Do I still feel that way? I’d be a blind zealot if I said yes. There have always been questionable calls on Apple’s part throughout the years. But at some point Apple stepped up to the plate, took responsibility and made things right. No matter what the cost. Financial or otherwise. It seems this concept gets harder and harder for Apple. For whatever reason.

It started June 25th with my post “Apple Developer {dis} Connection or … How My Apple ID Was Hijacked“. I explained how my Apple ID was hijacked by someone, after I logged into the Apple Developers Connection website. The hijacker took over my Apple ID by changing the username and password. Then they ever so kindly logged into my iTunes account and charged two $50.00 iTunes cards to my my attached debit card. For all the gory details I suggest reading the original post and coming back. It’s quite long and has several updates.

It’s almost a month later, and I finally heard back from Apple Developers Connection, Apple Inc and the Attorney General’s Office of Washington state. The Apple’s Developer Connection eMailed me yesterday July 22nd. After nearly a month this is what they had to say:

Subject: Re: Website Inquiries/Feedback
From: devprograms@apple.com
Date: July 22, 2009 10:30:37 AM PDT
To: ejo@go2jo.com

Follow-up: xxxxxxxxx

Re: Website Inquiries/Feedback

Hello Joe,

Thank you for contacting the Apple Developer Connection.

We are currently reviewing your inquiry and will get back to you very soon. We appreciate your patience.

Best regards,

Michele Owens
Apple Developer Connection
Worldwide Developer Relations

That’s it? A month to tell me they are looking at my inquiry? Now I don’t want to seem like a whiny whiny boy man. (I’ve already been accused of this in a comment on the original post. Which of course I deleted. My blog. My prerogative.) But … a month for an eMail telling me they are reviewing my inquiry? No results yet? Okay. I’ll give the the benefit of the doubt. Tap tap tap. Waiting waiting waiting.

On the same day I got this eMail from the AGO’s office.

Joseph Streno
13303 15th AVE NE
Seattle, WA 98125

RE:    Apple Computer
File #:    xxxxxxx

Dear Joseph Streno:

Our office has received the attached written response from Apple Computer.  Although they have offered to make a partial adjustment, they decline to make full adjustment of your complaint for the reasons outlined.

We realize you may disagree with their position. However, our office does not have the authority under the law to force the parties to resolve their dispute. We regret that we are unable to provide further assistance to you in this situation.

We do not have the legal authority to represent individuals as their attorney, nor may we act as a judge or arbiter in individual disputes.  If you wish to pursue the matter, you should consider either contacting an attorney or suing in Small Claims Court. You can obtain additional information about Small Claims court at:

<<<http://www.courts.wa.gov/newsinfo/resources/?altMenu=smal&fa=newsinfo_jury.scc>>>

For referrals to attorneys in King County:    206-623-2551 or 211

If you cannot afford an attorney, you may qualify for assistance from the NW Justice Project’s CLEAR Coordinated Legal Advice.  They may be reached Toll Free at 1-888-201-1014 or online at the following website:

<<http://www.nwjustice.org/about_njp/clear.html>>

In addition, if you are 60 or over, you may call CLEAR SR. at 1-888-387-7111 regardless of income.

You may also wish to contact the Dispute Resolution Center nearest you to see if they can assist in mediating your dispute.  You can obtain additional information at these websites:

<<<http://www.courts.wa.gov/court_dir/?fa=court_dir.dispute>>>

<<<http://www.resolutionwa.org/>>>.

Please be aware that the Dispute Resolution Centers do not provide attorney referrals or legal advice.

We appreciate your bringing this matter to our attention.  Your complaint will remain a part of our public record of this firm’s business practices.

DAVID FERRIS
Complaint Analyst
Consumer Protection Division

This was the fax sent to the AGO from Apple:

To which I responded back to the AGO’s office:

Subject: Re: xxxxx : A notice from the Washington State Attorney General’s Office
From: ejo@go2jo.com
Date: July 22, 2009 1:43:37 PM PDT
To: xxxxx@atg.wa.gov

Dear Mr McKenna …

Thank you for being so prompt. I did get the attached PDF of Apple’s response.

Of course Apple skirted their own security issue(s) with the iTunes Store and The Apple Developers Connection website. My identity was “stolen” because of the ease one can change a password for an Apple ID.

