Massachusetts Attorney General, Victim of iTunes Fraud

chicksdaddy writes "Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple's popular online music store. Coakley was herself a victim of identity theft in recent months, telling the audience that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by a Threatpost reporter) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, 201 CMR 17, Coakley said that her office would be looking into that question and demanding answers from Cupertino, which has steadfastly refused to respond to media requests regarding user reports about fraudulent iTunes purchases, and which has not reported the breaches to Massachusetts regulators."

Obviously

Only now that she was affected does she look into it. It didn't matter that everyone else was.

Re:Obviously

[kimvette]

Don't forget: Coakley maintains "Technically it's not illegal to be illegal in Massachusetts"

She needs to be removed from office ASAP.

Re:Obviously

[geekoid]

oh please, an out of context statment? do you ahve any links to the actual discussion? becasue everything in goolg links to the quote with no context.

Assuming the IMPLIED context is correct*, then she made a correct statement regards MA law.

So in any case, you've been duped by a group of people who routinely take things out of context,, and then put them in the most controversial light.

*always a risky assumption

Re:Obviously

[SmurfButcher+Bob]

Well, she has to make certain she wasn't holding the card wrong.

Re:Obviously

[OakDragon]

Also, someone is using her identity to run for U.S. Senate.

Re:Obviously

Liberals do not care about anything until it effects them.

Re:Obviously

[msauve]

She has to look into it because iPods are scary. They have batteries and wires in them!

Re:Obviously

[Xacid]

If that's the case then I suppose I'll stop being okay with wars when I'm drafted into one then. Or have a bomb dropped on me.

Re:Obviously

May all those in power suffer from identy theft, RIAA persecution, patent trolls and tribbles.

Re:Obviously

[davester666]

so it was a link to foxnews?

Re:Obviously

Unlike conservatives who have the decency not to care about anything at all, even if it does affect them.

Re:Obviously

[hey!]

OK, I'm a liberal, so I've can't let that pass. Liberals care about lots of things that don't affect them -- drowning polar bears, leaking nuclear waste a thousand years from now, educating the offspring of undocumented immigrants. Just don't ask us to do anything about them. We've signed the petition, so we've done our part.

I'll fight any injustice, so long as all I have to do is blog about it.

Re:Obviously

Unlike conservatives who have the decency not to care about anything at all, even if it does affect them.

You mean like condemning homosexuality while being secretly gay?

Could be the only way to get the law changed

[SleazyRidr]

Attack the Attornies General so they realise how the real world works and kick up enough stink to get the laws we need.

Re:Could be the only way to get the law changed

Might as well attack your senators and representatives then.

Re:Could be the only way to get the law changed

You think if they got sent a "You owe us $5000 for downloading a song" letters, then maybe someone would pay attention to the issue? I hope so.

Re:Could be the only way to get the law changed

[TheGratefulNet]

same old same old.

laws that apply to regular people don't matter to those who have influence.

but once one of 'our' laws hits them, oh boy, fire and fury follows!

what a farce our 'justice' system is...

Re:Could be the only way to get the law changed

[SeeSp0tRun]

This has to be done very delicately. Pick the wrong fight, or from the wrong angle, and we all end up with mandatory keyloggers built into every OS.
It is as much a psychological puzzle as a moral fight.

But

[Dunbal]

Apple is security! By the way, my daughter's Mac Book Pro stopped working yesterday after four months. Not bad for a $1700 computer.

Re:But

[jdpars]

Kids these days. I blame the parents.

Re:But

[firex726]

Just in time for the Mac Book Pro 2 next month. Man you really lucked out.

Re:But

[wsxyz]

She's not supposed to take it into the shower, no matter what the pop-up says when the little green light above the screen comes on.

Re:But

Apple is security! By the way, my daughter's Mac Book Pro stopped working yesterday after four months. Not bad for a $1700 computer.

She's probably holding it wrong.

Re:But

[voidptr]

There's no company on the planet that can guarantee they have a 0% mortality rate within the warranty period of something as complex as a modern laptop. That's why there's a warranty.

