Over the weekend I received an invoice from Apple – not an unusual occurrence as I buy music, movies, apps and TV shows from the iTunes and App Stores with some frequency. However, I noticed a couple of purchases that I was certain I hadn’t made. And I checked with others who may have had access to my Apple ID via my Apple TV.
I was able to confirm that the two purchases, of content I would not have bought in any case, were not made by me.
So, I called Apple support to investigate what had happened and to get a refund for the purchases.
Getting support for iTunes Store issues
I figured, as this was potentially unauthorised use of my Apple ID, that calling Apple would be the best thing to do.
However, the recorded message on Apple’s phone system directed me to http://apple.com/au/support as that’s where Apple’s ‘dedicated’ iTunes support team worked.
So, I hung up the call, went to the website and had the option of waiting for an online chat or setting a time for a callback. Given my circumstances, I chose a callback. The next available slot was about 12 hours away.
A very polite fellow called me back, on time, as per my scheduled callback. I scheduled the call for reasonably early in the morning as I knew I’d be in transit to the airport, in a cab, and able to answer questions without interruption.
However, in order to verify my identity, Apple requires you to log in at http://appleid.apple.com and to request a one-time support PIN. I told the operator I was on my iPhone, in a car and requested some other way to prove my identity, but there is no other way.
So, I put the call on speaker, launched Safari on my iPhone and opened the site. While I was able to create a support PIN, the website is not iPhone friendly.
I’ll cut to the chase – the support person was able to cancel the purchases, refund the money to my account and, as a gesture of goodwill for “the inconvenience”, I was also given some vouchers for movie rentals.
He was also able to tell me when the purchases were made and that they were made from an Apple TV. The timing made it unlikely anyone I knew made the purchase and, as there are three Apple TVs that can use my account, there was no way to narrow things down any further.
So far, so good.
But then I hit some challenges.
Changing my Apple ID password
As I was concerned with the security of my Apple ID, I decided to change my password. What I hadn’t quite fathomed before I did this was how central your Apple ID is, even if you don’t use every iCloud service.
For example, changing your Apple ID password renders all your app-specific passwords invalid.
This is an epic pain. I have many apps on several devices that rely on access to my Apple ID. I now have to create new app-specific passwords for all those.
I also use my Apple ID as my login on my Mac. When I logged into my Mac, it took me a few goes to remember those passwords were synchronised.
How often should I change my password?
I have to admit I’m not a stickler for changing my passwords regularly. And my experience changing my Apple ID password highlights the reasons.
It’s very disruptive.
The thing about passwords is we typically operate in two different domains: business and personal. And I think the ‘rules’ should be different in those contexts.
In larger business networks, malware is a real issue that needs to be addressed. Regularly rotating passwords is an effective way of thwarting the efforts of malicious parties. Given the average time between breach and detection is around eight months, by changing passwords, you can effectively stop hackers who enter your environment using a stolen credential.
But, in our personal lives, we usually lack the tools to automate this. So, we tend to choose passwords we can easily remember, rarely change them and often use the same passwords for multiple services. And we do this because it’s convenient and changing a password is painful – as I discovered.
For personal accounts, I think we should change our passwords as soon as we think there’s a chance a service has been compromised. In my case, the mystery purchases made on my Apple ID have been a trigger for changing my password.
I know this isn’t a perfect solution, but it’s a compromise between good security and convenience.