Media reports that Apple's iTunes and PayPal were hacked earlier this week have been refuted by the CISO of the online payment processor.
Michael Barrett, chief information security officer of PayPal, acknowledged the news coverage about ‘unauthorised payments’ to iTunes and the safety concerns about PayPal accounts, and refuted the claims, but said that anyone who finds fraudulent charges on a PayPal account should contact PayPal customer services.
He said: “We've looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account.”
He also noted that Apple has confirmed that iTunes' servers have not been compromised. Apple has recommended that customers who have seen unauthorised iTunes charges on their PayPal or credit card account contact their financial institution about a chargeback and change their iTunes password right away.
Barrett said: “Issues like this are a good reminder to be extra vigilant with any personal and financial information when you're online. It's also important to know that if a criminal gains unauthorised access to your PayPal account, PayPal will cover you for the full amount of unauthorised transactions. But I believe that an ounce of prevention is worth a pound of cure.”
The victims are suspected to have fallen for an email (phishing) scam rather than having been targeted via a flaw in iTunes or Apple servers. Stephen Howes, CEO of GrIDsure, said that the incident once again highlights the weakness of fixed passwords and shows how vulnerable these services are to attack.
He said: “It is clear that hackers are using increasingly sophisticated methods to steal account details, yet amazingly these high profile brands just seem to shrug their shoulders and simply ask users to change their password. This does nothing to prevent the same thing happening again in the future and keeps playing into the fraudster's hands.
“If these online service providers want to stay at the forefront of industry innovation they must look at implementing more secure, easy-to-use and cost effective solutions, such as software-based one-time passcode systems, which help avoid the embarrassment caused by attacks such as this and the associated loss of user confidence. These systems ensure that if a user inadvertently enters their details into a phishing site the fraudster cannot use the stolen password or PIN because it has already expired.”