I do a lot of online shopping and I use many websites that require some form of account that you log into, normally via a username and password combination. I’m very cautious and take security seriously, working as I do in the IT and more specifically Internet industry for over 10 years I know how to protect myself online.

Imagine my surprise this evening when I get 2 emailed receipts from the iTunes Store for purchasing 2 gift card vouchers, one at £75 and a subsequent one for £25. At first I thought it might be a phishing scam, designed to make me curious/alarmed and click on some link in the email, so I do the sensible thing, fire up iTunes and check my account history that way instead. The purchases were genuine, I was down £100…

How could this have happened?

The only way to purchase items on the iTunes Store on my account is to use iTunes itself and login using my credentials.
How could someone have my credentials? They would have to figure out my AppleID, not difficult as I have a .Mac account (mobileme) and I use that email address everywhere, and then the hard part, they would have to figure out my password. I was using a 10 character password made up of numbers and letters, no real words. So how did they figure that out?

There’s no way I have any dodgy malware on my Mac, I don’t install dodgy stuff from dubious sources and no-one has access to my machine as it’s always with me. There are only 3 possible explanations:

1) They did a brute force attack against my iTunes/MobileMe account, running billions of attempts through until they hit the jackpot.

2) They hacked another site I use (perhaps a forum?) where I use the same password and saw my email address on that account and thus figured out my AppleID and tried said forum password with it?

3) They got into the iTunes Store by some other security hole.

I consider no. 1 to be highly unlikely, no.2 to be possible and no. 3 to be scary.

Of course, as my iTunes account and my MobileMe account are one and the same, the scary thought is the fact that they could have access to all my email as well as who knows what…

Putting aside the “how” for a minute, what was Apple’s response?

After searching vainly for an iTunes Store phone number which does not exist (I thought it was a legal requirement these days?) I filled in their online form and waited. 90 minutes later I got an email back which was part form letter and part human. Basically they were very sorry to hear about what had happened and advised me to change my login details (duh!) and contact my financial institution to claim the money back as they, and I quote “cannot refund your money”. Afraid of losing my custom (I have bought almost 700 tracks/videos through iTunes over the years) they offered me 5 free song credits.
While I will be calling my bank tomorrow morning (can you believe that the fraud dept isn’t 24 hours?) I fail to see that this is a matter for the bank. My card was not cloned/stolen from elsewhere and used to purchase items from the iTunes Store, someone broke into my account on the iTunes Store and made purchases using stored card details. Having alerted Apple to this breach of security, and fraud, I would expect them to provide the refund via a card chargeback which all retailers can do.

I replied to Apple with words to this effect and got a response an hour later repeating that they cannot refund my card.

Not one to give in I responded with the reasoning behind my demand and made it clear that I was not going to “go away”.

A quick search on Google reveals this is a much more common occurrence than Apple would probably admit to and people using Paypal, and sometimes debit/checking cards like myself, are often left out of pocket when Paypal or the bank refuse to do anything and bounce them back to Apple.

Now, if you use a proper, secure password and your iTunes account gets compromised isn’t it down to Apple to do something about it as opposed to divert blame and continue with the status quo?

A quick update (23:30 14/12/08):

Checking my email after making this post, I notice another reply from Apple, again refusing to refund my money and advising me of the telephone numbers for Apple Corporate Security and Fraud dept should my legal people want to make a legal request to Apple for iTunes store records that might help identify the hacker. Tracking down the hacker isn’t my job, it’s the job your network/server security guys while your customer services department refunds my money…

A quick update (23:50 14/12/08):

Latest from Apple:

I need to inform you that Federal stipulates that your card issuer handles this case.
I do apologize Robert, but I and anyone else from iTunes, is unable to refund the purchases due to the Electronic Funds Transfer Act of 1978 Federal Law.

I sincerely hope that you are able to resolve this matter with the help of your financial institution.”Apple considers this issue resolved”.

Hmm…

First off my name isn’t Robert, secondly I am a UK citizen purchasing from the UK Apple Store.

According to the terms of sale posted at:

http://www.apple.com/legal/itunes/uk/sales.html

“All sales on the iTunes Store are governed by English law.”

US Federal law has no juristiction in this matter.

Under English law thay are bound to refund my money due to:

A) Distance Selling Regulations 2000
Which can be found here: http://www.opsi.gov.uk/si/si2000/20002334.htm

Apple may consider this matter over but it isn’t until both parties see it that way and I most certainly do not.

Quick Update (10:30AM 15/12/08):

Spoke to the bank fraud team this morning.
Guess what?
They say they can do nothing. If I go to my branch (just about to head down there) I can file a claim for a chargeback, ie the bank will contact Apple and ask for the money back as it was not authorised.
*IF* Apple returns the money to the bank the bank will return it to me.
Sent another email to Apple, informing them the bank can do nothing but doubt I’ll hear anything as they ignored the last one I sent…