Welcome to the Cloud - "Your Apple ID has been disabled."
Welcome Hacker News, Slashdot, DF and TechMeme. Be sure to read the follow up post on "What Good Fraud Detection Looks Like."
So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.
The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.
I've got email in Gmail, music in Spotify, files in Dropbox, documents in SkyDrive, photos in Flickr, and media and apps in the Apple Cloud.
I got this email out of nowhere yesterday.
Dear Scott Hanselman,
Your Apple ID, scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple
After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.
The phrasing of this email is irritating and wrong-headed. Here's why.
- They know it's a device they've never seen before.
- They let it happen anyway.
- They tell me it's for my good in a self-congratulatory way.
"This email was sent as a safeguard designed to protect you against unauthorized purchases." But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.
Stunning.
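The policy the post argues for, as an added example (not Apple's code or the author's): a device never associated with the account is a reason to hold the charge for verification, and an unknown device combined with spree-like spending is a reason to refuse it outright rather than charge first and e-mail afterwards. The account, device ids, purchases and thresholds are all constructed.

```python
"""Purchase authorization that treats a never-seen device as a reason to
stop and verify instead of charging and then e-mailing a 'safeguard' notice.
Constructed example: account, device ids, amounts and thresholds are made up."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # charge goes through silently
    STEP_UP = "step_up"    # hold the charge until payment details / a second factor are re-entered
    BLOCK = "block"        # refuse the charge, keep the account usable, alert the owner


@dataclass
class Account:
    apple_id: str
    known_devices: set                                   # devices that completed verification before
    recent_charges: list = field(default_factory=list)   # (timestamp_s, amount) pairs


@dataclass
class Purchase:
    device_id: str
    amount: float
    in_app: bool
    timestamp: float


def authorize(account, purchase, window_s=3600, velocity_limit=3, spend_limit=20.0):
    """Return (Decision, reasons). The limits are hypothetical tuning knobs."""
    reasons = []
    new_device = purchase.device_id not in account.known_devices
    if new_device:
        reasons.append("device never associated with this Apple ID")

    # Spree signals: many charges, or a large total, inside the sliding window.
    recent = [amt for ts, amt in account.recent_charges if purchase.timestamp - ts <= window_s]
    if len(recent) >= velocity_limit:
        reasons.append(f"{len(recent)} charges already in the last {window_s // 60} min")
    if sum(recent) + purchase.amount > spend_limit:
        reasons.append(f"spend in window would reach ${sum(recent) + purchase.amount:.2f}")

    if new_device and len(reasons) > 1:
        return Decision.BLOCK, reasons        # unknown device AND spree-like behaviour
    if reasons:
        return Decision.STEP_UP, reasons      # any single signal: verify before charging
    return Decision.ALLOW, reasons


def record_outcome(account, purchase, decision, verified=False):
    """Only an allowed charge or a step-up the owner actually completed
    enrolls the device and books the charge; a held or blocked one changes nothing."""
    if decision == Decision.ALLOW or (decision == Decision.STEP_UP and verified):
        account.known_devices.add(purchase.device_id)
        account.recent_charges.append((purchase.timestamp, purchase.amount))
        return True
    return False
```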
I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.
If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.
The part I can't get my head around is this. My password is/was rock solid. I use a password manager; my passwords are insane and have high entropy. Not to mention that Apple knows what devices I have and still allowed the purchase.
Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.
Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.
And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.
I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either.
Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.
According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.
Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.
If you have stories about fraud or hacking, tell me your stories at http://myappleidhasbeendisabled.tumblr.com
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
Whatever it is, this is dang crazy and scary!
I hope this gets resolved for Scott quickly.
Hope it gets worked out and Apple isn't a douche over things. Sometimes they're pretty good but depends on the rep you talk to. However I agree it's silly they let the purchase go through when they knew it was on an unknown device. I can see the balance between customer service and privacy protection but frankly I would prefer them to deny the purchase until I called a 24 hour number or something with confirmation information.
Sebastiaan - I don't use open wifi in cafes anymore. I use a personal mobile hotspot for this reason.
Everyone - I can't imagine a keylogger but does anyone have suggestions for a detector?
http://haacked.com/archive/2011/08/12/random-friday-geek-verticals.aspx
I have never had an issue like this, but it is because I did not depend on someone protecting me. Sorry to hear that this happened to you.
Entropy-542
If the problem persists after you change your password you're generally left with:
1) The problem goes away. If this happened, perhaps they did just brute force your password or got it through some other one-time means.
2) There's still a keylogger/detection scheme active and they'll continue to make purchases.
3) There is no scheme active but whatever this exploit is allows access to game Apple's purchasing system.
I highly suspect this will result in #3. Look at the purchases. $40 isn't cheap in iOS land and if they were smart, chances are they targeted someone that wouldn't think that much money was a discrepancy. Normal id theft (as if it's normal) of the banking variety generally results in large purchases to drain the account immediately in a one-time snatch-and-grab sort of thing. If these stayed at $1 purchases, they might have *never* been detected. This seems too calculated but the door can swing both ways there.
I didn't really want to harp on the evidence because the real issue here is what Chris touched on, that they are allowing you to make bank transactions which are at a point where it's too late to do much. Sure you may be able to get your money back but I think they hope the hassle is so great that you just don't bother. While Bryan Wood has one of the right answers, would you make those suggestions for say your mother? Could they even handle the technical hurdle? This is something that could easily be a part of their system but they're choosing not to by the tone of the email and links provided. I really hope that changes because I know a lot of people that chose iOS devices due to the simplicity and something like this is bound to hit them first. Scott's highly abnormal in this instance...
This happened to me too, but "out of nowhere" appears on my paypal account a subscription about an application for iPhone called Paymo. WHAT THE F*** IS THIS? I never heard that name before. I just cancelled that damn subscription.
WHAT'S HAPPENING APPLE? I WANNA GET MY MONEY BACK!!!!
One of the things I do that really protects my online funds is I do not use a regular Visa/MC/Amex. I have a "Debit CC" which only contains as much cash as I ever load onto it. It's not as convenient as whipping out the Visa but almost all online sites accept them as a CC. The advantage is that I cannot lose any more on the card than I preload onto it. If it's compromised ever, the most I'll lose is maybe $15. I can load far more than that on there but I don't. It also keeps me conscious as to how much I can/will spend online.
Sorry to hear about your hassles. This hasn't happened to me yet luckily. While the cloud is the de facto destination for consumer oriented software products today, the governance of data in the cloud and lack of security and perimeterization is the reason why large enterprises have not yet adopted cloud computing as the data center architecture of choice. Most enterprise data is still stuck in their own physical data centers in private clouds. Privacy and security are still concerns for large enterprises. This will change of course as more solutions are developed to help migrate old identity and access management tools to the cloud to help bound the perimeters and secure data at rest or on the move. Regulatory compliance is also a key driver; the EU is very strict about privacy for instance. But Sun Microsystems got it right a long time ago when they predicted that the network is the computer. The future is about big data in the cloud with better protections around privacy, identity and access rights and streaming services that you can use to get at your data from anywhere using just an Internet connection. Insurance companies will produce products to protect against data loss or theft like they do for banks today. It'll get better over time as the tech matures.
Cash Gift Cards all the way (except for steam and amazon, I have no choice in both)
It's apparently been going on since at least December 2010, and with 590 replies I'm guessing there are thousands of people who have been hacked.
"They let it happen anyway."
This is the message you get when you first use a new computer to purchase from iTunes/app store.
Piet - Nope. ;)
Also re: losing access... Tried reaching out to Apple? Maybe with a few of your Web Fame credits to cash in they'll give you a reasonable response :-)
It's insane these days what you have to do in order to protect your accounts and money when you're online. I had an iPhone for about a year and had so many issues with the App Store and iTunes, I simply gave up and went to Android. I've had a LOT fewer problems since switching over. It seems Apple has been complacent in allowing this amount of fraud to continue for so long. I'm really shocked they haven't done more to protect their users.
I'd be more likely to return to using Apple products if they made a better commitment to security and did a better job of protecting their users.
And no, it doesn't help to have a strong password any more, the whole system is simply wrong. Username/password style of authentication simply doesn't scale in the Cloud era, it's simply outdated. We need to go back to the drawing board and invent something totally new and much harder to crack, with full support for deprovisioning of your online identity at any time and yet practical for daily use. Fingerprint, digital signature, genetic recognition, something on that line.
Robert - You nailed it. Auth has to change. I vote for eyes or fingerprints. Stuff I don't have to carry around.
Crash - What's different on Android with regard to payments?
Chris - They have no online presence! No blogger, no twitter, nothing but a support form. :(
http://connect.microsoft.com/systemsweeper
Glen
The best solution would be to log in with a password, confirm via phone, then confirm via your e-id with a code; after that they would send you a letter to ask for your autograph, which you can fax to a secure number at the White House.
Simple really.
@Scott - do you type in the password or paste? Curious what password manager you use - as some of the "popular" ones have more holes than Swiss cheese. Next, do you use a browser "remember my password" or some other mechanism to make it all easier/quicker?
Finally - with the "cloud" there are so many attack vectors, with devices like the phones and whether you have the passwords on there, or services like Dropbox (which you use right) and so on, one wrong move can open it up.
I can't tell specifically what's different, but I have yet to have the experience I had on Apple, where I had the same experience you had. On Apple, I used to have mysterious app payments and got a few of those emails before using a limited fund credit card. Even after resetting my passwords, and changing to this type of credit card, it STILL happened. It took several months of diligent follow up emails and calls before I was reimbursed.
I haven't had any issues with the Android app store and mysterious apps getting purchased.
Scott, sorry you got hacked. I can't say that I would have expected Apple to deny the purchase simply because it was on a device you hadn't used before; usability would suffer too much for the average user (although I can certainly see it being an account option).
It is ridiculous that the only thing they tell you to do if you didn't make the purchase is to change your password and "protect your account". There needs to be a direct link to the dispute process.
As an iPhone user I would be interested in knowing how this happened if you ever figure it out.
"I vote for eyes or fingerprints. Stuff I don't have to carry around" - Scott
Where do you put your eyes and fingers when you're travelling?
Make this public, go to the media. One thing I've noticed is that Apple only takes care of the problem when The Guys With The Money, a.k.a. investors, do some gentle (but effective) pressure.
Remember the iPhone 4's antenna, the mac security breach...
They are very good on production and innovation, but very lazy in the maintenance of their flaws.
Ever thought about emailing BBC or CNN about this?
I'm pretty sure they will like it!
https://expresslane.apple.com/GetproductgroupList.do
Tell them what's wrong, supply an email address and they will get back to you within 24hrs. In my opinion they have some of the best tech support out there.
They seem to bend over backwards to make sure you are happy with the outcome.
Apple is impossible to reach. Their advice is to email them and wait 24 hours for an email response. Quite useless. Thankfully PayPal was extremely helpful. They told me they had hundreds of similar calls and would suspend my account immediately. They reversed the charges although it took about 10 days to get my money back.
I have since disconnected iTunes from Paypal and therefore my bank account and only use iTunes giftcards. I don't trust Apple at all and it's obvious they could care less what happened to me.
- What did Apple Support say about it? Did you contact them? Did they not refund?
- Were you able to use your already downloaded apps/music/email/movies in your phone after your ID was disabled?
Check it out here
I never got an email from Apple when it happened. I had to contact them when I discovered my well-funded account (with iTunes gift cards) had been drained. They quickly disabled the account, refunded the charges, had me change the password, etc. So they made me whole... but you don't have to do much work on Google to find a LOT of other people this has happened to.
It's not an isolated problem... Apple might argue that their system is secure (and it may very well be) and there's nothing they could do. But they COULD educate users about the problem and provide guidance on how to avoid it.
In the meantime, I (still) only fund my account using gift cards and recommend to friends and family that they remove their credit cards/paypal from their iTunes account.
My suspicious mind has failed me again :-)
Do yourself a favor and sell anything Apple and go Android.
That seems out of proper sequence.
Besides, if you truly do use a difficult password, and someone can "guess" it (which I suppose means brute force it), then that means Apple is letting someone try what is basically an infinite amount of guesses till they get it, which I still have problems with. This could take years in some cases... especially if your password is very long with lots of good entropy. I make similarly good passwords. but alas, I have never installed iTunes. I don't have an iPod. So I can't compare there.
There is something mysterious going on OR Scott is just making it up that he uses a strong password. I don't think it can be both or neither, can it?
The two bloggers are way too quick to simply dismiss it. When MSFT does something wrong we call it out. I guess when Apple does something wrong we call you the liar or dismiss it.
Especially anyone that thinks 8-10 random characters means much of anything at all.
Basically my story is such (it's going to be long, it needs to be to describe fully the situation i was put in):
i used to own and love my iphone, and i'd happily make many purchases in the app store. angry birds had not long been released and after trying the demo i was keen to purchase the full game. i tried and it failed. "ok", i thought to myself, "i must have typed my password incorrectly". so i tried again. and again. and again! i soon realised i was not going to be getting angry birds that day.
so after a simple google search i found apple's password reset functionality online, and attempted to regain control of my account. again i was met with difficulties - none of my details were being accepted as matching any account.
my next thought was to email apple's customer support to get to the source of my issues. by this time i was growing very suspicious, and concluded that my account had been hijacked, and the password had been changed by the assailant. i had no idea how this could have happened: my original password was unique to my itunes account and i had only ever entered it once on my computer when i initially set up the account (upon receiving my iphone) 18 months prior. the password was a 10-character-long alphanumeric non-word (i.e. reasonably strong). so i expressed my concern in an email to customer support, stating i was suspicious of what had happened and that i had tried to reset my password.
when i got a reply, the customer service rep asked me to try resetting my password! as you can imagine this was frustrating, i had already explained i had tried this, so it felt like i got a stock response. crucially, the email did mention that account was registered to some unfamiliar email address - indirect confirmation that it had been hijacked.
i reply to the email expressing my annoyance with the previous communication, and demanded more than a stock response. after sending this, i checked my bank account statement online and spotted a number of itunes purchases made the previous day - after i had initially noticed my account was inaccessible. i quickly send another email informing the representative of this and how imperative it is that action is quickly taken on this.
over 24 hours later and no reply, i was on edge - my bank balance was in the hands of somebody who had forcibly gained control of my itunes account. so i then went back to apple's website, thoroughly irate, and used their contact form to explain that i had not had any follow up on my issue, and that i wished the account be completely locked down to stop any further fraudulent purchases. i also expressed my concern that i was not alerted to any changes of my account details (every single piece of information associated with my account had been changed - email address, password, security questions) and raised questions around their lax security policies. after all, apple's policy is that you can only link a limited number of computers to a single itunes account. i postulated that common sense dictates that bank account details should have to be re-entered whenever a new computer is linked to an account - this would instantly stop, or severely inhibit, one's ability to commit this kind of fraud.
another 24 hours passed and a different customer services rep gets in touch with me via email. thankfully, this time - 3 days after realising something was amiss with my account - i am informed that my account has been locked down and no purchases could be made until i re-enable the account; if i can prove ownership of the account. as proof, they asked for:
- the last four digits of the credit card used for your iTunes Store account
- the order number of your most recent purchase
- or the name of any item you've purchased using this account
i was astounded to read this! to re-enable my account all i had to supply was information that is viewable when logged into itunes! anyone with access to my account could have very easily attained this information and re-enabled the account. the customer services rep rounded off the email by explaining that the itunes store cannot issue refunds and that i should question my bank over the security of my bank account. the general feeling was that i was being blamed for the breaching of my account and that it was my bank's problem, not theirs.
in my response i made an analogy to help convey how broken their security model was. i explained that linking a new computer to an itunes account (in this case, the new computer being that of the hijacker) is comparable to adding a new delivery address on an e-commerce website, for example's sake, amazon. on amazon, when you add a new delivery address, you cannot instantly start paying for items to be delivered to this address; you must first re-enter all credit card details. this is a final security step that means a hacker must have gained access to both your account details and your credit card details. this security step alone massively limits the likelihood of fraudulent purchases being made from any amazon account. i demanded to know why apple didn't have a similar security measure.
furthermore, i wrote how i was left incredulous that i was not able to contact anyone dealing with account matters by phone. if i could have spoken to someone in person, i could have instantly had my account locked down, instead of waiting 24 hours for every email reply (by now 3 days in total). it is interesting to note that they do provide a phone number for technical issues with itunes. it was astounding that itunes technical support issues were seen to be more deserving of phone support than fraudulent purchases being made via a stolen itunes account. at one point i phoned technical support demanding to speak to someone about my account. i was politely told that account support is not provided over the phone.
during my 3 days of emails with customer support, i decided to take a different tack and email apple's PR department explaining the situation. someone from PR phoned me, leaving an answerphone message telling me i would receive further correspondence shortly. as you may have expected, the further correspondence never materialised. so i email them again, 5 days later (i was giving up hope by now), demanding further explanation.
eventually i get a phone call from a PR person explaining that they will not refund the purchases, and that my bank must refund me. i contact my bank, and the bank also refuses to refund because the security breach is made on apple's end of things. i phone the PR person explaining this, and after much arguing the rep decides they will refund me - in the form of an equivalent amount of money in itunes credit. i was seething!! i could not believe they considered this a satisfactory refund - i was never going to use itunes again after all of this, why would i want itunes credit?!
the next day the customer service rep gets back to me (a week after their last correspondence), apologising for the delay in reply. apparently they'd had "a bit of a backlog". it was comforting to read that my hijacked account was prioritised amongst this backlog such that it takes a week to get a reply! helpfully, the rep also carefully detailed how i could go about re-enabling my account. of course, after this farce, i still had full trust in apple to continue to keep my credit card details secure - the credit card details that they store on their server (hint: sarcasm ;-))
that was the final piece of communication i received. i was left out of pocket, with nobody willing to refund the fraudulent purchases. heck, i was even willing to accept responsibility for the initial fraudulent purchases (despite still not understanding how my password had been stolen), but surely i was not to blame for purchases which were only possible because of the incredibly slow turnaround time on emails from the customer services reps. for these i was sure i should get a full refund (i.e. the money put back in my bank account!)
but alas, it was not to be. to this day i have never received any sort of refund from my bank or apple. personally i felt it would be more appropriate for apple to issue a refund, being as they didn't take due care to protect my credit card details (not that they were directly stolen, but that app store purchasing via my credit card was made capable by apple's security measures). after this whole affair i never re-enabled my account and i never learnt how my account could have been hijacked.
apple also refused to accept that their security measures were lacklustre. these simple measures would make it incredibly difficult (and thus incredibly unattractive) for people to go down the line of making fraudulent purchases on itunes.
+ require all credit card details be re-entered when any new computer is linked to an itunes account
+ offer phone support for issues regarding stolen accounts and fraud
+ whenever any itunes account details (password, email address, security questions) are changed, send an email to the customer (or to the customer's previous email address if the email address itself is changed)
+ to re-enable a disabled account, require more than some information that is readily available to the hijacker of an account
TL;DR: apple has crap customer support for issues regarding stolen accounts and fraudulent purchases, apple refuse to accept responsibility for their lax security measures, apple refuse to offer refunds for fraudulent purchases
Hope this has been an interesting read - it took me a long while to type up the tale!
EVERY time I attempt to buy, update, or even view the marketplace, my account is disabled, I've changed my password so many times I've given up on the device all together.
Windows Phone 7 is where it's at.
Now that has been fixed, but I guess some new security leak has been found by crackers, maybe just Chinese high school students, as what you bought is a game in Chinese.
You got your password hacked. You screwed up. Deal with it.
In the end, I figured out that I was phished. Even though, like you, I'm very careful and have unique passwords for every service, I did something careless one time which resulted in my account being used to buy crappy Chinese music, videos and apps. The phishing came at me via a Facebook app that promised to show your iTunes plays on your profile or wall -- can't remember exactly.
Apple was cool about the whole thing, reversed all the charges, and allowed me to de-authorize every device on my account and start over, although, I must say, it was *very* difficult to get started on the whole process. Finding the right contact, getting a response, etc. took well over 2 days.
It is my understanding that this was one of the primary causes of security weaknesses on earlier versions of Windows. The move to developing code in a more managed environment seems to be not only more productive but also more secure since developers are less likely to misallocate memory, which could cause some security loopholes. In some senses therefore delegation of responsibility to a centralised authority, in this case the CLR is perhaps not a bad thing.
Obviously the issues you are experiencing go far beyond OS security loopholes and into the realm of Organisational issues and Customer Experience Management at large. I think you have raised many important and valid points. I hope someone at Apple will appreciate, understand and take action to resolve your issue. If they don't it would seem mad!
I couldn't track my iPhone from the police station, since Apple for some reason doesn't enable this feature on an iPhone 3GS, which is just bullshit. So I used Time Machine to set up my new laptop. When I tried to set up my new iPhone with a backup, I got the notice that none of the apps were transferred since my Apple ID hadn't been activated on the new laptop. (Notice: the happy news was provided AFTER the lengthy restore process.) After authorizing my new laptop, the restore worked. But I had to wait for my new credit card to arrive before being able to access the App Store since I didn't have my security number. (Which I noticed upon wanting to update some apps.)
In short: the whole user experience about activating computers etc. is designed badly. I need to enter my main Apple ID password every time, even if I only want to update apps or install a free app. It's a bad thing, since someone only needs to film my screen behind my back and he gets both my ID and my password. All security measures seem to make the life of regular users harder without actually preventing fraud.
Luckily, my insurance paid for a new laptop and iPhone.
PS: How and when exactly did your account get disabled and when did you get the notice on your iPhone? You don't seem to have mentioned it inside your article.
I have 10 app's total, no random purchases, i activate my ID, leave my phone turned off for a MONTH. Turn it on, update the apps, OH SHIT LOOK, MY ID IS DISABLED AGAIN.
Apple's system is as retarded as Microsoft's LiveID implementation that prevents me from being a Windows Phone 7 Developer without creating yet another Live ID account, to go with the other 4 I already have.
My gut tells me: Not a hack, but a serious bug. I've seen such bugs.
Originally I thought your thesis was: "There's a few problems with how Apple is doing things. One is how the heck did anyone purchase something as me and the other is why would Apple do things in this insecure order (sell app, disable id, notify you)."
So yes, I "missed" the point as well. But your clarified thesis does apply to anyone and anything. The more you start using that Live ID and get a Gamertag and Gold account and a WP7 and use SkyDrive and so on and so on... everything is wrapped up in that one ID. As we've seen recently in the news, you had BETTER have both a great password AND you have to wonder how seriously your vendors are working to protect it.
Not quite. I am, indeed, familiar with the cloud, which is why all my valuable stuff is on my own PC, backed up to a pair of offline external HDDs. And that is where it's going to remain. As far as I'm concerned the cloud is severely affected by Emperor's New Clothes Syndrome, and I want nothing to do with it.
Scott, I think I know the solution to your problem: What was the password you were using, sir?
I do not think they had complete access to your account, as they could have changed the password.
I would also try to contact the company that got the in-app purchases (Pearl in Palm) and ask them if they have any further evidence, sending them the details of the fraudulent purchases: maybe you can get something like the IP address, name etc. of the client iPhone that at that time connected to their game server (I know, difficult but...)
As a general rule for security I have sms notifications for every use of my credit card.
As authentication I find the two-way (password + changing token on device) secure enough. Google is implementing that and I enabled it, and every time I connect on a new device it asks for the verification code.
These warnings are always for a free app that I actually do have. I don't think Apple is able to accurately keep track of the devices (our family has several). And iTunes keeps making me re-enter the 3-digit "security" code for my credit card, even to download free stuff. I usually end up just removing my credit card information entirely and re-entering it when I want to make a purchase.
When I was investigating this, Apple was unable to tell me anything about the device that was supposedly used to purchase these free apps. IP address? Nope. Name of the iOS device? Nope. Serial number? Nope. I was hoping they could, because I strongly suspected that it really was one of my devices and not a new, unknown device.
According to Apple:
"[...] when a new device is added iTunes creates a separate identity number for the device. This is an auto-generated number and does not store any details on the device; this is just to indicate that a new device was added. This is why I am unable to determine anything about the details of the device used."
I'd like to have the option to "officially" register my devices, associate them with my account, and prevent other devices from accessing my account at all. Or at least have it log the details about the device used to make any purchases.
Your Apple ID, [removed], was just used to purchase 123D Sculpt from the App Store on a computer or device that had not previously been associated with that Apple ID.
I just downloaded 123D Sculpt on my PC using iTunes, the same "device" that I've used to access the iTunes store about a billion times. Like I suspected, their method of keeping track of your devices simply doesn't work.
Here's what I've figured out/learned:
1) You are apparently safer using a credit card in iTunes because Apple removes that information from the account when someone attempts to access the account from an unknown device. It's not the hacker/thief changing your information and deleting your credit card, it's Apple. However, Paypal and Gift Cards are left attached to the account. This is what the hackers are draining.
2) Almost everyone who's had their account hacked has had a download of a Chinese app by one of a select few vendors. The app downloaded from my account was Lakoo's Empire Online. The app is free, but the in-app purchases drain the balance.
3) Strangely, there's at least one iTunes user who's had the problem and downloaded an app that was bought on his hacked account and then used to make in-app purchases. He wanted to see what was going on. Strangely, he could find no way to make purchases through the app.
4) There are several Apple Support Discussion threads about the problem, including one (https://discussions.apple.com/message/12670235#12670235) that is currently 40 pages long and started in November 2010. Apple has made no official reply and sends out the same form response to each inquiry about that problem.
So far, many people who've had the problem have told me that with a gift card balance, they now create a Wishlist that totals the full amount of their gift card, then apply the card and spend it all at once, rather than leave it in their account.
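The "officially register my devices" control wished for a few comments up, combined with the "password + changing token on device" second factor another commenter describes, as an added example that is not Apple's code or any commenter's. It assumes a hypothetical account record, constructed device details, and an RFC 6238 TOTP secret (the RFC's published test key, used here only so the codes match the RFC's vectors). A purchase from an already registered device goes through; an unknown device is refused until a valid TOTP code is supplied, after which the device is enrolled; and every attempt, allowed or denied, is logged with the device details the commenters could not get from support.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the 'changing token on the device' is HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock drift), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * step, step), code)
        for i in range(-window, window + 1)
    )


class Account:
    """Hypothetical account record (an assumption, not Apple's data model)."""

    def __init__(self, apple_id: str, totp_secret: bytes):
        self.apple_id = apple_id
        self.totp_secret = totp_secret
        self.known_devices = {}   # device_id -> friendly name; filled only after verification
        self.audit_log = []       # every attempt, with the device details kept for later review

    def register_device(self, device_id: str, name: str) -> None:
        self.known_devices[device_id] = name


def attempt_purchase(account: Account, device: dict, item: str, unix_time: int, code: str = None) -> str:
    """Known device: allow. Unknown device: deny unless a valid TOTP code accompanies the
    request, and only then enrol the device. Returns the decision; the audit entry keeps it too."""
    entry = {"item": item, "time": unix_time, "device": dict(device)}
    account.audit_log.append(entry)
    if device["id"] in account.known_devices:
        entry["decision"] = "allowed"
    elif code is not None and verify_totp(account.totp_secret, code, unix_time):
        account.register_device(device["id"], device["name"])
        entry["decision"] = "allowed_new_device_verified"
    else:
        entry["decision"] = "denied_step_up_required"
    return entry["decision"]


def demo() -> list:
    """Constructed walk-through: one registered PC, one never-seen phone, five attempts."""
    acct = Account("user@example.com", b"12345678901234567890")  # RFC 6238 test key, constructed account
    acct.register_device("pc-itunes-01", "Home PC (iTunes)")
    home_pc = {"id": "pc-itunes-01", "name": "Home PC (iTunes)", "ip": "192.0.2.10"}      # constructed
    stranger = {"id": "phone-unknown-77", "name": "iPhone", "ip": "198.51.100.23"}        # constructed
    return [
        attempt_purchase(acct, home_pc, "Free App A", 59),                                # allowed
        attempt_purchase(acct, stranger, "In-app credits", 59),                           # denied
        attempt_purchase(acct, stranger, "In-app credits", 59, "000000"),                 # denied
        attempt_purchase(acct, stranger, "In-app credits", 59, totp(acct.totp_secret, 59)),  # verified
        attempt_purchase(acct, stranger, "In-app credits", 120),                          # now known
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the design is that the unknown-device signal blocks the charge rather than merely generating a courtesy e-mail after the fact, and that the audit entry records who asked from where, so a dispute can be investigated instead of answered with a form letter.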
Do Apple's various cloud services suffer from massive security holes? Unknown, but it's at least as likely (being generous to you here) that the breach occurred on your end. However, we do and we should expect more from Apple in getting this problem ironed out. The request that you reset your password is actually the best first step that YOU can take and Apple was right in suggesting it. It might resolve the issue at best, and at worst will help troubleshoot the issue.
I think your most valid complaint is that Apple needs to make it easier to resolve the problem. Like many other online services, Apple's process is arcane.
Apple does need to take security more seriously, even if the original problem is not on their end. The safeguards they have in place, while good fwiw, are not good enough or clear enough. It's especially troubling that PayPal seems to be the weak link. I hope that Apple doesn't do that buck passing dance and merely blame PayPal, but takes ownership of the problem. Both vendors need to work together or they will both suffer, not to mention that the client is suffering.
I suspect you got phished via a PayPal purchase or you've got malware on your PC. Your anti-malware software is only as good as its updated signatures.
Repeating for emphasis: This is not an Apple only problem, but Apple needs to step up their game. Their reputation for "it just works" must extend to security, whether in helping to prevent exploits, or that reputation is going to suffer. A lot of these schemes are exploiting the seams of the cloud, where services from different companies meet. In this case, Apple and PayPal could potentially point fingers at each other, leaving us all vulnerable. Or they could both do the right thing and work together. If one or the other refuses responsibility, then the other needs to bite the bullet and take full responsibility. That one, in this case, should be Apple.
I don't think this contradicts your main points, but a few of your commenters seem to totally miss this and see this as an exercise in Apple bashing.
A quick google of "GSM security issues" will bring you a plethora of information, including a link to a presentation given at the recently held Black Hat Conference on how easy it is to intercept GSM based cellular data. If you are security conscious, I would recommend getting away from GSM.
I was thinking about the possibility of a Cydia tweak or other apps not approved by Apple making purchases with my account, or using a method similar to phishing.
My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy.
This reminds me of the recent xkcd comic about strong passwords http://xkcd.com/936/
Without some forensic investigation of the apparently multiple exploited accounts to look at the commonalities, there really is no way to determine what the situation is. It could be an exploit in iTunes, the methods that the victims used, the OSs in place...
Or, maybe their cloud has been seeded to cause some rain (aka, they got bugs)
My experiences with Droid/Google are still pretty short - about 1 year now. Both my wife and I had "suspicious" activity on our email accounts (about 4 weeks apart from each other) and Google just switched them off. Had to do the song and dance of resetting passwords to get them back on. I have also discovered that people are targeting mobile apps with Trojans, viruses, etc. I now run Lookout on my Droid. Past that, my trust level is much closer to ZERO with cloud/mobile/passwords/etc. I don't have an answer and most of the things I have seen on Cloud Security are from a software perspective. Think about it on a hardware level some time...
He's the one above who said, "As far as I'm concerned the cloud is severely affected by Emperor's New Clothes Syndrome, and I want nothing to do with it."
I was at a friend's house, and he asked me to buy something from Amazon and send it to his brother's home. Since I was on the iPhone I tried to make the purchase right there. But Amazon didn't let me do it because I was on a device never used before to buy (I usually make my purchases from my PC) and sending to an address never used before.
A little annoying at the time, but at least I know that I was covered by Amazon.
Apparently iTunes is not very secure.
I'm stumped but this seems to keep happening over and over again with increasing frequency. I'm at the point where I'm about ready to cut up all my credit cards and say goodbye to the bold digital future. It's getting ridiculous.
and then you will notice a rash of reports the year before, and the year before that and a year before that...
this happens daily, probably 30 accounts are "stolen" daily...
however that is not what is really going on. the 30 accounts are stolen, but they are sold into a black market in china, that will resale those maybe even a year later.
it is not iTunes that is being hacked, it actually is the PC that is hacked.... it does not matter how strong your password is, when you have a virus/keylogger just simply taking all that info and sending it off to a server in China.
and the reason people can not figure out what is going on, is for two reasons, your personal information was stolen A YEAR AGO...... and 2. Virus checkers on PC's are worthless, unless you like to catch old viruses... they do not show you the new Virus or keylogger going around... which isn't the point, because your ID WAS STOLEN A YEAR AGO anyway.... maybe even two years ago... then sold into a black market,
where people buy your id months or years later.....
do some Googling, and you will find that people can buy stolen id's (in china) for something like $3, (the bidding varies) and they are advised to do all their buying with the stolen id in the next 24 hours... (which is good advice, since apple used to not check every hour for weird purchases)....
what you do to prevent this? BUY A MAC. that will eliminate 99% of the problem, for the other 1%, simply be smarter than average PC user and don't download questionable content from some website or email....
then you will be virus free/malware free...
again, this is a fact, it is not iTunes being hacked... it is the personal Computer being hacked.... every single year, people's first thing out of their mouth is my iTunes account was hacked... wrong... second thing out of their mouth, apple iTunes is hacked.... wrong....
it is your PC, worse it was your PC from a year ago....... have fun tracking that down.....
and if they are legit, YOU STILL ARE GOING TO BE SCREWED someday, because every single year, a legit anti-Virus software package accidentally destroys the persons data that it was supposed to protect, through one of their constant updates to that software that had a bug in it...
Phishing of your information is a good source of stolen ID's too.. and you always hear the person later... "but I don't know what went wrong"?? i didn't get a virus? I checked my computer?
the thing is your Phishing episode was done months ago.... your virus/keylogger was installed months ago, took your information, then deleted itself....
yes, it is a huge problem. (for PC users) Companies can do very very little for people who just give their passwords away.... block the bad app now, and a new app pops up... block purchases from IP addresses, and new ones appear, block from new devices, and have a logistic nightmare on your hands...
I doubt that your iPhone/iPad has been hacked, but most probably your PC/Mac might be controlled by a Trojan, if your passwords seem to be revealed to persons you don't know at places you haven't been, buying stuff you haven't ordered.
Lots of other people having the same problem doesn't need to mean Apple is bad, but could also mean that other people have infected PCs as well. Trojans are there to spread spam, steal computing power and especially take your CC numbers and passwords and turn them into money.
You might want to run a clean installation of your iTunes host.....
And avoid using admin accounts for surfing the web.
And another good choice is to run a virtualized OS installation for iTunes that you don't use for surfing the web.
The same thing has happened to me recently, can't get my blinking iPhone to stop saying
YOUR APPLE ID HAS BEEN DISABLED
friends are all smug laughing at me with their HTC windows devices....:-(
Helen uk
Every time I make a purchase with a new device using my Apple ID it asks me to enter the security code on my credit card. Otherwise the transaction from within the App Store or iTunes Store never completes. Once I enter my CC security code and finalize the purchase I also get the email you mention. In your case I think the person doing the fraudulent purchases has both your Apple ID and your CC info.
Hope you can solve this soon.
Regards,
- Michel