If you're aware of one that guarantees anything above and beyond replacement in the off chance you happen to be in the unlucky 1%, I'd love to know who it is.

Re:But

[wiedzmin]

She's not supposed to take it into the shower, no matter what the pop-up says when the little green light above the screen comes on.

I see what you did there. Trevor Harwell reference. Clever.

Re:But

[Duradin]

My MBP is doing fine going on 5.5 years old now (as my primary computer). Anecdotal evidence is fun.

Re:But

Well then, good thing it comes with a free 12 month warranty. But oh no, whine about it on the internet instead. Asshole.

Re:But

[rhook]

To quote Steve Jobs "You're holding it wrong".

Re:But

[rhook]

There is a warranty because there are consumer protection laws requiring that there be one.

Re:But

[manicb]

Mine still works after 500 years of use in sandstorms, acid rain and even deep space! Highly-recommended for time travellers. I'm hoping the next model is more Dalek-resistant though.

Re:But

[wsxyz]

Extra Dalek resistance is part of the 3-year AppleCare Extension.
I bet you wish you'd bought that now.

Re:But

[Dunbal]

it comes with a free 12 month warranty. But oh no, whine about it on the internet instead. Asshole.

I'm not whining - it's not my computer. I build my own systems and they are rock solid. As for my daughter, well, she's 20 and can deal with the consequences of her decisions.

Re:But

[cheater512]

Yeah. Who buys their daughter a $1,700 computer when a $400 one will more than suffice?

Re:But

[CapuchinSeven]

ha, that's comical. So wait wait... your systems are rock solid, so you build your own laptops do you? You mean to tell me that if you bought RAM from a company and that RAM was faulty, some how, SOME how your system wouldn't be effected, because you build rock solid systems, some how RAM becomes magical in your hands and becomes fail proof, SOME how you can assure 100% that nothing in your machines will ever fail? Oh wait wait, YOU must design and build your own memory. Shut the fuck up, she''ll take laptop back to the shop and get it replaced under warranty, like any normal human being does, be it an Apple, Sony, Dell or whatever. You on the other hand, make dumb remarks about your kid "dealing with her consequences", wow you're an ass.

Re:But

[Dunbal]

Er no, I have a desktop. I only use my laptop when I travel which is not often. I haven't had a bad RAM chip in years - I research the companies I buy from. Your argument is pathetic. You must be an Apple user.

Re:But

[sjames]

No matter what the pop-up says?

Re:But

[WCLPeter]

Yeah, here's my anecdotal evidence too!

My Mac Mini G4 has been running almost non-stop since 2005 when it replaced my K6-2 - 500. The Mini remained my primary computer until I bought a 24" iMac after the spring 2009 refresh. The Mini is whisper quiet (so is the iMac) and is currently sitting in the other room churning out work units for Rosetta@home and the World Community Grid, two distributed computing projects that strive to find cures for various diseases and model different energy and water usage patters.

Sure its slow, it can only churn out a work unit every 10-12 hours or so, but considering that the Mini doesn't use much power and would otherwise sit there doing nothing I figured I might as well use it for a good purpose. What impressed me about the Mini is that outside of power failures the machine has practically never been turned off, has been run pretty much full out the whole time and yet still keeps going. Say what you will about Apple, but their build quality is excellent and they make computers that can continue to be used long after most others would be relegated to the trash bin.

Re:But

[msauve]

Uh, cite, please. I don't believe you're correct. The Magnuson-Moss warranty act simply says that if there is a warranty, the terms have to be clear. There are lots of things sold "as-is."

Re:But

No wonder there's something wrong with her computer - with you helping her... or she gave it a coffee shampoo but won't admit it.

Re:But

[CapuchinSeven]

Hey now, don't cut yourself short here. It's not the research it's your magic powers that somehow enable you to bless HDD's to give them a 100% never fail rate. It's either that, or your "research" managed to find you a company that will, 100% assure that they don't need a warranty because their products never, EVER fail so no warranty is needed. News flash dumb ass, sometimes even new things go wrong, that's why we have warranties and companies don't employ you to sit at the end of their manufacture line, blessing hard disks with your magical powers.

