Easy AppleID Password & Account Theft

This afternoon I received an e-mail:

Subject: We’re Unable to Reset Your Apple Password
From: AppleID@apple.com
Date: Tue, 21 Nov 2006 02:55:15 +0000 (GMT)

Dear alec muffett,

We apologize but we were unable to verify your account information with the answers you provided to our security questions.

Because too many invalid attempts were made to answer these questions, you will not be able to reset your password for the next 8 hours.

If you need further assistance, please visit:

http://survey.info.apple.com/feedback/appleid.html

Thank You.

…which perplexed me mightily, because I have not touched my Apple Store account for several weeks. Therefore there is only one conclusion that could be drawn: someone is trying to hack into my Apple Store account to retrieve my credit card details. It can’t be an accident: it’s not like my name is particularly common, or that many people with that name would share my birthday.

But that shouldn’t be possible, right?

Well, it turns out that it is possible.

You see, it used to be that if you wanted to change your Apple ID password, you would receive an e-mail which looked like:

(example from 2004)

Date: Wed, 21 Apr 2004 14:11:45 +0000 (GMT)
From: AppleID@apple.com
Subject: How to Reset Your Apple Password

Dear Alec Muffett,

To reset your Apple password, please click on the link below or copy and paste the address onto your web browser’s address window. Once you’re on the web page, you will be instructed to enter and confirm your new password.

https://iforgot.apple.com/cgi-bin/resetPassword.cgi?key=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ&language=US-EN

Please note that this link will expire 3 hours from the time it was sent.

If you require further assistance in resetting your password, please visit:

http://survey.info.apple.com/feedback/appleid.html

Thank you for contacting Apple.

…but no more.

It now appears that the dialogue merely requires you to answer your “security question” for password recovery, typically some piece of trivia, which, together with your month and year of birth, is all that is necessary to retrieve your credit card numbers and billing address.

The confirmatory e-mail, and the requirement to click on a password-change confirmation link, have been rescinded, so unless your “password recovery” question is really, really obscure, someone who knows your birthdate can trivially get at your details and mess around, possibly stealing stuff off your account and billing it to you.

I know this works, because I just tried it on myself as a proof-of-concept.

This is a dreadful situation, and I implore Apple to reinstate the extra HTTP security check at the soonest opportunity.

If you have an Apple ID and you want to check how easy it is to change your password without any requirement for external authentication, go to http://store.apple.com/ and click on Sign in or create your own personal account.

Then click Did you forget your password? Click here for assistance.

A pop-up window will be created; either enter your Apple ID directly, or click on the Forgot your Apple ID? button which will accept any recent e-mail address of an Apple customer.

Then try guessing, or supply the answer to the Security Question. If you manage it, you can set a new password and Voila! you have access to your patsy’s credit card details.
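As an added illustration, not code from this post or from Apple: a small Python model of the two reset flows the post contrasts. `weak_reset` is the 2006 dialogue, where birth month/year plus the security answer sets a new password on the spot; `request_reset` and `complete_reset` are the earlier e-mail-link flow, with the 3-hour link expiry from the 2004 message and the 8-hour lockout from the 2006 message. `MAX_ATTEMPTS`, the `Account` fields and the function names are my assumptions.

```python
import hmac, secrets
from dataclasses import dataclass, field
RESET_TOKEN_TTL = 3 * 3600   # the 2004 e-mail link expired 3 hours after sending
LOCKOUT_SECONDS = 8 * 3600   # the 2006 e-mail imposed an 8-hour lockout
MAX_ATTEMPTS = 3             # assumed threshold; the page does not state Apple's

@dataclass
class Account:
    birth_month_year: str
    security_answer: str     # kept in clear for brevity; store a salted hash in practice
    password: str
    failures: int = 0
    locked_until: float = 0.0
    pending: dict = field(default_factory=dict)   # reset token -> expiry (epoch seconds)

def _match(given, expected):
    return hmac.compare_digest(given.strip().lower().encode(), expected.strip().lower().encode())  # normalised, constant-time

def _knowledge_check(acct, dob, answer, now):
    # shared by both flows: birth month/year plus the trivia answer, with lockout
    if now < acct.locked_until:
        return False
    ok = _match(dob, acct.birth_month_year) and _match(answer, acct.security_answer)
    acct.failures = 0 if ok else acct.failures + 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
    return ok

def weak_reset(acct, dob, answer, new_password, now):
    """The 2006 dialogue: passing the knowledge check sets a new password on the spot."""
    ok = _knowledge_check(acct, dob, answer, now)
    if ok:
        acct.password = new_password
    return ok

def request_reset(acct, dob, answer, now):
    """Hardened step 1: a correct answer only earns a random, expiring, single-use token."""
    if not _knowledge_check(acct, dob, answer, now):
        return None
    token = secrets.token_urlsafe(32)       # goes only to the address of record, never to the browser
    acct.pending[token] = now + RESET_TOKEN_TTL
    return token

def complete_reset(acct, token, new_password, now):
    """Hardened step 2: only the e-mailed token authorises the actual password change."""
    expiry = acct.pending.pop(token, None)   # pop makes the token single-use
    if expiry is None or now > expiry:
        return False
    acct.password = new_password
    return True
```

The difference is who holds the second factor: in the weak flow the browser that answered the trivia gets the new password immediately, while in the hardened flow only whoever reads the mailbox of record can finish the change, and only within the link's lifetime.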

Tell your friends: This sucks. Randomise the answer to your security question immediately, and store that answer in a safe place.

And complain to Apple. Hell, this is an old hack, it’s not far removed from the way Paris Hilton had her phone hacked. A company like Apple should be beyond this sort of thing, even in the name of usability.

UPDATE: For those who want to walk through the dialogue – or who for local circumstances or cookies will not be able to reproduce it – I’ve snapshotted the whole thing here; I reckon the only things which saved me from being ripped-off are that:

  • My cat is not a single colour
  • I lied about the colour anyway, and chose something different
  • I almost never save my credit details with a vendor

But I am paranoid. Lots of people are not.

[Screenshot walkthrough; captions: Start At The Top; Now Sign In; Oops I Forgot My Password, Honest Guv...; I Even Forgot My Login Name; Option 2 Is The Fraudster's Route; What's Your Birthday?; Answer The Security Question; If you choose unwisely...]

…but if you guess right, you 0wn the user’s account.

23 thoughts on “Easy AppleID Password & Account Theft”

  1. Jon Rosebaugh
    re: AppleID / Apple Store Credit Card Details Open To Easy Fraud

    When I log into my apple store account and try to look up my credit card info, they only show me the last four digits and expiration date. So, I don’t think it’s the end of the world just yet, especially since you still need the three-digit code from the back of the card to buy stuff.

  2. Chris
    re: AppleID / Apple Store Credit Card Details Open To Easy Fraud

    I tried your test. I got a pop-up asking for my AppleID. I provided it, and got a second pop-up providing two choices:

    I could either have Apple email my password to the email address of record, or I could email enrollment@apple.com.

    I have no idea what choosing the second of these would result in, but at no point was any inquiry made about my security questions (but to be honest, I cannot recall whether I supplied any when the acct was created).

  3. alecm
    re: AppleID / Apple Store Credit Card Details Open To Easy Fraud

    OK, then, so how does one-click ordering work, hmmm?

    Typically that does not require the card details to be entered, to operate, but then I’ve never been fool enough to enable it.

    I am sure that a) someone’s tried to break into my account, and b) they must have motivation and c) I am not aware enough of the ways to take such information and leverage it into fraud.

    Bottom line: the state of the Apple ID’s security is weak, and potentially enables identity theft and/or credit card fraud.

    That is grounds enough for complaint.

  4. alecm
    re: AppleID / Apple Store Credit Card Details Open To Easy Fraud

    Hi Chris,

    Which Apple Store was this? USA? UK?

  5. Chris
    re: AppleID / Apple Store Credit Card Details Open To Easy Fraud

    I simply followed your link. I am in the US, and Akamai knows it from my IP, so I figure I hit US infrastructure. All of this, except the initial “I forgot — Help!” click was off an https server running on “iforgot.apple.com”.

    I wound up getting an email very much (probably exactly) like yours from 2004.

  6. Chris
    re: Easy AppleID Password & Account Theft

    BTW Alec,

    Looking at your photos, it is clear that I received a different Option 2. It may be that I chose no “security questions”, and thus they had no choice but to not ask them of me :^).

  7. Chris Samuel
    re: Easy AppleID Password & Account Theft

    Hmm, I just got one of those password change emails too. Odd thing here is that it’s to a one-off email address that I created just for it.

  8. c.gonzalez
    re: Easy AppleID Password & Account Theft

    My apple bytes was stolen from my backpack. Can they connect my iPod to any computer and erase all my information? Can I locate it?

  9. Franky

    When you access your Apple Store account, only the last 4 digits of your credit card are shown, and the 3-digit SSN on the back of your card is not revealed. If you wanna buy you have to type in your full credit card information, so I don’t think you have to get worried.

  10. Marvin Kistler

    my member name is: marvkistlerme.com and the assigned e-mail address is: [DELETED]@[DELETED] and the password I established is [DELETED]!!
    Is it my fault you don’t record it properly!
    It seems this password memory system of yours is terribly flawed, because since day one I have not been able to get past the ID name and password.
    I can’t really see how it is worth all the trouble and grief you create with an unreliable system!
    With Best Regards

    Marvin Kistler

  11. roydell

    …which perplexed me mightily, because I have not touched my Apple Store account for several weeks

  12. mary

    I have been trying to sign into my account for more than ONE YEAR!!!
    and it will not let me, nor will it let me create a new password.
    I can’t even listen to the songs I already PURCHASED>>>PAID FOR!!!!
    and I have sent many emails and had no 24-hour response, or any response, in more than a year. I have spoken with live techs and they assure me that I will hear from Apple in 24 hours, and nothing!!!!
    I’m ready to throw everything in the trash

  13. thomas davidson

    Why did a website that I had been using since I bought my Mac mini suddenly stop recognizing me and not let me get online, even though it took my money, which I finished up having to reclaim?
    My address was …….@mac.com

  14. Tabitha Thacker

    [ comment edited. sorry but we can’t help you debug your credit card. ]

  15. mahbub

    I want to create an Apple account on my iPhone, but here when I enter a password it shows me “use at least one uppercase letter”. So in this case what should I do?

    1. alecm Post author

      Mahbub: Add an uppercase letter to your password.

      That’s what the Shift/arrow key is for.

      Like how you typed the letter “S” above.

