Professional Services from Professional Techs

Kim Boatman's Article on iTunes Hacking

Many thanks to Kim Boatman for including my thoughts on iTunes hacking and account protection.

Is Your iTunes Account Vulnerable?

By Kim Boatman

When unauthorized charges for iTunes downloads showed up on his bank statement, David Hooper knew something wasn’t right.

He immediately tried to check his iTunes account, but the music-industry marketing expert found both his password and his Apple ID had been changed. His iTunes account had been hacked. Hooper worked with Apple personnel to restore access to his account, although Apple refused to refund the charges.

The latest scams from cybercriminals are anything but sweet music. As always, hackers follow popular culture trends. With the explosion in popularity of the iTunes store and its multitude of applications and music downloads, the bad guys have started targeting iTunes users and their accounts.

How iTunes Could Be Hacked
The iTunes target may be relatively new, but the tactics used by hackers are quite familiar. “Hacking an iTunes account is not an easy thing to do,” says Bob Williams, a security expert who runs The Binary Guys IT consulting firm in Hamilton, Ontario. “For the most part, it is because the iTunes ID and password must be compromised in some way.”

Hackers can obtain the information through keylogging, in which a malicious program records every keystroke and harvests sensitive information such as passwords and credit card numbers. But in many cases, iTunes users are simply handing over the information themselves by falling victim to old-fashioned phishing scams.

Recent identity theft scams use an email carrying a fake iTunes account statement to lure victims to a website that asks for your credit card number, Social Security number, mother’s maiden name and other critical information used to establish identity. Phishing scams might also ask for your account information by offering deals on bogus iTunes gift cards.

Williams cautions that a recent Mozilla Firefox browser extension, Firesheep, which can intercept unencrypted web traffic from certain websites, might be used to read login credentials on iTunes.

How to Protect Your iTunes Account
You should protect your iTunes information the same way you protect any other sensitive personal information online, says Steve Santorelli, a former Scotland Yard computer-crime detective who now works as director of global outreach for Team Cymru, a nonprofit Internet security research group. These steps should help keep your account secure:

  • Use strong antivirus software. Install and regularly update security software that protects against viruses and other malicious code. Also, regularly install updates to all components, such as your operating system and Adobe software, notes Santorelli. “This might help hinder criminals who try to install keylogger code on your machine to harvest your usernames and passwords for online accounts like iTunes.”
  • Review billing statements. Pay attention to charges posted to your accounts and review them often. Hooper’s vigilance helped him stop the criminal activity on his account.
  • Practice smart password usage. “Change your password regularly, make it very hard to guess and don’t reuse it with other sites,” advises Santorelli. “Or at least have a different password for financial accounts, email accounts and social networking accounts.” Hooper suggests using password management software, which generates stored passwords and manages your secure login to online accounts.
  • Don’t fall for phishing scams. Recognize that legitimate companies won’t ask for your personal information through emails. Special offers and amazing deals online may be efforts to acquire your personal information, cautions Santorelli.
  • Look for the https. When you open a site where you’ll be using a login, make sure the browser shows “https” rather than “http,” Williams suggests. “You should see the yellow lock at the right of the address bar,” he explains. “If it is not there, you must add the ‘https’ yourself. Once you have done that, then a secure login can take place.” Also, make sure you log out when you are finished on iTunes and other secure sites. “Most Internet browsers have a feature that will hold your login credentials available for a new session if you don’t log out. This leaves your iTunes account ready to open if you pass your computer over to someone else to share.”

Lastly, Hooper suggests segregating iTunes management. For instance, he dedicates an email address just for use with his iTunes account and uses a different birth date in the iTunes system. “Fortunately, I caught the problem early,” Hooper says.

Kim Boatman is a journalist based in Silicon Valley, Calif. She writes frequently about personal technology and security. She spent more than 15 years writing about a variety of topics for the San Jose Mercury News.