Re:But

[Lord_Jeremy]

Yeah I've got a Mini G4 for a web host and a Power Mac G4 serving up files. My work laptop is an almost four year old MacBook Pro. Unfortunately my experience with more recently Apple hardware has been less than stellar.

What was her password?

[swebster]

She should post the password she used so we can tell if it was likely to be a brute force type attack.

Re:What was her password?

[corbettw]

Not that it'll help, all we'll see will be asterisks. Like my password on iTunes is ********, and my Slashdot password is ********.

Re:What was her password?

[swebster]

hunter2

doesnt look like stars to me

Re:What was her password?

[pjfontillas]

That's because it's your password. To me it looks like ******* but to you it's hunter2.

Re:What was her password?

I don't think it works like that...

Let me try with my iTunes password while not being logged in, you'll see it will just print it

********

This isn't going to end well.

[PeanutButterBreath]

Some day she is going to find herself wishing that she just admitted to her IT guy that she likes the Jonas Brothers and downloaded those tracks herself rather than letting this fraud story spiral out of control.

Or. . .

[PeanutButterBreath]

. . .she will use her uncommon influence to resolve her own problem and thus conclude that the legal system works "as-is".

More laws!

[Gothmolly]

Typical Democrat party shill, Coakley is advocating greater government interference.

Re:More laws!

[TheCouchPotatoFamine]

that really stretches things.. really, if you don't have anything original to troll about, maybe give it rest?

Re:More laws!

Which makes her different than Republicans how?

Im confused

[Altus]

I could see, if her identity was stolen from the records that apple has, how the new laws would apply to Apple. But her identity was stolen from elsewhere and then her credit card used to purchase stuff from Apple. I can't really see how Apple has anything to do with it. Would you go after Shell if someone used a stolen card to buy some gas?

Sure, dell stopped the purchase of a multi hundred dollar computer, but should Apple have to check ever 99 cent transaction? I don't even have to sign receipts most places if the total is under 20 bucks. If she canceled the card, isn't that her banks fault?

The data breach laws seem like a good thing, its important that Apple and others protect information about their customers against theft, but her identity was stolen during a ski trip to New Hampshire. That doesn't seem like it has anything to do at all with Apple or iTunes.

Re:Im confused

[terraformer]

You are not confused. The AG is. You are actually right that this fraud doesn't involve apple at all. But that won't matter.

Re:Im confused

[oboylet]

This happened to me as well. A series of mysterious iTunes charges popped up all over my CC statement, totaling hundreds of dollars. The charges all show up as "1800-APPLE-XYZ" or some such. Call up that number, and there's a recording that refers you to itunes.com/cc (or whatever). On that site, it refers you to the useless 1800 number. When I contacted my credit card's fraud hotline they said they had been having all sorts of problems with fraudulent charges at iTunes. Mysterious charges, and they (Chase) could get no answers from Apple. Since Apple wouldn't reverse the charges, I had to file a fraud claim, and get a new card. A big hassle for me. By the way, this was in the Spring of 2010. IANAL, but if there is a history of fraudulent activity and the vendor has ignored it, then yes, I'd say they have some responsibility "to check every 99 cent transaction."

Re:Im confused

[geekoid]

Apple is supposed to report fraud complaints. They refuse to do so.

Re:Im confused

Not only that but since when has having your credit card stolen been "identity theft"?

Using some random number off a piece of plastic has nothing to do with your identity. You're not even liable for charges past the first $50.

It's just credit card fraud, not identity theft.

Re:Im confused

[whoever57]

This happened to me as well. A series of mysterious iTunes charges popped up all over my CC statement, totaling hundreds of dollars.

You think that's a large fraudulent charge? Last month, my credit card got hit for not one, but 3 charges of $1030 each, plus the credit card's foreign exchange fees. Over $3200 in total. All three charges came from a caribbean airline.

Re:Im confused

You have to log in each time your buy from itunes.

Simply having a credit card is not enough.
Using a stolen credit card to fraudulently set up a fake account on iTunes should have been detected by Apple, when name and address verification failed on the new account when compared to the credit card.

