Massachusetts Attorney General, Victim of iTunes Fraud

chicksdaddy writes "Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple's popular online music store. Coakley was herself a victim of identity theft in recent months, telling the audience that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by a Threatpost reporter) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, 201 CMR 17, Coakley said that her office would be looking into that question and demanding answers from Cupertino, which has steadfastly refused to respond to media requests regarding user reports about fraudulent iTunes purchases, and which has not reported the breaches to Massachusetts regulators."

Obviously

[Anonymous Coward]

Only now that she was affected does she look into it. It didn't matter that everyone else was.

Re:

[kimvette]

Don't forget: Coakley maintains "Technically it's not illegal to be illegal in Massachusetts"

She needs to be removed from office ASAP.

Re:

[geekoid]

oh please, an out of context statment? do you ahve any links to the actual discussion? becasue everything in goolg links to the quote with no context.

Assuming the IMPLIED context is correct*, then she made a correct statement regards MA law.

So in any case, you've been duped by a group of people who routinely take things out of context,, and then put them in the most controversial light.

*always a risky assumption

Re:

[davester666]

so it was a link to foxnews?

Re:

[SmurfButcher Bob]

Well, she has to make certain she wasn't holding the card wrong.

Re:

[OakDragon]

Also, someone is using her identity to run for U.S. Senate.

Re:

[Xacid]

If that's the case then I suppose I'll stop being okay with wars when I'm drafted into one then. Or have a bomb dropped on me.

Re:

[hey!]

OK, I'm a liberal, so I've can't let that pass. Liberals care about lots of things that don't affect them -- drowning polar bears, leaking nuclear waste a thousand years from now, educating the offspring of undocumented immigrants. Just don't ask us to do anything about them. We've signed the petition, so we've done our part.

I'll fight any injustice, so long as all I have to do is blog about it.

Re:

[msauve]

She has to look into it because iPods are scary. They have batteries and wires [wired.com] in them!

Could be the only way to get the law changed

[SleazyRidr]

Attack the Attornies General so they realise how the real world works and kick up enough stink to get the laws we need.

Federally preempted

[tepples]

As I understand it, state attorneys general have no influence over U.S. copyright, which is exclusively a federal issue.

Re:

[rhook]

Except for when such cases wind up in their states legal system.

Or. . .

[PeanutButterBreath]

. . .she will use her uncommon influence to resolve her own problem and thus conclude that the legal system works "as-is".

Re:

[TheGratefulNet]

same old same old.

laws that apply to regular people don't matter to those who have influence.

but once one of 'our' laws hits them, oh boy, fire and fury follows!

what a farce our 'justice' system is...

Re:

[SeeSp0tRun]

This has to be done very delicately. Pick the wrong fight, or from the wrong angle, and we all end up with mandatory keyloggers built into every OS.
It is as much a psychological puzzle as a moral fight.

Re:

[jdpars]

Kids these days. I blame the parents.

Re:

[cheater512]

Yeah. Who buys their daughter a $1,700 computer when a $400 one will more than suffice?

Re:

[firex726]

Just in time for the Mac Book Pro 2 next month. Man you really lucked out.

Re:

[wsxyz]

She's not supposed to take it into the shower, no matter what the pop-up says when the little green light above the screen comes on.

Re:

[wiedzmin]

She's not supposed to take it into the shower, no matter what the pop-up says when the little green light above the screen comes on.

I see what you did there. Trevor Harwell reference. Clever.

Re:

[sjames]

No matter what the pop-up says?

Re:

[voidptr]

There's no company on the planet that can guarantee they have a 0% mortality rate within the warranty period of something as complex as a modern laptop. That's why there's a warranty.

If you're aware of one that guarantees anything above and beyond replacement in the off chance you happen to be in the unlucky 1%, I'd love to know who it is.

Re:

[rhook]

There is a warranty because there are consumer protection laws requiring that there be one.

Re:

[msauve]

Uh, cite, please. I don't believe you're correct. The Magnuson-Moss warranty act simply says that if there is a warranty, the terms have to be clear. There are lots of things sold "as-is."

Re:

[Duradin]

My MBP is doing fine going on 5.5 years old now (as my primary computer). Anecdotal evidence is fun.

Re:

[manicb]

Mine still works after 500 years of use in sandstorms, acid rain and even deep space! Highly-recommended for time travellers. I'm hoping the next model is more Dalek-resistant though.

