iTunes+PayPal -> fake charges

Discussion in 'Fred's House of Pancakes' started by bwilson4web, Oct 23, 2010.

  1. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    Earlier this week, I used iTunes to buy a single and found a new link to support PayPal payment. I prefer PayPal instead of the credit card so I took it . . . BAD MOVE.

    Two days later, two separate iTunes payments for $40 and $46, fraudulent charges against my PayPal account. So I contacted Apple and they refunded the money. I also changed both the iTunes and PayPal passwords . . . first time in over a year.

    This morning at 3:00 AM, another iTunes payment for $16.00. This time I found my iTunes account frozen (GOOD!) I contacted Apple and got a refund but when I went into PayPal, I was able to disable the "iTunes billing agreement." (VERY GOOD!)

    The Apple tech believes the $16 charge had been submitted before I first contacted them about the $40 and $46 charge. . . . must have been one of those old computers. Regardless, lessons learned.

    "Phishing scam" - H*LL NO! This came from iTunes (V10) offering a PayPal payment link. This is an Apple-to-PayPal problem.

    I don't know how it was hacked but it happened so . . . deal with it. I'm just offering a 'heads up' to avoid the problem I ran into.

    Bob Wilson
  2. Paul58

    Paul58 Mileage Miser

    Jul 31, 2010
    2010 Prius
    Good to know! Thanks for sharing this... I was not aware iTunes accepted PayPal, but I certainly won't be using it now! I prefer the pre-paid iTunes cards, harder to get scammed, but I doubt if it's impossible these days!
  3. Rae Vynn

    Rae Vynn Artist In Residence

    May 21, 2007
    Tumwater, WA USA
    2007 Prius
    I've noticed a few issues with Paypal, as well.

    I'm very, very careful in using it anymore. After any purchase, I go and delete any "recurring payment" that might be listed.
  4. Zythryn

    Zythryn Senior Member

    Apr 28, 2008
    Other Electric Vehicle
    Never had an issue with iTunes, however I never used Paypal with it.
    After reading the small print in the pay pal account, I have never opened a pay pal account. This was a number of years ago though, they may have improved...
  5. daniel

    daniel Cat Lovers Against the Bomb

    Feb 25, 2004
    Spokane, WA
    2004 Prius
    I've never had any problems with either iTunes store or PayPal. I use both, but I've never used PayPal to pay at iTunes. I have a low-balance debit card I use for internet purchases from merchants I "trust" (Amazon, Apple, big-name on-line stores, etc.) and I use PayPal for merchants I don't trust if they accept it, and that also comes out of a low-balance account.

    When you pay with PayPal you should be directed to the PayPal web site and the merchant should have no way of submitting charges. Only you should be able to authorize payments. Unless someone has hacked into your PayPal account.

    Make sure you are really on the PayPal site, and give your PP password ONLY to the genuine PP site. Apple should have no way to charge your PP account. My guess is someone got your PP password.
  6. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    Well let's look at the evidence:
        Column 1      Column 2                  Column 3    Column 4
    0   Oct 23 2010   Payment To iTunes Store   Refunded    -$16.07 USD
    1   Oct 19 2010   Payment To iTunes Store   Refunded    -$40.92 USD
    2   Oct 19 2010   Payment To iTunes Store   Refunded    -$49.34 USD
    3   Oct 18 2010   Payment To iTunes Store   Completed   -$1.06 USD
    The last 7 days activity from my PayPal account.

    So let's assume an ordinary criminal got my PayPal password. Their first action is to buy music from iTunes, not 'gold coins', jewels, or precious gems because this criminal really, really wants some music.

    Now between Oct 19 and Oct 23, I changed the PayPal password. So the criminal somehow gets that password and once again, they're at the iTunes Store buying music. Thank God they didn't find some Nigerian bank offer to chase down a fondness for GM products!

    On Oct. 23, I turned off the PayPal "business" relationship to iTunes. You are of course welcome to test it but I've had enough.

    Bob Wilson
  7. SageBrush

    SageBrush Senior Member

    Jun 4, 2008
    Southwest Colorado
    2012 Prius v wagon
    This sounds like both the Apple and Paypal passwords were stolen, implying either iTunes or the Apple database is compromised. Or maybe the passwords were lifted off the personal computer?

    Sounds pretty sophisticated, unlike the usual.
  8. SageBrush

    SageBrush Senior Member

    Jun 4, 2008
    Southwest Colorado
    2012 Prius v wagon
    lol, my thoughts exactly.
  9. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    I disagree which is why when reading the August articles claiming it was "PHISHING," I realized that it was just more 'blame the victim' nonsense and lazy journalism. I don't know how the iTunes-to-PayPal link got compromised and in truth, I could get in a lot more trouble trying to diagnose it. I'm not that into doing the Apple/PayPal work.

    I'm not worried about the iTunes account as it is now 'disabled.' I had changed the password. Now all passwords are disabled with the account.

    Yes, I'll eventually find something to buy via iTunes in the future but it will be a different account. I'll probably buy one of the pre-paid cards and be done with it. No more credit cards or PayPal paying for iTunes stuff. Still, I encourage the skeptics . . . those who doubt my word . . . do the experiment. <grins> Hummmm, there are two characters on my "Ignore User" list . . .

