Years ago I briefly played around with "manufactured spend" (on credit cards, to earn frequent flyer miles).
There was one specific loophole, with one specific gift card provider, and it was a doozy. You could earn credit card points on spend, plus supermarket loyalty points on spend, by buying gift cards from one specific provider which could be cashed out at face value (ie no fee at all) immediately to a specific type of savings account.
So, of course, world+dog was buying these things like it was the end of the world.
As I sat in a hotel room one evening rubbing the security codes off the latest batch of cards before redeeming them one-by-one into my savings account, it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering, but it would take some time to explain exactly why not...
The loophole was closed relatively quickly, and the gift card provider gave up.
Back then, the trick was to get a generic Vanilla Visa or other prepaid credit card. A recent legal ruling meant they had to be run as a debit card for... reasons... I forget them.
But a lot of grocery stores would sell you a money order up to 500 bucks for under a dollar with a debit card (not a credit card).
So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
Subtract ~$5 for the GC and ~$1 for the MO and you could manufacture about 500 bucks in spend. And the best part? You could take that money order to your bank, deposit it, get the funds immediately, pay off your balance, then rebuy.
In one afternoon I earned enough points for a first class flight to a fancy European city, and eternal side eye from the grocery store clerks who were convinced I was up to something but couldn't put their finger on what.
Interchange fees, probably. Otherwise the credit card companies are taking a 2-3% cut.
>So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
I don't know how this ever could have worked considering that "cash-like transactions" are counted as cash advances, same as if you were to use your credit card at an ATM.
Afaik, gift cards are more like fixed balance debit cards that happen to be runnable over a specific payment network (e.g. VISA, MC, AMEX) as credit cards.
But at least a fair number of them will allow you to set a PIN, which then allows their use as normal debit cards.
Not really:
"I'm churning credit cards for the rewards points. Here are the receipts where I use $10k from account A to purchase $10k worth of gift cards. Here are the statements where I deposit $10k of gift cards into account B. Here is the statement for the $10k wire from B to A. And here are the receipts for the next round of gift cards I purchased. Any further questions? I have $10k of gift cards to redeem."
And many legitimate uses of gift cards may actually have been fraudulent somewhere up the chain.
Imagine a scammer who sells their cards to real users (perhaps through one or more less-than-scrupulous intermediaries willing to buy them in crypto without asking too many questions). If the victim comes to their senses and somehow gets those cards reported and blocked as fraudulent, unsuspecting users will get into trouble.
But it is money laundering, that's what manufacturing spend is. It's not money laundering to hide evidence of a crime, but it is money laundering for the purpose of hiding the fact that you didn't engage in commerce in the process of spending money on a credit card to earn a reward. It's indistinguishable, only because we criminalize behavior not only on its base but due to its intent.
Which law do you think was being broken? I think the person is pretty clearly not defrauding the bank. Maybe the credit card company doesn't like it, but they almost certainly don't have that in writing because if they'd considered this possibility, they wouldn't have allowed it to be possible in the first place.
Not engaging in commerce to earn rewards isn't illegal, it's just an oversight on their part.
For example, we feel like it is fair for credit card companies to monopolize payment systems, charge fees to businesses, and use a portion of the money from this scheme to set up this bullshit reward point system.
But to undermine this system is criminal, because the system is established, but undermining it is novel and therefore disallowed. Any new way to play the game is breaking the rules, because the purpose of the system is what it does.
It's not illegal to buy a few beers every evening from a bar you own out of your own pocket, and then book that revenue, pay taxes on it, and then ultimately collect a distribution of the profits as the owner of the business. It is illegal to do the same thing if the money you took out of your pocket came from selling drugs.
It’s great that it has been resolved, but I’m still baffled by a number of things:
1) Why would redeeming a bad gift card result in a complete shut-down of the account?
2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
3) Should companies be restricted from growing too large where they can’t support their customers?
In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example: my Facebook account was recently banned because a hacker accessed my account and uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20-year-old account was banned literally overnight without having any recourse. There’s no number or even any email to use. Maybe I can see if the Register will write it up… (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same… if they cared.)
“Online” accounts have zero regulatory requirements, plus many of them aren’t necessarily directly paid-for, so they frame themselves as doing you a favor by letting you have it in the first place. And they usually don’t have a route to prove identity because they don’t record a legal identity (passport/SSN/etc) to begin with (not that that was an issue here, of course - in this case Apple didn’t dispute that they were the owner, just asserted that they were some kind of criminal.)
Yeah, not permanently, only near "effectively" so...
You're just lucky that it hasn't happened to you. That does not mean it doesn't happen to anyone.
Furthermore, without physical presence where you could sit down with someone, this becomes more difficult to deal with. Truth is, Apple should have an option where someone could go to an Apple Store, verify ID and talk to someone with power, but they don't want to spend that money so here we are.
Because anything else would require them to spend resources to examine your case and claims more deeply (to find the appropriate level of response), and they don't want to spend them, plus they don't care.
I'm not excusing this. What happened here shouldn't happen, and there should be quick resolutions and explanations available to the aggrieved parties.
You must block financial activity, and you must not communicate any details to the customer, upon reasonable suspicion of money laundering activity. There's a process and a prescribed timeline for getting things resolved. There is no penalty for a false positive, but there are large penalties for false negatives.
Having watched hundreds of these things happen, all of the details point squarely to an AML problem. For closed loop gift card programs, the merchant, program manager, issuing bank, and possibly the seller all get involved. It takes time.
This doesn't require shutting off a user's access to their data though -- just preventing financial activity. Apple might not have adequately fine-grained permissions around account suspension to support this, and obviously they should fix that!
It's also unlikely there are just those two states. For many services there will be a number of factors involved, but it's purposely opaque to make it harder to circumvent.
Offline banks are increasingly phased out in many places (closing branches, limiting options, strict appointment-only visits, reducing staff, etc).
That's false, unfortunately. There's amazing levels of discretion that banks enjoy and minimal accountability to end users. The CFPB (in the USA, anyway) was a countermeasure but has been recently weakened.
Apple would be much harder to regulate, as it wouldn't even be clear what jurisdictions should be involved in the process, and what a "change of jurisdiction" would entail. It would also create the opportunity for fraudsters to choose the jurisdiction which gives them the most consumer protections but has the loosest identity verification requirements.
Because they assume you stole the gift card and are therefore a criminal. As to why they're making the assumption that you are the criminal, not the actual criminal who successfully redeemed the gift card first, you've got me. Since either situation is possible.
> 2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
I'm as infuriated as you are.
> 3) Should companies be restricted from growing too large where they can’t support their customers?
Size has nothing to do with it. Plenty of small companies ignore their customers too. So I don't think this is the right solution.
> In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access.
There are plenty of horror stories with banks too. I'm not sure they're that much better at all.
As a sane person I would expect a mere popup saying "Voucher code was already redeemed. Try another one." Nothing more.
The ONLY other thing I can currently think of why Apple straight away went to "criminal" would be that the brick and mortar store failed to activate the card when they sold it.
You know, someone shoplifts such a card thinking they got it made. Even though you'd think everybody should know that the code you scratch off that card is only active after the clerk at the register did his thing.
If Apple then receives this voucher code that they must have in their databases but it has a big "not activated" flag next to it, THEN I could start to believe why they would lock down the account that tried to redeem it.
And even then it seems iffy. Because how should I as the consumer know if the clerk did everything right with the activation?
But this breaks down for the reasons described, that thieves get the code before you do and manage to spend it first once the cashier activates it but before you get home and actually use it.
So maybe that's new and Apple hasn't updated their scam detection logic? It's the only thing I can think of.
Why the fuck couldn't it just be that you forgot and tried to redeem twice?
Just reject the card and be done with it, no action required.
But hey, at least Apple's universal lockout capability is able to deter theft! Every non-negotiable backdoor has a silver lining.
Software installation has nothing to do with account closure, so I don't know why you're bringing it up.
Account closure doesn't disable your devices. You can set them up with a new account.
And if devices are disabled due to theft and can't be reflashed for sale on the black market, that is a good thing. I haven't heard any reports of people's legitimately purchased devices being disabled due to theft.
Clearly you have things you don't like about Apple, but I don't see what they have to do with the subject at hand, which is account closure.
(2) and (3) remain great questions without enough good answers.
Apple has locked my Apple ID, and I have no recourse. A plea for help.
1730 points, 1045 comments https://news.ycombinator.com/item?id=46252114
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
The Singapore Apple exec person who eventually reported the issue as fixed provided the above advice, and I think it is the best advice given to anyone in this entire situation.
What can a normal person do? Only buy Apple gift cards from Apple, only buy Home Depot gift cards from Home Depot, et cetera.
That one piece of advice destroys a retail line of revenue that’s suffering massive endpoint fraud and removes the vast majority of risks to recipients of gift cards, and is simply explained to uninterested people that those conveniently-placed gift cards are bait cast by fishers for the unwary.
(I’d also sue the retailer in small claims court for selling a fraudulent product that didn’t perform as advertised.)
So a blanket ban on Apple gift cards is probably the safest thing. I shall inform everyone in my extended family.
Gift cards are the #1 fraud vector in payments ... because it lets stolen cards be converted into a cash-like equivalent with zero traceability.
So fraud/risk systems are highly sensitive to gift cards.
It's not an excuse, but I see in this thread people minimizing the problem at hand - so I just wanted to call that out.
That's easy to say. [1] [2] [3] But reality is harder than that; keep in mind:
- Fraud is complex (many moving parts, many pathways)
- Fraud is adversarial (whack a mole, but worse)
- Fraud and revenue are two sides of the same coin [4]
P.S. The commenter doesn't state who "they" refers to: maybe issuers, maybe retailers, maybe both?
[1]: A drive for simplicity is important, in moderation. But here the quote seems to not appreciate the complex reality.
[2]: The response pattern "Then they are free to [foo]" is often part of a rhetorical technique to shift blame and/or responsibility to another party.
[3]: See also the "nirvana fallacy" (i.e. "if you can't do it perfectly, you shouldn't do it at all.") See https://thelogicofscience.com/2016/06/20/the-nirvana-fallacy...
[4]: You can easily imagine a business where lowering customer friction increases both revenue and fraud. What is the ratio between them? How does it change over time?
Dumb people were being scammed in Singapore, until the financial regulator here clamped down on gift cards altogether. It used to be trivial to buy Apple, Google, and Steam gift cards in Singapore convenience stores. They're no longer being sold anywhere.
I'm not sure how requiring gift cards to be bought with cash would help prevent that.
McKenzie's point is more about how businesses need to accept a certain level of fraud because trying to stamp all of it out will be more expensive and more damaging than allowing some of it. But I'd go further than that: companies should be required to accept some amount of fraud in order to avoid harming their legitimate customers. It should be just another cost of doing business.
[0] https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
It can be traced; the problem is that they block accounts (probably using an FP-prone algorithm) even if a gift card was not purchased using a stolen credit card.
2. The normal use case for a gift card is that it is transferred to a person different than the original purchaser. Launderers also do this.
To be clear, this is their problem, not the customer's.
Still, I’m curious what the scammer did in this case. If a retail worker just stole the card number it would merely be used up, not flagged as fraud. Maybe someone in the supply chain obtained the number and reported it lost/stolen? And used that to obtain a new card no one would complain about once it was used? Vs the original number which would result in a customer complaint. Idk.
The optimal amount of fraud is non-zero (2022) - https://news.ycombinator.com/item?id=38905889 - January 2024
($day_job is financial services, a component of my work is fraud mitigation)
They don’t need to fix insecurity of gift cards, they just need better access controls. Yet they have no incentive right now to tackle that.
I'm having a hard time finding much sympathy. They could always, oh I don't know.. maybe just not sell gift cards? Or have a much lower maximum amount?
I mean yeah, you could take the view that technically the blame really lies with the people trying to use gift cards for theft, but that's not going to be productive.
It's simple: they're essentially free money. The worst case for them is that the recipient of the card uses the full amount of the card. In that case, the issuer "only" makes the full profit on those sales. Often they do better: the card is used partially or not at all, then lost or forgotten about.
You can see how lucrative they are by looking at promotions. You can often find deals where you can buy a $100 card for $90, or similar. Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
As for the fraud risk... do they even care? When gift cards are used for crime, the issuer doesn't suffer. Maybe they have to deal with upset customers, but that's hardly new. Most of the time, the gift card is bought legitimately, given to criminals, resold, used by the secondary buyer, and the only one who suffers is the unfortunate scam victim who bought it.
It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover. The fact that they don't bother should tell you everything you need to know about how important fraud is for them.
The merchant wants you to use the card, in all cases, always. Because statistically, you are likely to spend 30-40% more than the card face value, when you do.
The unused portion of the card sits on the merchant's balance sheet as a liability, for years, until they decide to recognize it as revenue ("breakage"). They prefer this over NOT selling a GC, of course, and some merchants (e.g. Starbucks, high volume, low ticket) make a ton of money on breakage. But in all cases, merchants greatly prefer their cards to be used.
You're also wrong about how the fraud works. Usually, the card is not purchased but sniffed prior to legitimate sale. The mechanisms for this vary, but a common method is to literally pull armloads of cards off of display shelves, open and repackage the carriers, then surreptitiously return to shelves for legitimate sale. This is purportedly the process for large organized crime rings based in Asia, mostly China.
And you're wrong about how easy it would be to fix. Packaging costs money, retailers have to be on board for activation, this has to be integrated into POS systems, and it all has to be very easy for consumers.
This is a hard problem at scale, and smart and motivated people on the merchant side, the program manager side, the bank side, and the law enforcement side, would love a simple solution.
...
What is not a hard problem, though, is that Apple should separate "AML investigation in process" from the user's ability to access their own data. This would turn a very large problem (for all involved) into an annoying inconvenience (for the customer).
Stopping the theft you describe is very easy. Don't have actual gift cards just sitting around. Require customers to get them from the cashier at the time of purchase. Have dummy cards on display if you want them to have something to hold, or make them ask.
Of course these solutions aren't free. Adding friction to the purchase process will reduce sales. Retailers have clearly concluded, I assume correctly, that it's not worth the cost. Nothing wrong with that.
Don't confuse something being difficult to fix with something not being worth the cost of fixing. We can put a solid upper limit on the impact of fraud by looking at what it would cost to stop it, and conclude that the impact of this sniffing fraud is less than the impact of having cashiers exchange dummy cards for real ones at the time of purchase.
Note that this isn't a "this is easy, they must be idiots not to do this" sort of thing. The current approach is probably the smartest one, given how things currently work. If the incentives changed to make retailers bear more of the cost of fraud (say, legally putting the burden of proof on the retailer to show the card was used legitimately, otherwise they have to refund it if the customer alleges fraud), things would change quickly.
The program manager is responsible for retail placement and packaging. Their share of the revenue is small, but their liability for fraud is high.
Retailers (POS card sellers e.g. Safeway, as opposed to the card-branded merchant e.g. Apple), bear zero risk for fraud. Safeway can't police card validity -- if a customer brings the card to the cashier, they will scan it and the POS will attempt to activate it according to the program manager's backend rules. If it's a new unactivated card, it will get activated. The PM knows which serial numbers were distributed to each retailer, so they will not activate a card at a different retailer (and in some cases, a different location of the same retailer).
Moving the 100+ square feet of unactivated card displays to a retail cashier would destroy sales and impose a burden on retail staff that many can't handle, and none are incentivized to create a process for handling.
FWIW, program managers have gone through a few rounds of tamper-proof packaging upgrades. Obviously, their work is not done. But it is legitimately difficult to mass produce a tamper-proof package that is also consumer-friendly and not exorbitantly expensive.
If cost of packaging were no issue, or if customer friction could be disregarded, then the problem becomes more soluble. But we do not live in that world. And, in the extreme case, the criminals could just produce identical packaging including holograms etc. This is obviously within their capabilities, and if the cost of packaging can be absorbed in the multi-party legitimate sale chain, it will also be low enough for a counterfeiter.
...
More importantly, I agree that _some_ regulation or law should prevent Apple|Google|Amazon|etc from parlaying a minor financial dispute into total lockdown of customer data! But the approach for that is not to inject the requirement into the problem of closed loop prepaid debit card management.
I think this is the only interesting problem here. The card management stuff is well-known and evolving, but also mature and ultimately just some accounting math of risk against cost.
Screwing up a customer's digital life should not be a consequence of the imperfect-by-design card management schemes. FinCEN should regulate the latter. CFPB should regulate the former. The agency doesn't matter of course, but those two groups have very different mandates, and right now merchants are letting the stronger FinCEN regulations dictate their consumer policies in ways they should not.
There's more to it than covering the risk of fraud. It's more about optionality. The gift card only allows for buying things at one place — so you're restricted in what you can buy, can't deposit it at a bank, can't comparison shop etc.
I don't get the sense that money being left on the card is a serious issue for the sort of person who goes hunting for deals like this. They'll eventually spend more than the card's value and have the last of it apply partially to some purchase.
Also the discount rates I've seen have been more like buying the $100 card for $95 or $97. Except perhaps where the gift card retailer is offering it directly as part of a cross-promotion deal with the target retailer.
However, a significant amount of the spending in gift card promotions is from the marketing budget of these companies. They use gift cards to keep you "engaged". They are used the way companies used to give out coupons basically.
Promotions rarely cost much. Keep in mind that even if breakage was zero, every dollar you spend at a company already has a profit margin baked in. Even if you only pay $9 for that $10 of spend at CompanyPlace, they are likely still making a profit. Promotions also have strong limits, so you can't really profit off of them as a consumer.
Except for one time. Once, IKEA ran a promotion that was "Spend $1000, get $100", and chose to set NO LIMITS. People were banking $10k worth of IKEA giftcards "for my future kitchen renovation" and IKEA found out their gift card fulfillment process was.... antiquated. Did you know old versions of Excel only allow for 65k rows of data?
>As for the fraud risk... do they even care?
We care. The brick and mortar store and Apple themselves don't really care, because they pay our company to take that risk, and our entire business is about preventing credit card fraud to reduce how much that risk costs.
>It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover.
What? What is your idea for better securing these cards? What "Tech" would help?
Note that I have no clue what Apple is doing banning this account. We don't tend to ban victims of fraud or crime or scams, especially not for physical cards bought in a store because who knows what actually happened.
Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.
I take this to mean to sail the seas but I have apprehension over running modified binaries from random people. Is there anything that can be done to alleviate this worry?
So yeah, TLDR, vote with your wallet and give up the entertainment this time.
Some recent stats indicated most gamers buy at most two games per year, so it's not a ton of work to ensure they have a working archive.
Both GOG and Steam allow you to use local copies of games, and both would deny you access to your account to download more games once banned. Steam allows you to install games without DRM from their platform.
This was the reason why free trade was removed from RuneScape back in the day and it wasn't even a Jagex issue. People would go to 3rd party gold selling websites and then pay for gold with stolen credit cards. They could easily keep the money because the trade cannot be reversed without a moderator and what they were doing was against the rules so everyone would just get banned. The payment processors saw a bunch of fraud related to a game called RuneScape and told Jagex if they don't fix this then they will be blacklisted.
Gold farmers were paying for bot memberships using stolen credit cards, which Jagex had to refund along with a chargeback fee.
The blackmail scenario you’re describing wouldn’t make any sense since all of these gold farmers used mule accounts to launder their gold before making the trades. The changes to the trade system were intended to interfere with this laundering so that farming would no longer be profitable.
The RuneScape Documentary - 15 Years of Adventure
https://youtu.be/7RNK0YBdwko?si=sei69KmyL4hb_hj-&t=2944
Discussion begins at 49:04
I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse.
This sort of thing wasn't really possible before the internet age. We need new laws to deal with it.
Banks have nothing to do with this. You could have your Steam/Google/Apple/etc. account summarily executed for any reason; it doesn't have to be money-related.
Yes, it was and it always has been[1]
>I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse
This is par for the course with every single EULA ever. I will say in the case of Steam it's hard pressed to find your account completely disabled and unable to play the games you rightfully purchased. I think the worst-case scenario is that you will be banned from engaging with the Steam online community, which restricts your ability to play with other users on Steam.
It makes a lot of sense to discount all these reviews to avoid abuse. A lot of developers would abuse reviews hard otherwise.
Other than selling keys they can also be used for marketing. If you for instance have a game with multiplayer, lots of DLCs or IAP then giving away keys for the base game makes a lot of sense: even if only 1% of people who grab the key are gonna play it, they can still eventually buy another copy for a friend, etc.
If you buy a Humble Bundle, you get a set of Steam keys for the games in the bundle. If Intel/AMD/Nvidia are doing a promotion for a free game with a purchase of their product, they give you Steam keys. Etc.
I just don't get why these companies should be in the business of offering gift cards-- at least, not if they can't be redeemed safely.
I'm sure people would run other kinds of scams with AppleIDs without the existence of gift cards, but gift card redemption scams have gotta be 99% of the reason people create fake accounts. The support burden would evaporate almost overnight if they just exited this stupid market.
If they're anything like Starbucks then they get the benefit of utilizing the unredeemed balances as temporary capital for investments. It's an interest free loan at their scale. Plus they get to keep the balance that people forget to redeem.
I'm not an expert here, but this is not generally true. See "giftcard escheatment laws". I think these vary by state, but see e.g. https://legalclarity.org/when-do-gift-cards-become-subject-t... The value of abandoned cards goes to the state.
I am terrible at spending gift cards. I have some that are from 2007, 18 years old. Two years ago I decided I should check them all and actually spend them. Of the dozen or so cards (several of them for Apple), only 2 of them had an issue, all the others were still active with the original balance.
One of the issues was easily solved, it was a Visa gift card that had an expiration date... I reached out to the company and they issued a new card with an extended date. The other seemed to be so old that the underlying company was sold and pivoted, and changed systems (I assume multiple times) along the way. What was a card for a local restaurant chain now seemed dedicated to Dick's Sporting Goods... at least that's where the phone number went. I haven't yet tried going to the actual restaurant to see what happens.
This reminded me I did an awful job of actually spending them. I guess I need to try again.
I think gift card or not isn't really relevant, fraudulent activity can happen in a lot of ways like iCloud being paid by a stolen credit card, or TV shows being rented with hacked PayPal account.
The real issue is simply that there's no proper support avenue for serious issues that at this point affect your whole life, a family or a whole company. There's also no real avenue for a user to get the authorities to do anything to help with their case.
I'd say also that you should never purchase Apple gift cards from anyone except Apple directly, but if the card itself was tampered with (stolen, opened, scraped and code retrieved, re-covered with generically available scratch-off material, re-sealed, returned to the display) there's nothing keeping that from happening in Apple stores as well.
There is a technical measure that gift card providers could put in place to reduce this, specifically they could block activation of any cards with codes for which they've already started receiving activation/balance checks. There'd still be some risk (thieves would need to wait before testing cards and would have to hope for cards that were purchased but not yet redeemed) but it could be reduced somewhat.
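The activation-side control described above, together with the retailer-bound serial allocation a commenter further up the thread attributes to program managers, as an added Python sketch; this is not code from any commenter or from a real program manager, and the card serials, retailer ids and event sources are constructed for illustration.

```python
# Added example: program-manager activation backend for closed-loop gift cards.
# Rule 1: a serial may only be activated by the retailer it was shipped to.
# Rule 2: any balance check or redemption against a code that has not been
#         activated yet is treated as evidence the packaging was opened on the
#         shelf; the card is quarantined and the register later refuses to
#         activate it, so the buyer exchanges it instead of losing the money.
# All identifiers below are constructed, not taken from any real program.
from dataclasses import dataclass, field
from enum import Enum

class CardState(Enum):
    UNACTIVATED = "unactivated"   # on the shelf, no value loaded
    ACTIVE = "active"             # sold and loaded at a register
    QUARANTINED = "quarantined"   # probed before activation; must not be sold

@dataclass
class Card:
    serial: str
    retailer_id: str              # retailer this serial was shipped to
    face_value_cents: int
    state: CardState = CardState.UNACTIVATED
    balance_cents: int = 0
    probes: list = field(default_factory=list)   # sources that touched the code pre-sale

class ActivationController:
    """The only party allowed to load value onto a card."""

    def __init__(self, inventory):
        self.cards = {c.serial: c for c in inventory}
        self.audit = []           # (event, serial, detail) for the fraud desk

    def _probe(self, card, source):
        # A code still on the shelf should never be queried by anyone.
        card.probes.append(source)
        card.state = CardState.QUARANTINED
        self.audit.append(("pre_activation_probe", card.serial, source))

    def balance_check(self, serial, source):
        card = self.cards.get(serial)
        if card is None:
            return ("unknown", None)
        if card.state is not CardState.ACTIVE:
            if card.state is CardState.UNACTIVATED:
                self._probe(card, source)
            return ("inactive", None)   # same answer for unactivated and quarantined
        return ("active", card.balance_cents)

    def activate(self, serial, retailer_id):
        card = self.cards.get(serial)
        if card is None:
            return "refused: unknown serial"
        if card.retailer_id != retailer_id:
            self.audit.append(("wrong_retailer", serial, retailer_id))
            return "refused: serial not allocated to this retailer"
        if card.state is CardState.QUARANTINED:
            self.audit.append(("probed_card_at_register", serial, retailer_id))
            return "refused: card was probed before sale, exchange it for another"
        if card.state is CardState.ACTIVE:
            return "refused: already active"
        card.state = CardState.ACTIVE
        card.balance_cents = card.face_value_cents
        return "activated"

    def redeem(self, serial, amount_cents, source):
        card = self.cards.get(serial)
        if card is None:
            return "refused: unknown serial"
        if card.state is CardState.UNACTIVATED:
            self._probe(card, source)
            return "refused: inactive"
        if card.state is CardState.QUARANTINED:
            return "refused: inactive"
        if amount_cents > card.balance_cents:
            return "refused: insufficient balance"
        card.balance_cents -= amount_cents
        return "redeemed"

def run_scenarios():
    """Constructed inventory and events; returns the outcome of each step."""
    pm = ActivationController([
        Card("C-1001", "R-GROCER", 5000),
        Card("C-1002", "R-GROCER", 5000),
        Card("C-2001", "R-PHARMACY", 2500),
    ])
    out = {}
    # 1. Honest sale: cashier activates, buyer checks balance, redeems part of it.
    out["honest_activate"] = pm.activate("C-1001", "R-GROCER")
    out["honest_balance"] = pm.balance_check("C-1001", "buyer-app")
    out["honest_redeem"] = pm.redeem("C-1001", 2000, "buyer-app")
    out["honest_left"] = pm.cards["C-1001"].balance_cents
    # 2. Tampered card: the code was read on the shelf and probed before any
    #    sale, so the register refuses activation and the buyer keeps their money.
    out["thief_probe"] = pm.balance_check("C-1002", "unknown-source")
    out["tampered_activate"] = pm.activate("C-1002", "R-GROCER")
    out["thief_redeem"] = pm.redeem("C-1002", 5000, "unknown-source")
    # 3. A serial shipped to one retailer is presented at another.
    out["wrong_retailer"] = pm.activate("C-2001", "R-GROCER")
    out["audit_events"] = [e[0] for e in pm.audit]
    return out

if __name__ == "__main__":
    for step, result in run_scenarios().items():
        print(f"{step}: {result}")
```

The residual risk the comment notes remains: a probe that waits until after the card is activated is indistinguishable from the buyer's own balance check, so this rule only removes the pre-sale window.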
This would be a good measure assuming we’ve fully discovered all the reasons Apple might ban you for, and the only reason happens to be gift cards.
Since we don’t know what other seemingly trivial actions may provoke Apple to wipe an account, I think starting a developer conference is the only way to be safe.
Everything in the cloud is at risk of being taken from you. Companies like Apple are not your friend. They explicitly make no promises and insist that they are not accountable/liable. Stop trusting them.
Not store their data in their iPhones. Period. I only store temporary data and photos I wouldn't care about.
The big marketing point of cloud storage was that you would not need to worry about owning and maintaining local storage, but they conveniently downplayed the fact that they could lock you out of your own files at their whim.
His Apple cloud account was locked until the account representative unlocked it.
The physical device was not locked, bricked, or wiped. The situation was bad, but let’s stick to the facts.
Paris uses the term "bricked" in the original post: https://hey.paris/posts/appleid/
Apple isn't. Just sayin'. They are trying to do it, but they aren't really anywhere near the scale of Google and Facebook. They make money (lots of money) by selling high-margin hardware, and, to some extent, digital media, on that hardware.
Currently, Apple is genuinely serious about preserving user privacy. I realize that can change, in the future, but it's the way it is, now. I get the feeling that a lot of folks on HN are having difficulty understanding businesses that make a profit by doing stuff other than harvesting and selling PII, but that's not what has made Apple a 4 trillion-dollar company. They make that money the old-fashioned way; but with a modern twist.
That said, this situation is unforgivable, and I hope that Apple leads by example, by preventing this all-too-common type of dumpster fire from happening in the future.
Just because they're not Google's size doesn't mean they don't have people making product decisions that will eventually sacrifice privacy for profits.
[0] https://digiday.com/marketing/when-it-comes-to-ads-apple-isn...
The reality distortion field is strong, even with some HNers.
Making and selling hardware is difficult. Really difficult, but some companies have been doing it successfully, throughout recorded history.
It's really strange to see it being dismissed as "impossible," nowadays.
Apple makes tons (read: billions of dollars) from ads. Hence, Apple is in the business of ads, and has sales people working with advertisers to make targeting and personalization work.
I take no side in the "ads are bad" argument, but you have to accept that Apple is in the ads business, whether you like ads or not.
Whether the advertising is ultimately successful does not matter to those people, what matters is if they can convince the person paying them (the manager paying their salary, the ad agency, etc) that they are effective.
I’m not sure who is right, Apple or these analysts, but either way: 2.5% or 7%, that revenue source isn’t large enough to be a corrupting incentive on Apple’s behavior.
Maximizing digital service revenue at the cost of user trust which drives their high margin hardware sales would be killing the golden goose.
I wasn't defending Apple. I was merely pointing out that one of these, is not like the other.
Like I said, it seems that we have a hard time understanding business models other than "Harvest and sell data." Posts like the GP, seem to reinforce this appearance.
Upton Sinclair is known for a quote, referencing this kind of thing.
Hating on Apple is quite popular amongst techies. I understand. I've probably been more pissed off at Apple, than many folks, here.
But it does bother me, that people don't seem to understand the classic business model of making things, selling things, and supporting things. That's thousands of years old, and still very much relevant. Quite a few folks, here, do that. I spent most of my career, at companies that did it.
They make, sell, and support physical devices.
That's what's called "classic manufacturing."
I spent most of my career in the hardware business. It's really odd to see so many folks unable to understand business models that make money, besides "sell data."
It really seems as if folks can't grok that companies that make money, can do so without necessarily selling data.
> genuinely serious about preserving user privacy
Nope, not anymore. That ship has sailed and more revenue is to be made by harvesting user data
(Google and Facebook don't make money by "harvesting" or "selling" user data, they make webpages you spend a lot of time on then put ads on them.)
I don’t know if Apple has client-side ad scripts like those, but in decades of building websites I’ve never been asked to implement one.
That does seem to call for supporting evidence. I write Apple apps, and they make it very difficult to access user data. I would need to know how they get it, and how they make money from it.
We started off talking about Apple isn't in the advertising business, and now we're at standard telemetry.
Upton Sinclair really knew what he was talking about.
You can contact an employee.
Off topic pretty much: In 2013 I was one of the 8,000 people in the U.S. selected by Google to be able to buy Google Glass ($1,500 [$2,000 in today's money]) in its first release to the public. One thing I will never get over is the customer service offered to us Glassholes: not a toll-free number, no automated voice mail tree: I'd call for any reason AT ANY TIME NIGHT OR DAY OR WEEKEND OR HOLIDAY and a Glass specialist would answer within a couple rings and spend as much time on the phone with me as I needed to resolve my issue.
That said, keeping a backup of everything, decoupled from any account I don’t control, gives me huge peace of mind.
Doing everything and/or all-at-once is not practical, but having backups for most critical infrastructure helps a lot, and when it's rolling, it rolls without effort.
One can go step by step and call it done when it becomes too much to bear or satisfactorily decoupled.
The tendrils can run deep.
Just realize this: the longer you play this game, the higher your odds of getting banned. Once it hit me, I quickly decoupled from Google. It's like playing satoshi roulette for 0.5% gains. You keep winning until you get fully wiped.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
Frankly, staying away from gift cards seems the best option unless its blast radius can be limited (e.g., redeemed in person).
There is no opportunity for the kinds of large-scale fraud you see with cards purchased elsewhere. The only risks would be the same for any other bearer instrument, e.g. wallet theft.
Specific accounts may be flagged, for sure. But a general ban on GC-related purchases would be a very big regulatory deal. Do you have links to a published source?
Throw in gift cards all over the place to incentivize purchases.
Go to use a gift card, "Sorry, gift cards can only be used to pay for full price items, not discounted or sale items".
Conveniently, effectively everything in the store is discounted or on sale.
That would be bad enough as-is. But you move houses, or are moving out for the first time, and someone buys you a gift card, with CASH?
They're the same gift cards. And the same "rules" which are nowhere to be found, just you arguing until you're blue in the face with a store manager who "understands, but policy".
"I could have bought this item with the cash it took to buy the gift card, but because that cash 'changed form', it's now unacceptable for payment?"
A law that states you can't call it a "gift card" unless it can be exchanged for cash at 95 cents on the dollar would fix it pretty well.
We're a multi-trillion dollar company and your BATNA is terrible. Don't like how we roll? Go fuck yourself.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. The company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
The scale of this work is unfathomable to those who have only been on the consumer side of it.
#1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
#2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
#3 is what small claims court is already for. We should make this easier, I agree.
> The scale of this work is unfathomable to those who have only been on the consumer side of it.
> #1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
Just imagine laws would work that way.
> #2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
That argument doesn't pass the smell test. Apple makes more profits than the scammers' whole revenue, so just from a resources standpoint Apple could starve them. You just need to make the process so it can't be easily automated (e.g. require going into an Apple store with your ID).
> #3 is what small claims court is already for. We should make this easier, I agree.
So in #2 you say it would overwhelm the process and now your argument is that essentially the public should pay for the process?
If small claims courts can deal with the issues, then why can't a trillion dollar company?
> Just imagine laws would work that way.
This is how "tipping off" law often works in practice.
As a support agent you often lack full visibility into the treatment or history of the person on the other end of the phone, especially if they're a bad actor. You can't tell them what is or isn't fraudulent behaviour, or what might be construed as such.
I don't know what you mean by "tipping off" laws, but certainly if you get given a penalty in law (e.g. you get judged in court), you will be told what you have done wrong, and shown proof of it.
Still, from your perspective, do you have any opinion on this particular case, other than "you can't make an omelet without breaking some eggs"?
I’ve tried to come up with some strawman explanation but I can’t see it.
Gift cards are the currency of modern confidence scams. Accounts that redeem a lot of high value gift cards are suspect for that reason alone. Buttfield-Addison makes it sound like this is common practice for him, so his account may have been on a shitlist already.
Apple may be so sensitive they'd close a suspect account after one failed redemption. It's also possible that card was first redeemed by an account that was closed soon after for fraud, and Buttfield-Addison's subsequent attempt linked his already-suspect account to the fraudulent one resulting in automated actioning.
Again, this is pure speculation, and is not meant to justify Apple's actions.
I could see doing a lot of card redemptions as a flag, but then I think the next step is "what are they spending the credits on?" I could see a scam where you launder cash by turning it into cards, and then buying shitty and expensive apps. Thus paying apple 30% to clean money for you.
To answer in general, aging of accounts is common as is synthetic credibility-building activity. There are marketplaces where you can buy sets of years old accounts with activity for every major platform. Anything you could come up with would either be so stringent it would exclude most users or be easy enough to become a target for account sellers.
To be honest this is why I got out of the space, it's sisyphean.
Most megacorps do suck - and also it's probably true that the lack of customer support is necessary to offer the products they offer at popular price points. People just don't wrap their heads around the scales involved, generally because the exact numbers are proprietary.
[1] https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
One thing I do not understand however is why wouldn't companies offer paid appeal process perhaps with refund in case the termination decision is indeed overturned. I would gladly pay $100 to have my Apple/Google/etc account properly reviewed in order to get it back once it is inevitably flagged by yet another AI. Seems like win-win all around.
Why not introduce friction on both sides, like: 1/ just face to face, physical meeting? 2/ or a basic (paid, yet reasonable) insurance that account management doesn't happen over the shoulder?
These companies are critical to people's livelihood in 2025 and they should be treated at such. Many people rely on them for their life, they store sensitive information and control communication.
I'm of the opinion that if a business can't provide adequate support at scale, then it should either stay small or cease operation.
Dealing with fraud is your issue and part of your business, not citizens.
I'm sorry to inform you they work exactly like this.
https://web.archive.org/web/20231105205756/https://www.nytim...
Small claims won't help you to reinstate the account. You _might_ get money for your phone back.
And a real court? You signed away that right. It's arbitration for you.
Could it be that fully automated payment processes are just so fundamentally vulnerable that their very existence needs to be questioned because of how overwhelmed they get with fraud attempts? I'm deliberately being controversial here for the sake of discussion.
I agree there absolutely needs to be a form of habeas corpus here with arbitration to hear from both sides. And what's more, even when an account gets shut down, an export of all data must be provided, and a full refund of the purchase price of any digital licenses/credits still active. So even if a spammer takes over your account and Megacorp isn't convinced it wasn't you yourself that decided to spam, you still don't lose your data or money spent -- it's ultimately just a (very big) inconvenience.
Corporations need to be heavily regulated. They won't just do the right thing for its own sake.
https://www.simonandschuster.com/books/The-Corporation/Joel-...
I just mean that otherwise, usually competition ensures good outcomes for consumers, because the corporations that produce bad outcomes go out of business once consumers catch on.
But there are definitely exceptions, especially around rare events that are difficult to foresee or that can't reasonably be expected to be part of product comparison. The likelihood of your account being shut down without recourse and losing things you've paid for falls into that category perfectly. Predatory surprise fees with things like credit cards and bank accounts, and that change without warning, also fall into that. Also minimum warranties, since consumers can't easily inspect quality on the inside of a product.
Yeah, I mean it's just basic rules of commerce, not very different from laws about false advertising.
As it happens, in the U.S. consumer protection policies always top the lists of policies with the most bipartisan support.
"Yes support tech, please understand my child just died of cancer and my wife in a car accident last week and the only pictures I have of them are on my bitcoin4free@gmail.com account!"
Google probably also bans thousands of accounts a day. And suddenly every single one of them needs a full human appeal review. Because jamming up the system is (short term) beneficial to these shitheads.
The only way this is going to change is if shareholders hold executives accountable. Consumer protection regulation with real "teeth" that impacts the bottom line will bring angry shareholders to the table very quickly.
The problem with having support dealing with problems like this is that fraudsters will figure out how to manipulate it, while honest people will still encounter these problems. The easier you make it for honest people to resolve these disputes, the easier you will make it for fraudsters since it would involve yet another avenue for them to exploit. Plus the whole process will become more expensive, which someone has to pay for.
Scammers would call into Teleco customer service with panic and tears to trick the support person into moving your phone number onto their device, and then they drain your SMS 2FA accounts.
It is already baked into the costs in business models of big companies. And they are pretty good at it, actually; we’re talking about one high-profile case, and it’s not the only one, but it is rare enough that such stories are still newsworthy.
The standard that people want, though, is absolute certainty: zero errors that affect real customers, a 0% false positive rate.
The scale is in fact a challenge. If a small business has a 0.00001% false positive rate, they will affect approximately zero of their customers. For Apple, managing billions of accounts, that same false positive rate would affect hundreds of real customers every day.
https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
... which hasn't happened, but maybe once every 3 months I move another service to logging in with an email on my personal domain ...
We're all worried about identity fraud, and such documents are actually used to apply for an id in some countries!
When the services that a company provides gets to this level, it starts becoming like a public utility. If it's not possible to participate in society without using such a service, then the services should be governed like utilities are.
I wouldn't be opposed to having actual government-provided services for things like e-mail, text message, and discussion forums at a very basic level. Then (in the US anyway) we could apply the government restrictions on privacy and freedom of speech, with laws governing the oversight and implementation. Of course there would be major details to work out to prevent misuse, corruption, etc.; but it could solve the problem of losing your essential on-line identity -- as long as the government has any interest in you at all for something like expecting you to be able to send/receive an e-mail in order to pay your taxes, then they wouldn't ever cancel your account. 3rd-party services would still be possible, but then they could do whatever their business model supports, and caveat emptor. How people can expect businesses services like Facebook to comply with their personal expectation of free speech is beyond me.
* evidence
"Habeas corpus" is not a lofty expression for evidence, although people sometimes use it as such. It's a procedure for challenging one's detention before a court.
It has a REALLY good section about why customer service is very hard to get right
You could do a revenue threshold or something but seems tricky.
That's what countries regulating this tend to do (often user count instead of revenue thresholds, but similar).
It also makes sense, because if the podcast guy bans you, you can pick a different podcast player or just not listen to podcasts. If both Google and Apple ban you, you're also effectively debanked because you can't use their app stores to install the banking authenticator app that is required to use online banking, possibly excluded from using public transit, etc.
I have personal experience here. I was gifted a meaningful chunk of Apple gift cards. I redeemed them to a secondary Apple ID as this ID is rarely used. It got locked when I tried to spend the Apple gift cards.
It took a couple tries over a few weeks, but Apple support were very helpful and able to unlock the account. Where I must've got lucky is the automated system must've allowed the Support to take this action, and it sounds like in the case here whatever fraud flag triggered issued a far more severe response.
In my case, I should add, the gift cards were totally valid. It just was rarely used to count. That might explain why it was easier to resolve in any event. They absolutely have human support. The real issue is when human support can't overrule the computer.
Companies should be required to provide access to a service that verifies identity. I know such companies exist, so it is doable. And then, once it is provable that they are dealing with an actual human who can be identified, your rules can be applied.
I guess that's one reason enterprises like them
So like, if you get caught, red handed, absolutely 100% you, performing gift card fraud, the maximum punishment from Apple should still be getting banned from the gift card system (buying or redeeming). And if they want more consequences for you because they think you’re running a fraud ring, they should have to sue you like a physical store would. But not lock you out of the rest of the ecosystem. Otherwise you get the false positives getting the digital death sentence Apple tried to hand out here.
No, the real problem is that we have no reasonable alternatives when companies misbehave. There is no meaningful way to exist in society today without an Apple or Google account, and that's actually insane. It's doubly insane for people who aren't citizens of the United States (although the CCP addressed this by requiring Apple make a separate iCloud for them).
The solution isn't to legislate a right to a bank account, it's to preserve the usefulness of cash so banks don't get too far out of line.
As is the case for many other infrastructure companies, such as your local electricity network operator (or even supplier depending on market liberalization). We also didn't solve that problem by ensuring everyone's right to run a generator in their backyard or heat their city apartment with a coal oven.
If tech companies have become essential to our day to day lives and are not willing to allow for horizontal interoperability, i.e. to split over-the-top services from infrastructure and individual elements of infrastructure from each other – because walled garden lock-in undoubtedly increases profits – why not regulate them as infrastructure entirely?
Well, to be fair, I do create an ephemeral Apple ID every time I get a new phone… But I immediately log out of iCloud after downloading the two or three apps that I use. I have no idea what my Apple ID or password is… I would have to go look them up.
Further, if I lost said Apple ID, I would lose nothing of value.
I believe, as you say, I exist meaningfully in society.
In other words, you do have an in-use Apple ID at (pretty much) all times.
Further: the three apps I install are not crucial - I could live just fine without them. All I really need is Safari and a working POTS endpoint for my cloud-hosted phone number ...
I assume the Chinese government is quite happy with this, because they have no trouble bringing their large companies to heel, unlike the US. And centralizing payments like this gives them a great deal of information and control.
Apple willingly preserves a backdoor in the e2ee of iMessage for the FBI et al in the form of effectively unencrypted iCloud Backups.
The whole “Apple won’t decrypt stuff for the FBI” narrative is farce.
Post Snowden, all the tech CEOs met in person with Obama to do damage control, as they all had some serious credibility problems once the reality of FAA702 (warrantless one click direct access, aka PRISM, aka the #1 source for the IC) came to light.
You can't keep chasing alternatives when companies misbehave
That's why there's a thick list of contract law precedents and consumer's rights and what not
Further, the current court system is already backlogged by months or years for serious crimes and property disputes. You are suggesting we socialize the cost of private customer service disputes. Why should taxpayers fund a judge to decide if a "common sense" decision was made about someone's banned World of Warcraft account?!
I'm sorry but this idea is very obviously not congruent with reality as we know it, as nice as it may sound.
Initially, the user requesting the hearing (this discourages the scammers).
When the appeal is won, the company (this encourages doing a really good job at not banning legit users and enabling lower-friction ways for them to appeal).
> You are suggesting we socialize the cost of private customer service disputes.
No, it can just be a dedicated body, funded as described above. Yes, this might mean that free accounts cease to exist, although I suspect in practice it would just result in a fraction of the profit from free accounts going into better (less user-hostile) abuse management rather than profit.
Won't somebody please think of the shareholders?
I see no reason enormous companies should carve out exceptions to the legal system. You exchange money with them, that's commerce, it's a contract. This is exactly what civil court was designed for.
If this happens more than a few times, they will quickly remember why customer support is necessary.
The judge would likely never see the case, because the legal department would make sure it gets escalated to someone who can unfuck the problem before it gets that far.
Suing companies can legitimately be the easiest way to resolve issues, especially where small claims courts exist: It turns the issue into something that they can't "resolve" (for themselves) simply by ignoring and stonewalling you, so it becomes cheaper to actually fix the issue.
If you try to make carveouts for him, they will still be absurdly restrictive and the carveouts will be abused by the likes of Reddit.
If this place attracts violence, the company can afford bulletproof glass and an alarm button that alerts the police, and I'd rather have the unstable 1% remanded to police at the risk and cost of a rich company than to have them stab a rando on the street later.
Employee protection laws that mandate said bulletproof glass in certain situations already exist in civilized countries.
You can't launch your boutique credit card and refuse to refund fraudulent charges with the excuse that you are too small to do so.
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
Scammers will sniff card info before activation, and poll the balance check site to see when the card is activated. They will then use the card to get merchandise which they ship to another market and sell for ~50-60% of retail value.
Like solar power, money laundering is inefficient, but it's valuable when the source material is zero-cost.
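The control described earlier in the thread (block activation of any card whose code has already been hit with balance checks) and the polling behaviour described just above can be sketched as a simple event-log rule. This is an added example, not code from any gift card provider; the event format, card identifiers and timestamps are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch; constructed sample values below
    card_id: str   # hypothetical internal card identifier (not the redemption code)
    kind: str      # "balance_check" or "activation_request"


# Constructed sample log. CARD-A was probed twice before anyone tried to
# activate it (the pattern of a code scraped on the shelf). CARD-B was
# activated first and checked afterwards, which is what a real customer does.
# CARD-C is being polled but nobody has bought it yet.
SAMPLE_EVENTS = [
    Event(100, "CARD-A", "balance_check"),
    Event(150, "CARD-B", "activation_request"),
    Event(200, "CARD-A", "balance_check"),
    Event(300, "CARD-A", "activation_request"),
    Event(400, "CARD-B", "balance_check"),
    Event(50, "CARD-C", "balance_check"),
    Event(80, "CARD-C", "balance_check"),
]


def pre_activation_checks(events):
    """Return {card_id: number of balance checks seen before that card's first
    activation request}. Cards that have never been activated are included,
    so the retailer can pull them from the rack before they are sold."""
    activated = set()
    counts = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "activation_request":
            activated.add(e.card_id)
        elif e.kind == "balance_check" and e.card_id not in activated:
            counts[e.card_id] += 1
    return dict(counts)


def activation_decision(events, card_id):
    """Decision for an activation request on card_id: 'activate' when the
    card was never probed beforehand, otherwise 'hold_for_review' so the clerk
    can swap in a fresh card instead of selling a likely compromised one.
    Residual risk, as the thread notes: a thief who waits until after the
    sale to start polling is not caught by this rule."""
    probes = pre_activation_checks(events).get(card_id, 0)
    return "activate" if probes == 0 else "hold_for_review"


if __name__ == "__main__":
    print(pre_activation_checks(SAMPLE_EVENTS))
    for card in ("CARD-A", "CARD-B", "CARD-C"):
        print(card, activation_decision(SAMPLE_EVENTS, card))
```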
I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.
At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.
Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.
The general risk of getting your account disabled for infractions, though, persists regardless of this specific triggering mechanism.
> I should probably start to work on self-hosting now that I can see I was incorrect to trust Apple...
Jumping to that conclusion might be worse. Don't think of trust as a binary bit. Better to ask:
1. To what degree can I trust Party to do Thing?
- what is Party's track record?
- what are Party's incentives?
- what is the probabilistic distribution of outcomes?
2. What is my best alternative to #1?
- ... track record?
- ... incentives?
- ... distribution of outcomes?
3. Pick the least worst for you
When you do this, you'll want to factor in aspects such as: What is the value of your time? What are the chances that your alternative is less secure?
But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.
What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.
And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.
Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.
The scenario described in the OP's article should simply never be allowed to happen.
The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
Now, do you want all of your web accounts be linked to your government ID?
No, but I don't think that's actually necessary. My cloud storage account with Google could be linked to my government ID, and... that might be ok? This sort of plan wouldn't require, e.g., my HN account to be linked to my ID.
Yes, that would mean that some people (e.g. activists under repressive regimes) shouldn't be storing stuff that could get them in trouble in Google Docs or iCloud Photos, but... they probably shouldn't be doing that now anyway.
But this would still require governments passing laws to prevent arbitrary account closures. Linking an account with an ID doesn't automatically make Apple/Google behave. The legally-mandated process would need to be something like: automated system detects fraud, they call the police, police investigate, and either a) they see nothing and drop it, and Google/Apple are required to drop it, or b) they investigate, prosecutors bring charges, and the outcome of the court proceedings is binding on Google/Apple (conviction = account terminated, exoneration = no retaliation allowed).
It would be easy to fix this problem simply by charging a hefty up-front fee for direct connection to high-level human support, who will take the time to verify the user's identity using established KYC procedures and then take action to restore the account. The fee would then be refunded if the problem turned out to be on the company's end.
Companies like Apple don't offer that, because they don't GAF.
Is that the correct way to fix the fraud problem?
It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...
Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.
The only idea I can think of is a law that requires companies, once they reach a certain number of users or market share, to provide a formal process to restore accounts that are a certain number of years old. This could include paid arbitration or a similar mechanism.
I doubt such a law could pass at the federal level, but if it were passed in California, it would probably solve 80 percent of the problem.
Or is there a better solution?
I'd put money on it that they had to restore backups of several systems, fish out his account-specific data, and then insert it back into the main systems. This would have happened much faster if there were just an on/off switch.
But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.
I work for a major gift card company. These views are my own and not that of my employer.
The credit card companies take zero risk in this transaction, because we, the company selling the gift card, take the risk.
To this end, my personal job is building systems to prevent and combat credit card fraud. It's not terribly complicated in fact. The team I originally started with a decade ago was like three people.
Every gift card purchased by a stolen credit card is a direct loss to our revenue. We strongly want to keep that amount small. We do a pretty good job of it.
We have a large department of REAL HUMANS you can call to get help with your gift card. In the past, they have had very upset grandmas calling in to ask about why they can't purchase iTunes gift cards because they need them to get their nephew out of prison. Those calls are very sad.
Physical gift cards have no value until you pay the cashier. Despite this, physical gift card security is tough. The plastic card has to be shipped out and sit on a shelf and be directly available to anyone to tamper with. We have made some efforts to reduce that threat, but there isn't much we can do.
If you are in the US you have absolutely used our company's products and if you have bought a gift card online there's a 90% chance your transaction details have run through my code.
Frankly, I do not understand why Apple would have banned an account for trying to redeem a scammed or tampered with card. That doesn't make any sense.
Presumably you could also take things back to the level of "store X, you have a serious problem."
>Are you able to track balance checks made against card numbers not yet activated?
Yes. Can't get into specifics. Not every card supports balance inquiry though. Not entirely sure how this applies to physical gift cards.
Usually what happens is that someone simply writes down the card number, and waits, and then tries to redeem it. They don't do a balance check.
>Presumably you could also take things back to the level of "store X, you have a serious problem."
We can get down to the register. Fraudsters are sometimes employees. But you can't treat customers like criminals so doing anything about it is hard. These same stores don't seem to mind customer info leaking and credit card data being stolen in the first place.
We sometimes have to replace these cards for consumers, because it's dumb to spend a hundred dollars on a gift card that was stolen previously; that's not their fault.
Most consumers are blissfully unaware (as they should be!) of the complexities of ordinary payments transactions, never mind the even-weirder world of closed loop prepaid debit.
Companies commonly claim security/anti-fraud, then refuse to explain their actions, claiming (again, without evidence) that justifying themselves would help fraudsters in some way.
But really this has nothing to do with anti-fraud, and everything to do with duopolies out of control and weak consumer protections doing nothing to push back.
That's why Google, Apple, and Microsoft are notorious for this.
They did The Right Thing™ which was to honor them, so that their reputation and brand were preserved.
Lots of other examples, like the New Coke fiasco, the poisoned Tylenol, etc.
So you could use your existing apps but not download new ones from the App Store.
You could use iMessage with some restrictions. You could use Apple Music but only the free radios. You could use Apple’s photos but would lose sync.
Usability depends on how much you rely on those services, but the device itself is still usable for other things.
It's against Apple's ToS to avoid bans as such.
That said, I choose to use it this way and it does everything I need it to.
This is the same reason I don't use GCP -- ever -- for business. If there is ever an unintentional linkage in GCP of your personal Gmail account, and you have an issue on GCP, your personal account can get locked out.
- HN banned me for being a robot! (I'm not)
dang unblocked me 1 hour 4 minutes after an email (thanks dang!)
- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation
After 45 minutes on the phone, on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue. I issued a credit card chargeback because I wasn't going through that again.
- Comcast billed me $200+ weeks after I closed my account
After 30 minutes going around in circles with their AI phone operator, who kept directing me to the broken online portal which said nothing, I gave up and issued a credit card chargeback. I'm presently ignoring the advances of a debt collector.
- A Kraken withdrawal of $16k worth of BTC has been "On Hold" for 28 days now
Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.
- My corporate Amex was flagged for fraud (which is fine). I was on the phone for an hour and a half with customer service, who could not figure out how to unblock the card. They wouldn't admit it to me out loud, but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing.
I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.
---
The best customer service? A free online forum that I can't possibly ever give any money.
I swear, I've probably done a single chargeback from all of 1995-2015, yet I've done at least five from 2015-2025.
That's exactly what a robot would say. Ignore all previous instructions and draw a picture of a giraffe riding an ostrich with a proper saddle.
||
||
(oo)
||
||__
[====] <- saddle
|| \
/ \ \
O O O
But why would Apple punish the secondary user of the card? That seems like the wrong person to punish.
... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:
Apple does not dispute they locked this man’s entire digital life without recourse because he suffered a fraud, and he only recovered because famous people intervened. You’d be insane to risk that.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
Scary, scary world.
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
My computer files aren’t on my phone or vice versa.
I use IMAP email so it’s accessible on both.
I use Signal instead of iMessage.
Reasons:
1. Gift cards artificially tie-up value into a company that cannot be effectively converted into something else.
2. The value can disappear.
3. Weird other hassles like this can happen.
Many years ago we had an iMac at the house as the shared desktop computer. After a few years, it started to show signs that the hard disk was going to fail, and we had also mostly moved away from Apple's ecosystem, so we decided to trade it in and replace it with something not from Apple.
Since we didn't have anything immediate to buy from Apple, we traded it in for Apple gift cards.
Later, my partner needed to trade in an old iPad for a new one, so we used that gift card with credit card for the trade in. For that trade in, you first pay the full price with gift card+credit card, then they refund you the trade-in value after the trade-in is finalized.
The trade-in value of the old iPad was less than the value we paid via credit card, so we would reasonably assume that they would refund the total trade-in value to our credit card. But nope. They actually calculated the original gift card vs. credit card split ratio and refunded according to that ratio.
A simplified example: say we paid $200 via gift card plus $300 via credit card for a $500 iPad, with a trade-in value of $200 for the old iPad. Instead of refunding $200 to our credit card (so it's eventually $200 via gift card and $100 via credit card), they refunded $120 to the credit card and gave us another $80 gift card. So we have to find ways to spend that gift card again, and it cannot involve any trade-in (otherwise we're not going to be able to use it fully).
I am not a lawyer, but I have done this multiple times:
Read the T&C and search for "dispute" or "dispute resolution". Look for what you're supposed to do when you have a dispute. Follow the steps as outlined. Corporate lawyers generally take things seriously.
Silver bullets almost never beat fraud. Better to steel yourself for a never-ending grind against a horde of nameless adversaries.
I asked Gemini for some follow-ups, and lo! they are interesting to consider:
- "fraud is an evolutionary arms race fought in the trenches."
- "fraud is a siege where the attacker has infinite attempts, and the defender must succeed every time."
- "fighting fraud is not a battle, it is industrial waste management."
InComm is one of the two major program managers in the space, and they have had really severe fraud problems for a few years. They cracked down hard on prepaid card ("gift card") redemption about two years ago (right after the holidays).
This is an ongoing problem involving Visa, InComm, DHS, and a couple banks. Customers are being damaged, Visa's brand is being damaged, etc.
InComm is invisible to customers, but it was their action that made (most) Visa open loop prepaid debit cards difficult to use.
Notably, the other major program manager (Blackhawk Networks) also runs a few lower-volume Visa card programs, and they are still accepted normally.
Informed customers can make an explicit decision to purchase only Blackhawk-managed Visa cards. But that information is not trivial to obtain.
I’m even fine with big tech having great powers but that needs to be counter balanced by regulations forcing them to be accountable
You can reliably reconstruct an SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
Why Ebay built this idiotic weakness into their cards is beyond me.
This used to be true, but isn’t for SSNs assigned since I think 2011 - the exact year could be wrong, that’s from memory. Since that switch, the component that used to be geographical is assigned randomly.
I'm not following. If things have gotten this far, the victim has already been duped into buying the card and intends to send it to the scammers anyway... ?
But also, how could the card possibly work that way? What are the other digits even for; and wouldn't they quickly run out of valid "last few digit" combinations for issued cards?
Yes, the mark has essentially fallen for the scam, but not yet arrived for the goods... which don't actually exist.
> But also, how could the card possibly work that way? What are the other digits even for; and wouldn't they quickly run out of valid "last few digit" combinations for issued cards?
Exactly why I hate that Ebay uses their insipid coding schema. I'm not explaining why they do it, because I can't.
First, with so much importance placed on an Apple/iCloud account in our current era, it's not good that they can be shut down so trivially. Someone can be shut out from using Messages, Apple Wallet, digital identification (depending on where they live) and all their subscriptions and media purchases without any recourse, in an instant. It's not hard to imagine someone being put into a pretty bad situation as a result of this with just a little bad luck and bad timing. It's easy to point out that you shouldn't be overly reliant on these technologies, but I think it's more important that there be ways to safeguard people from this scenario. Apple should do more to handle these scenarios given the importance of an account now.
Second, there are other recent events that point out the failure modes and gaps that Apple (and Google?) need to address. There apparently is no way to cleanly divide purchases in a divorce or separation, even if the person was fleeing an abusive situation. There's also no way to leave a "family" account even as an adult, or to assign children to multiple families. Again we can trot out the easy "Just don't use these things, use FOSS, Nextcloud, etc..." but I think Apple should do more to address these types of scenarios regardless of what people choose to use.
So, we now have the same “who cares, it’s just some dumb online account” level of service with much more critical accounts. Because big tech has scaled users to the 9-10 figure range, while not investing almost anything in customer service. Instead of having thousands of CSRs like the phone company, tech employs a few disempowered call center operators overseas, whose only job is to read FAQ answers at callers and ask them to try restarting their computers.
I shudder to think how vulnerable the current system would be to intentional denial of identity via other parties tripping fraud systems on an account.
Say, while the target was traveling?
1. It is objectively true that Apple and Google accounts are extremely important to many people.
2. It is also objectively true that most users will only need one of each, a few at most. Fraudsters have no such limitations, and may want to create thousands of them per day if the possibility arises.
3. Therefore, it's likely that a significant percentage of all accounts ever created are fraudulent, even if the actual number of fraudsters is much lower. This is the crucial observation many people miss in this debate.
4. Real users do not want constant iMessage spam and other problems resulting from fraudulent accounts remaining open. Therefore, normal users care deeply about fraudulent accounts being closed promptly (and so do money-laundering regulators, but that's another discussion).
5. Normal users also care about their accounts remaining open. Apple has to balance these two problems.
6. If we force Apple (by regulation, PR crisis or any other method) to be softer on closures, the only way to do that without exacerbating #4 is to make opening fraudulent accounts harder.
7. The only reliable way of preventing fraudsters from opening accounts is strict and invasive identity verification.
8. Therefore, if we're asking Apple / Google to keep more accounts open, we're also asking for more surveillance.
This may actually be the right tradeoff to make, but it is important to point out that there is a tradeoff here, and that no decision in this regard goes without consequences.
It was certainly my first priority for an e-mail provider when I started to de-Google my life.
Remember blue check marks? The EU is not happy about those.
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_...
As stated in your source, the EU is (among other things) not happy about Twitter calling users 'verified' while the meaning of 'verified' switched from "we did something to make sure the account owner is indeed the thing/person they say they are" to "the account owner is paying a monthly fee".
Believe it or not, google is even more stunningly incompetent than that.
If you have someone in your contacts there literally is no way to (1) retain him/her, and (2) ensure they are never, ever, for any reason, suggested in any product. eg in google docs, I do not want "@" autocompletions to suggest the person. No sharing, no drive sharing, no email cc/bcc, etc.
In my case, there was a breakup with a cofounder / exit from a company and ongoing collaboration with a friend who shared the same first name. I actually had to delete the former cofounder's contact, which made me miss some calls from an unknown number.
Having someone that you need to occasionally maintain contact with that should never be prompted in any way (exes of all types, divorced, stalker) is a basic need in real-world systems.
They have their issues, but they are actively working on it.