Has the Apple Store Customer Database been compromised?

[jejennings]

At 11:00 AM this morning (EST) I received an automated telephone call from Discover Card Security asking if I had made a $12.97 purchase from ZAGG in Salt Lake City. When I pressed the number to indicate I indeed had not made such a purchase I was immediately transferred to a real person who asked if I had made a $1734.47 purchase from Apple Computer. When I told her that my last Apple purchase was my delightful 27" iMac in October 2009 we concluded that my card had been compromised and it was immediately shut down. The $12.97 false purchase had been a "feeler" to make sure the account was still active before the criminals tried to make me pay for a new computer. Just in case I called my dear wife to make sure she hadn't ordered me a nice gift and got the expected. "are you crazy...." reply.

I was curious and called the Apple Store Customer Service where a nice lady thanked me for purchasing a new MacBook Aire, and was quite unhappy when I told the representative that I had not made the purchase. She told me that purchase had been made at 10:34 EST and had been approved by Discover. I then asked her where it was to be shipped. To my surprise, it was to be shipped to me, in my town in Southern New Jersey, but to a six digit number on my Street that doesn't exist.

The ramifications of this hit me. Somehow someone got my credit card information (including the security code number) and ordered a Mac computer that would be returned to the Federal Express terminal where a nefarious associate would rip it off. My first thought was that perhaps my Apple Store records had been compromised, but I accessed my account and found no record of this purchase, indicating (along with the need for local interception of the package) that the credit card theft was probably on this side of the country. I will be notifying Federal Express of my suspicions, but thought that the Mac community at large might be interested in this experience.

Any comments?

 

[SilentPanda]

Is the only reason you believe Apple disclosed your account information in some fashion to somebody solely because the person that used your card used it to buy an Apple product?

 

[Consultant]

At 11:00 AM this morning (EST) I received an automated telephone call from Discover Card Security asking if I had made a $12.97 purchase from ZAGG in Salt Lake City. When I pressed the number to indicate I indeed had not made such a purchase I was immediately transferred to a real person who asked if I had made a $1734.47 purchase from Apple Computer. When I told her that my last Apple purchase was my delightful 27" iMac in October 2009 we concluded that my card had been compromised and it was immediately shut down. The $12.97 false purchase had been a "feeler" to make sure the account was still active before the criminals tried to make me pay for a new computer. Just in case I called my dear wife to make sure she hadn't ordered me a nice gift and got the expected. "are you crazy...." reply.

I was curious and called the Apple Store Customer Service where a nice lady thanked me for purchasing a new MacBook Aire, and was quite unhappy when I told the representative that I had not made the purchase. She told me that purchase had been made at 10:34 EST and had been approved by Discover. I then asked her where it was to be shipped. To my surprise, it was to be shipped to me, in my town in Southern New Jersey, but to a six digit number on my Street that doesn't exist.

The ramifications of this hit me. Somehow someone got my credit card information (including the security code number) and ordered a Mac computer that would be returned to the Federal Express terminal where a nefarious associate would rip it off. My first thought was that perhaps my Apple Store records had been compromised, but I accessed my account and found no record of this purchase, indicating (along with the need for local interception of the package) that the credit card theft was probably on this side of the country. I will be notifying Federal Express of my suspicions, but thought that the Mac community at large might be interested in this experience.

Any comments?

Fake story is fake.

 

[SilentPanda]

Fake story is fake.

How does that make the story fake? They called customer service, most likely gave them their name/info and the rep noticed the purchased computer and mentioned it.

 

[flyfish29]

Yeah, I don't see why it would be fake. And actually Discover customer service called the OP about all this. My credit card companies have almost gone too far and deny purchases that follow odd trends- such as when I bought something small at the back register in Sears, then purchased a snow blower at the front registers on the same card. I had to use a different CC for that purchase.

I had similar experiences with a credit card company but $800 in PHilly 76er b-ball tickets were purchased after a small purchase to see if account was active. However, in no way is this Apple's fault. As the OP found out no one compromised the apple account, just the credit card info which could have come from thousands of vendor uses. So this is not really an apple topic, but more of a credit card scam topic.

INteresting story though- and I would love to hear what Fed Ex finds out- hopefully the person you talked to at fed Ex is NOT the person who planned this scam!

 

[gnasher729]

Strange thing happening. So someone got enough details of your credit card to enter an order for an MBA at Apple, plus apparently had your address. Would it be possible to find your address, knowing your name only? (I know someone could find my address, being the only person in the UK phonebook with my name). Could be ripped off at a petrol station, restaurant, anywhere where you let your card out of your hand.

I don't quite know how this scam is supposed to work. I know in the UK they have done things like this if the recipient is not at home and the delivery is on a predictable date; someone waits until you leave, then stays around your home, and waits until the delivery turns up, then poses as you and accepts the computer. Not sure how this would work with the wrong address.

Yeah, I don't see why it would be fake. And actually Discover customer service called the OP about all this. My credit card companies have almost gone too far and deny purchases that follow odd trends- such as when I bought something small at the back register in Sears, then purchased a snow blower at the front registers on the same card. I had to use a different CC for that purchase.

