I'm an Apple fan. I'm typing this on a Mac, we record my radio show on a Mac, and I sell both audio books and music via the iTunes Store. Apple does a lot of things right. Unfortunately, security of your personal information via iTunes isn't one of them.
Over the weekend, my iTunes account was hacked. I found this out when I noticed unauthorized charges for iTunes downloads on my bank statement.
When I got on iTunes to see what was going on, I couldn't get into my account. When I used iForgot to retrieve my info, I found out that not only had my password been changed, my Apple ID had been changed also. This made their automated password retrieval system useless.
You would think that Apple would let you know when a change is made to your account, especially your email address. That's a standard security measure, which most sites do. For some reason, Apple doesn't.
How easy is it to get your iTunes login info? Anybody with your email address, date of birth, and address can change your Apple ID information. And since, for me, that information is all over the place online, whether it be Wikipedia's entry about me or the contact page on any number of web sites I'm associated with, that's not hard to come by...
Think it can't happen to you? Apple security is so bad that a class action lawsuit has been filed, alleging it violates the Fair Credit Reporting Act (FCRA) by printing purchaser names, addresses, email addresses, and phone numbers on receipts.
Fortunately, I caught the problem early. After a couple of emails to Apple and a helpful phone conversation with somebody from Apple Cares named Edward, after about an hour of work and conversations with two additional departments, I was back in. It's worth noting though that Apple refused to refund charges, even when all evidence pointed to its lack of proper security as the cause of this incident. If this happens to you and you want your money back, you'll need to go to your credit card company and file a dispute.
SECURITY SUGGESTIONS FOR PEOPLE WITH AN ITUNES ACCOUNT:
1. Use a fake date of birth.
2. Remove your credit card from iTunes. If you need to buy something, you'll have to type it in each time, but this will save you considerable hassle should your account ever be compromised. Do a search for "itunes account was hacked" and you will see several stories of this happening to people.
3. Make the answer to your "Security Question" something that nobody will be able to guess.
Using a Mac or iPhone? 1Password is a great solution to the issue of online security. It can create strong, unique passwords for you as well as remember them. You simply remember a single, master password.
PC users, try RoboForm for a similar solution.
As many of the readers of this blog, like me, make money selling content via iTunes, I hope Apple will improve iTunes security and start doing a better job looking out for its customers. Not only is this a nuisance if it happens to you, it can also cause people to lose faith in iTunes and stop spending money there.
Hi
The exact same thing happened to me just last week. My account was hacked with the password and ID changed, I noticed that they also changed the correspondence email address so that any email receipts for purchases would not be sent to me. This meant that I only realised my account was hacked when I tried to access the a/c to upgrade an iPhone app and my original password was denied.
Like yourself, after a couple of emails with iTunes and some security questions (such as last few purchases) I managed to reset the password, get into the account and delete my credit card details. The problem for me though was that I was not able to revert back to my original email address and have had to set up another email address to log in with.
Again, I was also a strong advocate for Apple but this experience has left me a little sour. Apple were of little help via email and dialogue seemed quite standardised (Dear , etc) and I now am not sure whether to trust leaving my credit card details with them. The problem with this though is that it means I am obviously unable to purchase songs or apps via my phone but also means I can't upgrade apps I already own.
After looking into the problem online it does seem to be quite a common thing, with many noting that the hackers would buy £50/100 gift cards that would then be sold online half price. For me, I think that this is one of the causes of the hacks with the people who buy these 'cheap' gift cards contributing to the cycle. Although these offers seem too good to refuse, without the income from selling these cards, hacking into accounts would not be worthwhile as other purchases such as songs can only be used on up to 5 authorised accounts - putting possible organised gangs off.
Paul
Posted by: Paul | November 20, 2009 at 08:29 AM
And what gives you any certainty at all that 1Password cannot be hacked? If anything, there is a lot more bang for your buck for any hacker to get in there, providing additional incentive. Try again.
Posted by: Withheld for Security | November 22, 2009 at 08:05 AM
It's on a local machine, not a network, which helps security.
Could it be done? Yes. Anything can be hacked. But why spend a lot of time on it when you can hack Apple so easily?
Posted by: David Hooper | November 23, 2009 at 05:04 PM
Thanks for the info David! I'm starting a blog in the new year, with my name as URL, so this is a good tip. Tighten up certain private info as we push ourselves deeper into the public domain!
cheers,
Jamie Wilmott,
Vancouver, Canada
Posted by: Jamie | November 26, 2009 at 10:31 PM
I am sorry this happened to you David. I thank you for the info.
I hope you were able to get your money back from the bank. I know the banks will force iTunes to make changes. Banks do not want their customers dealing with companies that do not make refunds. I had purchased a download from a company and the item did not work. My bank took over the rest. I will not deal with that company again.
Paula
Posted by: Paula B. | December 01, 2009 at 10:37 AM
I didn't worry about the money, although a dispute with the credit card company would have handled it. Too much time investment though... :)
Posted by: David Hooper | December 01, 2009 at 12:44 PM
My account was also hacked and iTunes refuses to do anything about it. No less than seven e-mails with several different customer service reps. I begged them to call me or give me a phone number to call and they will not. Now they tell me I have to get a lawyer and police report and contact their legal department. I had to cancel my credit card and have my CC company charge back iTunes. A big hassle as that card was tied to other accounts I then had to change. There are now unauthorized orders on my account that have not been paid as I canceled the credit card. They have locked my account and will not open it until I pay for these unauthorized orders. They will not even cancel the orders. Without a doubt the worst customer service I have ever dealt with. There is an obvious security problem with iTunes as evidenced by this blog and a quick Google search reveals many others with this same type of problem. I just wish there was something the CC companies could do, because little guys like me stand no chance.
Posted by: Guy | December 29, 2009 at 10:21 PM
Hi,
The same thing happened to me today... I wanted to update a few apps on my iphone and the store wouldn't accept my username and password information. I also couldn't send my password to my account as my account username seemed to no longer exist. Seemed a bit strange, I thought, so I checked the forums online, which mentioned hacked accounts and credit card fraud.
I checked my bank account online and found that several purchases had been made, about $200 worth in total. I've cancelled the card with my bank, who will investigate the charges using their fraud department.
I also can't believe that Apple have such weak security measures.... even being notified of changes to accounts would limit this kind of activity. Do they really expect me to buy from them again in future?
Useless!
Posted by: Al | March 14, 2010 at 06:51 PM
The same thing happened to me, appears my account was compromised about a week ago (userID and password changed and then the charges started) and Apple's behavior has made the whole thing feel twice as bad.
Apple's business setup for this is horrendous. There is no phone number for iTunes account support - even though someone is stealing money from you through their system - you have to send an e-mail to them (probably so it can be handled cheaply in India or something) and can take a day or more to get a real response via e-mail (and someone is stealing from you during this time), then they say they can't reverse the charges or do anything besides locking down your account.
So, someone is stealing from you through Apple's system, you can only talk to Apple through email and then they say they can't do anything about it (other than lock down your account). You have to have your bank fight it out to get your money back, even though it's obvious someone hacked their system.
Yeah, I want to go put my financial information in their hands again, cause they know how to take care of their customers.
My userID was 25 characters long, unusual and the password was 7 characters long with letters and numbers and unusual as well. How did someone just guess that without locking out my account in 3 tries?
The answer is that nobody just guessed my ID and password, Apple's internal systems were obviously compromised.
Great blog entry and suggestions, I like Apple too, been an iTunes member from the beginning, but I have my doubts I'll reopen my iTunes account now because of how they handled this.
Just a note as far as changes to account stuff, these folks obviously have the UserID/Password (not banging away trying to figure them out), so they just go in and change the e-mail address first without changing anything else (now you no longer get notifications of account activity changes), then they can change userID and password without you knowing about it.
Posted by: Scott | March 26, 2010 at 05:10 PM
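The post's point that account changes should trigger a notification, and Scott's description of the sequence above (change the contact e-mail first so later alerts go to the attacker, then change the ID and password), both come down to one design question: where does the notification go, and who gets to approve the change? The following is an added example, not code from the blog or from Apple, of the defensive pattern a practitioner would want: an e-mail change is only staged until the OLD address confirms it, every sensitive change is reported to the address on file at the time, and the new address gets a notice it cannot act on. The in-memory `Account` store and the `Outbox` stub mailer are assumptions standing in for a real service.

```python
"""Account-change confirmation pattern (added example; hypothetical service)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CONFIRM_TTL_SECONDS = 3600  # a pending change expires after an hour


@dataclass
class Account:
    email: str
    # Pending e-mail change: only the old address can confirm it.
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None  # store a hash, never the raw token
    pending_expires: int = 0
    # Timeline of alerts the *owner's* current address has received.
    alerts: List[str] = field(default_factory=list)


class Outbox:
    """Stub mailer: records (recipient, subject, body) instead of sending."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str, str]] = []

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))

    def to(self, address: str) -> List[str]:
        """Subjects of every message delivered to one address."""
        return [s for (rcpt, s, _) in self.sent if rcpt == address]


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(acct: Account, new_email: str, mail: Outbox, now: int) -> str:
    """Stage an address change. The account's e-mail does NOT change yet.

    The confirmation token goes to the OLD address, so someone who merely holds
    the password cannot reroute receipts and alerts away from the owner.
    """
    token = secrets.token_urlsafe(24)
    acct.pending_email = new_email
    acct.pending_token_hash = _hash(token)
    acct.pending_expires = now + CONFIRM_TTL_SECONDS
    mail.send(acct.email, "Confirm e-mail change",
              f"A change to {new_email} was requested. Token: {token}")
    # The new address is informed but receives nothing that can approve the change.
    mail.send(new_email, "Address requested for an account",
              "You will be notified if the current owner confirms this change.")
    return token


def confirm_email_change(acct: Account, token: str, mail: Outbox, now: int) -> bool:
    """Apply the staged change only with a valid, unexpired token from the old address."""
    if acct.pending_token_hash is None or acct.pending_email is None:
        return False
    if now > acct.pending_expires:
        return False
    if not hmac.compare_digest(_hash(token), acct.pending_token_hash):
        return False
    old_email = acct.email
    acct.email = acct.pending_email
    acct.pending_email = acct.pending_token_hash = None
    # The old address is told the change went through, a last chance to react
    # if the confirmation itself was coerced or the mailbox was compromised.
    mail.send(old_email, "E-mail address changed",
              f"Your address is now {acct.email}. Contact support if this was not you.")
    return True


def change_password(acct: Account, mail: Outbox) -> None:
    """Any password change is reported to whatever address is on file right now.

    Because an unconfirmed e-mail change never takes effect, this alert still
    reaches the real owner in the sequence Scott describes.
    """
    mail.send(acct.email, "Password changed",
              "Your password was just changed. Contact support if this was not you.")


def takeover_attempt_alerts(owner_email: str, attacker_email: str, now: int = 1000) -> List[str]:
    """Replay the sequence from the comments against this design and return the
    alerts that land in the owner's mailbox (constructed scenario)."""
    acct = Account(email=owner_email)
    mail = Outbox()
    request_email_change(acct, attacker_email, mail, now)  # step 1: swap the contact address
    change_password(acct, mail)                             # step 2: change the password
    return mail.to(owner_email)


if __name__ == "__main__":
    for subject in takeover_attempt_alerts("owner@example.invalid", "other@example.invalid"):
        print(subject)
```

The two properties worth checking are that the address on file never changes without a token that only the old mailbox received, and that the password-change alert is delivered to the owner even after a change of address has been requested. Expiry and a constant-time token comparison are included so the confirmation step does not itself become a weak point.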
$471.00 for me today. They changed my user ID and took off from there. Apple should send a confirmation email about changing your ID (most companies do).
Posted by: Shawn | April 13, 2010 at 11:04 PM
Thankfully my bank realised something was amiss and cancelled my card. However, there is an outstanding balance on my account and I cannot remove payment information as a result.
So not only is the account insecure, I cannot remove my card details and my account is presumably authorised (I can't even check to see which computers are authorised).
Apple are scum. They've offered no help, and judging by this blog, they're going to try to force me to pay for the order that was fraudulently placed.
The more people that know about this the better and hopefully the evil megalomaniac that is Steve "I've had one idea in my life" Jobs will see the impact.
Time to change mp3 player.
Posted by: Rob | June 17, 2010 at 05:21 PM