itunes credit card fraud

From all the stories that I read herein, Apple would get the money if the iTunes account holder didn't notice the fraudulent charge. When the account holder noticed the charge, he would dispute the fraudulent charge with his credit card company. How would the credit card company reverse the charge? I don't know. Will they get the money back from Apple? I don't know.... I think if it was Apple losing their own money in frauds, they would do everything in their billion dollar power, perhaps dispatching iPolice if they exist, to bring the culprit to justice, to solve the case.

I've personally heard of multiple great experiences with iTunes support from multiple people I know. I wanted to reply to this thread to argue my belief that any assumption that Apple, iTunes, and/or iTunes' security is at fault in any of these scenarios is probably an assumption without any sound basis or proof.

I think most of these cases that are actually fraud and not purchases by kids are probably due to being tricked to provide their password and or billing information in response to fraudulent phishing emails. Other causes may be unrelated sources such as unscrupulous online vendors, local places such as restaurants, gas stations, etc. Maybe that place where you pulled over for gas and tried to run your card and it mysteriously didn't work? You hear the stories of people that setup card scanners that look like they're part of the pump or ATM. Maybe you tried to go to the Apple Online Store site, but typed in a Google search instead of a URL, and then visited some fraudulent site that pops up on Google's advertised results. Maybe the charge was on your wireless statement, and one of their support reps that doesn't know a thing about what they're talking about referred you to Apple. That happened to me when I called them about a $10 scam charge that started occurring on my phone statement which showed up from a scam associated with a technique known as "cramming." I asked my wireless rep to speak to a supervisor and got that taken care of. Anyways…

The iTunes Store is one of the largest worldwide online storefronts in the world. Over 400,000,000 iTunes accounts exist according to Wikipedia. I'm sure nobody ever uses a stolen credit card at Wal-Mart… yeah right. So the iTunes Store has tons of music and is reaching nearly a million third-party apps that are only sold for the iPhone, iPad, or iPod touch from the iTunes Store… unfortunately there are ethically challenged people out there that will want to try to acquire this content without using their own funds, and unfortunately there are people out there that make a business out of stealing/acquiring/selling/buying compromised personal and billing information. I don't see how it can be Apple's fault that someone else just happened to have your credit card information and decided to buy something from iTunes.

How could APPLE let this happen? If the necessary measures were taken to prevent all fraud, then Apple would probably run into an issue where 15,000 dollars of legitimate attempted purchases by legitimate people would be lost for every 1 dollar of additional fraudulent purchases that were prevented.

You'd have people freaking out because they'd have 4 kids but only 3 different credit cards, and it wouldn't be possible to use a specific card number on more than one Apple ID that you use for iTunes. They'd have to go exchange the new iPad and buy a pony for their fourth kid. You'd have to go to an Apple Store with a copy of your utility bill, either your social security card or birth certificate, and a photo ID in order to create an iTunes Apple ID. Or whenever you wanted to create an Apple ID, you'd need to fax in high resolution photo-copies of the front and back of your photo ID and credit card. You'd have a thread here with 5000 pages of posts per year instead of 17 pages over 3 years of people all complaining how they were on a trip and they couldn't buy that album, book, or movie because they were in a location other than their authorized desktop computer that they used to create the account 4 years ago which only works with iTunes when they bypass their router and connect the computer directly to their cable modem with an ethernet cord. Even after visiting the Apple Store the first time with their electric bill, they'd need to go back with 2 forms of ID in order to authenticate their new iPhone or iPad with their account. One of ten potential users would give up trying to use iTunes due to their inability to provide billing information in a standardized format or in a format that precisely matches the information their bank or credit card company has on file.

I'd assume 75% or more of the "unauthorized" or "fraudulent" purchases that people report are actually legitimate purchases made by people's family members (probably often young children). "But my kid is 4 years old and couldn't have done this because he can't read and does not know my password!" That is what my neighbor said when he contacted iTunes and was told that the $200 or so of charges that hit his bank over 1 or 2 days appeared to be "In-App Purchases" from within a free app/game he had allowed the kid to download. The iTunes person was able to help him as an exception and explained to him how to set restrictions to ensure his child didn't puchases without his permission. By default there is a 15 minute time-frame after you enter your password for your kid so they can download their free game... hand the kid an iPad with a signed in iTunes Apple ID that has a $5,000 limit CC on file and they have a free ticket for a 15 minute shopping spree... and while a 4 year old may not understand what the $100 price tag means, they do understand that a treasure chest of gems or coins is better than a sack of coins or 3 individual gemstone. Fifteen minutes go by with your kid playing the game, and 2 days later you notice a page of transactions of $9.99, $49.99, $99.99, etc. on your bank or credit card statement. Just because there were not restrictions set by the guardian of the child does not mean there is a hole in Apple's security.