They have outright avoided answering the question put before them. How did someone get access to my iTunes account? How, and at what time was the Apple ID changed? And in what manner was it changed, via a phone call, eMail, or the Apple website form?

The hijacker did not steal my identity to use my debit card, but stole my Apple ID and was able to log into iTunes which had my debit card attached to make purchases. There is a huge difference. And puts the onus on Apple to answer how that happened, not the credit card company. My iTunes account could have had ANY card attached to it, the responsibility is Apple’s because someone was able to hijack my Apple ID and log into iTunes at all. Without that step none of this would have happened.

That and only that is the issue! How did that happen? Apple has not answered that question at all.

I wasn’t concerned with getting the charges credited back. They were. The debit card was canceled and a new one issued. I was more concerned that no one has legally called Apple’s security issues to task. Apple’s “Apple ID” is the only way to log into ANY of Apple’s (supposedly) secure websites, or any of their electronic stores (to make a purchase.)

If this type of thing does not fall under the purvey of the AGO, I guess it’s time to try to start a class action suit against Apple.

If you have any further comments please send them along.

Thank you for all your help.

Joe Streno

And that pretty much says it all. Apple won’t admit there is a problem with their security in respect to changing a password for their Apple ID. This one item, the Apple ID is used to sign into any Apple related website, and to purchase anything on the iTunes and Apple Store. Apple could solve the entire issue by devising another more secure way to change a password and gain access to another person’s account. It’s a problem that has gone on for years, yet Apple turns a (not so) blind eye and let’s the problem continue. The other piece of the unsolved puzzle is … are there hackers out there that are intercepting an Apple ID as one is logging into a Developers Connection account? Or is it when someone is joining an Apple website for the first time. All unanswered questions seemingly unimportant to Apple.

So Apple …. is Apple ID security bulletproof? I think not! So the question remains … what to do next. I’ll wait to see what Apple reports back.

Updated: 07.02.09
Updated: 06.28.2009
Updated: 06.26.2009
Updated: 07.06.2010

I have always had a fascination with the idea of developing for the Mac. I guess those seeds were planted “… way back in the days of old” when I was creating custom stacks in Apple’s HyperCard, or creating custom databases in Filemaker. Developing for the Mac, or now for the iPhone, is one of those dreams many Apple Fan Boys and Girls have had. To build that one illusive application that everyone wants. Needs. Must have! Cha ching! Hey … I didn’t say my motives were altruistic.

It was with these thoughts in mind that I went out the other day and bought “Programming in Objective-C 2.0” by Stephen G Kochan and Erica Sadun’s “The iPhone Developer’s Cookbook“. Yesterday I started reading Programming in Objective-C 2.0. To get started I needed to log into my Apple Developer Connection account and download the latest version of the Apple developer tools which includes Xcode, Apple’s programing environment.

While I was there I also registered for the iPhone Dev Center. To do so I had to register with my current Apple ID. I then needed to fill out an iPhone developer questionnaire. With that done I could then download the latest version of the 2.08GB Apple iPhone SDK.

Sometimes things don’t always go as planned …

Somewhere after finishing the first program exercise of chapter 1, I needed to stop and take care of some personal finances. I went to Chase.com and had a look at my checking balance. To my surprise there were two pending transactions for $50.00 each from the iTunes store.

I knew right off … they weren’t MY charges. Immediately I went to the iTunes store and tried to log into my account with my Apple ID. “Sorry Apple ID does not exist.” (or something to that effect.) Now wait! I just used this very same Apple ID to log into the Apple Developer Connection just a few hour earlier. Hmm. Maybe I typed my password incorrectly. Type type type. “Sorry Apple ID does not exist.”

Okay. New tact. Let’s try resetting the password. I clicked on the link and was sent to this page on the Apple website. When I put in my correct eMail address I was told “Account does not exist.” I was livid! Someone had broken into my iTunes account! And they locked me out!!!!! Grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr!

Like any good investigator the first thing I did was a Google search on “apple id login stolen” … and I got a bunch of hits. One was to a site called “dropsafe”. The post here was from 2006 entitled “Easy AppleID Password & Account Theft“. The second hit I looked at was from a Technorati Discussion which points to this blog post by Marko Karppinen, principal at MK&C, an eight-person software development studio in Helsinki, Finland, “Apple just gave out my Apple ID password because someone asked“. They too had a similar issue with their Apple ID being easily “hijacked” by someone other than the real owner.

