First, with so much importance placed on an Apple/iCloud account in our current era it's not good that they can be shutdown so trivially. Someone can be shut out from using Messages, Apple Wallet, Digital Identification (depending on where they live) and all their subscriptions and media purchases without any recourse, in an instant. It's not hard to imagine someone being put into a pretty bad situation as a result of this with just a little bad luck and bad timing. It's easy to point out that you shouldn't be overly reliant on these technologies but I think it's more important that there be ways to safe guard people from this scenario. Apple should do more to handle these scenarios given the importance of an account now.

Second, there are other recent events that point out the failure modes and gaps that Apple (and Google?) need to address. There apparently is no way to cleanly divide purchases in a Divorce or separation, even if the person was fleeing an abusive situation. There's also no way to leave a "family" account even as an adult or how to assign children to multiple families. Again we can trot out the easy "Just don't use these things, use FOSS, Nextcloud, etc..." but I think Apple should do more to address these types of scenarios regardless of what people choose to use.

It’s great that it has been resolved, but I’m still baffled by a number of things:

1) Why would redeeming a bad gift card result in a complete shut-down of the account? 2) Why is it seemingly impossible to get any support now unless you drum up a ton of press? 3) Should companies be restricted from growing too large where they can’t support their customers?

In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example, my Facebook account was recently banned because a hacker accessed my account uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20 year old account was banned literally overnight without having any recourse. There’s no number or even any email to use. Maybe I can see if the Register will write it up… (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same… if they cared.)

Years ago I briefly played around with "manufactured spend" (on credit cards, to earn frequent flyer miles).

There was one specific loophole, with one specific gift card provider, and it was a doozy. You could earn credit card points on spend, plus supermarket loyalty points on spend, by buying gift cards from one specific provider which could be cashed out at face value (ie no fee at all) immediately to a specific type of savings account.

So, of course, world+dog was buying these things like it was the end of the world.

As I sat in a hotel room one evening rubbing the security codes off the latest batch of cards before redeeming them one-by-one into my savings account, it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering, but it would take some time to explain exactly why not...

The loophole was closed relatively quickly, and the gift card provider gave up.

Apple has locked my Apple ID, and I have no recourse. A plea for help.

1730 points, 1045 comments https://news.ycombinator.com/item?id=46252114

- HN banned me for being a robot! (I'm not)

dang unblocked me 1 hour 4 minutes after an email (thanks dang!)

- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation

After 45 minutes on the phone on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue, I issued a credit card chargeback because I wasn't going through that again

- Comcast billed me $200+ weeks after I closed my account

After 30 minutes going around and circles with their AI phone operator who kept directing me to the broken online portal which said nothing I gave up and issued a credit card chargeback, I'm presently ignoring the advances of a debt collector

- A Kraken withdrawl of $16k worth of BTC has been "On Hold" for 28 days now

Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.

- My Corporate Amex was flagged for fraud (which is fine) I was on the phone for an hour and a half with customer service who could not figure out how to unblock the card, they wouldn't admit to me out loud but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing

I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.

---

The best customer service? A free online forum that I can't possibly ever give any money.

In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".

So a blanket ban on Apple gift cards is probably the safest thing. I shall inform everyone in my extended family.

Gift cards are the #1 fraud vector in payments ... because it lets stolen cards be converted into a cash-like equivalent with zero traceability.

So fraud/risk system are highly sensitive to gift cards.

It's not an excuse, but I see in this thread people minimizing the problem at hand - so I just wanted to call that out.

Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.

My lessons were:

1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.

2) save paper trails for all your gift cards. That’s your only way out of this.

3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.

We should impose, by law, the following rules on all companies that offer accounts to their customers.

1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.

2. They company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.

3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.

One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.

What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?

Scary, scary world.

Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.

[1] https://mxroute.com/

Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.

I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.

At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.

Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.

But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.

What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.

And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.

Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.

The scenario described in the OP's article should simply never be allowed to happen.

Is that the correct way to fix the fraud problem?

It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...

Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.

Silver bullets almost never beat fraud. Better to steel yourself for a never-ending grind against a horde of nameless adversaries.

I asked Gemini for some follow-ups, and lo! they are interesting to consider:

- "fraud is an evolutionary arms race fought in the trenches."

- "fraud is a siege where the attacker has infinite attempts, and the defender must succeed every time."

- "fighting fraud is not a battle, it is industrial waste management."

The only idea I can think of is a law that requires companies, once they reach a certain number of users or market share, to provide a formal process to restore accounts that are a certain number of years old. This could include paid arbitration or a similar mechanism.

I doubt such a law could pass at the federal level, but if it were passed in California, it would probably solve 80 percent of the problem.

Or is there a better solution?

Reasons:

1. Gift cards artificially tie-up value into a company that cannot be effectively converted into something else.

2. The value can disappear.

3. Weird other hassles like this can happen.

I am not a lawyer, but I have done this multiple times:

Read the T&C and search for "dispute" or "dispute resolution". Look for what you're supposed to do when you have a dispute. Follow the steps as outlined. Corporate lawyers generally take things seriously.

But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.

I'd put money on they had to restore backups of several systems, fish out his account-specific data, then insert it back into the main systems. This would have happened much faster if there was just an on/off switch.

This is the same reason I dont use GCP -- ever -- for business. If there is ever an unintentional linkage in GCP of your personal gmail account, and you have an issue on GCP, your personal account can get locked out.

They did The Right Thing™ which was to honor them, so that their reputation and brand were preserved.

lots of other examples, like new coke fiasco, the poisoned tylenol, etc...

But why would apple punish the secondary user of the card? That seems like the wrong person to punish.

... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:

https://hey.paris/posts/appleid/

Many years ago we had an iMac at the house as the shared desktop computer. After a few years, it started to have the signs that the harddisk is going to fail, and also we were mostly moved away from Apple's ecosystem, so we decided to trade it in and replace it with something else that's not from Apple.

Since we don't have anything immediate to buy from Apple, we traded it in with Apple gift cards.

Later, my partner needed to trade in an old iPad for a new one, so we used that gift card with credit card for the trade in. For that trade in, you first pay the full price with gift card+credit card, then they refund you the trade-in value after the trade-in is finalized.

The trade-in value of the old iPad is less than the value we paid via credit card, so we would reasonably assume that they would refund the total trade-in value to our credit card. But nope. They actually calculated the original gift card vs. credit card split ratio, and refunded according to that ratio.

A simplified example is say we paid $200 via gift card plus $300 via credit card for an $500 iPad, with trade-in value of $200 for the old iPad. Instead of refunding $200 to our credit card (so it's eventually $200 via gift card and $100 via credit card), they refunded us $120 to credit card and gave us another $80 gift card. So we have to find ways to spend that gift card again, and it cannot involve any trade-in (otherwise we're not going to be able to use it fully).

Apple does not dispute they locked this man’s entire digital life without recourse because he suffered a fraud, and he only recovered because famous people intervened. You’d be insane to risk that.

You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.

Why Ebay built this idiotic weakness into their cards is beyond me.