Stupid Apple ID security lockout

Discussion in 'Apple Music, Apple Pay, iCloud, Apple Services' started by brutusfly, Dec 11, 2014.

  1. brutusfly macrumors member

    Joined:
    Dec 3, 2006
    #1
    I've grown dependent on my Apple email, calendar, find friends, etc. For the 2nd time this year, through no fault of my own, my account was locked for security reasons. Instead of beginning my work day doing actual work, I had to talk to Apple, who can only send a reset Email at this time tomorrow.

    So, if a hacker wanted to make a busy person really unhappy, all they have to do is attempt to log into that account a few times a week unsuccessfully? Effectively disabling all the victim's iCloud functions most of the time?
     
  2. aristobrat macrumors G4

    Joined:
    Oct 14, 2005
    #2
    You can replace "iCloud" with eBay, amazon, gmail, Yahoo, or pretty much any other web service, and that'd still likely be a true statement. :(

    Do you have two-factor enabled on your Apple ID?

    Can't you change your Apple ID to something more obscure?
     
  3. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #3
    It's supposed to do that to protect your account. If it never locked out, then eventually, possibly, bad guys could gain access to your account.
     
  4. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #4
    Turn on two-step authentication. As long as you have your password, recovery key, and trusted device, you should be able to get everything in order without having to wait on Apple tech.
     
  5. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #5
    And whatever you do, do not lose your Recovery Key!
     
  6. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #6
    Thanks for emphasizing that important aspect. I should have. Definitely back up the recovery key to several places using several different media / written / storage options.
     
  7. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #7
    Yep!

    I store mine in a secure note in LastPass and I have an encrypted file with it stored in Dropbox as well.
     
  8. brutusfly thread starter macrumors member

    Joined:
    Dec 3, 2006
    #8
    I'll try...

    I can give two-factor a shot as advised. I'm not real thrilled with two factor on Gmail right now, so I haven't jumped at the chance to implement it with Apple. With Gmail I keep needing fresh application passwords for no apparent reason.
    I seem to be hitting the bad side of the security vs convenience balance scale.
     
  9. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #9
    With Apple, about the only time you need to use it is when you're logging into the Apple ID website itself, or when setting up new devices. Otherwise, on a daily basis, you don't interact with it, unless you're using the web interface for iCloud.com.
     
  10. brutusfly thread starter macrumors member

    Joined:
    Dec 3, 2006
    #10
    Authentication

    While I'm venting about the lack of logic in Apple allowing a D.O.S. that could be exploited by a glitch, a hacker, any primate or non-primate that can access any Apple service...

    How much sense does it make for Apple to send a reset email for your AppleID to an email account managed by your AppleID that you can't get mail from?
    Shouldn't Apple automatically fall back to a non iCloud/.Mac/.Me address when it's blatantly obvious your email password has been locked by Apple?
     
  11. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #11
    It's up to you to set this up. There is an option at appleid.apple.com to configure a separate rescue email address if you don't have 2-factor authentication turned on. If you enable the latter, it's not needed since you have to reset the account yourself using the recovery key.
     
  12. brutusfly thread starter macrumors member

    Joined:
    Dec 3, 2006
    #12
    I do indeed have a second address set up, but at the moment can't reassure myself it's set as the primary "rescue address". As a matter of fact, although it chose to send me a reset email to the locked address, rather than to the 2nd address, it had no problem sending an Email to that 2nd address notifying me I would receive a reset Email in 24-hours.

    I'll go in tomorrow and inspect all the settings (again), while I'm trying to catch up on the work I miss the rest of today. :rolleyes:
     
  13. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #13
    Make sure you really configured the "rescue address". There is also an "alternate address", but it's not the same thing. See:

    http://support.apple.com/en-us/HT201356
     
  14. diane143 macrumors 6502a

    Joined:
    Oct 25, 2008
    #14
    I've been having random problems buying things through iTunes for the last month, not sure if it's related. First it asked me to confirm my payment info (despite having $30 in credits loaded). I input my code and it denied it. I re-input everything and it denied it. Eventually locked the account.

    I finally had to go onto my laptop to unlock it and make sure everything was ok there. Got it working again, couple weeks later, go to download a free app and start the mess all over again.

    Today I downloaded a few songs and for once didn't have to input my cc info, so I'm hoping it's resolved. Really drove me nuts - and it seemed to hit every one of my devices.
     
  15. burgman macrumors 65816

    burgman

    Joined:
    Sep 24, 2013
    #15
    1. sounds like you have pissed somebody, not really surprised :roll eyes:
    2. sounds like you didn't set up the system correctly. Why not?
    3. became entertaining on the internet from sounding rather petulant.
    Well played sir!
     
  16. Fzang macrumors 65816

    Fzang

    Joined:
    Jun 15, 2013
    #16
    Practically, if you had a randomly generated password like #THFh8"T)3t910#"T~@ it wouldn't be feasible to brute force the password. The lock-out mechanism only protects things with easy passwords such as 4 digit pins.
     
  17. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #17
    That's true. But most people don't use strong passwords.
     
  18. Fzang macrumors 65816

    Fzang

    Joined:
    Jun 15, 2013
    #18
    Well they should.

    In theory this mechanism allows a directed attack, not against the servers, but against all the users, simply by spamming wrong passwords, potentially paralyzing a large number of users. You don't even need a security breach, just knock at the doors down the whole street.
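
    The trade-off raised in posts #16 to #18, as an added example that is not part of the thread or any poster's code: a hard per-account lockout is replayed against a throttle that budgets failures separately for sources with a past successful login. The class names, the threshold of 5 and the sample events are assumptions made for illustration and say nothing about how Apple's service is implemented.

```python
from collections import defaultdict

class HardLockout:
    """Failures from any source lock the account for every source."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)          # keyed by account

    def attempt(self, account, source, password_ok):
        if self.failures[account] >= self.threshold:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "denied"

class DeviceAwareThrottle:
    """Known sources get their own failure budget; unknown sources share one."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.trusted = set()                      # (account, source) with a past successful login
        self.failures = defaultdict(int)          # keyed by (account, source) or (account, None)

    def attempt(self, account, source, password_ok):
        known = (account, source) in self.trusted
        key = (account, source if known else None)
        if self.failures[key] >= self.threshold:
            return "throttled"                    # a real service would expire this after a delay
        if password_ok:
            self.failures[key] = 0
            self.trusted.add((account, source))
            return "ok"
        self.failures[key] += 1
        return "denied"

def replay(policy, events):
    """Feed (account, source, password_ok) tuples to a policy, return each outcome."""
    return [policy.attempt(*event) for event in events]

# Constructed events: owner signs in, an unknown source fails six times, owner returns.
EVENTS = (
    [("owner@example.com", "owner-laptop", True)]
    + [("owner@example.com", "203.0.113.7", False)] * 6
    + [("owner@example.com", "owner-laptop", True)]
)

if __name__ == "__main__":
    for policy in (HardLockout(), DeviceAwareThrottle()):
        print(type(policy).__name__, replay(policy, EVENTS))
```

    Under the hard lockout the owner's final sign-in is refused, while the device-aware throttle still caps guessing from unknown sources and lets the known device in.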
     
  19. brutusfly thread starter macrumors member

    Joined:
    Dec 3, 2006
    #19
    And really, that's my main point of this topic. I'm up and running again, but it would be trivial for any script-kiddie, anywhere, to lock out millions of iCloud users with a simple script that fakes a few password attempts. A DDOS attack on a massive scale is probably not far off in our future.
    :(
     
  20. impaler macrumors 6502

    Joined:
    Feb 20, 2006
    Location:
    FL
    #20
    Definitely - I print a hard copy and keep in my desk at my house.
     
  21. Tech198, Dec 31, 2014
    Last edited: Dec 31, 2014

    Tech198 macrumors G4

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #21
    I never thought of it from that standpoint...

    Basically, it would just make it too easy for a hacker to keep pondering on an account till it's locked out.

    No wonder why most others don't do this....

    It would be so damn easy, and annoying as hell.

    As for a recovery key, security questions, and any "backup", Apple just likes to make their customers feel happy, a "just in case you lose one, this is another way in" type of moment. Personally I don't worry about any of these "safeguards" because I'm the safeguard..... If you lose your house key, then you should be the one responsible... You could argue if you only had a second one made, but at the end of the day, it's still in your possession..

    Apple shouldn't be locking anyone out "for security reasons" because it also prevents you from getting back in.

    While this may have some positive effect, it also has its drawbacks, just in case a wannabe hacker just decides to go feral on your account for no apparent reason.

    I only wish, when Apple introduces a feature, they would only stop and think *all* the way through, not partial.... "What impact would this have on you?" Trouble is most companies only think of YOUR protection only, which is a mistake, since if it protects you, it's also an advantage for anyone.
     
  22. brutusfly thread starter macrumors member

    Joined:
    Dec 3, 2006
    #22
    I got a barrage of "Reset your password or unlock your Apple ID" emails again just now. I think I'm ok this time with the ability to receive my own reset emails at an alternate address. Thanks to Rigby for the heads-up on recovery addresses. Would be good to warn all new iCloud users to have an Email address outside the Apple ecosystem set up for recovery (not just "alternate"), otherwise D.O.S. of their iCloud accounts is trivial.
     
  23. ladymuck79 macrumors newbie

    Joined:
    Feb 2, 2015
    #23
    iPhone 4s Apple ID locked

    Today I reset my son's iPhone 4s because he got a new one, so I was having his old one, but I want to have my own Apple ID. After the phone came back on, it was saying that the phone is still currently linked to an Apple ID, which is still my son's, but when I put the password in it says that the ID cannot be used to unlock the phone, even though I have not changed it, and also the phone is no longer on his iCloud. Can anyone help?
     
