Last month, Apple's crazy-lax password reset protocol allowed Wired's Mat Honan to be hacked. Hard. It was a wake-up call for the company and its customers, a breach so severe it demanded an immediate solution.
What Apple came up with, though, might be just as nuts as the original problem: It's basically impossible to recover your account right now.
For the last several weeks, Apple has been dithering over how to amend its security reset protocols. That's a great and necessary idea, since it had been using just the last four digits of a customer's credit card — information that is not at all secure or private enough for that kind of verification process. But it still hasn't figured out exactly how to verify who you are, and so for now, there is no way for Apple employees to assist you in recovering your password.
Here's the full rundown on what's broken right now: There is no way for Apple support to reset your password or your security questions if you have forgotten them, and it also can't re-activate an account that has been disabled for any reason. Apple's automated system for password reset — enter your Apple ID email account, or answer a security question — is still in effect. But the only thing Apple's security team is authorised to do for disabled accounts right now is take down their information, add them to a list, and get back to them whenever this is resolved.
So, if you have access to either, you're fine. Reset your password no problem. But, if you lost both (which would be pretty irresponsible, but it definitely happens), you're totally out of luck until who knows when.
What does that mean, in practical terms, if it happens to you? You can't buy songs or movies or apps or anything else, and you can't download any updates to apps you already have. Same goes for software updates or security patches for OS X or iOS. It lands somewhere between a major pain in the arse and a breach of contract. I know this because it's happening to me.
Here's some background: I was recently charged by Apple for an iTunes movie I did not purchase. I was pretty positive it wasn't just an errant click, so I asked Apple if it could access login points and see if anyone strange had been using my account. Apple said it would look into it and temporarily disabled my account from buying apps and content or downloading software. Standard deal, no problem. I sort of forgot about it for a month, and when I remembered, after being unable to download a software update, I poked back at Apple to see if the issue had been resolved yet. It hadn't. In fact, it's become much, much worse...
Apple is totally unable to reactivate a disabled account. This doesn't only affect people who have had their accounts compromised, though that does add insult to injury. There are a bunch of ways to be flagged for a temporarily disabled account. For instance, if you use an unfamiliar credit card (your wife's, say) to buy something on iTunes, the system can catch the mismatched names and flag it as potential fraud, which has to be cleared up before you can continue shopping. Usually all that takes is a quick two-minute phone call. But now, under Apple's security holding pattern, you're going to be waiting until some unspecified time when Apple's improved security protocols are in effect. Again, it's been a month.
A disabled account can log into iTunes just fine, and play DRMed content, but it can't download updates to any software — including OS X — nor can it make any new purchases.
The security lockdown is pretty clearly due to the frenzy surrounding Mat's hack, though Apple employees aren't officially allowed to comment on what's behind the hazy procedures. But you don't need customer support to tell you that this is the clumsiest possible way to handle the problem.
Going to an Apple Store in person doesn't help either. I walked into the Fifth Avenue store this morning fully expecting them to be able to just take a look at my driver's license or passport and laugh away the hiccup — See guys? It's me! — but apparently that's never been the case. Online iTunes Store support will always have more control over your account than Geniuses, and there is zero benefit to being at a store in person for account issues — even if you're waving government ID around.
Just for reference, Amazon had a fix for its side of the Honan Hack debacle live basically as the piece was being published. Apple has had more than a month since then. Though to be fair, Amazon's fix was merely not adding credit cards over the phone, while Apple's fix will need to involve significant rearranging of its authentication process.
Here are a few excerpts from my exchange with Apple support over the matter. This one's an excerpt from an email exchange about why my account could not be re-activated:
At present, Apple is temporarily not able to assist customers in resetting their challenge questions and password reset. That is the reason why I cannot re-enable your account at this time, since it is needed for a password reset. I apologise for any inconvenience, but when Apple reinstates security resets, the security measures that are required will be strengthened to further enforce customers' account security. Your understanding in this matter is greatly appreciated.
And here is the response after I asked for further clarification:
This is [redacted] from the iTunes Store.
I sincerely apologise for any inconvenience that this situation has caused you, Kyle.
I regret to inform you that we are currently unable to re-enable your account at this time. Re-enabling the account requires resetting the password, and we are having an issue right now regarding resets.
Upon checking your account based on the information that you have provided, I can see that your account has been disabled due to unauthorised purchases made in your account. We handle accidental and unauthorised purchases differently.
We are currently unable to reset passwords and security questions at this time. This is due to our increasing efforts to maximise security on the iTunes Store. Our current stage of operations dictates that we cannot comment on why we are enhancing these various security protocols; we also will not speculate on how long this security enhancement will last. We ask that you endure this rather unfortunate circumstance with stead-fast [sic] resolve as we really do want you to enjoy the iTunes Store in the safest, most enjoyable ways possible.
I will get back to you as soon as I have the resolution regarding your issue. Have a wonderful day, Kyle.
iTunes Store/Mac App Store Customer Support
Emphasis added. The Apple Store and AppleCare both confirmed that there's nothing that can be done but wait right now.
This couldn't come at a dumber time for Apple, or a less convenient time for its customers. Tomorrow, the company will finally take the lid off the iPhone 5. It's a big deal. The biggest deal for Apple, actually. And while locked-out loyalists will still be able to activate their shiny new handset, they won't be able to buy any new apps or content. Leaving you with... a really expensive dumbphone. Which is, of course, so very dumb.
There are bigger problems in the world than Apple leaving its customers in a lockout limbo. Many of them! But it just seems totally, massively, completely out of whack that Apple's solution to its security problem, after more than a month, still amounts to "OUT TO LUNCH, BBL".