
The Strange Case of John Dillinger and the Fraudulent Apple ID - duck
http://programmingzen.com/2012/01/12/john-dillinger-apple-id/
======
pvarangot
Welcome to the modern "usable" internet, where mail validation "spoils the
user experience" and "is bad for conversion rate". I guess Apple has a valid
way to subscribe without e-mail verification somewhere.

Let me tell you a story, sorry if it is somewhat OTish, but I really feel
related to the programmingzen guy. Back when I got my Gmail address I got a 6
char username account of the form name+surname initial. My name is Pedro, it's
not that common but neither is it a bizarre name. At the moment, I can count 5
different people who sometimes think they own my e-mail address, or have
e-mail addresses that are similar enough to mine so that people usually mail
me instead of them.

About a month ago, one Pedro subscribed to Redbox. It seems Redbox has kiosks
where you can instantly subscribe and order your first DVDs there, those
kiosks do no mail validation. Someone used my e-mail on the kiosk, and ordered
his first DVD. I got the receipt in my inbox.

At first I thought he would realize he did something wrong and fix his Redbox
account from his computer later. He didn't. In fact, he somehow managed to
order more DVDs, so I got more receipts in my inbox. I used the password
recovery feature and logged into his (or mine?) Redbox account. There was no way
to delete it, neither was it possible to avoid getting receipts by e-mail.

I contacted Redbox support asking them to close the account, or at least stop
sending me receipts. This was their proposed solution to my problem:

 _As long as he or she keeps using your email address, you’ll continue to get
receipts. To avoid receiving them, please block the sender’s email address or
mark the messages as spam. If those options don’t work, you might need to
contact your email provider._

So yeah, Apple is not the only one who doesn't care about people who by chance
get subscribed to their services.

Fortunately, after about three weeks, Redbox started mailing me and asking me
for e-mail validation with big red banners and all caps subjects. I didn't
reply to any of those e-mails, and it seems they finally deleted the account.

Free anecdote: Once, one of the other Pedros' mom died. That week my inbox was
completely surreal, and sad.

PD: I live in Argentina. So no, free DVDs were not an option for me.

~~~
tlrobinson
I have the same problem. Most recently someone signed up for a _DirecTV_
account with my email. I went back and forth with DirecTV customer service
about 5 times before they removed my address.

I have to wonder if these companies are violating the CAN-SPAM act by not
giving us an easy way to opt out...

~~~
wahnfrieden
IANAL but you don't need opt-out for transactional emails.

~~~
tlrobinson
A lot of times they'll sign you up for their marketing emails as well.

------
ghurlman
The fact that not only will Apple not delete the account, but also not do so
much as flag it as potentially fraudulent blows me away.

What positive purpose could that possibly serve?

~~~
Samuel_Michon
I'm just as puzzled by this. If a customer makes it clear that he wants to
pack up and go, why wouldn't you just let him?

It reminds me of the way Facebook treats its users. I've tried to get rid of
an old account, and I found it's nigh impossible. The most a mere mortal can
hope for is for the account to be put in hibernation mode -- but if you ever
make the mistake of logging into the account ever again, bam! You're back.

I've had the same Apple ID since the day iTools launched (in 2000), and I've
never felt the need to cancel or delete an account, but I assumed they would
let me! I see no good reason Apple would keep around every account that was
ever created.

~~~
BrandonMTurner
You really shouldn't be puzzled at this. It is actually pretty easy to explain
if you have ever worked on a large scale website before. The problem is you
begin to accrue large amounts of data and metadata (data about your data). And
just "getting rid" of that data is actually hard at scale for a few reasons:

1) Let's say I post on your wall and then I delete my account. Does that mean
the message should be removed from your wall? What if you really liked the
conversation in the comments that took place after I posted the comment, you
are just out of luck? It gets trickier and trickier to handle these types of
problems as things like groups, forums, and tagging get added to the social
network feature set. All of a sudden it is very confusing and unclear what
exactly should happen with this type of data. Let's say you do keep that
message, then how much of the deleted account is required to keep alive to
maintain your database relations (this assumes you are using a normalized
relational database to manage your site)?

2) The site I work on gets a lot of data from users. It isn't uncommon to have
~5MB from a single user in our database. The actual delete operation on those
tables is really rough. If 4 users all tried to delete their account at the
same time, doing a straight DELETE on the tables would be horrible. Not to
mention it leaves holes in your tables in some cases.

3) Is it actually legal to delete the data? Can Apple just delete an account
where charges can be placed? I would think they need to keep a history of who
used what credit card and so on. I am guessing that medical records and emails
for large companies have some kind of restrictions about data retention.

4) The backup issue. If a user deletes their account, does the user expect
that the company also goes through all their backups and deletes their
information from there as well?

All of these things add up to a pretty big burden pretty quick and I think it
is logical to see why companies might choose to not allow people to delete
their own data. I can also understand why people disagree with that decision,
but it really shouldn't be puzzling.

~~~
VikingCoder
It should be just as puzzling as any other security / privacy issue. No more,
no less.

If a website doesn't take security and privacy as high priority concerns, then
they don't want me as a user. I hope to educate more people to feel the same
as I do.

------
rshm
If the US has an equivalent of the Data Protection Act, the author could demand the
addressees and other history of the account from Apple.

~~~
toyg
No, they only have CAN-SPAM. As long as Apple doesn't actually send emails, I
believe they can keep the address indefinitely; however, the minute they shoot
out a promo email, they have to obey CAN-SPAM, so the user would have a right
to be removed from the database.

------
flomincucci
I thought it was an Apple mistake. At least five of the people I follow on
Twitter received this John Dillinger mail, and there's a person in the
comments saying he/she received the same mail. (And all these persons have
nothing to do with each other)

------
_rs
Maybe I'm on the wrong trail here, but might this have something to do with
the transition of AppleID/MobileMe -> iCloud?

If this email was (a) an Apple ID, or, more likely in this case, (b) an email
address associated with an old Apple ID (that wasn't already in the form of
a@b.c) then Apple could have just converted it to their new form of "every
apple id should be in email address form", which I've noticed has been pushed
far more with the transition to iCloud.

Though what throws me off is "Welcome to the Apple Online Store". Very
specific. Too specific.

Has this email been used for purchases from Apple, at the very least?

~~~
acangiano
> Has this email been used for purchases from Apple, at the very least?

Not that I can remember.

------
mrgoldenbrown
I'm not sure I would have contacted Apple about this, given their penchant for
punishing security researchers who bring problems to their attention.

What I don't fully understand is if the attacker doesn't need access to the
email account in question, why would they even use valid email addresses?
Wouldn't it be less risky to use bogus addresses?

~~~
jon2512chua
It's because most registration forms not only check that the email address you
entered is valid but also whether it exists. This is done by using nslookup to
query for a domain's MX record and then checking the specific address.

Here's a post I found detailing how to use it:
[http://www.webdigi.co.uk/blog/2009/how-to-check-if-an-email-...](http://www.webdigi.co.uk/blog/2009/how-to-check-if-an-email-address-exists-without-sending-an-email/)
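The MX/SMTP check described above only proves an address is deliverable, not that the person signing up owns it, which is exactly how a stranger ends up receiving someone else's receipts. As an added example (not from this post, nor from Apple, Redbox or any company in the thread), here is a minimal Python sign-up flow that keeps an account inert until the mailbox owner presents a signed, expiring token, and drops sign-ups nobody confirms; the secret, addresses and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only; a real service keeps it out of source.
SERVER_SECRET = b"example-secret-not-for-production"
TOKEN_TTL_SECONDS = 24 * 3600

def _mac(email: str, expires: int) -> str:
    """MAC over the address and expiry, so a token is useless for any other address."""
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_verification_token(email: str, now: float) -> str:
    """Expiring token that is only ever sent to the address itself."""
    expires = int(now) + TOKEN_TTL_SECONDS
    return f"{expires}.{_mac(email, expires)}"

def verify_token(email: str, token: str, now: float) -> bool:
    """Accept only an unexpired, well-formed token whose MAC matches this address."""
    expires_str, _, sig = token.partition(".")
    if not expires_str.isdigit() or now > int(expires_str):
        return False
    return hmac.compare_digest(_mac(email, int(expires_str)).encode(), sig.encode())

class Registrations:
    """Sign-ups start pending; no receipts or promos go out until the owner confirms."""
    def __init__(self):
        self.pending = {}    # email -> sign-up time
        self.verified = set()

    def signup(self, email: str, now: float) -> str:
        self.pending[email.lower()] = now
        return issue_verification_token(email, now)  # would be mailed to the address

    def confirm(self, email: str, token: str, now: float) -> bool:
        email = email.lower()
        if email in self.pending and verify_token(email, token, now):
            del self.pending[email]
            self.verified.add(email)
            return True
        return False

    def may_send_mail(self, email: str) -> bool:
        return email.lower() in self.verified

    def expire_unconfirmed(self, now: float) -> int:
        """Drop sign-ups nobody confirmed instead of keeping a stranger's address forever."""
        stale = [e for e, t in self.pending.items() if now - t > TOKEN_TTL_SECONDS]
        for e in stale:
            del self.pending[e]
        return len(stale)
```

A kiosk or web form built this way can still accept the sign-up instantly; it just cannot generate mail to the address until the link in the one message it does send is followed.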

------
joshaidan
They must have some system of auditing the email verification to see where it
came from, or if it even took place.

------
spiritplumber
No Tron references?

