a novelty horse and buggy ride through Central Park today, but they will soon largely be a thing of the past. Thanks again for noticing my post. Cheers!
  • Mark
    'Contribute to the artist by going to gigs and buying merchandise. They make way more money that way.' They really don't.
  • Mark
    Actually, I take that back. http://labs.timesonline.co.uk/blog/2009/11/12/do-music-artists-do-better-in-a-world-with-illegal-file-sharing/ But still I have kids and therefore no social life so for me the only way to contribute is via record purchases.
  • maxtweenie
    Only today some bastard hacked my iTunes account. Luckily I don't trust anyone with my card details so they only got away with a fiver from a prepaid 'gift' card. I hope the thieving scum get cancer and die.
  • Stuart b.
    Apple? Ripping people off? That'll be the iPhone/iPad/iPod then?
  • Mr G.
    The real problem is DRM, which in turn is the fault of pirates and torrenters. However DRM is so wrong that you can legally avoid it by buying your music from places like Amazon and Play.com and using them in proper MP3 players instead of Apple products. If you must use Apple products there are alternatives to iTunes. OK, not as simple as allowing yourself to be forced down the iTunes path, but not as risky, either.
  • Stuart b.
    Sorry Pete, but if you were 'Tech Savvy' you would have realised that Apple are making more money than the GDP of Africa and you would have got your mp3's from 'alternative' sources, which rather than Apple kicking you in the bollox which they've done, you would kick them in the bollox. If an artist is good, they will make plenty of money regardless of piracy.
  • Pete B.
    Hi Stuart, I've never been a big fan of iTunes. Most of my MP3 downloads come from eMusic, but most of the music I buy is on LP or CD. iTunes has released a few "exclusives" from artists I like such as Belle and Sebastian, Iron & Wine and Robyn Hitchcock, and that is mostly the kind of thing I downloaded from iTunes. Apple may make more money than God (just as record labels used to), but those artists do not, and I feel they should be compensated for their recordings if I am going to listen to them. And I do not believe in stealing from someone regardless of whether they "make a lot of money" or not. I've heard a million rationalizations in favor of illegal downloading, but none of them sit right with me personally. If you feel it is alright, I'm not one to judge. But this has nothing to do with being "tech savvy" or not. I'm certainly technically capable of downloading from "alternative" sources as you call them, but I chose not to. It's interesting, because I've actually had a fair amount of vitriol directed at me both from Apple's fans (because I dared to criticize their God) and its detractors (because I was foolish enough to do business with the Devil). But what is more interesting to me is the argument that I somehow had this coming to me because I didn't go the illegal download route in the first place (you are not the first to make this suggestion). I'm not offended by the assertion, I just find it interesting. I'd love for you (or someone with a similar point of view) to elaborate on this point further, as I guess I don't really understand where you are coming from.
  • -]
    You didn't have it "coming to you" because you didn't go the "illegal download route" (which isn't actually illegal). That type of blame the victim mentality is engrained in the middle-class psyche (and the bourgeoisie make up 99% of BW readership). It's certainly a lesson for future though, don't buy anything that isn't DRM free. If the only place to sell it is somewhere that uses DRM then do without. Boycott. Some of the people that boycott will download it via "illegal" means. Others will just do without. I only buy music from artists on independent labels, so DRM isn't something I have to put up with much. When I do want something by a major label artist I'll "pirate" it and buy a gig ticket and a t-shirt at the gig. That way the artist gets a decent pay. I also have kids, that isn't an excuse. (you can buy official merch online btw).
  • Stefanie
    My iTunes account was compromised June 8th and was charged over 200$ in apps! Most of the apps had Chinese characters which I cannot read and maps of Shanghai?? I called my credit card company and they immediately cancelled my card and the five pending transactions. I called iTunes and they told me they do not deal with situations like this on the phone but they would give me a website to go to?!? It's their fault they got hacked yet they won't talk to customers on the phone about fraudulent charges?? I had to send an email to customer service and still no response! Something needs to be done about these crooks.
  • Ian G.
    Same thing happened to me recently: iTunes account hacked, unauthorised purchases made. No way to contact Apple about this by phone, only through web-based e-mail, and then they simply do not reply or reply with automatic, computer-generated and unhelpful responses. Mine was: "Sorry you haven't been able to download your purchases, here's how you can do it..." I don't want to download these things as I never purchased them in the first place, a thief did using my account! Moral of this story: iTunes is insecure, don't use it.
  • Mike
    This just happened to me too. My account was hacked, the fraud was refunded but then several weeks later my account was disabled. Now I cannot update any of the apps I have purchased over the past 3 years which means eventually they will break as the OS continues to update. I have contacted my state attorney general because this is an illegal practice. I had close to $100 of iTunes gift cards that they disabled along with my account and that is an illegal business practice plain and simple. I'll sell you a gift card but won't let you redeem it. Illegal. If this has happened to you contact your attorney general and we can get a class action lawsuit started.
