Apple’s Hacker Fix: Nuke Your iTunes Account, Refuse To Let You Back In

Last month, Apple’s lax password reset protocol allowed Wired’s Mat Honan to be hacked. Hard. It was a wake-up call for the company and its customers — a breach so severe it demanded an immediate solution. But what Apple came up with might be just as nuts as the original problem: it’s basically impossible to recover your account right now.

Over the last several weeks, Apple has been dithering over how to amend its security reset protocols. That’s a great and necessary idea, since it had been using just the last four digits of a customer’s credit card — information that is not at all secure or private enough for that kind of verification process. But it still hasn’t figured out exactly how to verify who you are, so for now there is no way for Apple employees to assist you in recovering your password.

Here’s the full rundown on what’s broken right now: There is no way for Apple support to reset your password or your security questions if you have forgotten them, and it also can’t re-activate an account that has been disabled for any reason. Apple’s automated system for password reset — enter your Apple ID email account or answer a security question — is still in effect. But the only thing Apple’s security team is authorised to do for disabled accounts right now is take down their information, add them to a list, and get back to them whenever it’s resolved.

So, if you know your Apple ID or you can correctly answer the security question, you’re fine. You can reset your password without a problem. But if you lost both (unlikely, but not impossible), you’re totally out of luck until who knows when.

What does that mean in practical terms if it happens to you? You can’t buy songs, movies, apps or anything else that requires your Apple ID, and you can’t download any updates to apps you already have. Same goes for software updates or security patches for Mac OS X or iOS. It lands somewhere between a major pain in the arse and a breach of contract. I know this because it’s happening to me.

Close to Home

Here’s some background: Apple recently charged me for an iTunes movie I did not purchase. I was pretty positive it wasn’t just an errant click, so I asked Apple if it could access login points and see if anyone strange had been using my account. Apple said it would look into it and temporarily disabled my account from buying apps and content or downloading software. Standard deal. No problem. I sort of forgot about it for a month, and when I remembered after being unable to download a software update, I poked Apple to see if the issue had been resolved yet. It hadn’t. In fact, it’s become much, much worse.

Apple is totally unable to reactivate a disabled account. This doesn’t only affect people who have had their accounts compromised, although that does add injury to injury. There are a bunch of ways to be flagged for a temporarily disabled account. For instance, if you use your wife’s credit card to buy something on iTunes, the system can catch the mismatched names and flag it as potential fraud, which has to be cleared up before you can continue shopping. Usually all that takes is a quick two-minute phone call. But now, under Apple’s security holding pattern, you’re going to be waiting until some unspecified time when Apple’s improved security protocols are in effect. I’ve been waiting for a month.

A disabled account can log into iTunes just fine and play DRM content, but it can’t download updates to any software — including OS X — nor can it make any new purchases.

The security lockdown is clearly due to the frenzy surrounding Mat Honan’s hacking incident, although Apple employees aren’t officially allowed to comment on what’s behind the hazy procedures. But you don’t need customer support to tell you that this is the clumsiest possible way to handle the problem.

Going to an Apple Store in person doesn’t help either. I walked into one this morning fully expecting them to be able to just take a look at my driver licence or passport and laugh away the hiccup — See guys? It’s me! — but apparently that’s never been the case. Online iTunes Store support will always have more control over your account than Geniuses, and there is zero benefit to being at a location in person for account issues.

Just for reference, Amazon had a fix for its side of the Honan Hack debacle live basically as news of what happened started circulating on the internet. Apple has had more than a month since then. Granted, Amazon’s fix was merely not adding credit cards over the phone, while Apple’s fix will need to involve significant rearranging of its authentication process.

Stead-fast [sic] Stasis

Here are a few excerpts from my exchange with Apple support over the matter. This one is an excerpt from an email exchange about why my account could not be re-activated:

At present, Apple is temporarily not able to assist customers in resetting their challenge questions and password reset. That is the reason why I cannot re-enable your account at this time, since it is needed for a password reset. I apologise for any inconvenience, but when Apple reinstates security resets, the security measures that are required will be strengthened to further enforce customers’ account security. Your understanding in this matter is greatly appreciated.

And here is the response after I asked for further clarification:

Dear Kyle,

This is [redacted] from the iTunes Store.

I sincerely apologise for any inconvenience that this situation has caused you, Kyle.

I regret to inform you that we are currently unable to re-enable your account at this time. Since re-enabling the account requires a password reset, and we are having an issue right now regarding resets.

Upon checking your account based on the information that you have provided, I can see that your account has been disabled due to unauthorized purchases made in your account. We handle accidental and unauthorized purchases differently.

We are currently unable to reset passwords and security questions at this time. This is due to our increasing efforts to maximize security on the iTunes Store. Our current stage of operations dictates that we cannot comment on why we are enhancing these various security protocols; we also will not speculate on how long this security enhancement will last. We ask that you endure this rather unfortunate circumstance with stead-fast [sic] resolve as we really do want you to enjoy the iTunes Store in the safest, most enjoyable ways possible.

I will get back to you as soon as I have the resolution regarding your issue. Have a wonderful day, Kyle.

iTunes Store/Mac App Store Customer Support

Emphasis added. The Apple Store and AppleCare both confirmed that there’s nothing that can be done but to wait.

This couldn’t come at a less convenient time for Apple and its customers. Tomorrow, the company will finally take the lid off the iPhone 5. And while locked-out loyalists will still be able to activate their shiny new handset, they won’t be able to buy any new apps or content. Leaving you with… a really expensive dumbphone.

There are bigger problems in the world than Apple leaving its customers in a lockout limbo. Many of them! But it just seems totally, massively, completely out of whack that Apple’s solution to its security problem, after more than a month, still amounts to “OUT TO LUNCH, BBL”.