Still, its probably not all Apple's fault.

Re:Im confused

[slimjim8094]

Same with me, except that they did reverse the charges when I emailed them. They even found one that hadn't posted yet and reversed that. I have no complaints about how they handled it - they sent me a lengthy email with a ton of details - the accounts using my card, the email addresses used (a few; variations of my name @ovi.com), all of which I passed on to my bank.

They were fast - after spending $160 at iTunes, they spent $380 at FedEx in 12 charges of about $30. I checked my statement the next day by luck (I don't check every day, and I was in Maine to boot) and was able to cancel the card before they got away with more. This happened early August; I just finished getting this sorted out last week.

Still have no idea how they got my info. I still have the (useless) card in my possession and I didn't use it anywhere unsafe - electronically or physically. I'm guessing a site got compromised. Whoever it was had my name, billing address, and CC# (and presumably CVV)

Re:Im confused

[Altus]

that may or may not be true, but it has absolutely nothing to do with the story of what happened to her particular credit card, which is what the article is about.

Re:Im confused

[Altus]

In this case it was a debit card, which comes with far less protection than a credit card. One of the reasons I hate them, but none of my banks will give me an ATM card that is not also a debit card so I guess I'm stuck.

Re:Im confused

[wsxyz]

Using a stolen credit card to fraudulently set up a fake account on iTunes should have been detected by Apple, when name and address verification failed on the new account when compared to the credit card.

Why assume that name and address verification failed?

Re:Im confused

[Fear+the+Clam]

That happened to me after I got back from a vacation and I suddenly understood why the guy who swiped my card at the gas station "had" to use a new reader.

Funnily enough, the credit card statement not only had plane tickets on there, but also the names of the people for whom they had been issued. I did a quick search for the names in the same state as the departing airport and found their address.

If I were more of an Internet tough guy I would have called them and told them that I knew where they lived and I was going to beat my money out of them. Instead, I gave all the information to the credit card company with the fond wishes that they'd do time.

Re:Im confused

[Macgrrl]

You are not confused. The anti-Apple Slashdot trolls are. You are actually right that this fraud doesn't involve apple at all. But that won't matter.

FTFY :)

Re:Im confused

Why would Apple reverse the transaction? They provided the service. They have no evidence that it wasn't you who made the purchase. You could now just be trying to stiff them to get your money back without returning the goods.

Like it or not, dealing with fraudulent transactions is your bank's responsibility, not the vendor's.

Re:Im confused

The only required information for a CC transaction via the AuthorizeNet gateway (and probably all of the rest of them) is CC#, Name on Card, and Card Expiration Date. Address validation and CVV2 validation are optional. Some retailers take the pass/fail bit from the response for each of those validation checks and use them to decline the transaction (auth, check response, only capture if valid). It's really up to the retailer for the most part. Only a VERY small number of banks actually force full auth for CC purchases, especially online.

And for "card present" transactions, remember that the CVV2 isn't on the mag stripe (not *every* card, anyway, so it's not reliable) and the fact that they swiped a physial object bypasses the whole mechanism. Then remember that their batch posting process uses that same (or very similar) API as the "online" version above... The CVV2 is probably the most useless thing ever. And "card present" isn't secure. And the bank doesn't have your back until their flesh is involved too (which is if you file a formal complaint/notice of fraudulent activity, which is regulated by the feds).

"Caveat emptor" never applied so well anywhere else.

Re:Im confused

[Lord_Jeremy]

Hah. So true. I had thought that credit card purchases were reasonably secure, until I was hired to write drivers for a credit card swiper. I've been told by people who know more about the system than I do that there's a whole criminal business of generating random credit card numbers. When working numbers are found, dozens of counterfeit plastic cards are run off with that number and sold to people who want to use them at stores.

Re:Im confused

[sabt-pestnu]

Not so much stuck, as failing in imagination.

Plan 1) create a new account with your bank. Get a card on it, but make sure that "overdraft protection" is revoked. Limit the funds in the account. Transfer new funds as necessary via secure method (say, live teller). Strictly audit the account so you don't get denial charges. Promptly report any fraudulent activity.

