Friday, September 20, 2013

Apple Account part 2

So quick recap. I got an email saying a new iphone 5 has logged in to my imessage account. Problem is, I don't own an iphone, I don't know what imessage is, and the email in the salutation isn't mine. The account has someone else's name and contact information, someone from Finland, but MY EMAIL ADDRESS as the verified account.

I've gone through the find my apple id, and all the info is right when I log in that way, using MY EMAIL ADDRESS for the recovery. When I log in with the apple id it emailed me, I get my stuff in English. When I use my email address as the apple id, nothing is right.

So after I got home, I did some more digging. I found out how to at least "disable" the account even though I couldn't permanently delete it.

Going through itunes, yes I had to install it, I could see that person's information. Not all of it, but some of it. Name, address etc. Same stuff I could see via the apple site.

More checking between the two accounts, I note that my email apple ID is verified, my other one is not. But both accounts have the same email address. Ok, I'll verify it on the account where everything is in English. Only the site won't let me. It's already been verified elsewhere and in use.

WTF...

The best I can figure out, Apple is using email addresses as their primary keys for the accounts now. Something they were not doing when I first signed up in 2005. Since I first signed up they are verifying accounts as well. Once verified that becomes another account  key, secondary, or primary in a second table. The problem is, someone not me was able to get my address listed as their verified address and their account.

I ended up un-associated MY ADDRESS With the account, and sent it off in to never land. I hope they have good luck getting their information and account back. I've verified my email address, and have now set it as my account name, with a 30 character password. I'd turn on two factor auth, but I don't own an apple device and that's required.

So the short version of the story. Someone got their Apple account associated with my email address. Claimed my address as their own and got it verified somehow. I got a notification when they used a new phone to log in to the account. Took control of the account, because they had used my email address, de-associated the account with my email address, and then made sure that my account was verified with my email address.

Apple Account part 1

So today, I got a strange email. I chalked it up to a phishing attempt at first, but it actually turned out to be something way more interesting.

The way it started:
Dear Paula,Your Apple ID (my email address) was used to sign in to iMessage on an iPhone 5 named “iPhone (Paula)”If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn more.Apple Support
Well that's odd, my name isn't Puala, and while I own an IPod Color from 2005, I don't use apple products. In fact I have no idea where that IPod is.

Wait a tick, didn't I get an email a few months ago asking to to verify my apple id? The other email I thought was a phishing spam... (it's been more than 30 days and I deleted it when it came in).

Well no way this is right. I know, I'll prove it's spam. I'm not going to click shit. I'm going to go to apple.com and try to log in.

So I go there, try logging in with my email address, and told invalid password. WTF, okay lets try reset password. And Lo I get an email with the steps to reset my password, and I follow suit.

Go to the account page, some one in Finland, with a UK phone number. WTF. Well this can't be right. Someone set up an account, with a verified email address of MY EMAIL ADDRESS, but that's not me. So thinking someone popped my un-used account.

After not being able to get past the Finish security questions, I decide to call Apple Support. I open a case, and talk to a guy. He tried to help, but in the end, without my IPod or some other way to prove my account (the credit card number wasn't mine either). There was little he could do for me. I will say this for Apple, they do try to take your account security seriously, even if they won't let you delete your account.

The Apple Guy did think of one thing he could do. He walked me through the find my apple id part of the stie. It asked for my name, email address, other possible email address, home address, etc. The next page my DOB (month and day) and then the next page that asked for my security question. A question I wasn't expecting, but knew it was mine. One that only I would know the answer to. And then I was able to change my password.

Then I get an email. Saying my id, yet another one, has had it's password changed. Talk about more confusion. But it was time to leave for ISSA, and I was on my marry way, knowing that both accounts had 30 character random passwords.

to be contenuied