Canadian retailer Future Shop, part of the Best Buy empire, is investigating a scam where some iPad 2 devices purchased in its Vancouver stores turned out to be fake. It appears that scammers bought as many as ten iPad 2s and swapped them for modelling clay.

Future Shop said scam artists bought Apple’s popular tablet computers with cash, replaced the devices with bags of model clay, resealed the boxes and returned them. The returned fakes were then put back on the shelf and sold to unsuspecting customers. It really saddens Future Shop that people stoop to be this opportunistic and make money is this kind of organized way.

One customer gave his wife one of the iPad 2s for Christmas; she was very shocked to receive an iPad 2 box with just a lump of modelling clay inside. To make matters worse, when he returned the iPad 2, he was apparently treated like a criminal by the store’s manager. Thankfully Future Shop has now refunded the cost of the iPad 2 and given the customer a free iPad 2 as compensation for the mix up.

Source: CTV News

It seems a security hole in Paypal’s iPhone app has been discovered that would allow hackers to access user’s Paypal username and passwords over Wi-Fi. The “man-in-the-middle attack” let’s the hacker come between the user input information and Paypal’s servers. Although this is dangerous, it does require the hacker to be on the same Wi-Fi connection as the user in order to steal their information.

Airports, train stations, coffee shops, and other public Wi-Fi locations are the most susceptible. Paypal has issued a statement assuring if anyone does fall victim to this exploit, Paypal will cover 100% of all fraudulent charges. Paypal spokeswoman Amanda Pires had this to say -

“To my knowledge it has not affected anybody,” Ms. Pires said. “We’ve never had an issue with our app until now.”

Isn’t that how it typically works, though? You don’t have problems, until you do. And this is a large one. I’d highly suggest updating ASAP, the update is available via the App Store now.

via WSJ

Yesterday reports were flying in that a “major security hole” in iTunes accounts linked to PayPal was being exploited. The problem turns out not to be a “major security hole” associated with iTunes accounts but rather a phishing scam that’s actually pretty common. The scammers found a way to charge thousands of dollars to iTunes accounts through PayPal. One particular user who contacted TechCrunch reported 50 charges from PayPal of $99.99 each and luckily caught it in time before his bank distributed the funds to PayPal. Unfortunately, not everyone was able to catch the charges before funds were transferred but PayPal is reimbursing users for the fraud. An Apple spokesman did comment that the company is aware of the issue.

“Among other new security measures iTunes now requires more frequent re-entry of a customer’s credit card security code,” the spokesperson said. “But if your credit card or iTunes password is stolen and used on iTunes, we recommend that you contact your financial institution and inquire about canceling the card and issuing a charge-back for any unauthorized transactions. We also recommend that you change your iTunes account password immediately.”

So if you have not already done so, we highly recommend you check to make sure your account is safe and check out Rene’s write up on how to minimize the chance of your iTunes account being hacked.

[TechCrunch]

Apple has responded to that bizarre incident over the weekend involving a glut of Vietnamese, copyright-infringing book apps rocking to best-seller status on the backs of hacked iTunes accounts.

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.

Developers do not receive any iTunes confidential customer data when an app is downloaded.

If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.

Good advice for this incident, great advice in general. Also remember to never, not ever, click a link in an email and log into an account. That’s how social engineering attacks like Phishing scams work. Use a strong password (long, with numbers and symbols), keep it unique, and change it once and a while. Treat it as securely as you treat your credit card and cash — because that’s what it is.

UPDATE: According to Clayton Morris who followed up with Apple, about 400 users were impacted. iTunes’s servers were not hacked. In response Apple will be increasing the frequency they require you to enter your credit card verification number going forward.

[Engadget, Clayton Morris]

It looks like there’s been a sharp rise in iTunes accounts being hacked. We don’t have any solid information on this yet, but when it comes to security TiPb believes in warning first, worrying about the details later. Engadget points to a link between the hacks and the rise in popularity of some Vietnamese book apps. Sounds crazy, but it’s absolutely not funny:

As of this writing, 42 of the top 50 books by revenue are from the seller Thuat Nguyen, whose company website (“mycompany”) leads to parked site www.home.com. [...] a number of people [are] reporting up to hundreds of dollars being spent unwillingly from their account to these specific books. Coincidence? Let’s not mince words here, something is definitely amiss, and it’s not looking good. Just to be safe, might wanna check your purchase history under Apple Account information. We’ve reached out to Apple and will let you know as soon as we hear back.

Checking your account info for fraudulent charges is great advice. Using a long, strong password with numbers, symbols, and letters, and changing it regularly is also good advice.

If you’ve seen anything suspicious, report the problem to iTunes, and let us know in the comments.

UPDATE: 9to5Mac says the “mycompany” apps have been pulled from the iTunes App Store.

[Engadget, 9to5Mac]

There’s no technology that’s 100% safe from fraud or social engineering. Those are predators that walk the cyber landscape, and just like hunter gatherers had to watch out for saber-toothed tigers and dire wolves, modern consumers have to keep an eye out for scammers and spammers.

So, it comes as little surprise that Fox New York (via Consumerist) reports iTunes is among the many attack vectors Bad Guys use when committing their fraud.

The crux of this one is bogus charges on your credit card, from $1 to full on $50+ gift card purchases:

Over on GetSatisfaction, there’s a long thread about fraudulent iTunes charges, but no clear answer about what’s going on. In fact, some people seem to be getting hit with charges on their credit cards from a fake APL*ITUNES business even if they don’t have iTunes accounts, while others who do have iTunes accounts receive receipts via email for real gift card purchases that they didn’t make.

So stay informed, check your accounts and your credit card charges, and report anything fishy (or phishy).

While in the old days, this would no doubt have come from Creep McShady in a trench coat around the corner of some noir-esque alley, now its online fraudsters who’ve gamed Apple’s iTunes gift certificate generation algorithms, unable to sell directly due to fear of Apple tracing the accounts, who’ve found a new target for their schemes. Says Apple Insider:

Third party iPhone App Store developers have received propositions from a scammer offering to buy large volumes of their iPhone applications and then split the resulting revenue with them, apparently using fraudulent iTunes gift certificates to make the purchases.

Of course, the developers faces every bit as much chance for retaliation from Apple, perhaps more so because this could end their careers as iPhone developers.

Yeah. Not a good idea.

September was the last time we saw some malicious attacks on MobileMe subscribers. Well the scammers are at it again, trying to take advantage of Apple’s MobileMe subscribers. A Gizmodo reader claims to have gotten the email shown above.

If you then click the fake “Login” button you will be directed to a website the scammers have set up — to look like Apple’s web site — asking for your credit card information. It is safe to say, delete this email if you happen to find it in your inbox.

[Via Gizmodo]