Plan 2) get a disposable or one-use credit card. Repeat as necessary. Best you look those up yourself than rely on me, as I don't hold with credit cards much in the first place.

Either way, I wouldn't recommend you attach significant excess funds to an account with a card. That includes using a "savings account" as overdraft protection.

Re:Im confused

[Altus]

I basically already do that, but the amount I could loose from the checking account if I lost the card is kind of high. On the other hand, if I kept less money in there, I would be spending more time shuffling money around. I have chosen my level of risk vs my level of convenience, but I would rather not have too.

All of this could be solved with a simple ATM card that is not a debit card. I don't need a debit card, I have credit cards for purchases where cash is not practical. Certainly for some people a debit card is a useful tool, but I am not one of those people.

Re:Im confused

[sabt-pestnu]

So... a bank card that worked in ATM machines, but did not work for POS purchases? Your bank was not able to offer a solution to this that worked for you?

Does it even fall under the data breach laws?

[Richard_at_work]

Apple maintain the position that it is end users that are being compromised, and not their servers - so why should they need to report anything if there is no evidence to the contrary?

Breach by Apple???

[superdave80]

...her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino,...

Huh? How is this a 'breach' by Apple? Her credit card was stolen by somebody, and then used to buy something from iTunes. Apple wasn't hacked into; they processed what looked to be a valid credit card transaction.

Hymns

All there is to do in Heaven is write hymns. Angels are pretty good, believe it or not. Retards don't know why Greeks said "muse".

unavoidable

[Device666]

The problem for apple is that because it has become such a popular provider of these services, at some point some powerful people get the same problems as everyone else, and then it's a problem. But no matter how politically incorrect that may be, it's is plain stupid of Apple to be totally ignorant on Murphy's law. That lawyer might just know how to peel an Apple... And if he doesn't then someone else might. So let's all wait for the inevitable. I think this whole Itunes problem is clearly something Apple finds hard to fix, otherwise it would be fixed already.

not the iTune problem

So the A.G. herself is credited for "telling the audience that her stolen credit card information was used to make fraudulent iTunes purchases. So that seems completely different than if she had an iTunes account that had been hacked, as is the commonly reported problem that Apple avoids talking about. In her case it seems like she had here credit card info stolen and the thieves happened to use the stolen cards to create an iTunes account (and likely other things). and her problem needs to be resolved by dealing with her credit card provider, not Apple.

Re:not the iTune problem

[Macgrrl]

I see a flaw with your theory. It involves common sense. Which we all know is rarer than kryptonite both here on /. and in the wider world.

Federally preempted

[tepples]

As I understand it, state attorneys general have no influence over U.S. copyright, which is exclusively a federal issue.

Re:Federally preempted

[rhook]

Except for when such cases wind up in their states legal system.

Re:Federally preempted

Which they never do, being federal issues and all.

The reporter is confused.

[PeanutButterBreath]

The reporter posed a non-sequitur question, to which the AG provided a boilerplate "uh, we'll probably be looking in to that" response.

The Apple fan boi

[geekoid]

and apologists are out early.

"Informed of the well documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn't aware of the larger pattern, but that it could be a reportable offense under the State's data privacy law. She promised her office would be contacting Apple for more information that very afternoon - a statement that received hearty applause from the audience."

Apple is being compromised, Apple hasn't reported as required.

Apple seems to be in the wrong here in that the have violated MA privacy laws.

Re:The Apple fan boi

You're a moron.

Apple wasn't compromised. A credit card that was stolen on her ski trip was used to purchase items from Apple. The card was compromised long before Apple had anything to do with it, and long before it ever got entered into Apple's systems.

Don't call them "apologists" when they're the ones who bother to read and comprehend the story, and you're just out to bash Apple.

Re:The Apple fan boi

How has Apple been compromised?

So far, the only evidence points to Ms. Coakley and some iTunes account holders as the parties that have been compromised.

Re:The Apple fan boi

[tlhIngan]

Apple is being compromised, Apple hasn't reported as required.

