Apple ID TFA disaster. Next steps?
February 25, 2018 9:49 AM   Subscribe

As detailed here, my wife has permanently lost control of her Apple ID. I have signed out of all iCloud everything everywhere that I can, but I cannot sign out of "Find My Mac" on her computer. Is there a way to do this by monkeying with plists and so forth?

My strategy and intent had been to sign out of all iCloud services on her devices, create a new Apple ID, and activate TFA. Then the plan would have been to re-sign in everywhere. However, I suspect that since I cannot sign out from this one specific iCloud service, I am going to have to wipe her machine and rebuild it from backup in order to delink it from the old account. Am I correct?
posted by mwhybark to Computers & Internet (17 answers total) 4 users marked this as a favorite
 
Best answer: The iCloud ID is stored in NVRAM and can be cleared by resetting that (hold down cmd-opt-P-R at startup until you hear the second chime) or apparently using the command line (which I haven't tried).

And this isn't what you asked, but I don't understand why you instructed your wife not to set up TFA. The old "two step" implementation with SMS messages could be hijacked easily enough, but the current TFA implementation is good.
posted by fedward at 10:14 AM on February 25, 2018 [1 favorite]


Response by poster: Thanks!

I would dispute that the current implementation is good, as Apple's official support policy with respect to this situation is that the person who now controls my wife's Apple ID is the authenticated and recognized owner of the account, even though they are not.

I became leery of Apple's TFA when my father initiated TFA setup on one of his machines and found that the TFA implementation had spread to prevent many of his devices, including my mother's very old machine, from performing certain tasks. It turned out that while my mother's *apparent* local user ID was differentiated from my father's, her local user account was tied to my father's Apple ID in such a way that she was unable to use iPhoto, for example. Deactivating TFA on his account resolved the issues.

She was running a very old version of OS X that did not have support for TFA built in, and she is determined to stay on that version of the OS because it is the last version of the OS that Microsoft's old mail client Entourage runs on and she refuses to consider moving to a modern client. She's in her eighties. I did not have the spare day or two to migrate her to a fresh user ID. I am hoping to spend a couple weeks with them later this spring and resolving this is one of my primary tasks.

In the intervening five minutes since I posted this, I attempted to sign out from her Apple ID on her iPad and iPhone. Guess what? It requires inputting the TFA code. I think we're fucked.
posted by mwhybark at 10:32 AM on February 25, 2018


If you have your proof of purchase Apple will help you with Apple ID issues, so I think that should (eventually) extend to them removing the activation lock associated with the hijacked Apple ID. It will probably take some time; it might take less time if you are able to go to a store with your devices and proof of purchase in hand. Make sure you do set up TFA on the new Apple ID to keep this sort of hijack from happening again.

I'm not unsympathetic to your parental plight (I was under strict orders not to update anything in my parents' house after my dad's cancer diagnosis and brain surgery) but using a machine so old it won't support TFA is asking for trouble. If they do any sort of online banking at all it's best to assume they are already at risk of unauthorized access. Stubborn old parents aren't fun to deal with, but neither is identity theft or a drained bank account.
posted by fedward at 11:13 AM on February 25, 2018 [1 favorite]


Best answer: Just ran all this past a friend who's a consulting Mac admin, and he brought up the fact that her compromised ID could have been used to take control of her machine at any point (which means there could be malware, spyware, who knows what). He recommended that you back up her user directory and completely wipe the machine. When you set it up again, first use Setup Assistant to create an admin user with no Apple ID. Then restore her user directory and set up a new account with the same name as her old one, which should then connect the new account to the restored folder.

When you set up her new user account, make sure it's tied to an email account she actually checks and a phone number she actually uses, and you should probably add a recovery email address (maybe yours, if she doesn't have two).
posted by fedward at 11:39 AM on February 25, 2018 [1 favorite]


Response by poster: If you have your proof of purchase Apple will help you with Apple ID issues, so I think that should (eventually) extend to them removing the activation lock associated with the hijacked Apple ID. It will probably take some time; it might take less time if you are able to go to a store with your devices and proof of purchase in hand. Make sure you do set up TFA on the new Apple ID to keep this sort of hijack from happening again.

Unfortunately the fraudulent user did not set up TFA on a device we have ever owned or been in physical contact with. Apple did advise us of the proof of purchase step (which applies to secondary market purchases too, I was pleased to learn) but since we do not have proof of purchase for a unit we never bought, Apple has effectively adjudicated the issue in favor of the fraudulent user.

How can the Apple ID be used in the manner you describe? Her local user account on the machine is distinct from the Apple ID.

I certainly am planning on wiping the machine, mind!
posted by mwhybark at 12:09 PM on February 25, 2018


Your wife's original Apple ID is now lost to you because you (and your wife) failed to secure it and weren't paying attention when changes were made to it. Any apps (on iOS or bought from the Mac App Store) or other iTunes purchases associated with the old account are also now lost, effectively stolen with the ID. That sucks a lot. I'm sorry. I lost access to my original Apple ID years ago (because the email address associated with it went away) but I was at least lucky enough not to have too much of a purchase history on it. I'm guessing in 2018 that's not the case, and it's annoying to lose out on those purchases.

Any hardware you own and have proof of purchase for can be associated with a new Apple ID, which you should secure with TFA and up-to-date contact information. Any apps purchased from the various app stores will need to be purchased again (using the new Apple ID) unless you can get somebody at Apple to take pity on you, but it sounds like you've already tried that.

But for your followup question: in recent versions of macOS, when you set up any iCloud services at all (including Find My Mac) your local user account is indeed associated with your iCloud account. You can see this in the "Users & Groups" control panel (authenticate, then ctrl-click on a user and select "Advanced Options."). Someone with access to your Apple ID could use remote access tools and Apple ID credentials to take control of the machine, and once they have control they can do anything your wife can do.
posted by fedward at 12:40 PM on February 25, 2018
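An audit helper that covers the two checks raised in this thread (the Find My Mac state fedward says lives in NVRAM, and the Apple ID link visible under Users & Groups > Advanced Options). It is added here and is not code from the thread; the NVRAM variable names fmm-computer-name / fmm-mobileme-token-FMM and the Directory Services attribute LinkedIdentity are my assumptions about where macOS keeps these, and the sample output is constructed.

```shell
#!/bin/sh
# Added audit helper; not code from the thread. Assumptions: Find My Mac leaves
# NVRAM variables named fmm-computer-name and fmm-mobileme-token-FMM, and an
# iCloud-linked local account carries the Directory Services attribute
# LinkedIdentity whose value looks like appleid.apple.com:<id>.

# List Find My Mac (fmm-*) variable names in text shaped like `nvram -p`
# output (name<TAB>value per line). Prints nothing when none remain.
fmm_names() {
    printf '%s\n' "$1" | awk -F '\t' '$1 ~ /^fmm-/ { print $1 }'
}

# Extract the Apple ID link from text shaped like the output of
# `dscl . -read /Users/<name> LinkedIdentity`. Prints nothing when unlinked.
appleid_link() {
    printf '%s\n' "$1" | grep -o 'appleid\.apple\.com:[^[:space:]]*' | head -n 1
}

# Constructed samples standing in for a machine still tied to the old ID.
NVRAM_SAMPLE=$(printf 'SystemAudioVolume\t7f\nfmm-computer-name\tExample MacBook\nfmm-mobileme-token-FMM\t<constructed-opaque-token>\n')
DSCL_SAMPLE=$(printf 'LinkedIdentity:\n appleid.apple.com:old-account@example.com\n')

# Print a human-readable verdict for one NVRAM dump and one dscl record.
report() {
    names=$(fmm_names "$1")
    link=$(appleid_link "$2")
    if [ -n "$names" ]; then
        printf 'Find My Mac state still in NVRAM:\n%s\n' "$names"
    else
        echo 'No fmm-* variables in NVRAM.'
    fi
    if [ -n "$link" ]; then
        printf 'Local account is linked to Apple ID: %s\n' "$link"
    else
        echo 'Local account has no Apple ID link.'
    fi
}

echo '== constructed sample =='
report "$NVRAM_SAMPLE" "$DSCL_SAMPLE"

# On a Mac, audit the live machine and the current user's local account.
if command -v nvram >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    echo "== live check for $(id -un) =="
    report "$(nvram -p 2>/dev/null)" "$(dscl . -read "/Users/$(id -un)" LinkedIdentity 2>/dev/null)"
fi
```

Run it as the affected user before wiping, and again on the rebuilt machine to confirm nothing from the old Apple ID survived the restore.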


Response by poster: The most annoying lost app purchase will be 1Password. Her music is fine, no iTunes match or anything, and apparently none purchased during the DRM era so I don't even have to monkey with that, thank goodness.

I will dig into U&G when I get down to the problematic machine next. I'm doing two backups, one a whole-drive and the other her home folder as advised, using CCC. The whole drive is just in case I need to revert and rerun after the wipe due to unforeseen operator error.

If you have your proof of purchase Apple will help you with Apple ID issues, so I think that should (eventually) extend to them removing the activation lock associated with the hijacked Apple ID. It will probably take some time; it might take less time if you are able to go to a store with your devices and proof of purchase in hand.

On Monday I will place a call to the Apple Advisor that was assisting us this weekend. It was not clear to me that this was something she was describing as possible but I agree it does appear to fit within the parameters of the policy as it was described. I also have reached out to a very long-term and somewhat senior friend at Apple to see if he can find the right string to pull. In the meantime, I am assuming, as you note, that we have lost her Apple ID permanently.
posted by mwhybark at 3:47 PM on February 25, 2018


Just ran all this past a friend who's a consulting Mac admin, and he brought up the fact that her compromised ID could have been used to take control of her machine at any point (which means there could be malware, spyware, who knows what). He recommended that you back up her user directory and completely wipe the machine.

This would only be true if Back to My Mac was turned on in iCloud preferences, which it is not by default.
posted by D.C. at 11:54 PM on February 25, 2018


Response by poster: This is a relief. That was not enabled. I still will examine U&G closely.
posted by mwhybark at 10:24 AM on February 26, 2018


I would not rely on that. Other access methods could have been used in combination to get the same effect. Assume that any web site with malicious code on it could have enabled remote execution by providing the password in a hidden window.
posted by fedward at 10:42 AM on February 26, 2018


Response by poster: quick updates as we move forward.

I have reached out to the Apple Advisor, awaiting a call back.

Proof of purchase appears to be a no-go for her affected iOS devices; both were secondary-market acquisitions (eBay) in Dec 2016 and Nov 2017 respectively and none of the retained paperwork or correspondence appears to include SNs or IMEIs. I might be wrong about that. I have reached out to the vendors. It remains unclear if non-SN / IMEI transaction proof materials will be accepted by Apple as PoP. As the commercial logic and thrust of Apple's hardware marketing practices has been all about obsolescence for upwards of a decade, I have no real expectation that the Apple definition of Proof of Purchase will either meet my needs or reflect reality. I'm working it through, however. Mazes with an expected negative outcome are quite resentment provoking.

I froze our local OSX deployment on Sierra in July of last year. Sierra installers are not tied to Apple IDs for deployment, unlike a few years of prior installers. Yay! But when Apple released High Sierra, Apple deliberately removed any iteration of Sierra from direct-Apple-sourced download. The stated Apple justification was that High Sierra is Apple-approved to run on the exact same set of machines as Sierra, which is most certainly not sufficient justification to convince me that I should move forward. Over the past few years, Apple-released installers had a 30-day download expiry associated such that one could not launch and utilize them after the expiry. I do have a download of the Sierra installer from last June. We shall see if it is operable.
posted by mwhybark at 4:53 PM on February 26, 2018


Response by poster: Sierra install went fine. However Migration Assistant choked on moving the old user directory as the old Sierra install was 10.10.12, I believe, and the new install is 10.10.5. I am uncertain if the point-release installers remain available or if they were pulled when Apple pulled Sierra. In the meantime, I am using CCC to dupe the user folder over. Next steps will be to assess the point releases and perform some base sw reinstalls (MS Office, Dropbox, 1PW [for now], etc). After that will be new Apple ID etc.

No response yet from Apple on establishing PoP on the iOS devices. I believe I'll take a drill to them by Friday on no word.
posted by mwhybark at 10:44 AM on February 27, 2018


Response by poster: Verbal contact with our assigned Apple advisor yesterday, who advised me that yes, on establishing proof-of-purchase for the affected devices in our possession there is an accommodation for removing the affected Apple ID from the devices. She also noted, to my surprise, that a purchase-related piece of paper documenting the serial number and/or IMEI of the device originating with the seller is not a requirement.

She had previously indicated there was NOT an accommodation for re-associating my wife's iTunes and app purchases, but I figure if they are gonna make me dig through years of paperwork and email I might as well clearly document that the affected Apple ID is my wife's and ask for the DLC anyway.

Weirdly, there have been *no* explicit instructions regarding what sort of documentation they want to see.
posted by mwhybark at 6:52 AM on February 28, 2018


Response by poster: tl;dr: my bad. it's been a valuable learning experience! self-initiated security audits are preferable to other kinds! groannnn

/FACEPALM

I sent my dad my wife's old iPad last fall. I had thought I had wiped it, but apparently I was inattentive and sent it with her stuff still on it. My dad needed my help to get into the device and I was patient and encouraging to him, suggesting that he, as a man with an engineering degree, would be able to wipe it on his own and that he would surely not be able to break anything badly enough that it was unrecoverable.

Somehow, he managed to enable 2FA on new year's day, immediately prior to SUCCESSFULLY WIPING THE iPAD.

/HEADDESK

My parents were on the road for most of February, so I couldn't email them to ask if they could check the iPad (which, in any case, I had completely forgotten about), and my dad's domestic cell number, which was the backup number the 2FA codes were being sent to, was off from about February 7 until today, as they were out of the country.

Thankfully, when he had initiated the post-wipe boot at New Years, he was buffaloed by the confusing language concerning iCloud and Cloud drive, and just turned the machine off. So tonight I was able to authenticate in two of my wife's devices and then de-authenticate the iPad that my Dad still had not yet set up.

I called a friend out of a bottomless need to rant tonight and he pointed out that I did this, actually, to myself. My wife didn't get spoofed or hacked. My dad didn't do anything I hadn't encouraged him to do.

I... I think I'm going to go have a lie down.
posted by mwhybark at 6:18 PM on February 28, 2018 [2 favorites]


Response by poster: THE 2FA IS COMING FROM INSIDE THE HOUSE
posted by mwhybark at 6:51 PM on February 28, 2018 [1 favorite]


Haha! This was an exciting read! Thanks for the follow-up, mwhybark. (Any updates to your 1Password saga?)
posted by LuckySeven~ at 6:04 PM on November 2, 2018


Response by poster: I never did move on, but the older versions have a UI bug that causes crashes when a user clicks in the interface in some circumstances, and Apple has made some changes to Safari that mean one can't even hack the menubar extension into place any more.

One possibility is that it being well more than five years past our initial use of 1PW and all, Apple's distributed password services might be sufficient to our family's needs. We've certainly paid for it already in hardware over the years many times over.

At any rate, it's time.
posted by mwhybark at 7:03 PM on November 3, 2018

