Warning: This post is not about programming. It’s about an Apple ID security breach.

Updated: 07.02.09
Updated: 06.28.2009
Updated: 06.26.2009
Updated: 07.06.2010

I have always had a fascination with the idea of developing for the Mac. I guess those seeds were planted “… way back in the days of old” when I was creating custom stacks in Apple’s HyperCard, or creating custom databases in Filemaker. Developing for the Mac, or now for the iPhone, is one of those dreams many Apple Fan Boys and Girls have had. To build that one elusive application that everyone wants. Needs. Must have! Cha ching! Hey … I didn’t say my motives were altruistic.

It was with these thoughts in mind that I went out the other day and bought “Programming in Objective-C 2.0” by Stephen G Kochan and Erica Sadun’s “The iPhone Developer’s Cookbook”. Yesterday I started reading Programming in Objective-C 2.0. To get started I needed to log into my Apple Developer Connection account and download the latest version of the Apple developer tools which includes Xcode, Apple’s programming environment.

While I was there I also registered for the iPhone Dev Center. To do so I had to register with my current Apple ID. I then needed to fill out an iPhone developer questionnaire. With that done I could then download the latest version of the 2.08GB Apple iPhone SDK.

Sometimes things don’t always go as planned …

Somewhere after finishing the first program exercise of chapter 1, I needed to stop and take care of some personal finances. I went to Chase.com and had a look at my checking balance. To my surprise there were two pending transactions for $50.00 each from the iTunes store.

Charges

I knew right off … they weren’t MY charges. Immediately I went to the iTunes store and tried to log into my account with my Apple ID. “Sorry Apple ID does not exist.” (or something to that effect.) Now wait! I just used this very same Apple ID to log into the Apple Developer Connection just a few hours earlier. Hmm. Maybe I typed my password incorrectly. Type type type. “Sorry Apple ID does not exist.”

Okay. New tack. Let’s try resetting the password. I clicked on the link and was sent to this page on the Apple website. When I put in my correct eMail address I was told “Account does not exist.” I was livid! Someone had broken into my iTunes account! And they locked me out!!!!! Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr!

Like any good investigator the first thing I did was a Google search on “apple id login stolen” … and I got a bunch of hits. One was to a site called “dropsafe”. The post here was from 2006 entitled “Easy AppleID Password & Account Theft”. The second hit I looked at was from a Technorati Discussion which points to this blog post by Marko Karppinen, principal at MK&C, an eight-person software development studio in Helsinki, Finland, “Apple just gave out my Apple ID password because someone asked”. They too had a similar issue with their Apple ID being easily “hijacked” by someone other than the real owner.

With this information in hand, I tried calling Apple. “Sorry. Please call back during our normal hours of business.” I tried calling Chase. “Sorry Our systems are down. Please call our dispute department during normal business hours.” Does no one have 24 hour customer service anymore? It was now 12:30 AM and there was nothing I could do. I went to bed.

Woke up around 7:00 AM and got right back to it. I first called Apple customer support. I spoke to a very apologetic and very helpful agent named Heather Banks. I told her what happened. In our discussion of the hijack and charges made to my Chase debit card for two iTunes electronic gift certificates, eMailed to the gMail address [email protected], she put me on hold while she spoke directly to an iTunes Store agent. They first wanted to void my account and issue me a new one. I said no. There were too many purchases and computer registrations attached to that account. They finally reset the password, restored my old eMail address & I was able to log back in. Yeah!

I then changed my Apple ID & my password, as well as my “security” question. All was right with the world. Well almost. I was still pissed off that Apple’s security for handing over anyone’s ID was an eMail address, plus a security layer that includes your birth month and birth day, and a question of your own devising. The first two things could be found out easily by looking at any of my blogs, my FaceBook account, or my Twitter account. But my question is … did this person know my info from my registering on the Apple Developer Connection, or is someone watching the list of “newbies” and then exploiting their Apple IDs somehow? Too many questions, and not enough security, or answers on Apple’s part.

What is still incredibly irksome is that this has been going on for YEARS!!!!! And Apple hasn’t done a thing to improve the security around their Developer Connection site or getting or resetting a password associated with an Apple ID that is just an eMail address that ANYONE can know or find out. How secure is that???? Not very … evidently!

So I filed a complaint online with the Washington state Attorney General’s office, via a very well done web page. Now I don’t know if this is under the purview of the AGO … but by this point … I didn’t care. My next step was to write this post, which will go up on both my blogs, to warn others. Then off to the Better Business Bureau to lodge yet another complaint against Apple for such lax security. Then I’ll try to write to TUAW, MacWorld, MacNN etc etc and try to get this story out …. yet again!

I’m frazzled. Tired. And feeling violated. I don’t expect some grand mea culpa from Apple. But I am hoping to shed light on this problem, in the hope that others will pressure Apple to act in the best interest of their customers’ security.

Hey … APPLE … are you listening?

::::::::::::::: Joe stepping off soapbox :::::::::::::::

Updated: 06.26.2009

This is a letter I sent to Apple Developer Connection today, via a web form on the Apple website. I figured this way I might actually get something in writing from Apple. They sent a confirmation eMail with a “Follow-up” number. It’s a start to getting some real response from Apple.

After signing up for the iPhone Developer Program on 6/24/09 my Apple ID was hijacked by someone, somehow. They then logged into my iTunes account and charged 2 $50.00 iTunes cards. They also had locked me out of my own account.

I called Apple support on 6/25/09 and this is now under investigation. Whatever that means. They also gave me access to my account where I had to change my Apple ID, my password, and my security question.

I’m writing this to let the Developer Connection know that ID hijacking is STILL going on when people sign up via your website. And I’d like to know what Apple is doing about this?????

I know that Apple has been aware of this problem for SEVERAL years, because it has happened to many people, and it’s been documented all over the Internet. I myself have documented this incident on my blog go2jo.com. < http://is.gd/1dr2e >

There is an ongoing problem here, and I want to know what Apple is doing about it, in real terms? When will you change how easy it is to change an Apple ID password? You even have a request item on this very mail form!

You need to:

STOP using eMail addresses as the primary ID. Let people create usernames that are ONLY used for the ID and nowhere else. At least that’s another layer of security beyond an eMail address that is easy to find out.

STOP using the birth month & birth day as the first question asked. In a world of blogs, Twitter, social website et al, it’s quite easy to find out.

How about a series of 4 questions of the user’s own making that need to be answered. Then an eMail to the account on record with a link back to the website, that then logs you in & takes you to a page where you can then change the password etc. This is similar to how Apple used to do it. Does Apple think people are THAT stupid not to be able to click on a link in an eMail?

Sorry … I’m just angry that this has been going on for years, and you CHOOSE to do nothing about it.

I’d really like a response from Apple Developer Connection about this issue, and about the fact that someone broke into my account because of Apple’s lax security.

BTW … the eMail address above used to be my old Apple ID, but is still my main eMail address. I won’t send my new ID address because this form is not secure. But then again … is your entire website? Evidently not.

Yours truly (frustrated) …. Joe Streno
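The reset flow the letter asks for (a one-time link sent only to the address on record, instead of a birthday plus one guessable question) looks roughly like this. This is an added illustration written for this post, not Apple’s code; the account store, the 15-minute link lifetime, and the in-memory “outbox” standing in for real eMail delivery are all assumptions. Note that the reset form gives the same answer whether or not the address is registered, so it can’t be used to confirm which eMail addresses are Apple IDs (the “Account does not exist.” message above does exactly that).

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link dies after 15 minutes


def hash_password(password, salt):
    # Slow salted hash for stored passwords (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordResetService:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.accounts = {}        # constructed in-memory store: email -> salt + hash
        self.pending = {}         # sha256(token) -> (email, expires_at); raw token never stored
        self.outbox = []          # stands in for eMail delivery: (recipient, token)

    def add_account(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "hash": hash_password(password, salt)}

    def check_login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None:
            return False
        return secrets.compare_digest(acct["hash"], hash_password(password, acct["salt"]))

    def request_reset(self, email):
        # Identical response for known and unknown addresses: no account enumeration.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)                 # 256-bit unguessable secret
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))                # only the address on record gets it
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)                # single use: consumed on first try
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "hash": hash_password(new_password, salt)}
        return True
```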

I’ll try to keep this post updated as I get more info.

Updated: 06.28.2009

As of right now, I have not been contacted by Apple yet. Maybe tomorrow.

The Good news is, the two $50.00 charges disappeared from my Chase.com online account. Which means Apple must have canceled them, though they still show up in my iTunes purchase history.

iTunes Charges
Here are the iTunes Gift Certificates that the “bandit” purchased. Now I wonder if the person is stupid enough to actually cash them, or if s/he did cash them while I was locked out of my account. But then again, I didn’t see any purchases other than the cards. So honestly … what good are the cards, unless this person tries to sell them on Craig’s List or something. It makes no sense.
[Images: iTunes Gift Certificate 1, iTunes Gift Certificate 2]

So we’ll see what happens tomorrow, Monday. I really do want to hear from Apple. We’ll see.

Updated: 07.02.09

Called Apple customer support yesterday (07.01.09) and spoke to customer service agent Bob Henderson. I asked him why Apple did not credit back the charges for the two iTunes cards charged to my debit card. He informed me that the procedure was to file a dispute with Chase and then Chase would contact Apple. I also asked him why no one at Apple (iTunes Store, or Developer Connection) has contacted me yet. He said he did not know. I then asked him why Apple has not fixed this gaping hole in password security? He said Apple has been looking into it (yeah right), but if I’d like to write an eMail to him outlining what I’d like to see happen to make things more secure, he’d be happy to pass it along to “the powers that be.” I’m in the process of doing this.

On the Attorney General front …

Got a reply back from the Washington State Attorney General’s office in response to my filing a complaint against Apple. Color me amazed!

Rob McKenna
ATTORNEY GENERAL OF WASHINGTON
Consumer Protection Division
1220 Main Street, Suite 549 – Vancouver, WA 98660 – (360) 759-2152

7/1/2009

Joseph Streno
[redacted]
[redacted]

RE: Apple Computer
File #: [redacted]

Dear Joseph Streno:

Your complaint submitted to our office regarding Apple Computer has been assigned to me. I have contacted the business and requested a response to your complaint within 21 business days. A copy of your complaint was provided to the Business. I will contact you and inform you of the response. Normal complaint processing time is approximately 6-8 weeks due to the complexity and number of complaints our office receives, however, processing time may be longer during times when the volume of incoming complaints increases. Your patience is very much appreciated.

Our office obtains valuable information from individual consumer complaints. We maintain complaint files of business practices that may be useful if enforcement action is warranted in the future.

If we are not able to resolve your complaint or if the business does not respond, I will inform you of the alternatives. If you need to contact me, please have your complaint number [redacted] available for reference. Thank you for contacting our office and I will contact you when more information is available.

Sincerely,

[redacted]
[redacted]

Now we’ll see what will happen. This may be part of the reason no one from Apple has contacted me. Or not. I’ll tell you this post is getting a LOT of traffic. Don’t know what that means, other than people are interested.

I’ll keep adding to this post unless something major happens & requires me to start a new one.

Updated: 07.06.2010

New Post: My Hijacked Apple ID … continued …