[citation needed]

Apple being compromised would be a big deal, as it would basically reveal probably 200+M accounts and credit card details. That's a huge breach, probably the largest to date, outdoing Sony.

Problem is, is it true? Or is it because almost everyone has an account with Apple that there will always be some group compromised?

And there are people who find iTunes charges without ever using iTunes Store or buying a single thing at Apple. I like to know how Apple being compromised people get charged without ever having an account...

After all, people use easy passwords, reuse passwords, or fall for some really interesting phishes. Like one I got for Adobe Photoshop being on sale at the Apple Store. Which phished your Apple ID and password.

Re:The Apple fan boi

The haters are just slightly later.

Why would apple need to report phished/keylogged/badly passworded accounts that were used as an intermediary in an unrelated scheme? Why would that apply to a specific state's data privacy law? Perhaps if said compromised accounts belonged to people that lived in that particular state, but again that's unrelated to the people who's financial credentials have been compromised. There is nothing special about apple here, other than fraudsters have found that itunes gift cards/codes are a high value item that's good for laundering stolen credentials. Compromised itunes accounts are merely used because it lets the fraudsters have an easier time making the transactions.

This could happen with pretty much anyone else that sells services or goods online.

Re:The Apple fan boi

Last I checked, Cupertino is in California, not Massachusetts. Insane Massachusetts laws don't apply to California companies. (There's a reason there are no tech companies left in Massachusetts.)

So even if Apple did violate some Massachusetts law, it doesn't matter: they aren't a Masschusetts company, they have no (non-Internet) presence in Massachusetts, the law does not affect them. End of story, Apple fan or hater.

And I'm not an Apple fan, mind you. But no matter how much I dislike Apple, I dislike attorney generals pulling bullshit political stunts like this even more.

(Also, isn't this the Democrat that blew replacing Ted Kennedy? I suspect that all Apple is really guilty of is failing to donate enough campaign funds.)

Re:The Apple fan boi

[UnknowingFool]

And the Apple haters can't bother to read the article or even the summary. The AG card's was stolen. Would it be any different if her stolen card was used to buy Amazon MP3s? What you are interjecting are rumors that there might be an iTunes breach; however, there isn't any evidence that it is a breach. Judged by the relatively small numbers, it may be a case of easily guessed passwords or compromised username/password info when people use the same ones for multiple sites.

Re:The Apple fan boi

[guruevi]

People use way too simple passwords too. I was recently informed that one of my passwords was too simple (although it's 8 characters long and I thought pretty unique).

They had took their own password database to analyze it (the passwords were encrypted) as well as a multi-lingual dictionary and fed it into a GPU system. In a few seconds they had cracked all the standard dictionary words for about 300,000 passwords. They then went through all the combinations and variations (1337 speak etc.) of their dictionary words (about half a billion variations) and in a few minutes had cracked half of their accounts.

Re:The Apple fan boi

however, there isn't any evidence that it is a breach. Judged by the relatively small numbers, it may be a case of easily guessed passwords or compromised username/password info when people use the same ones for multiple sites.

Correct me if I'm wrong, but if somebody unauthorized logs into your account, is that not a security breach?

Just because it's a breach that only affects a single custoner, not all customers of the account operator, doesn't change the nature of what it is.

From the relevant Massachusetts law:

“Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data [...] maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.

This doesn't specify any limitations on how the breach occurs. If somebody guesses your password, that's unauthorized, so it's a breach. Same for phishing. Now, does somebody accessing your iTunes account represent a risk of identity theft or fraud? I would say yes, it does -- it allows the perpetrator to impersonate you and convince Apple to allow them to download new copies of anything you've purchased.

The question now arises, does Apple have any good reason to believe the AG's account was compromised? Lacking that, they are not required to do anything about it, which is I suspect where this entire thing falls down... yes, they had a breach, no they don't have to report it., because they didn't know about it.