Re:

[wsxyz]

Extra Dalek resistance is part of the 3-year AppleCare Extension.
I bet you wish you'd bought that now.

Re:

[WCLPeter]

Yeah, here's my anecdotal evidence too!

My Mac Mini G4 has been running almost non-stop since 2005 when it replaced my K6-2 - 500 [wikipedia.org]. The Mini remained my primary computer until I bought a 24" iMac after the spring 2009 refresh. The Mini is whisper quiet (so is the iMac) and is currently sitting in the other room churning out work units for Rosetta@home [bakerlab.org] and the World Community Grid [worldcommunitygrid.org], two distributed computing projects that strive to find cures for various diseases and model different energy and water usage pat

Re:

[Lord_Jeremy]

Yeah I've got a Mini G4 for a web host and a Power Mac G4 serving up files. My work laptop is an almost four year old MacBook Pro. Unfortunately my experience with more recently Apple hardware has been less than stellar.

Re:

[Dunbal]

it comes with a free 12 month warranty. But oh no, whine about it on the internet instead. Asshole.

I'm not whining - it's not my computer. I build my own systems and they are rock solid. As for my daughter, well, she's 20 and can deal with the consequences of her decisions.

Re:

[CapuchinSeven]

ha, that's comical. So wait wait... your systems are rock solid, so you build your own laptops do you? You mean to tell me that if you bought RAM from a company and that RAM was faulty, some how, SOME how your system wouldn't be effected, because you build rock solid systems, some how RAM becomes magical in your hands and becomes fail proof, SOME how you can assure 100% that nothing in your machines will ever fail? Oh wait wait, YOU must design and build your own memory. Shut the fuck up, she''ll take l

Re:

[Dunbal]

Er no, I have a desktop. I only use my laptop when I travel which is not often. I haven't had a bad RAM chip in years - I research the companies I buy from. Your argument is pathetic. You must be an Apple user.

Re:

[CapuchinSeven]

Hey now, don't cut yourself short here. It's not the research it's your magic powers that somehow enable you to bless HDD's to give them a 100% never fail rate. It's either that, or your "research" managed to find you a company that will, 100% assure that they don't need a warranty because their products never, EVER fail so no warranty is needed. News flash dumb ass, sometimes even new things go wrong, that's why we have warranties and companies don't employ you to sit at the end of their manufacture lin

Re:

[rhook]

To quote Steve Jobs "You're holding it wrong".

What was her password?

[swebster]

She should post the password she used so we can tell if it was likely to be a brute force type attack.

Re:

[corbettw]

Not that it'll help, all we'll see will be asterisks. Like my password on iTunes is ********, and my Slashdot password is ********.

Re:

[swebster]

hunter2

doesnt look like stars to me

Re:

[pjfontillas]

That's because it's your password. To me it looks like ******* but to you it's hunter2.

This isn't going to end well.

[PeanutButterBreath]

Some day she is going to find herself wishing that she just admitted to her IT guy that she likes the Jonas Brothers and downloaded those tracks herself rather than letting this fraud story spiral out of control.

Re:

[TheCouchPotatoFamine]

that really stretches things.. really, if you don't have anything original to troll about, maybe give it rest?

Im confused

[Altus]

I could see, if her identity was stolen from the records that apple has, how the new laws would apply to Apple. But her identity was stolen from elsewhere and then her credit card used to purchase stuff from Apple. I can't really see how Apple has anything to do with it. Would you go after Shell if someone used a stolen card to buy some gas?

Sure, dell stopped the purchase of a multi hundred dollar computer, but should Apple have to check ever 99 cent transaction? I don't even have to sign receipts most places if the total is under 20 bucks. If she canceled the card, isn't that her banks fault?

The data breach laws seem like a good thing, its important that Apple and others protect information about their customers against theft, but her identity was stolen during a ski trip to New Hampshire. That doesn't seem like it has anything to do at all with Apple or iTunes.

Re:

[terraformer]

You are not confused. The AG is. You are actually right that this fraud doesn't involve apple at all. But that won't matter.

The reporter is confused.

[PeanutButterBreath]

The reporter posed a non-sequitur question, to which the AG provided a boilerplate "uh, we'll probably be looking in to that" response.

Re:

[Macgrrl]

You are not confused. The anti-Apple Slashdot trolls are. You are actually right that this fraud doesn't involve apple at all. But that won't matter.

