Apple's Hacker Fix: Nuke Your iTunes Account, Refuse To Let You Back In

Last month, Apple's lax password reset protocol allowed Wired's Mat Honan to be hacked. Hard. It was a wake-up call for the company and its customers — a breach so severe it demanded an immediate solution. But what Apple came up with might be just as nuts as the original problem: it's basically impossible to recover your account right now.

Over the last several weeks, Apple has been dithering over how to amend its security reset protocols. That's a great and necessary idea, since it had been using just the last four digits of a customer's credit card — information that is not at all secure or private enough for that kind of verification process. But it still hasn't figured out exactly how to verify who you are, so for now there is no way for Apple employees to assist you in recovering your password.

Here's the full rundown on what's broken right now: There is no way for Apple support to reset your password or your security questions if you have forgotten them, and it also can't re-activate an account that has been disabled for any reason. Apple's automated system for password reset — enter your Apple ID email account or answer a security question — is still in effect. But the only thing Apple's security team is authorised to do for disabled accounts right now is take down their information, add them to a list, and get back to them whenever it's resolved.

So, if you know your Apple ID or you can correctly answer the security question, you're fine. You can reset your password without a problem. But if you lost both (unlikely, but not impossible), you're totally out of luck until who knows when.

What does that mean in practical terms if it happens to you? You can't buy songs, movies, apps or anything else that requires your Apple ID, and you can't download any updates to apps you already have. Same goes for software updates or security patches for Mac OS X or iOS. It lands somewhere between a major pain in the arse and a breach of contract. I know this because it's happening to me.

Close to Home

Here's some background: Apple recently charged me for an iTunes movie I did not purchase. I was pretty positive it wasn't just an errant click, so I asked Apple if it could access login points and see if anyone strange had been using my account. Apple said it would look into it and temporarily disabled my account from buying apps and content or downloading software. Standard deal. No problem. I sort of forgot about it for a month, and when I remembered after being unable to download a software update, I poked Apple to see if the issue had been resolved yet. It hadn't. In fact, it's become much, much worse.

Apple is totally unable to reactivate a disabled account. This doesn't only affect people who have had their accounts compromised, although that does add injury to injury. There are a bunch of ways to be flagged for a temporarily disabled account. For instance, if you use your wife's credit card to buy something on iTunes, the system can catch the mismatched names and flag it as potential fraud, which has to be cleared up before you can continue shopping. Usually all that takes is a quick two-minute phone call. But now, under Apple's security holding pattern, you're going to be waiting until some unspecified time when Apple's improved security protocols are in effect. I've been waiting for a month.

A disabled account can log into iTunes just fine and play DRM content, but it can't download updates to any software — including OS X — nor can it make any new purchases.

The security lockdown is clearly due to the frenzy surrounding Mat Honan's hacking incident, although Apple employees aren't officially allowed to comment on what's behind the hazy procedures. But you don't need customer support to tell you that this is the clumsiest possible way to handle the problem.

Going to an Apple Store in person doesn't help either. I walked into one this morning fully expecting them to be able to just take a look at my driver licence or passport and laugh away the hiccup — See guys? It's me! — but apparently that's never been the case. Online iTunes Store support will always have more control over your account than Geniuses, and there is zero benefit to being at a location in person for account issues.

Just for reference, Amazon had a fix for its side of the Honan Hack debacle live basically as news of what happened started circulating on the internet. Apple has had more than a month since then. Granted, Amazon's fix was merely not adding credit cards over the phone, while Apple's fix will need to involve significant rearranging of its authentication process.

Stead-fast [sic] Stasis

Here are a few excerpts from my exchange with Apple support over the matter. This one is an excerpt from an email exchange about why my account could not be re-activated:

At present, Apple is temporarily not able to assist customers in resetting their challenge questions and password reset. That is the reason why I cannot re enable your account at this time, since it needed for a password reset. I apologise for any inconvenience, but when Apple reinstates security resets, the security measures that are required will be strengthened to further enforce customer's account security. Your understanding in this matter is greatly appreciated.

And here is the response after I asked for further clarification:

Dear Kyle,

This is [redacted] from the iTunes Store.

...

I sincerely apologise for any inconvenience that this situation has caused you, Kyle.

I regret to inform you that we are currently unable to re enable your account at this time. Since re enabling account, need to reset the password and we are having issue right now regarding reset.

Upon checking your account based on the information that you have provided, I can see that your account has been disabled due to unauthorized purchases made in your account. We handle accidental and unauthorized purchases differently.