Per the iTunes Store Terms and Conditions (URL: http://www.apple.com/legal/itunes/us/terms.html#SALE ) that everyone must agree they've read and understand before accessing the iTunes Store:

"In order to purchase and download App and Book Products from the App and Book Services, you must enter your Apple ID and password to authenticate your Account. Once you have authenticated your Account, you will not need to authenticate again for fifteen minutes. During this time, you will be able to purchase and download App and Book Products without re-entering your password. You can turn off the ability to make App and Book Product purchases by adjusting the settings on your computer or iOS Device. For more information, please see http://support.apple.com/kb/HT1904 or http://support.apple.com/kb/HT4213. "

In other words, this means updating to iOS 5 or later and going to Settings > General > Restrictions on your iPhone, iPad, or iPod touch, tapping "Enable Restrictions," choosing a restrictions passcode, and then scrolling down and making sure that the "Require Password" setting is changed to "Immediately" instead of "15 minutes" in the various items contained in the "Allowed Content" section of the Restrictions settings. Anyone that has young children using the devices should also set "In-App Purchase" to "OFF."

Here are articles about iOS restrictions and "In-App Purchases."

iOS: Understanding Restrictions - http://support.apple.com/kb/HT4213

iTunes Store: About In-App Purchases - http://support.apple.com/kb/HT4009

If you're not going to supervise your children or take the necessary due diligence to understand the powerful hand-held computer's they're using, you should make sure they use their own Apple ID with no PayPal or credit card setup, or remove the payment type from your Apple ID. You can still download free stuff with no payment type.

iTunes Store: Changing Account Information - http://support.apple.com/kb/HT1918

Creating an iTunes Store, App Store, iBookstore, and Mac App Store account without a credit card - http://support.apple.com/kb/HT2534

If you've noticed a bunch of unrecognized charges and you have kids that may use your iPhone, iPad, or iPod touch sometimes, I'd recommend checking your iTunes purchase history ( WHICH CANNOT BE VIEWED AT A WEBSITE ). If you think your kid doesn't have an account, go to "Settings" > "Store" or "Settings" > "iTunes and App Stores" on the iPhone, iPad, or iPod touch, and check what is listed as the Apple ID. Make sure you're signed in and viewing the purchase history within iTunes that is installed on your computer with that Apple ID.

iTunes Store & Mac App Store: Seeing your purchase history and order numbers - http://support.apple.com/kb/HT2727

If charges just randomly started showing up on the credit card statement and you don't have kids or family members that could have made purchases and they're not showing in your iTunes ( not Apple Online Store ) purchase history, then your credit card was probably stolen at the restaurant or gas station. Or... you provided it to a illegimate source after being fooled by a fraudulent phishing email. In order for someone to use a credit card on iTunes, they need your full credit card number, expiration date, and security code. This is not information that you can get by signing into someone's iTunes account. Whether your name, address, and phone number is required or not for a transaction to be authorized by your bank or CC company is something that is decided on the bank or CC side.

Do not be fooled by fraudulent "phishing" and "spoofing" emails. It's too easy for the fraudsters when you just give them your information and they don't even have to take it. This isn't just applicable to iTunes. See the info below:

Identifying legitimate emails from the iTunes Store - http://support.apple.com/kb/HT2075

Identifying fraudulent "phishing" email - http://support.apple.com/kb/HT4933

Also included in the iTunes Terms and Conditions:

"As a registered user of the App and Book Services, you may establish an account ("Account"). Don’t reveal your Account information to anyone else. You are solely responsible for maintaining the confidentiality and security of your Account, and for all activities that occur on or through your Account, and you agree to immediately notify Apple of any security breach of your Account. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account. "

In other words, it is your responsibility to have the online equivalent of "street smarts" so that you can maintain the security of your personal information and billing information.

If you think your account has been compromised, you should immediately contact Apple. You should also visit the http://appleid.apple.com site DIRECTLY ( not via a potentially fraudulent link in a phishing email ) and change your Apple ID password and security questions immediately . You should ALSO change the password of your email account (i.e.: your Gmail, Yahoo, MSN, Live, Hotmail, etc.) You should change the password of any social network site that used your old password to something different than your Apple ID password. Adding a "RESCUE EMAIL ADDRESS" in "Password and Security" at http://appleid.apple.com is something Apple recently let us do that can significantly increase the security of your account. This makes it to where password reset and security question reset emails go to the "RESCUE EMAIL" which can't be the same as the primary. This prevents someone from being able to reset your password and security information in the event your primary email account is compromised.

Here are articles that explain the rescue email and that provide general tips for protecting account security:

About the rescue email address - http://support.apple.com/kb/HT531

Apple ID: Tips for protecting the security of your account - http://support.apple.com/kb/HT4232

Seriously guy? Maybe you should have read through the posts before blatenly stating your "opinions".

I am the owner of a computer store. I design and develop websites and write code for ecommerce websites. We help get new businesses off the ground. I set people up with POS systems as well as online merchant accounts and teach them how to be PCI compliant. I know what i'm doing, I know how to protect myself online and I know how to be sure i'm using my card on a secure server and I personally take offense to your statement that it's probably something I did or one of my children hacking into my account. Please do the world a favor and read over the posts before taking all that time to leave such an offensive statment.

1.) I didn't even have an apple ID or account when my card was compromised

2.) Therefore, I did not have a credid card associated with my account.

3.) The charges originated from overseas as do many of these because it harder to prosecute for internet crimes abroad.

