PayPal Addresses Fraud Involving Unauthorized iTunes Payments

The Guardian newspaper's technology blogger has been covering the recent rash of scams involving PayPal and iTunes. Consumers have reported that scammers have drained their bank accounts through unauthorized iTunes payments made using PayPal - see, "So what has been going on with iTunes and PayPal?" (link).

PayPal's Chief Information Security Officer Michael Barrett addressed users concerns on the PayPal blog on Wednesday. Barrett assured PayPal users that PayPal was not compromised and said, "if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account." He said Apple also confirmed that iTunes' servers were not compromised.

Barrett reminded users of ways to protect their accounts:

• Use a safe password: use a strong password which includes a combination of upper and lowercase letters and numbers. But don't use the same password for every online account you have. That's basically like using the same key for your house, your car, your office and your safety deposit box. If you lose that key, you're in trouble.
  
  
• Protect your computer: use a modern, supported operating system such as Windows 7 or Apple's OS X Snow Leopard. You should also use an updated Internet browser that blocks fraudulent websites, like Internet Explorer 8, Safari 5, Firefox 3 or higher. As always, keep your antivirus software updated.
  
  
• Don't click on links in email: never click on links in email and then enter your username, password or other sensitive information - even if the email looks like it's from your bank, an e-commerce site, the IRS or popular sites like PayPal.
  
  
• Use common sense: if you wouldn't do something in the offline world, don't assume it's safe online. If a stranger walked up to you at a gas station and said, "Please give me the key to your house; I need to make sure there are no burglars there," you'd probably tell him to go take a hike. Likewise, if you get an email, phone call or some other unexpected message demanding that you turn over your username and password, don't do it. Trust your instincts.

Ironically, PayPal itself includes links in its email, despite warning users not to click on links in an email to sign in to their accounts (see bullet point number three above) - here's a screenshot of an email PayPal sent me on Monday.