FTFY :)

Re:Im confused

[oboylet]

This happened to me as well. A series of mysterious iTunes charges popped up all over my CC statement, totaling hundreds of dollars. The charges all show up as "1800-APPLE-XYZ" or some such. Call up that number, and there's a recording that refers you to itunes.com/cc (or whatever). On that site, it refers you to the useless 1800 number. When I contacted my credit card's fraud hotline they said they had been having all sorts of problems with fraudulent charges at iTunes. Mysterious charges, and they (Chase) could get no answers from Apple. Since Apple wouldn't reverse the charges, I had to file a fraud claim, and get a new card. A big hassle for me. By the way, this was in the Spring of 2010. IANAL, but if there is a history of fraudulent activity and the vendor has ignored it, then yes, I'd say they have some responsibility "to check every 99 cent transaction."

Re:

[whoever57]

This happened to me as well. A series of mysterious iTunes charges popped up all over my CC statement, totaling hundreds of dollars.

You think that's a large fraudulent charge? Last month, my credit card got hit for not one, but 3 charges of $1030 each, plus the credit card's foreign exchange fees. Over $3200 in total. All three charges came from a caribbean airline.

Re:

[Fear the Clam]

That happened to me after I got back from a vacation and I suddenly understood why the guy who swiped my card at the gas station "had" to use a new reader.

Funnily enough, the credit card statement not only had plane tickets on there, but also the names of the people for whom they had been issued. I did a quick search for the names in the same state as the departing airport and found their address.

If I were more of an Internet tough guy I would have called them and told them that I knew where they lived and

Re:

[slimjim8094]

Same with me, except that they did reverse the charges when I emailed them. They even found one that hadn't posted yet and reversed that. I have no complaints about how they handled it - they sent me a lengthy email with a ton of details - the accounts using my card, the email addresses used (a few; variations of my name @ovi.com), all of which I passed on to my bank.

They were fast - after spending $160 at iTunes, they spent $380 at FedEx in 12 charges of about $30. I checked my statement the next day by lu

Re:

[Lord_Jeremy]

Hah. So true. I had thought that credit card purchases were reasonably secure, until I was hired to write drivers for a credit card swiper. I've been told by people who know more about the system than I do that there's a whole criminal business of generating random credit card numbers. When working numbers are found, dozens of counterfeit plastic cards are run off with that number and sold to people who want to use them at stores.

Re:

[geekoid]

Apple is supposed to report fraud complaints. They refuse to do so.

Re:

[Altus]

that may or may not be true, but it has absolutely nothing to do with the story of what happened to her particular credit card, which is what the article is about.

Re:

[Altus]

In this case it was a debit card, which comes with far less protection than a credit card. One of the reasons I hate them, but none of my banks will give me an ATM card that is not also a debit card so I guess I'm stuck.

Re:

[sabt-pestnu]

Not so much stuck, as failing in imagination.

Plan 1) create a new account with your bank. Get a card on it, but make sure that "overdraft protection" is revoked. Limit the funds in the account. Transfer new funds as necessary via secure method (say, live teller). Strictly audit the account so you don't get denial charges. Promptly report any fraudulent activity.

Plan 2) get a disposable or one-use credit card. Repeat as necessary. Best you look those up yourself than rely on me, as I don't hold with c

Re:

[Altus]

I basically already do that, but the amount I could loose from the checking account if I lost the card is kind of high. On the other hand, if I kept less money in there, I would be spending more time shuffling money around. I have chosen my level of risk vs my level of convenience, but I would rather not have too.

All of this could be solved with a simple ATM card that is not a debit card. I don't need a debit card, I have credit cards for purchases where cash is not practical. Certainly for some people

Re:

[sabt-pestnu]

So... a bank card that worked in ATM machines, but did not work for POS purchases? Your bank was not able to offer a solution to this that worked for you?

Re:

[wsxyz]

Using a stolen credit card to fraudulently set up a fake account on iTunes should have been detected by Apple, when name and address verification failed on the new account when compared to the credit card.

Why assume that name and address verification failed?

Does it even fall under the data breach laws?

[Richard_at_work]

Apple maintain the position that it is end users that are being compromised, and not their servers - so why should they need to report anything if there is no evidence to the contrary?

Breach by Apple???

[superdave80]

...her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino,...