Of course my card was likely compromised somewhere else. I don't dispute that fact. It's not really that hard to do. My problem is that Apple does not collect CVV/CSV code when a purchase is made. This is an extra level of security and is an option for all online retailers. They choose not to ask for it, i'm sure for convenience of purchasing, therefore leaving us all succeptable to these kinds of fraudulant charges. Thank goodness i'm with an effecient bank who notifies me immidiately and understands this is a big problem for consumers. I'm told they see this all the time with Apple. It's been years, you would THINK changes would be made to protect the consumer but like everything Apple, it's all about the allmighty dollar.

Just had fraud on my CC from apple store, but not iTunes Store, this time it was a physical swipe of credit card at a New York apple store at 3AM in the morning for 650$, that's all the details my bank would release to me as they are pursuing the case and trying to get my money back, apple, you are slipping up big time, this is not a 2.99$ transaction, It seems like maybe apple employees are going rogue on the company and trying to make extra money on the side, honestly never expected this to happen from apple, I really hope I can get my money's back.. It's like someone just stole a brand new iPad from with full options..

I just had an hour discussion with a "senior Apple fraud supervisor" after a bogus pre-authorization charge in itunes, also after downloading a free app.

"My problem is that Apple does not collect CVV/CSV code when a purchase is made. This is an extra level of security and is an option for all online retailers. They choose not to ask for it, i'm sure for convenience of purchasing, therefore leaving us all succeptable to these kinds of fraudulant charges. "

It is required to include a valid 3/4 digit CVV (in addition to full CC number and expiration) when adding a credit card or debit card as the payment type to be used with an Apple ID for the iTunes Store. I have a credit card on file, and the information that can be obtained by accessing my account information is the last four digits of the CC. A billing name / address is also required.

All needed information has now been updated on my account. If you need anything else please let me know.

I have had my itunes account for a whole two weeks, checked my credit card statement today and two transactions have been made using my credit card for $200+ in the sydney store. No confirmation received through my itunes account. Just cancelled my credit card and the bank is now investigating. Called itunes support, closed for holiday, how is everyone else open, but this huge company? Person at bank couldn't believe how bad the security is and will pass the word around recommending everyone close their itunes accounts.

Only got the IPad and account opened because it was part of my daughter's autism therapy. Merry Christmas to us.

I've just had to spend 6 hours updating my kids ipods form ios4 to ios6, something I've dreaded from past experiences... The amount of rubbish, errors, and just downright awful software is unbelievable. So after resolving the dreaded 1064 error message and syncing over and over about 10 times (still lost some content!!)... It came to the point were they wanted to redeem their itunes cards (£15)... Guess what.. yeah came up the same bull that people have been suffering here and disabled the accounts because the cards were invalid (even though we've the receipts and the strips hadn't been damaged).. So, I thought what shall I do.. it must easy to resolve..? Oh no of course it 'Just Works' doesn't it? Well, after reviewing the postings on here and other sites I'm going to do myself and my kids a favour, I'm going to leave the accounts disabled and get rid of my Apple hardware.. enough is enough...

There are far better music services provided by Amazon, Google, Microsoft, Spotify, Rdio that kick this walled garden rubbish into space...

Do all yourselves a favour and move on from this controlled, inflexible, rigid service and be free.

This has happened to our family as well not once but twice even with a replacement creit card within 10 days of the change over.

We should DEMAND that Apple sends us the IP address of the fraudulent user so that we can pass it on to FBI.

Apple have NO INTEREST in stopping this as they only care to give a return to their investors and care nothing for the fraud!

You cant even find anyone at Apple as they hide behind a firewall of chat rooms like this that get us nowhere.

Clearly, the initial problem is that Apple have lousy safety controls of their clients credit card info as I believe we are only seeing the tip of the iceberg.

Shame on Apple!

can you let me know what he says as to how to stop this.

Our credit card was hit with $1300 in fraudulent charges. When we changed the card the new one was hit with $350 in less than 2 weeks. This is a nightmare for us to find out how to stop it and I cant get through to anyone at Apple.

I dont want to have to ban all payments to Apple or Itunes but if I cant get this stopped Ill have to.

inform your bank and they will credit your account with the money as we are all covered by insurance by the credit card agencies.

Jeffrey512

I noticed your post as we too have been hit many times even with our replacement card.

I will try to change my settings but if I have access then so does the fraudulent user (FU). Can I make changes that the FU will not be able to change? Should we change our account with Itunes or maybe have a separate bank card for credit purchases?

thanks for your comments

to iipad22me, your bank will reverse the charges made to your account as it is part of the automatic protection when you use a bank card. Dont worry about what they will get back thats not your worry. you have to be vigilent in checking your bank statement and look out for those itunes payments and keep telling your bank. jeffrey512 has given some good advice.

i just got a text today my card was tried to be used the card was an old card do to someone tried to and did download a lot of stuff i did get the support guy to do 21 questions with me until i hit an e mail close to me but this person act got closed when i reported it. since then we are trying to mend the fences but i fear a friend of theres mayhave gotten hold of my card off the i phone she has since she not near it right now, when i called the 800 # i tunes told me to go to support /cc to see but that link is not there .