

Welcome to the Cloud - "Your Apple ID has been disabled." - darrenkopp
http://www.hanselman.com/blog/WelcomeToTheCloudYourAppleIDHasBeenDisabled.aspx

======
robflynn
Something similar happened to me a while back. I noticed that several smiley
face/emoticon applications had been downloaded using my account. They removed
my credit card from my account and drained my iTunes gift card.

Apple caught the problem and e-mailed me to ask if it was me. I told them no.
They disabled my account, refunded the gift card money, and asked me to write
them once I was satisfied that my computer was secure (just in case it was
key-logged [I was not].)

I wrote them back the next day and told them everything was good to go. They
enabled my account and I signed in and changed my password.

I didn't lose any of my purchased items and I could have had the account back
the same day had I chosen to.

I recall a while back that there were quite a few iTunes accounts that had
been compromised. I used a very non-trivial password, too, so I'm rather
surprised that mine was one of the compromised accounts. I'm still curious as
to how it happened.

~~~
ajross
No doubt because you reused the non-trivial password and someone read it out
of a stolen database.

Password strength is a red herring. Password reuse is a far bigger problem
than weak passwords.

~~~
robflynn
It was a password that I only used with iTunes, or at least, I thought it was.
You may be correct. I'm more vigilant with my passwords these days.

~~~
sprovoost
Only one way to find out; go through all your accounts and try that password.
Let us know...

Even if the password was unique to iTunes, a key logger on your computer could
have intercepted it.

Does Apple always use HTTPS? Otherwise it might have been intercepted when you
were on an insecure wifi network.

------
oflannabhra
Not to be un-empathetic here, but I'm more intrigued by the exploit vector
than Apple's initial response to an individual. It's interesting that your
account is getting exploited without the password being hacked. Does anyone
have more details?

~~~
troymc
That was my question too: How, exactly (technically), did this happen?

~~~
Steko
Spoilers: his password got hacked.

~~~
shanselman
Must be via reuse, as they lock out after the third fail. My concern is that
it was a site-unique password.

------
AllenKids
I don't know why he is blaming apple for the security measure. It could be
apple's fault that he was hacked, it could be otherwise. Still apple only knew
there was a new device using his account, legit or not it didn't know for
sure. I have at least 9 iDevices hooked up to my account as of late, on
average 3 more each year. And I don't think apple can do much more to validate
each and every one of them without being intrusive and annoying.

~~~
shanselman
I am blaming Apple for:

* the fact they "allow the purchase first" and "warn later"
* their warning email has no fraud or dispute mechanism
* I've never purchased a game like this, so my usage pattern should be a red flag

Apple should have fraud systems as powerful and convenient as VISAs.

~~~
rickmb
I have a problem with most of these arguments. You're suggesting that they
should not have allowed the purchase. I would be highly annoyed if Apple didn't allow
me to purchase from a different device. I see no reason for Apple to outright
refuse this.

The same goes for purchasing something like you've never purchased before.
Hell, one of the commercial strengths of the App Store/iTunes concept is that
it gets people to do exactly that. There's nothing particularly suspicious
about that.

We don't implement such paranoid measures either in other web-services or in
real life, so I find it rather overblown to demand Apple does this.

The one thing I agree with is that there should be a better fraud reporting
mechanism.

~~~
eropple
_We don't implement such paranoid measures either in other web-services_

Yes "we" do. Steam doesn't let you authenticate, let alone buy stuff, from a
new computer without entering a code that they'll email to you. Takes all of
ten seconds--start up Steam, go to my email client, paste the code in, done.

And it works great. So what's the complaint?

~~~
gommm
Steam is the only service that I've tried to use that won't accept any of my
credit cards... I'm not in a common situation, living in China with a French
credit card registered with my Chinese address, but still, I could only pay two
times successfully (after a lot of tries) and now I can't anymore (and one
would think that it should have become easier since they didn't get any
chargebacks when I did buy).

So, in a world where customers can easily chargeback fraudulent charges, I
think having security measures that are too paranoid is a great way to lose
customers for no real advantages to the customer security.

------
RexRollman
"We'll never see this fixed until Gruber gets the error."

Awesome.

~~~
13r4v0
who is gruber.. Forgive me for being naive..

~~~
Timothee
To be more verbose than molecule: Gruber is an Apple-focused blogger who
gained a lot of influence in the Apple world over time. A lot of people
interested in the Apple "world" follow his blog. So, if _he_ were to get this
problem and blog about it, Apple would make sure it'd be fixed fast…

~~~
ugh
I very much doubt that assertion. Gruber complains quite a bit, I can’t
recognize any pattern of Apple fixing specifically the problems he has faster.

~~~
Groxx
Supporting evidence: the lack of Markdown support in the Mail app

~~~
BlazingFrog
Or on Apple discussion forums.

------
YooLi
I removed my credit card from iTunes a while ago when the first of the "my
iTunes account has been stolen" stories was breaking. I just fill the account
with iTunes gift cards instead. It's a minor inconvenience to have to keep
track of how much gift card credit there is, but the cards are available
everywhere in the US (gas stations, Walmart, Walgreens, CVS, etc.) If the
account ever does somehow get compromised, the most I lose is the $30 or so I
keep in gift card credit.

~~~
troymc
I don't have an iOS device, but I do use iTunes on my Mac and Windows
desktops. About a month ago, I wanted to rent a movie on iTunes (as a test),
but my iTunes balance was $0, so I tried to figure out how to tell iTunes my
credit card information. I couldn't find any way to do that. Maybe it's not
possible? It was frustrating but my solution was just to buy a $15 iTunes gift
card when I was grocery shopping at Safeway.

After reading this story, I'm glad I couldn't give my credit card information
to iTunes.

~~~
Splines
You probably are even less interested in adding your credit card, but if you
want, there's a "Payment Information" section if you click on the "Account"
button dropdown by your apple id in iTunes.

I just changed my password to one more unique (I was reusing it elsewhere),
and finding the place to do so was surprisingly hard to find (IMO, it's harder
than adding payment information).

------
taylorbuley
I can see how a data lockdown would be offputting, but I read this as a story
about how some algo at Apple stopped a thief from stealing as much as he could
have otherwise.

One of the main gripes seems to be that Apple "let this happen" -- but
enabling app commerce is what they do. Someone gets ahold of your credit line,
they go buy stuff. Best Buy doesn't "let it happen", neither does Visa. After
the fact they are just mandated to limit the damage to which you're
responsible.

I'm not sure I could tolerate it any other way. Personally, I would not enjoy
a system where some human calls me up every time I make an app purchase. I
feel Apple's sin of omission is forgivable here and see it as laudable that
some software algo that stopped it after $40 bucks or so. I'll be interested
to read, however, whether or not Apple holds this gentleman accountable for
those purchases and whether or not they fallback onto the credit card provider
for damage limits.

------
jsz0
How would Apple know about a new iOS device or Mac signing into your iTunes
Store account? It learns of the device the first time you successfully login
on the device. Besides doing some sort of pre-registration or requiring an
iTunes Store ID to simply _buy_ the device there's no easy way around that.
They'd also have to end all used/third party sales of Apple products or
require resellers to activate every iPad, iPod Touch, iPhone and Mac they're
sold. It's completely unrealistic to do a default deny on new devices.

~~~
sprovoost
They could do something similar to what Facebook does: as soon as they detect
a new device using your account, send an email. If the new device is not in
the same country as your other devices, don't allow purchases until you've
clicked on that link in your email.

~~~
stingraycharles
And don't forget to ensure that you can't change your email unless you're
doing it from an authorized device. Otherwise a malicious person could just
change the email address where the notification emails are going to.
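
An added example (mine, not Apple's, Steam's or Facebook's code) of the policy sketched in this subthread and in eropple's Steam description above: a purchase from a device the account has never used triggers a notification; if that device is in a country none of the trusted devices has used, the purchase is held until a one-time token from the email is redeemed; and the notification address can only be changed from an already-trusted device. The device ids, countries, the in-memory outbox standing in for a mailer, and the "first device bootstraps trust" rule are all assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

ALLOW = "allow"
HOLD = "hold"


@dataclass
class Account:
    """Per-account state; in a real store this would live in the account database."""
    email: str
    trusted: dict = field(default_factory=dict)   # device_id -> country where it was confirmed
    pending: dict = field(default_factory=dict)   # one-time token -> (device_id, country)


class PurchaseGate:
    """Stand-in for the store's purchase check. `outbox` replaces a real mail sender."""

    def __init__(self):
        # Constructed for the example: (recipient, subject, token-or-None) tuples.
        self.outbox = []

    def authorize(self, account, device_id, country):
        """Decide whether a purchase attempt from device_id may go through right now."""
        if device_id in account.trusted:
            return ALLOW
        if not account.trusted:
            # Assumption: the very first device ever seen bootstraps trust, since
            # there is nothing yet to compare it against.
            account.trusted[device_id] = country
            return ALLOW
        if country in account.trusted.values():
            # New device, but in a country an existing device already uses:
            # allow the purchase, remember the device, and notify the owner.
            account.trusted[device_id] = country
            self.outbox.append((account.email, "New device used with your account", None))
            return ALLOW
        # New device in a country no trusted device has used: hold the purchase
        # until the owner redeems the token sent to the address on file.
        token = secrets.token_urlsafe(16)
        account.pending[token] = (device_id, country)
        self.outbox.append((account.email, "Confirm purchase from new device", token))
        return HOLD

    def confirm(self, account, token):
        """Redeem an emailed one-time token; True if a device became trusted."""
        entry = account.pending.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return False
        device_id, country = entry
        account.trusted[device_id] = country
        return True

    def change_email(self, account, device_id, new_email):
        """Only a trusted device may redirect where notifications go; True if applied."""
        if device_id not in account.trusted:
            return False
        account.email = new_email
        return True


if __name__ == "__main__":
    acct = Account("owner@example.com")
    gate = PurchaseGate()
    print(gate.authorize(acct, "iphone-1", "US"))        # allow (bootstrap)
    print(gate.authorize(acct, "unknown-pc", "CN"))      # hold
    print(gate.change_email(acct, "unknown-pc", "x@y"))  # False: attacker can't redirect mail
    print(gate.confirm(acct, gate.outbox[-1][2]))        # True once the owner clicks
    print(gate.authorize(acct, "unknown-pc", "CN"))      # allow
```

The point of the last method is stingraycharles's caveat: if the attacker's untrusted device could change the address, the confirmation email would simply go to them, so the email-change path has to be gated on the same device trust as the purchase path.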

------
sprovoost
It's interesting to look at the companies that are mentioned. Pearl-in-palm is
based in Beijing and has been around for seven years [0]. They make games and
this one gets great ratings on the English store [1].

But very bad ratings on the Japanese store [2], saying things Google
translates as "Amount has been exploited to gain unauthorized access".

Based on this and on anto1ne's comment about Chinese "gift cards" [3], my
guess is that the company is legit and that someone sells iTunes usernames
passwords to individual gamers looking for extra points.

There's another company mentioned in these discussions: Kamagame Poker. In
fact, if you Google "Kamagame poker chip" the first two hits are people on
Apple forums complaining about unauthorized charges. Same phenomenon as above:
great reviews in the US store, bad reviews in the Japanese store.

Perhaps the Japanese are not interested in these two games, so a larger
percentage of their downloads are scam related, while in the US the majority
of downloads is legitimate?

So here's an opportunity for some automated detective work:

1 - scrape all applications with in app purchases

2 - scrape US and Japanese reviews

3 - look for rating differentials (and of course terms like 'fraud', 'charge')

Follow up with more manual labor:

1 - where are most of the customers of these apps? (China?)

2 - are these companies related? (I have no reason to suspect these two, but
the bigger picture might look different)

[0]
[http://investing.businessweek.com/research/stocks/private/sn...](http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=28536716)

[1] <http://itunes.apple.com/en/app/id428912410?mt=8>

[2] <http://itunes.apple.com/en/app/id428912410?mt=8>

[3] <http://news.ycombinator.com/item?id=2879423>
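
An added example (mine, not something from the thread or from Apple) of step 3 of the automated part above: given reviews already collected per store, compute each app's mean rating per store and the fraction of reviews containing fraud-related wording, then flag apps rated well in one store and badly in another where the bad reviews talk about charges. The reviews below are constructed, not scraped, and the keyword list (including the Japanese terms for "unauthorized", "billing" and "don't remember") is an assumption; the scraping in steps 1 and 2 is left out.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample reviews, not real store data: (app_id, store, stars, text)
SAMPLE_REVIEWS = [
    ("app-A", "us", 5, "Great game, love the chips"),
    ("app-A", "us", 5, "Fun and addictive"),
    ("app-A", "us", 4, "Good"),
    ("app-A", "jp", 1, "身に覚えのない請求がありました"),   # "a charge I don't recognise"
    ("app-A", "jp", 1, "不正アクセスで課金された"),        # "billed via unauthorized access"
    ("app-A", "jp", 2, "買った覚えがない"),                # "don't remember buying this"
    ("app-B", "us", 4, "Nice wallpapers"),
    ("app-B", "us", 3, "ok"),
    ("app-B", "jp", 4, "綺麗な壁紙"),
    ("app-B", "jp", 3, "まあまあ"),
    ("app-C", "us", 2, "Crashes a lot"),
    ("app-C", "jp", 5, "面白い"),
]

# Assumed keyword list; Japanese terms have no case so lower() leaves them alone.
FRAUD_TERMS = ["fraud", "unauthorized", "charge", "didn't buy", "不正", "請求", "覚えがない"]


def store_stats(reviews):
    """Return {app_id: {store: (mean_stars, fraction_of_reviews_with_fraud_terms)}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for app_id, store, stars, text in reviews:
        buckets[app_id][store].append((stars, text))
    stats = {}
    for app_id, by_store in buckets.items():
        stats[app_id] = {}
        for store, items in by_store.items():
            ratings = [stars for stars, _ in items]
            hits = sum(1 for _, text in items
                       if any(term in text.lower() for term in FRAUD_TERMS))
            stats[app_id][store] = (mean(ratings), hits / len(items))
    return stats


def flag_apps(reviews, base="us", other="jp", min_gap=2.0, min_fraud_fraction=0.5):
    """Apps rated well in `base` but badly in `other`, where `other` reviews mention fraud.

    Returns sorted (app_id, rating_gap, fraud_fraction) tuples. Apps missing from
    either store are skipped rather than compared against nothing.
    """
    flagged = []
    for app_id, by_store in store_stats(reviews).items():
        if base not in by_store or other not in by_store:
            continue
        base_mean, _ = by_store[base]
        other_mean, other_fraud = by_store[other]
        gap = base_mean - other_mean
        if gap >= min_gap and other_fraud >= min_fraud_fraction:
            flagged.append((app_id, round(gap, 2), round(other_fraud, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for row in flag_apps(SAMPLE_REVIEWS):
        print(row)
```

Requiring both the rating gap and the fraud wording matters: app-C in the sample has a large gap in the other direction with no fraud terms, and a pure rating differential would pull in apps that are simply unpopular in one market, which is the alternative explanation raised above.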

------
reemrevnivek
I got that same email yesterday when I purchased Lion for a computer on which
I'd replaced the logic board. The "change your password" suggestion and lack
of a fraud reporting mechanism was strange, but I didn't have cause to tell
anyone.

Also, the "do_not_reply@apple.com" seems like a strange address for an email
like this. It should be "fraud@apple.com" (note: probably doesn't exist) or at
least provide a link to the list of phone numbers at
<http://support.apple.com/kb/HE57> or the online support system at
<https://expresslane.apple.com/>.

Unfortunately, the conclusion of this rather long thread:
[https://discussions.apple.com/thread/2178698?start=0&tst...](https://discussions.apple.com/thread/2178698?start=0&tstart=0)
seems to be that Apple isn't legally liable for this, and that you need to
take it up with your bank.

~~~
Aqua_Geek
I think this issue is orthogonal from the one mentioned on the discussion
board. My understanding is that the user on the board is complaining about
someone stealing his card number and using it to buy stuff on iTunes via the
hacker's own account; the OP is complaining about somebody using _the OP's_
iTunes account (and possibly his PayPal account?) to buy things on iTunes.

It sounds to me like the developer of the app purchased might be in on this -
there are apparently multiple reviews saying that the same thing happened to
other people. Or maybe said hacker(s) just like playing that particular game?

Edit: I completely agree that do_not_reply is the _wrong_ address from which
an email like this should be coming.

------
DannoHung
I'm confused about something here: This guy gets an email about his account
being accessed illegally, and the email's got some problems with it in how it
presents the info, okay, sure, Apple should get right on it.

Then we jump to some stuff about his AppleID being disabled? What?

------
sprovoost
Based on his story, I would guess that:

1 - someone got their hands on Apple's private encryption keys

2 - some got their hands on a list of Apple id's or device UDID's

3 - Apple knows this, but wants to fix the problem behind the scenes and keep
it under the radar.

My memory of Apple's in App Purchase system is a bit rusty, but my guess is a
combination of 1 and 2 is enough to cheat it into buying products on someone
else's behalf.

Then again, it could also just be a reused password.

~~~
shanselman
If it was a reused password, I'm an idiot. But, I'm willing to assume I am an
idiot. My point is two-fold:

1. Allowing new devices to buy stuff without two-factor auth is weak sauce.
2. The larger meta-point that when we rely on the cloud in a big way, it
hurts when we are locked out.

~~~
sprovoost
If someone tried to buy an app "manually" using their own device and your
account, they would need to know your email address and password. There's
plenty of websites out there that store passwords in plain text, some of them even
email it to you so everyone can intercept it. Other sites use some encryption,
but could still be compromised.

The possibility I hinted at is that someone just "pretends" they have an
iPhone and communicates with the Apple server directly. I don't know how their
algorithm works, but it may be the case that they only need an Apple id and
some secret key that is stored on the device. In that case asking the user for
their password is just a way to protect the user when they lose their actual
device. That would be pretty insecure from Apple's side. They should at least
use the password to generate a key pair. (This doesn't necessarily require
anyone to steal secret keys from Apple I just realize)

I completely agree with your second more general point. See also my comment on
the Paypal thread: <http://news.ycombinator.com/item?id=2880194>

------
radicalbyte
Given Apple's security practices are more Microsoft-2001 than Microsoft-2011,
I'd hazard a guess that there's some sort of 0-day exploit hitting iOS devices
themselves.

Scott's not dumb though to fly without antivirus/firewalls on his own PCs.

Your iPad/iPhone, on the other hand, are almost certainly running no antivirus
and no firewall. Because who needs such inconveniences, eh?

~~~
m0nastic
Apple's security practices for Mac OS X could arguably be described
historically as Microsoft-2006 (Lion would seem to be approaching
Microsoft-2011), but to conflate that with iOS's security practices is
disingenuous.

Here's a fairly recent presentation outlining some of the security practices
around iOS 4:

<http://trailofbits.com/2011/08/10/ios-4-security-evaluation/>

------
dasil003
Since this apparently came from China, has anyone considered the possibility
that it could be an inside exploit?

~~~
glhaynes
While Apple's hardware is built in China, iTunes and the App Store are not.

~~~
dasil003
So you don't think hardware knowledge could provide vectors for software
exploits?

~~~
psykotic
Could you give a realistic scenario for the present case? Safari exploit that
installs a keylogger on the victim's iOS device? It seems much more likely
someone was hit by an exploit on their desktop machine with iTunes installed.

------
anto1ne
Well, his account was probably sold in china, it's common (at least it still
was a few months ago) on taobao (the chinese ebay), they sell you "gift cards"
to be used within 12h after purchase, it's in fact accounts. I guess that's
why Apple started to ask CCV for purchases.

There's also a practice in China to use apps as a kind of fraud, or maybe
money laundering. I've seen once a chinese wallpaper app, with each wallpaper
for sale at $99, making thousands on the appstore.. when you think about it,
it's easy to post a wallpaper app, set the price, and you get money through
Apple, without any traces.

What I really hate about all this is that Apple still forces you (or makes it
very difficult not to) to have a CC linked to your itunes account, even though
you plan to never buy anything.

~~~
shanselman
This seems plausible, but I don't use the same password between sites. Hm...

------
cmsj
Note the comment about credit card security codes. This dude is all the way
hacked.

~~~
shanselman
No, there are no credit cards attached to my account. The commenter is
mistaken. I also haven't received an emailed receipt so I suspect a larger
backend hack. My systems are secure.

~~~
shadowfiend
Depending on when this happened, keep in mind that Apple often delays receipt
emails for up to a day (in my experience) and bundles the purchases of that
day into one receipt.

So again, depending on when it happened, you may simply not have received the
receipt _yet_.

~~~
shanselman
Good to know. Thanks!

~~~
shanselman
Ironically, the receipt JUST showed up now.

------
jonknee
I had a friend receive an email thanking him for his gift card purchase (that
he didn't make). Even more strange, it was a different name _and_ not on his
credit card, but apparently from his account. There's a ton of iTunes Store
fraud out there.

------
alexyoung
There seems to be other people talking about unauthorised purchases:

[https://discussions.apple.com/thread/3031164?start=45&ts...](https://discussions.apple.com/thread/3031164?start=45&tstart=0)

------
shanselman
OK, let's make this a movement. Tell me your stories:
<http://myappleidhasbeendisabled.tumblr.com>

~~~
pheroku
Is this paid for by your employer, Microsoft or are you just doing this for
fun?

Apologies for the blunt question, but you've often run anti-Google, anti-Apple
stories and are well known as a 'kept blogger'.

~~~
chadgeidel
Scott is one of the rare biased, objective posters in the blogging world. He
never tries to hide his love of Microsoft and its products, however he _never_
makes unfounded, baseless accusations and _always_ backs up his claims with
real data.

Consider these posts in recent history:
[http://www.hanselman.com/blog/ReviewMicrosoftTouchMouseForWi...](http://www.hanselman.com/blog/ReviewMicrosoftTouchMouseForWindows7.aspx)
(critical of MS hardware)

[http://www.hanselman.com/blog/HackersCanKillDiabeticsWithIns...](http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPumpsFromAHalfMileAwayUmNoFactsVsJournalisticFearMongering.aspx)
(well-researched article)

[http://www.hanselman.com/blog/RequestForCommentsIssuesWithNE...](http://www.hanselman.com/blog/RequestForCommentsIssuesWithNETAndMicrosoftProductVersioning.aspx)
(a common question raised among .Net developers)

~~~
chadgeidel
What? Am I wrong? Was this post perceived as "too fanboyish"?

