Earlier today, TechCrunch posted a somewhat alarming story detailing how iTunes users were having their accounts drained by "fraudsters" via PayPal. A number of unlucky folks checking their iTunes accounts were dismayed to see exorbitant charges, and one user who called up PayPal to investigate was told that "a large number of iTunes Store accounts were compromised."
Relying on Twitter, TechCrunch noted that the problem appeared widespread and jumped to the premature conclusion that there was some sort of security hole in iTunes. "It seems like the problem is on the iTunes side", the report noted.
Naturally, this was cause for concern. After all, Steve Jobs has on more than one occasion touted the iOS platform to developers by highlighting that Apple has over 150 million credit cards on file. It goes without saying that a security hole in iTunes that might compromise those millions of accounts would be cause for grave concern.
But, alas, it turns out that the initial TechCrunch story was much ado about nothing. Well, let me clarify that. There was, in fact, a problem, but it was revealed shortly thereafter that the folks who saw their accounts drained were actually victims of a phishing scam. In other words, concerns over iTunes security were premature and unwarranted.
Citing sources close to Apple, John Paczkowski of All Things D writes that Apple is not aware of any iTunes security breach at all.
Not much to them, I’m told. Or, rather, not much to their assertion that Apple (AAPL) is at fault here. There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam–a variation on the one that’s been around for years now. Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions.
So there you have it. And for as much as people talk about security holes, exploitable code or what have you, it's important to remember that sometimes the most damage is done via good old-fashioned social engineering.
Lastly, PayPal reassured affected users that their accounts would not, in fact, be charged on account of fraudulent transactions.