We are currently unable to reset passwords and security questions at this time. This is due to our increasing efforts to maximize security on the iTunes Store. Our current stage of operations dictates that we cannot comment on why we are enhancing these various security protocols; we also will not speculate on how long this security enhancement will last. We ask that you endure this rather unfortunate circumstance with stead-fast [sic] resolve as we really do want you to enjoy the iTunes Store in the safest, most enjoyable ways possible.

I will get back to you as soon as I have the resolution regarding your issue. Have a wonderful day, Kyle.

Sincerely,

[redacted]

iTunes Store/Mac App Store Customer Support

http://www.apple.com/support/itunes/ww/

Emphasis added. The Apple Store and AppleCare both confirmed that there's nothing that can be done but to wait.

This couldn't come at a less convenient time for Apple and its customers. Tomorrow, the company will finally take the lid off the iPhone 5. And while locked out loyalists will still be able to activate their shiny new handset, they won't be able to buy any new apps or content. Leaving you with... a really expensive dumbphone.

There are bigger problems in the world than Apple leaving its customers in a lockout limbo. Many of them! But it just seems totally, massively, completely out of whack that Apple's solution to its security problem, after more than a month, still amounts to "OUT TO LUNCH, BBL".


Comments

    I don't understand why people don't just use itunes cards. A minimum 20% saving pretty much all the time and you can get them almost anywhere.

      @gadget Ummm you still need an account to use those itunes cards?

    I am all for good security measures. Not a week goes by where I don't get an email saying someone tried to reset your password.

      Yes but if you put 10 dollars the worst thing that can happen is you lose the 10 dollars instead of having your credit card being seen by hackers

    And now they've locked people out of iCloud mail it seems!! It's been down for hours. Really poor form for a major email service!!! I've got important emails coming through to that address - gimme an iphone5 now apple and I miiight forgive you.

    I don't understand why people use Apple products. This is what happens when you lock yourself into Apple's fascist clutches - no other option but to wait for them to fix the problem.

    same thing happened to my google account. even emailed all the details and the useless email trail to google tech support to gizmodo editors. when an apple product is anything less than perfect or industry leading, it gets more attention than a terrorist attack. i wouldn't touch android with a 10 foot pole so don't care about the stuff i lost. if android fails, there's a company with no phone support, a couple scripted monkeys giving you useless support and it's not even newsworthy.

    I could care....but since i dont use iTunes (saw the writing on the wall years ago), i feel kinda good that i dont have to put up with this crap.

    I see people who use Apple products the same way that i see people who smoke - eventually it will come back to bite them, but by that time it will be too late.

      Really? Use hyperbole much?

      I agree with the author that this is crap service, and compares badly to Amazon's reaction to the problem, but it aint gonna give you cancer.

      Also, how is it that different in level of crapness from the cosplayers who got their accounts deleted from Facebook, or the Gmail outages that occur every so often?

      Any service is prone to crap corporate decisions, poor customer service and outages. This isn't just an Apple thing, it is a 'large company' thing.

    I understand that the individual (author) is in a tough spot, but I do question about how big a deal it is.
    The scenarios for being affected are pretty specific, and it's better to safe-guard the majority with (as I see it) appropriate action.

    My itunes account has been locked out and repeated emails to support are not helping me regain access to my account.

    Apple's naivety when it comes to security issues is hilarious.

    "We ask that you endure this rather unfortunate circumstance with stead-fast [sic] resolve as we really do want you to enjoy the iTunes Store in the safest, most enjoyable ways possible."

    Account frozen without access or real recovery forecast and little help on the way,
    Maybe they'll help soon but keep up that "Steadfast resolve" while everything goes downhill as you wait for that secure Apple experience.
    I had imagined after all the hype surrounding Apple they would have this under control, but it seems not.

    Hang on a sec...
    "And while locked out loyalists will still be able to activate their shiny new handset, they won’t be able to buy any new apps or content. Leaving you with… a really expensive dumbphone."
    Do you mean to say that when you get a new Apple handset, you have to buy your apps all over again?

      You don't have to pay for them again but you do have to install them on the new device, and installations/updates require a login to verify that the account owns access to the item (even if it's 'free').

    But apple products are tops..

    Have you tried to manage your account at appleid.apple.com? No? What about reset your password at iforgot.apple.com? So you forgot your birthday and security answers and didn't set up a recovery email?...

    Yo bro, wouldn't be happening if you remembered your security question! Even the banks and government won't let know do anything without setting them online. Just set a good one next time :)
