The mysterious case of the unauthorized iTunes Store purchases

09.02.2015
On January 19, I received an email from Apple's iTunes Store containing a list of songs I had recently purchased. The only problem I hadn't bought any of them.

Now, I'm highly paranoid about account issues, and have two-step verification enabled on both of my Apple IDs. I checked to make sure no other settings had been changed and I hadn't seen any telltales of my account being cracked.

While I'm not an active target of abuse, I have waded into the GamerGate controversy, although purchasing about $8 in songs hardly seemed like something done to harass. Perhaps it was a "pilot fish," an attempt to probe at a weakness, see if it could be exploited, and then used for worse ends One of the songs was Mike Oldfield's "Tubular Bells," better known as the theme to the movie The Omen, which did seem a bit ominous.

I contacted Apple's iTunes Store through links for reporting unauthorized or unwanted purchases, explained that I hadn't bought the songs in question, and the charges were reversed. I had to schedule a call with a specialist to get my iTunes Store access unlocked, but my Apple ID remained active. So far, so good. I thought perhaps it was database corruption or some glitch in the system. With the volume Apple handles, unlikely events must occur, however infrequently.

Two weeks later, at midnight, I received a notification that a pre-order is ready to download. The trouble again I hadn't pre-ordered the song. I contacted Apple to see if something else was afoot. (It turned out the song in question was pre-ordered with the set of purchases I'd had reversed, and was delivered when available, so this wasn't a new incident.)

I gave Apple permission to rifle my records, and they were able to pinpoint the date, time, and device: an Apple TV on a Sunday evening, January 18. Curiouser and curiouser. While we own a 3rd-generation Apple TV, we rarely use it at this point, rather turning to the adequate Netflix app and terrible Amazon Instant Video app built into our Samsung HDTV, as we're Amazon Prime customers. (It's truly terrible, with a bad interface, high latency, and frequent crashes. But it's integrated!)

How did we make a purchase from a device we didn't use Then I realized the culprit: an Apple Remote.

Early that Sunday, the power had gone out for 14 hours due to a windstorm that brought down trees in our neighborhood. The power resumed mid-afternoon, and that evening, my kids and I were watching broadcast TV from a Mac mini captured by an old eyeTV tuner--which we controlled with an old white infrared Apple Remote.

Now, we've had that white Apple Remote for several years. The Apple TV is paired with a newer aluminum Apple Remote, and never the twain had met. Until now. Given that we've used both remotes separately for years, we must have hit some peculiar set of circumstances in which the white Apple Remote trained to the Apple TV. (I can't tell if the power outage was the culprit, but the command sequence to pair is "press and hold the Menu and Next/Fast-forward buttons for 6 seconds"--and I certainly didn't press that sequence!)

Then, while pausing, selecting menu items, and otherwise controlling the eyeTV software, I was also invisibly navigating the iTunes Store on the Apple TV and purchasing songs. The sequence of purchases then made sense: all M's--Mike Oldfield, "Mess Is Mine" by Vance Joy, and MisterWives. (No offense to the artists in question; I don't know their work at all, other than Oldfield.)

All that remained was to unpair the white Apple Remote from the Apple TV to get rid of the ghost in the machine.

(www.macworld.com)

Glenn Fleishman

Zur Startseite