OK, I had no idea that the iTunes system was so insecure, but it makes sense, it is in essence a massive new credit card system and there hasn't been 50 years of fraud detection builtin to get rid of unscrupulous merchants and it is entirely online so it is easy to skim. What happened is that when he started using iTunes for the first time, the next thing he knows, his iTunes shows zero charges, but his visa card shows all kinds of $7 and other charges. Here are some stories and the conclusion is, you really shouldn't use iTunes with any kind of credit card right now, limit your liability to the amount of a iTunes prepaid card. Here are some scary stories: 1. Make sure that you have a strong iTunes password. Unlike eBay or any bank like chase.com, there are literally no standards for your password. But to remind everyone, make sure it has a number, special characters and capitals. This makes it hard to hack. Then they logon and change your email and user name so you can't do anything. How clever. So make sure you have a tight password. For that matter, it is true on any account, but iTunes is such an easy target, unlike a bank with all kinds of secondary security. Try loggin 2. If you are hacked some other way, the bad guys have figured out how to disguise what they are doing by making it appear it comes from Apple. This is easy, just put the code APL*iTunes in the merchant string and everyone figures it is big bad Apple. So even if you see what looks like an Apple charge, go to your bank and make sure the merchant code is really from Apple. So what looks like an Apple hack is really something even worse, it is so you need to take any fraudulent charges seriously no matter how small. The thieves basically start with a$1 charge and then hammer up to whatever they can get. Clever. clever.
3. Finally, it could be that nothing was really hacked. Credit card numbers aren't random numbers, there are programs that can generate valid numbers, then it is just a matter of trying that plus an expiration date like crazy until you find a valid number, then start charging. I've had two credit cards lost this way. No skimming that I could prove, but most likely a hacker finding a bunch of valid numbers and then selling them to others. The real nuance is now using charges that look like iTunes micro-transactions to test things. This gets under the radar of the fraud software that the banks have and there you have it.

The net is for security, you can move to prepaid on iTunes because there is going to be so much testing of accounts. Remember, iTunes does not have account lockout no matter how many retries. In sum, here are your lines of defense:

1. Make sure you have an ultrastrong iTunes password. A bunch of numbers, special characters and letters. If you are ultra paranoid (like me, change it regularly)
2. Use a prepaid card on iTunes just to be sure.
3. Study your credit card bill every month and look at all transactions even the small ones. I have to admit, I'm particularly bad on iTunes transactions because they are so small, which is another reason why using a prepaid card and thus keeping small thing out makes sense
4. I have not studied it, but gift cards are a pain, maybe a better solution is to give yourself a regular monthly allowance on iTunes, so you don't have to always go to Costco to get the darn cards 🙂
5. And as usual, all the typical stuff applies, run antivirus, run a firewall, never click on anything in email. While most of the time, it is random number generators, if someone gets into your computer, it is trivial to install a keystroke logger that can get anything you type and more.
6. There are really dark side stories about Apple iPhone developers who have figured out how to scam the system and generate random charges for random people. This might be true and is really scary, so for right now, to be triply safe, try to stay in applications that are on the Apple Top 50 or ones recommended by real publications. They are called App Farms.