
brutusfly

macrumors member
Original poster
Dec 3, 2006
I've grown dependent on my Apple email, calendar, find friends, etc. For the 2nd time this year, through no fault of my own, my account was locked for security reasons. Instead of beginning my work day doing actual work, I had to talk to Apple, who can only send a reset email at this time tomorrow.

So, if a hacker wanted to make a busy person really unhappy, all they have to do is attempt to log into that account a few times a week unsuccessfully? Effectively disabling all the victim's iCloud functions most of the time?
 
So, if a hacker wanted to make a busy person really unhappy, all they have to do is attempt to log into that account a few times a week unsuccessfully? Effectively disabling all the victim's iCloud functions most of the time?
You can replace "iCloud" with eBay, amazon, gmail, Yahoo, or pretty much any other web service, and that'd still likely be a true statement. :(

Do you have two-factor enabled on your Apple ID?

Can't you change your Apple ID to something more obscure?
 
I've grown dependent on my Apple email, calendar, find friends, etc. For the 2nd time this year, through no fault of my own, my account was locked for security reasons. Instead of beginning my work day doing actual work, I had to talk to Apple, who can only send a reset email at this time tomorrow.

So, if a hacker wanted to make a busy person really unhappy, all they have to do is attempt to log into that account a few times a week unsuccessfully? Effectively disabling all the victim's iCloud functions most of the time?

It's supposed to do that to protect your account. If it never locked out, then eventually, possibly, bad guys could gain access to your account.
 
Thanks for emphasizing that important aspect. I should have. Definitely back up the recovery key to several places using several different media / written / storage options.

Yep!

I store mine in a secure note in LastPass and I have an encrypted file with it stored in Dropbox as well.
 
I'll try...

I can give two-factor a shot as advised. I'm not really thrilled with two-factor on Gmail right now, so I haven't jumped at the chance to implement it with Apple. With Gmail I keep needing fresh application passwords for no apparent reason.
I seem to be hitting the bad side of the security vs convenience balance scale.
 
I can give two-factor a shot as advised. I'm not really thrilled with two-factor on Gmail right now, so I haven't jumped at the chance to implement it with Apple. With Gmail I keep needing fresh application passwords for no apparent reason.
I seem to be hitting the bad side of the security vs convenience balance scale.

With Apple, about the only time you need to use it is when you're logging into the Apple ID website itself, or when setting up new devices. Otherwise, on a daily basis, you don't interact with it, unless you're using the web interface for iCloud.com.
 
Authentication

While I'm venting about the lack of logic in Apple allowing a D.O.S. that could be exploited by a glitch, a hacker, any primate or non-primate that can access any Apple service...

How much sense does it make for Apple to send a reset email for your AppleID to an email account managed by your AppleID that you can't get mail from?
Shouldn't Apple automatically fall back to a non iCloud/.Mac/.Me address when it's blatantly obvious your email password has been locked by Apple?
 
How much sense does it make for Apple to send a reset email for your AppleID to an email account managed by your AppleID that you can't get mail from?
Shouldn't Apple automatically fall back to a non iCloud/.Mac/.Me address when it's blatantly obvious your email password has been locked by Apple?
It's up to you to set this up. There is an option at appleid.apple.com to configure a separate rescue email address if you don't have 2-factor authentication turned on. If you enable the latter, it's not needed since you have to reset the account yourself using the recovery key.
 
It's up to you to set this up. There is an option at appleid.apple.com to configure a separate rescue email address if you don't have 2-factor authentication turned on. If you enable the latter, it's not needed since you have to reset the account yourself using the recovery key.

I do indeed have a second address set up, but at the moment can't reassure myself it's set as the primary "rescue address". As a matter of fact, although it chose to send me a reset email to the locked address, rather than to the 2nd address, it had no problem sending an email to that 2nd address notifying me I would receive a reset email in 24 hours.

I'll go in tomorrow and inspect all the settings (again), while I'm trying to catch up on the work I'm missing the rest of today. :rolleyes:
 
I do indeed have a second address set up, but at the moment can't reassure myself it's set as the primary "rescue address". As a matter of fact, although it chose to send me a reset email to the locked address, rather than to the 2nd address, it had no problem sending an email to that 2nd address notifying me I would receive a reset email in 24 hours.

I'll go in tomorrow and inspect all the settings (again), while I'm trying to catch up on the work I'm missing the rest of today. :rolleyes:
Make sure you really configured the "rescue address". There is also an "alternate address", but it's not the same thing. See:

http://support.apple.com/en-us/HT201356
 
I've been having random problems buying things through iTunes for the last month, not sure if it's related. First it asked me to confirm my payment info (despite having $30 in credits loaded). I input my code and it denied it. I re-input everything and it denied it. Eventually it locked the account.

I finally had to go onto my laptop to unlock it and make sure everything was ok there. Got it working again, couple weeks later, go to download a free app and start the mess all over again.

Today I downloaded a few songs for once didn't have to input my cc info so I'm hoping it's resolved. Really drove me nuts - and it seemed to hit every one of my devices.
 
I do indeed have a second address set up, but at the moment can't reassure myself it's set as the primary "rescue address". As a matter of fact, although it chose to send me a reset email to the locked address, rather than to the 2nd address, it had no problem sending an email to that 2nd address notifying me I would receive a reset email in 24 hours.

I'll go in tomorrow and inspect all the settings (again), while I'm trying to catch up on the work I'm missing the rest of today. :rolleyes:
1. Sounds like you have pissed somebody off, not really surprised. :rolleyes:
2. Sounds like you didn't set up the system correctly. Why not?
3. Became entertaining on the internet by sounding rather petulant.
Well played, sir!
 
It's supposed to do that to protect your account. If it never locked out, then eventually, possibly, bad guys could gain access to your account.

Practically, if you had a randomly generated password like #THFh8"T)3t910#"T~@ it wouldn't be feasible to brute force the password. The lock-out mechanism only protects things with easy passwords such as 4 digit pins.
 
Practically, if you had a randomly generated password like #THFh8"T)3t910#"T~@ it wouldn't be feasible to brute force the password. The lock-out mechanism only protects things with easy passwords such as 4 digit pins.

That's true. But most people don't use strong passwords.
 
That's true. But most people don't use strong passwords.

Well they should.

In theory this mechanism allows a directed attack, not against the servers, but against all the users, simply by spamming wrong passwords, potentially paralyzing a large number of users. You don't even need a security breach, just knock at the doors down the whole street.
 
Well they should.

In theory this mechanism allows a directed attack, not against the servers, but against all the users, simply by spamming wrong passwords, potentially paralyzing a large number of users. You don't even need a security breach, just knock at the doors down the whole street.

And really, that's my main point of this topic. I'm up and running again, but it would be trivial for any script-kiddie, anywhere, to lock out millions of iCloud users with a simple script that fakes a few password attempts. A DDoS attack on a massive scale is probably not far off in our future.
:(
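To make the lockout-as-denial-of-service concern in the posts above concrete, here is an added toy model (not code from the thread or from Apple) of two lockout policies. Policy names, the threshold of 5, and the "stranger-ip" / "owner-device" sources are constructed for the illustration; it shows that counting failures per (account, source) keeps the real owner signed in while a naive per-account lock refuses everyone.

```python
from collections import defaultdict

class HardLockout:
    """Naive policy: after `threshold` wrong passwords the account is locked for all."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked = set()

    def attempt(self, account, source, password_ok):
        if account in self.locked:
            return "locked"                # even the real owner is refused
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return "denied"

class PerSourceThrottle:
    """Hardened policy: failures are counted per (account, source) pair, so a
    stranger's wrong guesses only throttle the stranger's own source."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)   # (account, source) -> failures

    def attempt(self, account, source, password_ok):
        key = (account, source)
        if self.failures[key] >= self.threshold:
            return "throttled"             # only this source is slowed down
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"

def simulate(policy):
    """Constructed scenario: a stranger sends 5 wrong passwords for 'victim',
    then the real owner signs in with the correct password from their own device."""
    for _ in range(5):
        policy.attempt("victim", "stranger-ip", password_ok=False)
    owner = policy.attempt("victim", "owner-device", password_ok=True)
    stranger = policy.attempt("victim", "stranger-ip", password_ok=False)
    return owner, stranger
```

Per-source throttling is only one layer: it does nothing about guesses spread across many sources, which is why a strong random password (as noted later in the thread) and two-factor authentication remain the real protection.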
 
So, if a hacker wanted to make a busy person really unhappy, all they have to do is attempt to log into that account a few times a week unsuccessfully? Effectively disabling all the victim's iCloud functions most of the time?

I never thought of it from that standpoint...

Basically, it would just make it too easy for a hacker to keep pondering on an account till it's locked out.

No wonder why most others don't do this....

It would be so damn easy, and annoying as hell.

As for a recovery key, security questions, and any "backup", Apple just likes to make their customers feel happy, "just in case you lose one, this is another way in" type of moment. Personally I don't worry about any of these "safeguards" because I'm the safeguard... If you lose your house key, then you should be the one responsible... You could argue if you only had a second one made, but at the end of the day, it's still in your possession.

Apple shouldn't be locking anyone out "for security reasons" because it also prevents you from getting back in.


While this may have some positive effect, it also has its drawbacks, just in case a wannabe hacker decides to go feral on your account for no apparent reason.

I only wish, when Apple introduces a feature, they would stop and think *all* the way through, not partially... "What impact would this have on you?" Trouble is most companies only think of YOUR protection, which is a mistake, since if it protects you, it's also an advantage for anyone.
 
And really, that's my main point of this topic. ...it would be trivial for any script-kiddie, anywhere, to lock out millions of iCloud users with a simple script that fakes a few password attempts. A DDoS attack on a massive scale is probably not far off in our future.
:(

I got a barrage of "Reset your password or unlock your Apple ID" emails again just now. I think I'm ok this time with the ability to receive my own reset emails at an alternate address. Thanks to Rigby for the heads-up on recovery addresses. Would be good to warn all new iCloud users to have an email address outside the Apple ecosystem set up for recovery (not just "alternate"; otherwise D.O.S. of their iCloud accounts is trivial).
 
iphone 4s apple id locked

Today I reset my son's iPhone 4s because he got a new one, so I was having his old one, but I want to have my own Apple ID. After the phone came back on, it was saying that the phone is still currently linked to an Apple ID, which is still my son's, but when I put the password in it says that the ID cannot be used to unlock the phone, even though I have not changed it, and also the phone ID is no longer on his iCloud. Can anyone help?
 