
Watch Out For Fraudulent iTunes Purchases, Whether You Have An iTunes Account Or Not


MyFox New York notes that some people are being hit with fraudulent charges on their bank accounts from the iTunes Music Store, or in some cases from a fake iTunes store. Earlier this month, a reader wrote to us with a similar complaint:

I woke up this morning to an email stating I had made two $50 gift card purchases [on iTunes Music Store]. I contacted my bank and apple, then did a google search and found that many others had the same thing happen to them.

Over on GetSatisfaction, there's a long thread about fraudulent iTunes charges, but no clear answer about what's going on. In fact, some people seem to be getting hit with charges on their credit cards from a fake APL*ITUNES business even if they don't have iTunes accounts, while others who do have iTunes accounts receive receipts via email for real gift card purchases that they didn't make.

One person says his bank told him that it's become a common enough fraud attempt for them that they flag all iTunes purchases. He's in Australia, but the complaints on GetSatisfaction are from customers around the world.

I'm from Australia and received a call today from my bank asking if I had made a $1.00 purchase with Apl Itunes with my card. When I said no, she said she would immediately decline the charge and said that I should also immediately cancel my card. She further said that there is an organized crime element that make $1.00 purchases on Apl Itunes with fraudulently obtained card numbers. If the charge isn't disputed by the cardholder then the criminals "get to work" making bigger purchases with the card number. Apparently it has become such a big problem my Bank specifically filter out all $1.00 card transactions for Apl Itunes and contact the cardholder within a few hours.

Here's another person's story from last summer:

Chalk me up as another victim. Haven't used my iTunes account to ever purchase. I set it up with a new iPod 3 years ago. I had 4 charges, $103, $103, $51.50 and $51.50, all for "APL*ITUNES" and the 800 number, which when you call is just the recording.

I called my bank and canceled the card. Can't dispute as it's still pending. I also called the real Apple number. The CSR reported that my card had been used to purchase 4 gift cards and then provided me with the email address they were sent to which is not my email address. My Card number was not stored in the apple store so how they got it baffles me.

Here's the Fox news story. Fox points out that nobody really knows who's behind the charges or how to stop them. Our advice is the same as ever: monitor your accounts closely, and when you see a suspicious charge call your bank immediately to dispute it, and to initiate anti-fraud measures if necessary.

(You can read the transcript of the video segment at the link below.)

"Scammers Use iTunes to Drain Bank Accounts?" [MyFox New York]
"Apl.itunes has taken money from my account and I never ordered anything." [GetSatisfaction] (Thanks to db!)


Comments:

33
user-pic

Oh noez! They're on to me!

user-pic

I had this happen to me a bit over a month ago. Luckily, I caught it while it was still the $1.00 pre-authorization. There were a couple other charges too. Luckily, B of A was pretty helpful in getting a new account.


I think I'll go check that one too now...

user-pic

I just checked and I have a few charges from this. Thank you for running this story. I buy songs on Itunes frequently so I guess when I see a small charge from them I figure, I just purchased a few songs......

user-pic

Any idea where the scumbags are getting the cc#s from?

user-pic

This happened to me, too. I had a few strange charges on a WaMu account that is relatively new and rarely used for debit card purchases. They called me after being alerted to suspicious activity, 2 of the 4 being iTunes for $1 each. They cancelled my card immediately and only one of those pending charges ever made its way to my account, which is being disputed. The WaMu fraud department suspected whoever did it was randomly generating credit card numbers until they found one that hit.

user-pic

Thanks, now I'm all paranoid because there's a $1.00 pending charge and I don't know what it is through online access, seeing as it's just "pending"...

user-pic

@drjayphd: Call your bank and ask, just to be safe.

user-pic

It seems like there are a lot of fraudulent charges using online 3rd parties as a cover. I had a card reissued to me last week b/c of a similar thing, only "skype.com".

user-pic

haha, how funny i'm in the report and didn't get to see it cause i'm in los angeles, ca. glad to see you have it!

i'm glad to see you guys are reporting it.
i sent that email the day i found out.
i actually hit all the blogs trying to get someone to post it for everyone to know about it.

i really hope that this helps get apple on the ball with this instead of telling people TOUGH

user-pic

I had this happen to me in the last 2 months, to the tune of $500 in fraudulent charges. Wamu was ill prepared to deal with it and I've been fighting with them since. These thieves use iTunes $1.00 charges as an electronic form of phishing - i.e. if the charge goes through, they know it is a valid credit card number that they can charge for larger amounts. Many retailers and utilities use the "tester" $1.00 charge to verify they can charge your acct and these assholes prey on your complacency.

user-pic

This happened to me some time ago - thankfully my CC company caught it quickly. The fraud department explained the same thing that TF above talked about. They use something like iTunes where they can charge a small amount to see if the card is usable or not. For whatever reason they tried this several times in a row on my card (which now has a different number, naturally) and that's why it was flagged.

user-pic

Same thing happened to us a few months ago. Our credit card company caught it before we even did. There were 3 $50 charges for "Yahoo Voice" within a few hours which is what threw up a flag at Wells Fargo. There was also a $1 charge for iTunes store.

user-pic

What I SUSPECT might be going on is that they are using the very high volume of iTunes to run test probes of randomly generated card numbers.

Card numbers are NOT uniformly and evenly distributed in the number space. They are bunched up in groups based on issuing bank. Once the scammers have a FEW card numbers, they can figure out a lot more most likely valid numbers.

They don't have the 3 digit verification number. So there's still some random guessing going on. But we're talking about software most likely running on big botnets making tens of thousands of purchase attempts a minute on a web site that gets tens of thousands of real purchases a minute. One in a thousand goes through.

Cha-ching! Now they have ANOTHER valid number WITH 3-digit validation. It might seem like a low success rate. But that's potentially 10 WORKING card numbers every minute. That's several thousand a day. These are cards that can either be used NOW for big ticket items somewhere, or sold in bulk to other criminals without the computer smarts to generate them.

user-pic

Wow! Apple and bad news in the same sentence. Amazing.

user-pic

Skaperen : [[ Card numbers are NOT uniformly and evenly distributed in the number space. They are bunched up in groups based on issuing bank. Once the scammers have a FEW card numbers, they can figure out a lot more most likely valid numbers. ]]

It's worse than you think - if you know it's a Visa card issued by bank X, you then know the first 6 digits and most receipts print the last four digits anyway (including the all important check digit). That reduces the number of possible card numbers to 100,000 to test (if you know the last four digits of an HSBC Bank Nevada, NA card then - if you use the check digit validation - you've only got 1,000 possible card numbers to test).

user-pic

I have a Japanese iTunes account that has never so much as seen a CC (iTunes wouldn't let me put a non-Japan CC on the account due to some stupid licensing restrictions). I should be in the clear, right?

user-pic

This happened to me. $300 worth of gift cards. Apple did not provide me an e-mail address in which to pursue criminal charges against the person. I changed my apple account password, other passwords, and got a new credit card.

user-pic

I think they are or were also using skype to see if cards were working, At least that was my experience.

user-pic

There are actually several Steps To Scammer Profit (R) at work here:

1. Use iTunes to ensure stolen numbers they bought are legit (the $1.00 "test charges").

2. Use iTunes to make larger purchases to see if the card holder is paying attention or if they hit a credit limit (meaning minimal clearance, thus lesser value).

3. Run up the cards.

4. Resell those "test" iTunes authorizations on message boards for a little extra gravy on their turkey.

What it all means is Apple has their iTunes account and IP address monitoring set too lax to head this off. A simple "5 bad credit charge attempts and you're out" policy per account would probably go a long way to preventing these shenanigans...
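The lockout policy suggested in the comment above, sketched as an added example (not part of the original post or its comments, and not Apple's code). The class name, the one-hour window and the sample events are assumptions constructed for illustration; the threshold of 5 comes from the comment.

```python
from collections import defaultdict, deque

MAX_DECLINES = 5        # threshold taken from the comment's "5 bad attempts" policy
WINDOW_SECONDS = 3600   # assumed look-back window; not specified on the page


class CardTestingGuard:
    """Locks out an account or source IP after repeated declined charges."""

    def __init__(self, max_declines=MAX_DECLINES, window=WINDOW_SECONDS):
        self.max_declines = max_declines
        self.window = window
        self.declines = defaultdict(deque)  # key -> timestamps of recent declines
        self.blocked = set()

    def attempt(self, ts, account, ip, processor_approves):
        """Gate one charge; processor_approves stands in for the processor's answer."""
        keys = (("account", account), ("ip", ip))
        if any(k in self.blocked for k in keys):
            return "blocked"  # refused locally; the card never reaches the processor
        if processor_approves:
            return "approved"
        for key in keys:
            recent = self.declines[key]
            recent.append(ts)
            while ts - recent[0] > self.window:  # drop declines outside the window
                recent.popleft()
            if len(recent) >= self.max_declines:
                self.blocked.add(key)
        return "declined"


# Constructed sample events: (seconds, account, source IP, processor approves?)
SAMPLE = [(t, "acct-a", "203.0.113.7", False) for t in range(0, 50, 10)] + [
    (50, "acct-a", "203.0.113.7", True),     # locked: a working card is never tried
    (60, "acct-b", "203.0.113.7", True),     # fresh account, same IP: still locked
    (70, "acct-c", "198.51.100.20", False),  # ordinary customer mistypes once
    (80, "acct-c", "198.51.100.20", True),   # and then succeeds
]


def run_sample(events=SAMPLE):
    guard = CardTestingGuard()
    return [guard.attempt(*event) for event in events]
```

Keying the counter on the source IP as well as the account is what stops a tester from simply opening a new account after each lockout.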

user-pic

@jamar0303: Not necessarily. It happened to me, and I don't even have an iTunes account.

user-pic

Just had to cancel my card because of this, and it was easy to catch because I hardly use the card. I suspected it was randomly guessed.

Oh, and anyone who has e-mail notifications, turn them on. Make sure you get an e-mail for every on-line purchase. That's how I caught mine within an hour of the $1.00 test charge showing up.

user-pic

Our household had to cancel a credit and a debit card within the last couple of weeks because of fraudulent APL ITUNES "Pending" $1.00 charges that we found when we checked our accounts online. Neither of us has an ITUNES account so this was pretty easy to spot. Neither of the card issuers raised a peep in warning or seemed terribly surprised when we called to cancel the cards.

One of my coworkers told me that he recently had over $400 siphoned out of his debit card account this way--when the initial $1.00 charges went through, then the account was used to purchase stereo equipment.

user-pic

About 2 months ago, i got a $1.00 charge for Napster UK. I'm in NJ. I had the card cancelled and got a new one. I think that that's absolutely right about the pre-charging to see if it was valid.

user-pic

Yeeks. Thanks for posting this. As soon as I get home I'll check mine. (Can't check it here because my bank site is blocked at work.)

user-pic

This happened to me, too, except that the criminals involved didn't purchase anything for themselves. They purchased plenty for me!

I saw the iTunes charge in my pending purchases and was perplexed, since I had never made an actual purchase via iTunes before. Naive as I was, I thought very little of it... until a few days later, when several acai berry pill charges and "govtfundedgrant" charges appeared in my pending purchases, with a combined total of about $65. I had to stamp "Return To Sender" on three or four unwanted packages, change my debit card number, and wait around for just under a month before everything was resolved.

I wondered how I could have slipped and fell victim to fraudulence, but thanks to my fellow Consumerists, I have additional knowledge on the situation. Fantastic.

user-pic

@OmniZero: My CC company also didn't bother to pursue the fictitious charge against a spoofed company (skype in my case).
Email addresses can easily be created, so it's cheaper for them to simply reverse charges and print you out a new card.
I don't blame skype or Apple, it's a cost/benefit thing from their end. So long as the evil-doers aren't making the $$$, I'm okay with that.

user-pic

Is it me or not: isn't it impossible to actually purchase gift cards at Itunes without an ITunes account? Then they should be able to figure out the account ship to address which bought the cards.


I remember my spouse trying to buy a couple of iTunes gift cards to be sent to a relative and you had to sign up for an iTunes account plus download all of their software. As she didn't want to do this, she had to go to a brick-and-mortar store to buy the cards and send them via stamp mail to the relative. I researched it and it seemed that Apple/iTunes got rid of the no-account purchase ability around 2006(?).

user-pic

a similar thing happened to us last month. someone got our CC # and charged $10K to "Yahoo Marketing" in $500 chunks. my wife noticed the first one on our on-line statement and called CitiBank who shut them down before the other charges cleared.

user-pic

@Shoelace: Probably another compromised processor.

user-pic

Heartland credit card processing was hacked late last year and hundreds of thousands of accounts were compromised. The hackers sold the info and many test charges were made to see if the info was good. Anytime I see an iTunes charge for 1.00 I know they've got my account details and need to cancel the card and get a replacement. It's happened 3 times now.

user-pic

I had an iTunes charge for $1 and a bunch of acaiburn, ultragreen, and netdetective things sent to me just a few days ago. I had to dispute the charges, send all the packages back. I hear that affiliate fraud is big where they get commission for selling items. They buy them with your stolen credit card and get commission for your fraudulent purchases.

I didn't get why they would buy stuff and send it to me....but the affiliate fraud made the most sense to me. This was my debit card, I am very careful and don't use it online so it freaks me out how someone got hold of it.

user-pic

@jamar0303:

Same here. I'm one of the few who can't stand paying for overhyped Apple products. Never had an iPod, or an iTunes account. I got hit with a $25 charge last November, disputed it, then got hit with another one in December. I had to get a new credit card #. What a pain having to rememorize it.

user-pic

All of these problems can be solved if all merchants always verify addresses on file before allowing the transactions to go through. This MUST become the credit processing industry standard for crying out loud. Double verify address, do not allow shipping address feature, force entry of those card id#. Are you saying Apple does not verify your billing address before processing the transactions? I thought this was already credit processing industry standard of actually verifying billing address?