    Bob Wilson
  10. Stev0

    Stev0 Honorary Hong Kong Cavalier

    Sep 23, 2006
    Northampton, MA
    2022 Prius Prime
    Plug-in Base
    I pay for iTunes by PayPal and never had any problems. But I'm guessing the problem was on the iTunes end and not the PayPal end.
  11. davesrose

    davesrose Active Member

    Aug 27, 2010
    2010 Prius
    I also haven't had any problems with paypal or itunes separately. With paypal, the main thing I'm sure to do is to only sign on to the legitimate site. I do get numerous spams/phishings that I "should confirm my login info" with this "genuine" e-mail....of course they're always some other site than paypal. I have an expired credit card on file with itunes now, which looks like this is a good thing. I decided to google itunes paypal, and I come up with nothing but current news reports of people being ripped off of itunes :eek: Apparently, it does look like a security issue with Apple...and at least you can count your blessings that it wasn't thousands of dollars that were stolen! The one case of fraud I've had is with my credit card: it was swiped a couple of times in China, and resulted in about $600 worth of charges....which my credit card told me the easiest way to handle was to pay the balance and then they would refund me the money. They didn't freeze my card then....but I notice they freeze my card on random occasions for minor charges. Who can figure out credit card companies??
  12. daniel

    daniel Cat Lovers Against the Bomb

    Feb 25, 2004
    Spokane, WA
    2004 Prius
    Bob, had you entered into some sort of thing where iTunes had authorization to charge your PayPal account without you having to go to PayPal and enter your password each time? iTunes has my credit card info and I can buy stuff from iTunes by one-click as long as I am at my home computer. But it does not go through PayPal. If I am on my iTouch I have to enter my iTunes password to buy anything. So far, there have been no bogus charges.
  13. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    • Oct 18 - upon hearing about Julie Brown's "Big Clown Pants" on the Stephanie Miller show, I opened up iTunes and looked at Julie's body of work. It looked like "Big Clown Pants" was the single most popular of her tunes and I wasn't interested in the others. So as I went to pay for the tune, I saw the PayPal option, something I had not seen before. Since I have a lot of confidence in PayPal for my Ebay purchases, I thought 'Why not' and selected it. I didn't record the exact sequences at the time because there was no reason to be alarmed. I trusted iTunes and PayPal and this looked to be a better way to avoid having a credit card in the middle. The song downloaded and on my iPod and I had a good laugh driving into work and playing for some co-workers ("Big Clown Pants" is a derivative work of Lady Gaga with a little, blue satire. Just a touch too racy to share with most women.)
    • Oct 19 - two fraudulent charges on my iTunes account using the PayPal payment. I spied the charges on Oct. 20th on my PayPal e-mail account and then checked the different e-mail, iTunes account. I contacted Apple about the problem and changed the passwords on both the iTunes and PayPal accounts. The refunds from Apple iTunes were rapid and came in even as I was in a 'chat' session with the Apple iTunes help desk person.
    • Oct 23 - third fraudulent charge on my iTunes account found within 45 minutes via an e-mail on the iTunes account. The PayPal notice had yet to show up but did a couple of hours later. I contacted the Apple iTunes staff and they explained 'may take 3-5 business days' for some business transactions to clear and this one was done about the same time as the earlier two. Regardless, iTunes refunded the money and enabled my account (again!) with instructions on how to disable the PayPal option. I changed the iTunes password again and disabled all payment options. I also found an option under PayPal to disable the iTunes "business" relationship (whatever the heck that means.)
    Please understand I had not 'changed my passwords' for either iTunes or PayPal in the previous year. There was no PHISHing compromise. Please put that chestnut in the same pot with having rape victims pay for their own rape kit or being forced to carry to term a rapist fetus. Of the many articles published in August about this iTunes-PayPal fraud, claiming this was PHISHing is the most hurtful, mean and despicable lie floated by those who claimed or echoed that lazy nonsense.

    Rather, let me suggest the following:
    Do the experiment

    Go to your iTunes account and enable "PayPal" to buy a tune. Monitor it for a week or so and see if your account also shows fraudulent charges. I've done it and would love to hear exactly what you did and the results. As for my configuration:
    • iTunes version 10
    • MacOS V10.5.8
    • T-mobile Rocket USB network access
    It may be this is unique to this Mac user on a T-mobile network. Who knows, I may have a keycaps capture program running (and I'm checking using 'tcpdump'.) Having worked in network security, I'm not perfect but few have called me lazy.

    Seriously, if you want to investigate the vulnerability, repeat the experiment and take good notes. I would be happy to find someone who does not see this problem or even the happy case that the problem has been found and fixed. But I fear no one from Apple nor PayPal is going to let us know that this problem has been diagnosed and/or fixed. I say that because I've had two sessions with iTunes support staff and they have not volunteered that it is a known problem even though I asked. I have not had to take it to PayPal but their system prompted me to terminate the "business relationship."

