Security Alert! If you buy online from Apple, check your e-mail carefully…

Just to let you know, I have started getting spurious and unexpected “you have failed to change your AppleID Password” mails again:

Subject: We’re Unable to Reset Your Apple Password
From: AppleID@apple.com
Date: Thu, 26 Jul 2007 13:29:05 +0000 (GMT)

Dear alec muffett,

We apologize but we were unable to verify your account information with the answers you provided to our security questions.

Because too many invalid attempts were made to answer these questions, you will not be able to reset your password for the next 8 hours.

If you need further assistance, please visit:

http://survey.info.apple.com/feedback/appleid.html

Thank You.

…and although it is hard to prove, the last time this happened was immediately prior to the one and only incident of “Identity Theft” that I have ever suffered – a bill for $38 from Verizon Wireless turned up on my VISA card a few weeks later.

I phoned them up to be greeted with a dialogue “If you are telephoning to query a debit on your credit card and you are not a Verizon customer, please press *2” – or somesuch, which filled me with dread.

My theory is that the crooks are milking AppleIDs – with their oh-so-friendly password recovery mechanism – for card meta-information, correlating it with stuff elsewhere, and then using it on the handful of traders who’ll accept dubious data for anonymous services.

I systematically randomised (eh?) all the information on my AppleID, so they’ll have a problem repeating that trick, but really:

If you receive an e-mail like the one above and you’re an Apple customer, then go and delete or randomise your personal information on their website ASAP. And complain to Apple.

Or watch your credit card bill; it’s your choice.

8 thoughts on “Security Alert! If you buy online from Apple, check your e-mail carefully…”

  1. Pingback: Geoff Arnold » Blog Archive » Warning from Alec for those of us that buy stuff online from Apple

  2. Pingback: dropsafe : Apple just gave out my Apple ID password because someone asked - MK&C

  3. alecm Post author

    UPDATE FOR READERS OF THE REGISTER

    Hi All,

    If you are wondering what I mean by “randomise your personal information” in the above, for instance I mean:

    Set your mother’s maiden name to something like “GzDweWN”

    Set your favourite colour to something like “47splatbong”

    Set your school name to something like “WazongaBoz”

    …and make note of that information should you ever need it, keeping said data offline and safe.

    You should never use personal descriptive information for authentication. Ever. Really really bad idea.

    Also: this is the posting with the pretty pictures, which you probably wanted to read.

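As an added example (not part of the original post or comment, and not Apple's code), the Python sketch below audits a set of security answers against your real personal facts and then replaces them with random ones, as the comment above advises. The question names, sample facts and function names are constructed for illustration.

```python
import math
import secrets
import string

# 62 symbols, no punctuation, so an answer survives web forms and phone support.
ALPHABET = string.ascii_letters + string.digits

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)

def _norm(text):
    return "".join(text.lower().split())

def audit_answers(answers, real_facts):
    """Return the questions whose current answer is a real fact or is reused."""
    facts = {_norm(f) for f in real_facts}
    seen, weak = set(), []
    for question, answer in answers.items():
        key = _norm(answer)
        if key in facts or key in seen:
            weak.append(question)
        seen.add(key)
    return weak

def randomise_answers(questions, real_facts, length=16):
    """Map each question to a fresh random answer unrelated to any real fact."""
    facts = [_norm(f) for f in real_facts if f.strip()]
    result = {}
    for question in questions:
        while True:
            candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
            clash = candidate in result.values() or any(f in candidate.lower() for f in facts)
            if not clash:
                result[question] = candidate
                break
    return result

def offline_record(account, answers):
    """Plain-text sheet to print or write down and keep offline."""
    lines = [f"Account: {account}"]
    lines += [f"  {q}: {a}" for q, a in answers.items()]
    return "\n".join(lines)

# Constructed sample data, not taken from the post.
SAMPLE_FACTS = ["Smith", "blue", "Hill Road School"]
SAMPLE_ANSWERS = {"Mother's maiden name": "smith", "Favourite colour": "Blue",
                  "School name": "x9Tq", "First pet": "x9tq"}
```

`audit_answers` flags the first, second and fourth sample entries (two real facts and one reused answer); feeding the same questions to `randomise_answers` and the result to `offline_record` gives the sheet to keep offline.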
  4. Cyn

    When I logged into my account in iTunes this week, somebody had hacked it, changed my name and telephone number. After several emails with an Apple rep, they have determined that my apple ID and info were “compromised”…The name of the hackster was supposedly fictitious but I did a reverse 411 search and found the person/address, although Apple says that there’s nothing they can do…Even though this person hacked into my account, they have his name and phone number. They are not forthcoming on how this could happen, nor can they assure me that it will not happen again. I’m very disappointed in their system! How could this happen?

  5. Pingback: Puppies, Flowers, Rainbows and Kittens » Blog Archive » iTunes hack warning!

  6. Rahle

    I too have had issues with fraud on my credit card on the iTunes App store.
    From the day after I registered my credit card on the app store (3 Aug) till 12 Aug there were 14 fraudulent transactions on my card.

    What makes my case slightly different is that I had no fraudulent activity on my actual iTunes account but rather various declined authorisation fees from lastminute. Some successful transactions for EasyJet and some online telephony service safebillinc.com (ironic I know). I live in South Africa – these were all UK based transactions. Then there were 3 transactions from Telkom ADSL – our local telephone service company.
    How that happened is beyond me.

    Apple’s response to my problem was laughable and unhelpful.
    After looking online for about an hour to find a PHONE number to speak to a PERSON – after holding for 10 mins – I got redirected to the website to send an email.
    The response I got was:
    “I understand you are concerned about iTunes Store purchases that were made with your credit card on someone else’s account. I can certainly see how disappointing this would be and I’d be happy to provide any information I can to help.

    I’m glad to hear that you have cancelled your credit card and disputed the unauthorized transactions. A member of your credit card company’s fraud department will contact the iTunes Store directly to resolve this issue. I am sorry, but I cannot reverse those charges for you.”

    Seems like a standard response since they are addressing some other issue other than mine.

    I have changed my iTunes account to reflect no card – only free apps for me for now.

    I have cancelled the card – moaned to my bank but I guess other than waiting for all the charges to be reversed (once the letters of dispute have been assessed) it’s out of my hands now.

    I think Apple really need to wake up and take these security issues seriously.

  7. a

    I have had issues with Apple. They have been mixing up serial numbers and attaching my name to other people’s items. When these other people have brought in their items for repair, all my personal information has come up on their receipt. I have been contacted by some of these people wondering why my information is on their equipment. I have tried to talk with Apple but they seem clueless on why this is happening and don’t offer any solutions.

  8. Pingback: Andy Smith of the #CabinetOffice is a Epic Fucking #Security Hero – #socialmedia #cyberbullying #dailyfail – dropsafe
