February 12th, 2013 • 3:45 pm
Many readers probably remember the harrowing tale of the hacking of the Apple ID account of Wired’s Mat Honan from August 2012.
While my own experience qualifies as a tiny blip compared to his situation, I would still like to share it, because I cannot help but worry about it, especially since I myself was a victim of a hacker back in 2008. (The hacking was thankfully limited to this blog.)
Like many Mac users, I have an Apple ID account, which is a direct descendant of my MobileMe account, itself a descendant of my .Mac account. It is an @mac.com address, and it is also my account for iTunes purchases, and my account for Apple Store purchases, and my account for Mac App Store purchases, and my account for various other Apple-related memberships.
I am also a 1Password user and I treat my passwords seriously. I find it quite difficult to use a very complex password for my Apple ID/iCloud account, because Apple keeps asking for my password again and again, not just on my Mac, where I can easily copy it from within 1Password if needed, but also on my iOS devices, where things are far less straightforward.
But I try to keep my password reasonably complex, and I have changed it a few times over the years — probably not as often as I should have, but…
My current situation is the following. Six days ago, out of the blue, I received an automated e-mail from email@example.com, with the subject line “Redefenir sua senha ou desbloquear seu Apple ID.” According to Google Translate, this is Portuguese for “Reset your password or unlock your Apple ID.” And the contents of the e-mail were of the usual variety, starting with “Prezado(a) Pierre Igot” (“Dear Pierre Igot” in Portuguese) and inviting me (still in Portuguese) to “click the link below if you want to reset your password or unlock your Apple ID. This link will expire in three hours after sending this message.”
The e-mail itself was clearly legitimate, with headers indicating its provenance and links to the Apple web site. And it’s not exactly the very first time I have received an e-mail from Apple asking me to confirm that I wanted to reset my password. But why was it in Portuguese? I have only ever used my Apple ID account in English, so it makes no sense for Apple to send me a communication about it in Portuguese.
Still, I didn’t worry too much. I assumed that maybe there was a flaw in Apple’s servers that caused them to send such correspondence in the language used at the time of browsing by the person (or robot) requesting a password reset. I just ignored the message (but kept it on file).
Then four days later I received another automated e-mail from the same legitimate Apple account, this time with a subject line in English saying “Please verify the contact email address for your Apple ID.” The really worrying part this time, however, was that the body of the message itself started with “Dear Carlos. De. Pedro” and not “Dear Pierre Igot” as expected. The rest of the e-mail looked normal and asked me to confirm my @icloud.com address as “the contact email address for [my] Apple ID”.
I can imagine a flaw in Apple’s servers causing them to accidentally use the wrong language when sending out the automated e-mail for a password request. But a flaw causing them to use the wrong first name and last name for the account holder? That’s something else…
My first reflex was to:
- go to appleid.apple.com, log in, check all my account settings (including the security questions) and change my password to something entirely new
- check my current credit card statement (there was nothing suspicious there, but things can take a few days to show up) and remove my credit card information from the Apple ID account (I was not planning on making any purchases in the following days)
I managed to do both, although now I cannot remember how I found the credit card information, since it’s far from obvious on the Apple ID web site in what section the credit card information is actually stored. (At the iTunes Store in iTunes, for my payment information, it says “No card on file”, so it seems that my credit card information is indeed gone.)
Then I decided to try and contact Apple about this. I didn’t really want to spend tons of time on the phone, so I tried the on-line facility to “contact Apple Support”, at www.apple.com/ca/support/contact/. It took me to the “Express Lane” web site and I found a section for “Apple ID” under “More Products & Services”. Under “Other Apple ID Topics”, I found an option labeled “Apple ID account security”, so I selected that option, and it took me to a page with a Knowledge Base note about “Security and your Apple ID”, which was of course useless to me, and then, under “More Options”, “Talk to Apple Support Now”, “Schedule a Call” and “Call Apple Support Later”. (I cannot give you direct links here, because it’s all part of a web app.)
But when I clicked on “Talk to Apple Support Now”, the first thing that the system said was: “Your serial number is required for this solution.” And it asked for a serial number!
How on earth can I give a serial number for an Apple ID-related issue? It makes no sense. I only have serial numbers for my devices, none of which is under warranty any longer.
If Apple really takes Apple ID security issues seriously, as it claims, why does it ask for a serial number for a hardware product at this stage? I could “cheat” and enter the serial number for my out-of-warranty Mac Pro, but what good would that do me? It would take me to a page asking me either to choose a $59 + tax per-incident support option or to “request an exception”, even though neither of the two reasons given as options for requesting an exception is applicable.
At this stage, I gave up. But as a last-ditch attempt, I went to the “Product Security” section of Apple Support at www.apple.com/ca/support/security/ and used the e-mail address that appears on the very first line:
To report security issues that affect Apple products, please contact: firstname.lastname@example.org
I composed and sent an e-mail describing what had happened and telling them what I had done, and asking for further advice.
I did not have much hope for this. I did get an automated reply right away with a follow-up number, but within 24 hours, I also got this reply:
Thank you for contacting us. Apple takes all reports of potential security issues very seriously.
You took a reasonable step by resetting your Apple ID password. You may also wish to confirm your account details are correct by logging into https://appleid.apple.com. If your account details are correct, we recommend deleting the message you referenced.
Apple Product Security
I appreciate the fact that they actually replied to my request, but basically, if I understand correctly, they are telling me to ignore the message(s). Their answer addresses neither the fact that the first automated e-mail was sent in Portuguese nor the fact that the second automated e-mail had a different name associated with my Apple ID.
What am I supposed to think here? I don’t find the situation particularly reassuring. (I’ve replied and told them as much.) It really does not help one feel that Apple is taking security issues seriously when (1) the procedure to submit queries/concerns about Apple ID security issues is far from obvious and (2) the reply you get does not address the main concerns you have about a particular issue.
If nothing else happens in the next little while, I will eventually buy something else and enter my credit card information again, but I simply do not like this way of not addressing perfectly valid concerns about identity theft and Apple ID security.