I guess I am what you would call an IT expert. I am fluent in both Mac and PC platforms and have some large clients for whom I have, on occasion, demonstrated their own security flaws. Well tonight, it was my turn in the frying pan.
It all started with a benign email message from PayPal. I get spoofed PayPal messages once or twice a day, so I didn’t think anything of it. It was a message that said that I had requested a password change. To change my password, it wanted me to click the link in the email. Being an IT expert, I avoided clicking on the link and simply deleted it, figuring it was a spoofed email. Then I went back to my work.
A few minutes later something caught my eye… and only because I was sitting at my computer and saw a Growl alert that mentioned that my me.com password had been successfully changed. As I looked up at Apple Mail, the message disappeared. Then another PayPal message came in. What the heck was going on? I could see messages come and go off my screen, but I wasn’t doing anything in Mail. While I had no idea what was happening, I knew I was in trouble.
I kicked into high gear, screaming for my wife to call the bank and issue a hold on all our accounts. She grabbed a phone and made the call. I grabbed my iPhone and the office phone. While my wife called our bank and fraud alert company, I called PayPal and ATTEMPTED to find an emergency number for me.com on the internet. I couldn’t find one, so I was forced to use the general Apple Customer Service number. With one phone I dialed PayPal. With the other I dialed Apple Customer Support. While I was navigating a complex phone tree at PayPal, I kept trying to change the password on the PayPal web site, but it kept getting kicked back to a login screen. I later figured that the bad guys were in there while I was in there. Finally PayPal answered. It was too late. On my next re-login, I saw it on the general account screen. The first charge cleared. A purchase from a website called RapidShare.com. It was a premium membership to their site costing me 54.99 EUR. I immediately informed the PayPal rep, who placed a hold on the account and forwarded my phone call to a security expert. While I was on hold for the security expert, we finally got to someone at Apple Customer Service. While he was very nice, he was of little help. He was IM’ing someone in the me.com support area about my problem. He was waiting to hear something back. The security expert finally answered, so I passed the Apple phone off to my wife, who waited for a response. The PayPal security expert was great. She listened to my problem carefully and politely and assured me that my two accounts (business and personal) had been secured. She also said a full investigation would ensue and urged me to leave the accounts suspended until I was sure all was fixed. I completely agreed.
By this time, I figured that the bad guys knew I was onto them, so the race was on. I logged in to the me.com account and was going to change the password. I was typing the new password in when I made the mistake of telling the Apple rep what I was going to do. He urged me not to change it, as they would not be able to see what was going on and who was doing it. So I held back. In about a minute, I lost complete access to me.com and my email. The bad guys changed the password first. Then, incredibly, the Apple rep informed me that he had lost the chat with the person from me.com. So that’s how they do it? iChat with each other? No backup phone numbers? You have to be kidding! He directed me to an Apple Support page where I could initiate the chat myself. So I did.
Of course it took me several minutes to establish the chat and another minute or two to explain what was going on. Who knows what these guys were doing that whole time. Eventually, I convinced the me.com rep to change the password for me. Of course that was after I was directed to several support pages explaining how to change the password myself. I demanded an explanation of how my account was hacked into. I have always used very secure passwords… eight or more characters, mixed case, letters and numbers. She stated she couldn’t help me. I guess I made a big enough stink that she passed the chat to a “Supervisor”. I demanded to know whether the bad guys were still in there, where they were accessing the account from and what they did while they were in there. This “Supervisor” told me that he didn’t have that info. So I asked, “Who does?” He told me nobody would have that info. WHAT?????? I run my own mail server for my business and I can do that! Now I’m pissed! I wish I had copied the chat log so you could see the ineptness, but I closed the chat window in disgust!
I remember reading a story on one of the blogs about someone else who had their me.com account broken into, so I decided to Google it. The person who told the story swore she had never been to any questionable sites or used a weak password. I must confess… I questioned her statements too. I didn’t find the article I was looking for, but the very first article I did find tells how to do it, in the first person. Right from the bad guys’ mouths themselves.
The second link mentions the place where the purchase was made.
So to the other person who got hacked, my apologies for questioning your security efforts. Clearly Apple by now knows how flawed their system is, yet they choose to ignore the problem. Salma Hayek’s problems began in April of 2009. It is now almost September 2009 and nothing has changed. I will admit that my security question was weak, but it was as old as my mac.com account. I used a security question I had abandoned a long time ago after I realized how easy it was to find the answer to the question. What I didn’t know was that they would use the question in a web interface, showing it to the world. I thought it would be the question used by a Customer Support rep to verify who I was.
So a word of warning. If you have a me.com account, you could already be hacked and not know it. The hackers delete the messages that they initiate as they come in, so you never see them… permanently. I just got lucky and caught them red-handed. They don’t change your password, otherwise you will know something is up.
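One way an operator who runs their own mail server (as the author does) could catch the pattern described above, reset-related mails deleted within seconds of arriving by a session from an unfamiliar address, is to correlate delivery, login and delete events. This is an added example, not code from the post; the log format, user name and IP addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): one mailbox event per line.
# Format: <ISO timestamp> <user> <LOGIN|DELIVER|DELETE> <details>
SAMPLE_LOG = """\
2009-08-29T21:02:10 alice LOGIN ip=203.0.113.10
2009-08-29T21:10:03 alice LOGIN ip=198.51.100.77
2009-08-29T21:10:15 alice DELIVER m1 PayPal: You requested a password change
2009-08-29T21:10:21 alice DELETE m1
2009-08-29T21:11:02 alice DELIVER m2 Weekly newsletter
2009-08-29T21:12:40 alice DELIVER m3 me.com: your password was changed
2009-08-29T21:12:44 alice DELETE m3
2009-08-29T21:30:00 alice DELETE m2
""".splitlines()

RESET_WORDS = ("password", "reset", "verify")   # subject keywords worth watching
EVENTS = ("LOGIN", "DELIVER", "DELETE")


def parse(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[2] not in EVENTS:
        return None
    return {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
            "event": parts[2], "rest": parts[3]}


def suspicious_deletions(lines, home_ip="203.0.113.10", window_s=120):
    """Return (user, msgid, ip) for reset-looking mails deleted within window_s
    seconds of delivery while the user's latest session is not from home_ip."""
    delivered = {}   # msgid -> (user, delivery time, lower-cased subject)
    last_ip = {}     # user -> source IP of the most recent login
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "LOGIN":
            last_ip[ev["user"]] = ev["rest"].partition("ip=")[2].split()[0]
        elif ev["event"] == "DELIVER":
            msgid, _, subject = ev["rest"].partition(" ")
            delivered[msgid] = (ev["user"], ev["ts"], subject.lower())
        elif ev["event"] == "DELETE" and ev["rest"].strip() in delivered:
            msgid = ev["rest"].strip()
            user, t_in, subject = delivered[msgid]
            ip = last_ip.get(user, "unknown")
            quick = ev["ts"] - t_in <= timedelta(seconds=window_s)
            if quick and ip != home_ip and any(w in subject for w in RESET_WORDS):
                hits.append((user, msgid, ip))
    return hits
```

Run against the sample, the two reset notices deleted within seconds by the 198.51.100.77 session are flagged, while the newsletter deleted nineteen minutes later is not.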
So until Apple gets their SHIT TOGETHER, I will be abandoning my me.com email address. I run my own mail servers, which I know to be more secure. So maybe I will use something on there. Or there is always Gmail. I used the me.com account because I wanted to keep personal stuff separated from business stuff. I’d love to go back, but for now I really worry for the millions of unsuspecting me.com mail users. I hope their new server farm has better security than their mail system.
Angry and stewing in Monroe, CT…