Huh? How is this a 'breach' by Apple? Her credit card was stolen by somebody, and then used to buy something from iTunes. Apple wasn't hacked into; they processed what looked to be a valid credit card transaction.

unavoidable

[Device666]

The problem for apple is that because it has become such a popular provider of these services, at some point some powerful people get the same problems as everyone else, and then it's a problem. But no matter how politically incorrect that may be, it's is plain stupid of Apple to be totally ignorant on Murphy's law. That lawyer might just know how to peel an Apple... And if he doesn't then someone else might. So let's all wait for the inevitable. I think this whole Itunes problem is clearly something Apple

Re:

[Macgrrl]

I see a flaw with your theory. It involves common sense. Which we all know is rarer than kryptonite both here on /. and in the wider world.

The Apple fan boi

[geekoid]

and apologists are out early.

"Informed of the well documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn't aware of the larger pattern, but that it could be a reportable offense under the State's data privacy law. She promised her office would be contacting Apple for more information that very afternoon - a statement that received hearty applause from the audience."

Apple is being compromised, Apple hasn't reported as required.

Apple seems to be in the wrong here in that the have violated MA privacy laws.

Re:

[BrianRoach]

Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General's account.

You may be considering learning to read.

Re:

[tlhIngan]

Apple is being compromised, Apple hasn't reported as required.

[citation needed]

Apple being compromised would be a big deal, as it would basically reveal probably 200+M accounts and credit card details. That's a huge breach, probably the largest to date, outdoing Sony.

Problem is, is it true? Or is it because almost everyone has an account with Apple that there will always be some group compromised?

And there are people who find iTunes charges without ever using iTunes Store or buying a single thing at Apple.

Re:

[UnknowingFool]

And the Apple haters can't bother to read the article or even the summary. The AG card's was stolen. Would it be any different if her stolen card was used to buy Amazon MP3s? What you are interjecting are rumors that there might be an iTunes breach; however, there isn't any evidence that it is a breach. Judged by the relatively small numbers, it may be a case of easily guessed passwords or compromised username/password info when people use the same ones for multiple sites.

Re:

[UnknowingFool]

If you read the summary, the AG's iTunes account wasn't compromised; her credit card info was.

Re:

[guruevi]

People use way too simple passwords too. I was recently informed that one of my passwords was too simple (although it's 8 characters long and I thought pretty unique).

They had took their own password database to analyze it (the passwords were encrypted) as well as a multi-lingual dictionary and fed it into a GPU system. In a few seconds they had cracked all the standard dictionary words for about 300,000 passwords. They then went through all the combinations and variations (1337 speak etc.) of their diction

Sounds like a bad law

[chrismcb]

The issue really isn't about Apple (from what I can tell) Really the issue is how bad this law is.

From TFA:

"the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data" that creates a "substantial risk of identity theft or fraud against a resident of the commonwealth"

So it sounds like, if someone steals a credit card. Then uses it to purchase an item from a store. The store is supposed to report this "unauthorized use." How is the store supposed to know the transaction is not authorized?

Seems like a pretty dumb law to me.

Am I missing something?

[Internetuser1248]

Why would anyone steal credit card details, and then use them to buy mp3s? It boggles the mind, given that mp3s are so much easier to steal and harder to trace. It would lead me to a conspiracy theory if it weren't for the fact that I really don't care enough about the issue to waste my time thinking one up.

Re:

[tlhIngan]

Why would anyone steal credit card details, and then use them to buy mp3s? It boggles the mind, given that mp3s are so much easier to steal and harder to trace. It would lead me to a conspiracy theory if it weren't for the fact that I really don't care enough about the issue to waste my time thinking one up.

Easy, to test credit cards.

Say you've just broken into a CC processor and gotten a list of names, addresses, CC numbers and CVV codes. You need to find out if those numbers are working, and the easiest w

It would be cool if

[hesaigo999ca]

This story lets me in on some idea...It would be cool if a big official judge or senator were to have some illegal copyright music on their machine and get nabbed by the RIAA, and wanting to make an example of them just like they did that grandmother, and let that judge or senator be the victim of the RIAA's witch hunt, and bring about change to their practices....the latest I saw was a guy being charged 600k for songs....until it happens to an official, they do what they want...guaranteed that a judge or s

Stolen credit card?

[Relayman]

In other news, a stolen credit card was used to buy a new car today. The car dealer is under investigation for allowing it to happen...