Re:The Apple fan boi

It's actually the fault of system administrators who have been enforcing weak passwords. All that crap about capital letters and numbers and special characters is a waist. you get much better results out of just making the password longer by a word. Also it's easier to remember a sentance than a string of characters so people will be less inclined to reuse their passwords.

http://xkcd.com/936/

Re:The Apple fan boi

[UnknowingFool]

If you read the summary, the AG's iTunes account wasn't compromised; her credit card info was.

I am an Apple hater...

And even I think this is stupid sensationalism. She got her credit card stolen during a ski trip, how the hell is that Apple's fault? She should have canceled it and issued a chargeback. Apple doesn't even come into play.

There are plenty of things Apple does wrong, but this is not one of them.

Sounds like a bad law

[chrismcb]

The issue really isn't about Apple (from what I can tell) Really the issue is how bad this law is.

From TFA:

"the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data" that creates a "substantial risk of identity theft or fraud against a resident of the commonwealth"

So it sounds like, if someone steals a credit card. Then uses it to purchase an item from a store. The store is supposed to report this "unauthorized use." How is the store supposed to know the transaction is not authorized?

Seems like a pretty dumb law to me.

Re:Sounds like a bad law

Welcome to Massachusetts... we have lots of dumb laws around here but that's how it's written. Apple and every other vendor who does business with a Mass resident takes the responsibility for the transactions if they are fraudulent. I guess the idea is to expand that responsibility from the credit card companies and banks to EVERY "online business". Gee, it seemed like a good idea on paper but practical? Ask Martha once she gets this mess straightened out. lol

Not according to the actual complaint

In the actual complaint, the details were retrieved from a compromised iTunes account, not a ski trip.

You may be considering a different person.

Re:Not according to the actual complaint

[BrianRoach]

Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General's account.

You may be considering learning to read.

Am I missing something?

[Internetuser1248]

Why would anyone steal credit card details, and then use them to buy mp3s? It boggles the mind, given that mp3s are so much easier to steal and harder to trace. It would lead me to a conspiracy theory if it weren't for the fact that I really don't care enough about the issue to waste my time thinking one up.

Re:Am I missing something?

[tlhIngan]

Why would anyone steal credit card details, and then use them to buy mp3s? It boggles the mind, given that mp3s are so much easier to steal and harder to trace. It would lead me to a conspiracy theory if it weren't for the fact that I really don't care enough about the issue to waste my time thinking one up.

Easy, to test credit cards.

Say you've just broken into a CC processor and gotten a list of names, addresses, CC numbers and CVV codes. You need to find out if those numbers are working, and the easiest way is to run charges through them. Now, you need to find something that most people won't bat an eye about seeing on their bills - after all, a fraudulent charge to some company in the Azores will bring up scrutiny.

So you need someplace that charges small amounts (easier to be missed), and appears legitimate. iTunes fits both - a 99 cent song or app is easily missed in a bill, and a lot of people have iTunes accounts and would overlook an iTunes charge.

As Amazon and Google Marketplace get more prominent (i.e., more people buy Android apps/music/movies), you can bet they'll be targets next for 99 cent digital thing.

Cards that don't work (either because the user noticed something odd and cancelled, or expired, or foreign) are simply discarded. When you have a list of millions, losing 30% is no big deal, especially if you can verify the rest.

Check you spam sometimes. You see people spamming spamming services ("32000000 Euro accounts $200!") and "verified credit cards+CVV".

It would be cool if

[hesaigo999ca]

This story lets me in on some idea...It would be cool if a big official judge or senator were to have some illegal copyright music on their machine and get nabbed by the RIAA, and wanting to make an example of them just like they did that grandmother, and let that judge or senator be the victim of the RIAA's witch hunt, and bring about change to their practices....the latest I saw was a guy being charged 600k for songs....until it happens to an official, they do what they want...guaranteed that a judge or senator would put them in their place, and set a precedent.

Same as this story, I am sure it is getting all this attention only because of who was victimized, but put some grandmother who gets her account hacked and identity stolen, bah...who cares... I hope this case leads to setting better laws to protect the people over all, instead of just the big time officials.

Stolen credit card?

[Relayman]

In other news, a stolen credit card was used to buy a new car today. The car dealer is under investigation for allowing it to happen...