    Bob Wilson
  14. daniel

    daniel Cat Lovers Against the Bomb

    Feb 25, 2004
    Spokane, WA
    2004 Prius
    Just a few questions: Did you give iTunes your PayPal password, in order to "enable" that option, or when you clicked on "Pay with PayPal" did it take you to the PayPal site? And if the latter, did you authorize just that one purchase, or did you authorize PayPal to charge any amounts submitted by iTunes?

    If you gave iTunes your PayPal password, or if you gave PayPal permission to charge any amount submitted by iTunes without asking you, then the problem is likely to be with iTunes alone.

    If you never gave iTunes your PayPal password, and if you never authorized PayPal to accept iTunes charges without confirmation from you, then both PayPal and iTunes are doing something wrong.

    I would never give my PayPal password to any other site, ever; and I would not authorize PayPal to charge my account without asking me every time unless it was a recurring charge of a fixed amount, such as a monthly subscription. If I trust a site enough to allow them to keep my charge information on file (Amazon, for example) then I trust them enough to give them my low-balance debit card. Adding PayPal into that chain just complicates things. The whole point of PayPal is for when I want to hide my credit card from a merchant. Giving a merchant permission to make unconfirmed charges to my PayPal account negates the whole purpose of PayPal.
  15. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    Sad to say, I don't remember exactly the sequence. I vaguely remember a new window popping up after the iTunes click for a PayPal option. I'm sure the PayPal password was needed but I really don't remember which window prompted for it. Regardless, this is not an experiment I look forward to repeating.

    Everything started from a PayPal option available via iTunes. How the iTunes software led to the problem is an iTunes-PayPal problem, not mine. I'm just sharing my tale of woe and folks are welcome to ignore or take it as a cautionary tale. Time for others to do 'the heavy lifting.'

    Bob Wilson
  16. daniel

    daniel Cat Lovers Against the Bomb

    Feb 25, 2004
    Spokane, WA
    2004 Prius
    I think the lesson here is: Before you give your PayPal or bank password, be damn sure you know what site you are on and who you are giving it to. Also, when authorizing a payment on PayPal or on your bank's bill-pay page, be damn sure you check to see if you are authorizing a one-time payment, a recurring payment, or an open-ended authorization for someone to withdraw as much as they like from your account.

    You probably gave permission for iTunes to charge your PayPal account without PayPal asking you for authorization each time, and then someone got your iTunes password and bought a few songs. As you said, if they'd gotten your PayPal password they could have taken all the money available to your account, but all they could do with your iTunes password was get some free music.
  17. GeekEV

    GeekEV Member

    Sep 12, 2006
    NorCal, USA
    2006 Prius
    There have been other reports of compromised accounts with iTunes and PayPal. The prevailing theory is a compromised PayPal account, but I have no idea what the truth is. All I can tell you is that iTunes has had the PayPal option for a long time and I've been using it since they added it. I buy things regularly from iTunes and also use PayPal regularly online with every merchant I buy from that takes it. I've never had any problems whatsoever. While I'm sorry to hear about your experience, and don't doubt that it happened, does iTunes + PayPal guarantee fraud against your account? Absolutely not. You can be sure both companies are investigating these incidents as it would be bad for business to allow it to continue... I think it's just a little irresponsible to go around insisting that iTunes + PayPal is a recipe for trouble. Fraud happens everywhere, everyday. If you're going to be all chicken-little over it, just use cash everywhere. Oh wait, even that can be faked... May as well just pull the covers up over your head and not get out of bed.
  18. Lilypads

    Lilypads New Member

    Oct 23, 2010
    2009 Prius
    I got a call from my credit card company's fraud division this week, and they found 2 fraudulent charges--one was iTunes (I never bought ANYthing from iTunes, but I use it to listen to music) and the other was a $500 contribution to the March of Dimes. Maybe these criminals are disabled music lovers!
  19. qbee42

    qbee42 My other car is a boat

    Mar 2, 2006
    Northern Michigan
    2006 Prius
    I used to install and support computer based point-of-sale systems, and I have seen problems like this before. One of my clients was a chain of high-end women's clothing stores. At one point the interface between their credit card draft capture and the credit card processor hit a glitch, and many of the transactions were double billed - never a good thing for maintaining happy customers.

    That incident had nothing to do with the Internet or phishing. I bring it up as an example of how two good companies with good intentions can have things go south when systems are involved. The OP's case sounds like a simple case of a system problem, not someone scamming.

  20. bwilson4web

    bwilson4web BMW i3 and Model 3

    Nov 25, 2005
    Huntsville AL
    2018 Tesla Model 3
    Prime Plus
    Ok, you win. You want me to go back and edit all of my earlier postings to 'nothing?' That would be the 'responsible' thing? No my friend, that would be exceptionally foolish.

    You have just advocated a robbery victim be quiet and not report what happened. These are just the facts and data to the best of my memory. Since you've had a different experience, how about sharing some configuration details:
    • operating system
    • version of iTunes when you selected the PayPal option
    • when this was done - I noticed a rash of news reports around August 23 of the iTunes-PayPal fraudulent charges . . . as if something happened this summer
    As a famous American once said, 'Those who are not part of the solution are part of the problem.'

    Bob Wilson