Music lovers take note: If you use iTunes, pay attention to your e-mail receipts and bank records. Users of the popular online music store have complained of unauthorized charges for songs, movies, games and apps.
The charges, some of which may have come through phishing scams, drew heightened attention in August when customers reported on social networking sites that they saw hundreds and, in a few cases, thousands of dollars worth of items they didn't buy show up on their accounts.
The issue has dogged some of iTunes' 160 million worldwide customers for more than a year.
Among the victims is Edward van Eckert, who said that more than $2,000 in unauthorized iTunes charges were billed in August to his PayPal account, which is funded by a checking account. Other customers of iTunes and PayPal reported similar fraud.
For van Eckert, the charges began on a Sunday night and stopped when he got his bank to unlink the accounts early the next morning. Van Eckert said he lost access to his Gmail account for two days and that perhaps his accounts were tapped during that period. "That's the only breach I've been exposed to. I don't think I got caught on phishing.
"It was the frustration of seeing someone was stealing in my name and I was unable to notify anyone to put a stop in place," said van Eckert, 50, of Metuchen, N.J., who has since gotten a refund.
While iTunes acknowledged that some users have been the victims of identity theft and credit card fraud, Apple spokesman Jason Roth declined to comment on how often it happens or how much money has been involved.
No culprit emerged after the batch of cases in August, and it's not clear how the thieves profited.
One possibility is that they received a commission or kickback for every sale. In July, Apple said 400 customers were hit with bogus charges in a hacking scam involving an app developer. The thieves may also have sold passwords to others who downloaded items for their use, said Clifford Neuman, the director of the University of Southern California's Center for Computer Systems Security.
"They might just want the music, but there's only so much music one person can get or needs," Neuman said. "Usually there's some desire to get the funds into the account of the attacker rather than just steal the contents."
PayPal, iTunes: Don't blame us
After the August complaints, Michael Barrett, PayPal's chief information security officer, wrote a company blog post on Aug. 25, saying that neither the PayPal nor the iTunes system had been compromised.
"We've looked into this extensively," he wrote, "and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account."
PayPal did not say how many customers were hurt or how badly. Spokeswoman Sara Gorman said the company had no comment beyond Barrett's post.
Roth said the iTunes server wasn't hacked either.
"They're trying to say the vulnerability is not in our system, but what is happening is that whoever is doing this is compromising individual users' accounts through failures of those individuals," said USC's Neuman.
PayPal said it will help its burned customers get their money back.
"If a criminal gains unauthorized access to your PayPal account, PayPal will cover you for the full amount of unauthorized transactions," Barrett wrote.
Roth, at Apple, said the first step is to contact your bank, which should decide if the account needs to be closed.
"We're always working to enhance account security for iTunes users," Roth said in an e-mail. "If your credit card or iTunes password is stolen and used on iTunes you should contact your financial institution about charge-backs for any unauthorized purchases, and be sure to change your iTunes password right away."
Because there was no wholesale breach, Neuman said, the most likely scenario was a phishing attack.
In such attacks, hackers spam potential victims, trying to get them to click on links in e-mails that take them to lookalike -- but fake -- websites, where they are asked to enter personal information.
"It's essentially handing the iTunes password to a phisher, who can then log into iTunes and make purchases," Neuman said.
To stay secure, avoid clicking on links in e-mails, Neuman said. Instead, go directly to a site to log in. Barrett offered the same advice, "even if the e-mail looks like it's from your bank, an e-commerce site, the IRS or popular sites like PayPal."
Both also recommended having strong passwords -- a combination of upper and lowercase letters, numbers and symbols. Protect your computer by having a modern operating system with an updated browser that blocks fraudulent sites, as well as anti-virus protection, Barrett said.
Van Eckert urged consumers to use an up-to-date e-mail address and a credit card with a low limit, rather than a checking account, when making online purchases.
"It just happened to be on my main e-mail account," he said. If it had been the account where he routed junk mail, "a month could have gone by, or I could have found out when checks started bouncing."