I see... A few weeks ago I made some small purchase on Amazon (just an MP3 album download), then shortly afterwards something more expensive, then I got a call from my bank. And I couldn't figure out why my purchase at Amazon looked suspicious. So small purchase followed by large purchase = suspicious. Makes sense now.

 

[snberk103]

...but to a six digit number on my Street that doesn't exist....

I would be interested to know if the OP's address formed part of the 6 digit fake address. It might be how the thieves bypassed the shipping/billing address check. If the legitimate address is 3 digits and if the fake address started with those 3 digits, then I suspect that when the 1st digits matched the billing computer declared the address legit, without asking "Is there more?".

Luckily I'm immune from this scam. I'm in a small community, and the know the FedEx driver. He would deliver anything addressed to me regardless of the address - probably doesn't look at the address if he recognizes the name.

 

[flyfish29]

Strange thing happening. So someone got enough details of your credit card to enter an order for an MBA at Apple, plus apparently had your address. Would it be possible to find your address, knowing your name only? (I know someone could find my address, being the only person in the UK phonebook with my name). Could be ripped off at a petrol station, restaurant, anywhere where you let your card out of your hand.

The address could be had so easily as EVERY online purchase (except dowloads) must have your address entered for delivery of products. In addition, you would be amazed at what can be found online just knowing one key piece of identifying information on someone.

Credit card companies also look for odd purchases- such as when someone stole our number and was making gas card purchases as gas companies all over Florida...every gas store purchase ended in $.00 which sent up a red flag for the CC company which prompted a call.

Remember, as long as you use a CC you are protected from paying for purchases made by fraud and there is NO impact on your available checking account funds!! That is the main problem with using a debit card- while you are protected from fraud use, your account may be depleted, checks may bounce and you may not have funds available until the issue is resolved. For instance, someone buys a Mac on a CC and you dispute the CC and your bill is reduced by that amount during the dispute. If someone buys a mac on your debit card your account loses those funds and you might bounce many checks and not have avail. cash for necessary purchases.

(For these reasons I will not use a debit card- plus I love credit card points- CC points paid for my PS3 and ver half of my 42" Sony TV and I have not paid for a PS3 game in six years!)

The worst part of credit card fraud is the hassle of paper work to complete and setting up a new CC for auto pay bills and such. I have had to do this several times because my wife travels a lot and it seems my CC fraud has stemmed from those trips.

 

[chrfr]

The address could be had so easily as EVERY online purchase (except dowloads) must have your address entered for delivery of products.

While I can't currently put my finger on the details, you'd be surprised how much credit card fraud doesn't originate online. In fact, in this case, I'd suspect it was something local, otherwise, how would it make sense that the item is getting shipped to the same town as the OP's?

 

[flyfish29]

While I can't currently put my finger on the details, you'd be surprised how much credit card fraud doesn't originate online. In fact, in this case, I'd suspect it was something local, otherwise, how would it make sense that the item is getting shipped to the same town as the OP's?

great point- I agree this must be local- but weird that there is a likely connection to the fed ex facility. Yes, I also agree that much fraud is through brick and mortar businesses. (as in the case when my wife travels example)

What doesn't make sense though is that if your addresss doesn't match your credit card then it usually won't go through which snberk103 alluded to earlier in the thread.

This one is puzzling a bit still.

 

[Consultant]

great point- I agree this must be local- but weird that there is a likely connection to the fed ex facility. Yes, I also agree that much fraud is through brick and mortar businesses. (as in the case when my wife travels example)

What doesn't make sense though is that if your addresss doesn't match your credit card then it usually won't go through which snberk103 alluded to earlier in the thread.

This one is puzzling a bit still.

The story does not make sense.

Why would the card company ask about a $12.97 purchase instead of a $1700 purchase?

Why would a $1700 order go through when shipped to an unauthorized address?

Why would a $1700 order go through without the 3 digit code (which Apple does not keep)? There are other holes too.

 

[SilentPanda]

The story does not make sense.

Why would the card company ask about a $12.97 purchase instead of a $1700 purchase?

The automated system usually asks about a few purchases.

 

[flyfish29]

The story does not make sense.

Why would the card company ask about a $12.97 purchase instead of a $1700 purchase?

Why would a $1700 order go through when shipped to an unauthorized address?

Why would a $1700 order go through without the 3 digit code (which Apple does not keep)? There are other holes too.

Because automated systems take care of this kind of stuff? And like we just talked about- it was likely someone who had access to the card itself- restaurant likely who has a roommate that works at FedEx. Servers are the people who keep your card the longest and out of sight.

I agree there are holes....but life is full of "...holes" mind you!

But it doesn't mean that this is an example of someone being one!

 

[BruiserB]

I thought the card company verification only makes sure the Zip Code matches, not the full address.

Still, it seems wierd that the made up address didn't trip up the Apple ordering system. Most companies' ordering systems check verified addresses to get the Zip+4 code and if it's not in the database, it won't take the address.

Can you tell if the person used your AppleID and password to log into the Apple Online Store, or did they order by creating a new login? Or maybe Apple's system merged it into your account because it was an on file credit card? Can you log into iTunes and see if someone changed your address under your AppleID?