AppleID Stolen - Here's What to Look Out For

urkel

macrumors 68030
Original poster
Nov 3, 2008
2,783
864
My AppleID was stolen. 3 torturous weeks later Apple gave it back. Before anyone blames the victim, I get it. They got my password so it's my fault. I just wanted to share how they did it:

It all started with a thief in China...
1)
Log into an iPhone 5S with AppleID

2) Create a "Temporary Support Pin" on Apple site

3) Call Apple China. Identification is verified by Temporary Pin and SMS to their 5S.

4) Apple Support resets security questions (CaseID Generated)

5) Thief removes devices, changes recovery email, birthdate, removes all devices and creates Security Questions in Chinese

And that's how easy it is to take over an AppleID with nothing but a password. (Note: I got emails thought out entire process but Apple US support was closed and Apple China can't be accessed by foreigners)



Now, after being told for a few weeks the account is lost because I can't prove ownership, I did eventually get it escalated and had my account returned so I'm happy. But I do have some concerns about Apple's ID Verification Process because I can easily see this happening to anyone.


A) Temporary Support Pin + iMessage = Identity???



Both a Temp Pin and iMessage Code can be acquired by simply logging in with a password. They both created a set of numbers generated minutes before a support call and were considered valid forms of personal identification. That's a huge problem because it doesn't prove identity, it only proves you have a password.

B) Proving I am Me
This is a 10yr old account with a long history of products and purchases tied to it so I was surprised how difficult it was to prove I am Me.

Much of my personal Info was verified to still be unchanged in my account:
- Physical Address
- Cellphone
- Credit Card
- iTunes Music Subscription
- Paid iCloud Subscription
- Purchase History
- Primary Email (AppleID is my Email is my AppleID)

It's a 10tr old account with a long history of product and software purchases tied to it yet out of that list the only valid form of identification to grant me access was Credit Card (which matched) AND Security Questions. Security questions that reps cant read since they're in Chinese. And that brings up the question of....

C) Foreign Language Security Questions
The purpose of Security Questions is for a representative to validate identify with obscure info.

Think about that for a second. Should an account established in one language even be allowed to write security questions in a language that support reps won't be able to read? It seems to contradict the entire purpose of creating challenge questions.




And that's it. Yup it's my fault for not using 2-factor. But still, with so much of our lives tied to cloud services then Identity is pretty important stuff and Apple may need to re-evaluate the simplicity of taking over an account and the complexity of getting it back.
 
Last edited:

Tech198

macrumors G5
Mar 21, 2011
14,918
1,923
Australia, Perth
That's a good way, however there is a flaw in this...

a temporary pin is good form of security for support since its unique. *but only providing* no one has access to your password but you...

If someone else has your password the rest is not secure,, and thus you do not have a valid form of any issues because u let your password get out in the first place... that caused your pin to "not be secure"

Basically like a pile of dominos (being your password)... Push one, and the rest (other info) will topple over.
 

ardchoille50

macrumors 68020
Feb 6, 2014
2,142
1,216
My AppleID has two-step authentication enabled. I wonder how that would affect things. I can't even log into my own iCloud account without that second step of authentication and I like it that way.
 

Tavicu

macrumors regular
Jul 25, 2013
152
83
Romania
Two-step authentification and resolve all problems :) even if he knows your passwork it will ask a pin which is sent to your iPhone.
 
  • Like
Reactions: M. Gustave

JackieInCo

Suspended
Jul 18, 2013
5,178
1,598
Colorado
I trued two-step and used it for about a week then gave up. My ATV2 does not support this so I could not login to my account on the ATV2. Haven't used two-step since.
 

Peepo

macrumors 65816
Jun 18, 2009
1,003
423
Two step is old and is now called two factor authentication and works with everything now.
I have AppleTV, Apple Watch, iPhone, two iPads, MacBook Pro, and iMac. Everything works fine, HomeKit works (I can turn on/off lights remotely via AppleTV as hub) and I can also unlock my MacBook with my Apple Watch.

If someone manages to get ahold of one of my devices, is able unlock that device or gain access to my trusted phone and/or SIM, then along with my iCloud password they could gain access to my account. I don't believe that is the goal or intent of two factor to prevent all possible scenarios (if someone close to you has physical access to your stuff and motivated, then that is a different situation). It is designed so people cannot remotely hack your password.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.