With this information in hand, I tried calling Apple. “Sorry. Please call back during our normal hours of business.” I tried calling Chase. “Sorry Our systems are down. Please call our dispute department during normal business hours.” Does no one have 24 hour customer service anymore? It was now 12:30 AM and there was nothing I could do. I went to bed.

Woke up around 7:00 AM and got right back to it. I first called Apple customer support. I spoke to a very apologetic and very helpful agent named Heather Banks. I told her what happened. In our discussion of the the hijack and charges made to my Chase debit card for two iTunes electronic gift certificates, eMailed to the gMail address rosianhotmailcom568@gmail.com, she put me on hold while she spoke directly to an iTunes Store agent. They first wanted to void my account and issue me a new one. I said no. There were too many purchases and computer registrations attached to that account. They finally reset the password, restored my old eMail address & I was able to log back in. Yeah!

I then changed my Apple ID & my password, as well as my “security” question. All was right with the world. Well almost. I was still pissed off, that Apple’s security for handing over anyone’s ID was, using an eMail address, a security layer that includes your birth month, and birth day, and a question of your own devising. The first two things could be found out easily by looking at any of my blogs, my FaceBook account, or my Twitter account. But my question is … did this person know my info from my registering on the Apple Developer Connection, or is someone watching the list of “newbies” and then exploiting their Apple IDs somehow? Too many questions, and not enough security, or answers on Apple’s part.

What is still incredibly irksome is that this has been going on for YEARS!!!!! And Apple hasn’t done a thing to improve the security around their Developer Connection site or getting or resetting a password associated with an Apple ID that is just an eMail address that ANYONE can know or find out. How secure is that???? Not very … evidently!

So I filed a complaint online with the Washington state Attorney General’s office, via a very well done web page. Now I don’t know if this is the under the prevue of the AGO … but by this point … I didn’t care. My next step was to write this post, which will go up on both my blogs, to warn others. Then off to the Better Business Bureau to lodge yet another complaint against Apple for for such lax security. Then I’ll try to write to TUAW, MacWorld, MacNN etc etc and try to get this story out …. yet again!

I’m frazzled. Tired. And feeling violated. I don’t expect some grand mia culpa from Apple. But I am hoping to shed light on this problem, in the hope that others will pressure Apple to act in the best interest of their customer’s security.

Hey … APPLE … are you listening.

::::::::::::::: Joe stepping off soapbox :::::::::::::::

This is a letter I sent to Apple Developer Connection today, via a web form on the Apple website. I figured this way I might actually get something in writing from Apple. They sent a confirmation eMail with a “Follow-up” number. It’s a start to getting some real response from Apple.

I’ll try to keep this post updated as I get more info.

As of right now, I have not been contacted by Apple yet. Maybe tomorrow.

The Good news is, the two $50.00 charges disappeared from my Chase.com online account. Which means Apple must have canceled them, though they still show up in my iTunes purchase history.

Here are the the iTunes Gift Certificates that the “bandit” purchased. Now I wonder if the person is stupid enough to actually cash them, or if s/he did cash them while I was locked out of my account. But then again, I didn’t see any purchases other than the cards. So honestly … what good are the cards, unless someone this person tries to sell them on Craig’s List or something. It makes no sense.

So we’ll see what happens tomorrow, Monday. I really do want to hear from Apple. We’ll see.

Called Apple customer support yesterday (07.01.09) spoke to customer service agent Bob Henderson. I asked him why Apple did not credit back the charges for the two iTunes cards charged to my debit card. He informed me that the procedure was to file a dispute with Chase and then Chase would contact Apple. I also asked him why no one at Apple (iTunes Store, or Developer Connection) has contacted me yet. He said he did not know. I then asked him why Apple has not fixed this gaping hole in password security? He said Apple has been looking into it (yeah right), but if I’d like to write an eMail to him outlining what I’d like to see happen to make things more secure, he’d be happy to pass it along to “the powers that be.” I’m in the process of doing this.

On the Attorney General front …

Got a reply back from the Washington State Attorney Generals office in response to my filing a complaint against Apple. Color me amazed!

Now we’ll see what will happen. This may be part of the reason no one from Apple has contacted me. Or not. I’ll tell you this post is getting a LOT of traffic. Don’t know what that means, other than people are interested.

I’ll keep adding to this post unless, something major happens & requires me to start a new one.

New Post: My Hijacked Apple ID … continued …