My AppleID was stolen. 3 torturous weeks later Apple gave it back. Before anyone blames the victim, I get it. They got my password so it's my fault. I just wanted to share how they did it:
It all started with a thief in China...
1) Log into an iPhone 5S with AppleID
2) Create a "Temporary Support Pin" on Apple site
3) Call Apple China. Identification is verified by Temporary Pin and SMS to their 5S.
4) Apple Support resets security questions (CaseID Generated)
5) Thief removes devices, changes recovery email, birthdate, removes all devices and creates Security Questions in Chinese
And that's how easy it is to take over an AppleID with nothing but a password. (Note: I got emails throughout the entire process but Apple US support was closed and Apple China can't be accessed by foreigners)
Now, after being told for a few weeks the account is lost because I can't prove ownership, I did eventually get it escalated and had my account returned so I'm happy. But I do have some concerns about Apple's ID Verification Process because I can easily see this happening to anyone.
A) Temporary Support Pin + iMessage = Identity???
Both a Temp Pin and iMessage Code can be acquired by simply logging in with a password. They both created a set of numbers generated minutes before a support call and were considered valid forms of personal identification. That's a huge problem because it doesn't prove identity, it only proves you have a password.
B) Proving I am Me
This is a 10yr old account with a long history of products and purchases tied to it so I was surprised how difficult it was to prove I am Me.
Much of my personal Info was verified to still be unchanged in my account:
- Physical Address
- Cellphone
- Credit Card
- iTunes Music Subscription
- Paid iCloud Subscription
- Purchase History
- Primary Email (AppleID is my Email is my AppleID)
It's a 10yr old account with a long history of product and software purchases tied to it yet out of that list the only valid form of identification to grant me access was Credit Card (which matched) AND Security Questions. Security questions that reps can't read since they're in Chinese. And that brings up the question of...
C) Foreign Language Security Questions
The purpose of Security Questions is for a representative to validate identity with obscure info.
Think about that for a second. Should an account established in one language even be allowed to write security questions in a language that support reps won't be able to read? It seems to contradict the entire purpose of creating challenge questions.
And that's it. Yup it's my fault for not using 2-factor. But still, with so much of our lives tied to cloud services, identity is pretty important stuff and Apple may need to re-evaluate the simplicity of taking over an account and the complexity of getting it back.
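The two weaknesses the post describes (a "second factor" that is really just the password again, and challenge questions the representative cannot read) can be expressed as a small verification-policy check. The code below is an added illustration written for this thread, not Apple's process or any real support tooling; the evidence names, the language tags and the rule that evidence must come from at least two independent roots are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Root(Enum):
    """What a piece of verification evidence ultimately depends on."""
    PASSWORD = "password"                 # anything obtainable by signing in
    PAYMENT = "payment instrument"
    LONG_TERM_KNOWLEDGE = "long-term knowledge"
    OUT_OF_BAND_CONTACT = "out-of-band contact"


@dataclass(frozen=True)
class Evidence:
    name: str
    root: Root
    language: Optional[str] = None   # only meaningful for knowledge-based items


# Constructed mapping of the artefacts named in the post to the factor they
# actually rest on. Assumption: the temporary support PIN and the SMS code sent
# to a device signed in with the password both require nothing beyond that
# password, as the post describes.
TEMP_SUPPORT_PIN = Evidence("temporary support PIN", Root.PASSWORD)
SMS_TO_SIGNED_IN_DEVICE = Evidence("SMS code to a device signed in with the password",
                                   Root.PASSWORD)
CREDIT_CARD_ON_FILE = Evidence("credit card on file", Root.PAYMENT)
SECURITY_QUESTIONS_EN = Evidence("security questions", Root.LONG_TERM_KNOWLEDGE, "en")
SECURITY_QUESTIONS_ZH = Evidence("security questions", Root.LONG_TERM_KNOWLEDGE, "zh")


def evaluate(evidence: List[Evidence], account_language: str,
             rep_languages: Set[str], min_roots: int = 2) -> Tuple[bool, List[str]]:
    """Decide whether presented evidence proves ownership.

    Accept only when the items come from at least `min_roots` independent
    roots, the password is not the sole root, and any knowledge-based item is
    written in a language the representative can read and in the language the
    account was established in. Returns (accepted, reasons_for_rejection).
    """
    reasons: List[str] = []
    roots = {e.root for e in evidence}

    if len(roots) < min_roots:
        names = ", ".join(sorted(r.value for r in roots))
        reasons.append(f"only {len(roots)} independent root(s): {names}")
    if roots == {Root.PASSWORD}:
        reasons.append("every item is obtainable with the password alone")

    for e in evidence:
        if e.root is not Root.LONG_TERM_KNOWLEDGE:
            continue
        if e.language not in rep_languages:
            reasons.append(f"{e.name} are in '{e.language}', which the "
                           f"representative cannot read")
        if e.language != account_language:
            reasons.append(f"{e.name} language '{e.language}' differs from the "
                           f"account language '{account_language}'")

    return (not reasons, reasons)


if __name__ == "__main__":
    # The support call in the post: PIN + SMS, both rooted in the password.
    print(evaluate([TEMP_SUPPORT_PIN, SMS_TO_SIGNED_IN_DEVICE], "en", {"en"}))
    # What the owner could offer: card on file plus original English questions.
    print(evaluate([CREDIT_CARD_ON_FILE, SECURITY_QUESTIONS_EN], "en", {"en"}))
    # After the takeover: questions rewritten in a language the US rep can't read.
    print(evaluate([CREDIT_CARD_ON_FILE, SECURITY_QUESTIONS_ZH], "en", {"en"}))
```

The useful property of the check is that it reasons about where each artefact comes from rather than how many artefacts were shown: two codes generated minutes apart from one signed-in session still count as a single root, which is exactly the gap the post's step 3 walks through.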