This fiasco stirs up a lot of different topics for me, none of which seem like they are likely to be resolved anytime soon.
First, with so much importance placed on an Apple/iCloud account in our current era it's not good that they can be shut down so trivially. Someone can be shut out from using Messages, Apple Wallet, Digital Identification (depending on where they live) and all their subscriptions and media purchases without any recourse, in an instant. It's not hard to imagine someone being put into a pretty bad situation as a result of this with just a little bad luck and bad timing. It's easy to point out that you shouldn't be overly reliant on these technologies but I think it's more important that there be ways to safeguard people from this scenario. Apple should do more to handle these scenarios given the importance of an account now.
Second, there are other recent events that point out the failure modes and gaps that Apple (and Google?) need to address. There apparently is no way to cleanly divide purchases in a Divorce or separation, even if the person was fleeing an abusive situation. There's also no way to leave a "family" account even as an adult or how to assign children to multiple families. Again we can trot out the easy "Just don't use these things, use FOSS, Nextcloud, etc..." but I think Apple should do more to address these types of scenarios regardless of what people choose to use.
Absolutely. The current level of service these companies provide is functionally identical to what would have existed 25 years ago. Losing your Apple account would have been a minor annoyance - the relationship involved trivial amounts of money, and wasn’t deeply integrated into anyone’s lives. Even if you lost an email address, losing access to it wouldn’t have locked you out of hundreds of important accounts, and any important accounts would probably be easily updated to a new address with a phone call, and likewise for a few friends. If you got fully locked out forever, it really wasn’t important.
So, we now have the same “who cares, it’s just some dumb online account” level of service with much more critical accounts. Because big tech has scaled users to the 9-10 figure range, while not investing almost anything in customer service. Instead of having thousands of CSRs like the phone company, tech employs a few disempowered call center operators overseas, whose only job is to read FAQ answers at callers and ask them to try restarting their computers.
1. It is objectively true that Apple and Google accounts are extremely important to many people.
2. It is also objectively true that most users will only need one of each, a few at most. Fraudsters have no such limitations, and may want to create thousands of them per day if the possibility arises.
3. Therefore, it's likely that a significant percentage of all accounts ever created are fraudulent, even if the actual number of fraudsters is much lower. This is the crucial observation many people miss in this debate.
4. Real users do not want constant iMessage spam and other problems resulting from fraudulent accounts remaining open. Therefore, normal users care deeply about fraudulent accounts being closed promptly (and so do money-laundering regulators, but that's another discussion).
5. Normal users also care about their accounts remaining open. Apple has to balance these two problems.
6. If we force Apple (by regulation, PR crisis or any other method) to be softer on closures, the only way to do that without exacerbating #4 is to make opening fraudulent accounts harder.
7. The only reliable way of preventing fraudsters from opening accounts is strict and invasive identity verification.
8. Therefore, if we're asking Apple / Google to keep more accounts open, we're also asking for more surveillance.
This may actually be the right tradeoff to make, but it is important to point out that there is a tradeoff here, and that no decision in this regard goes without consequences.
iCloud is overrated, it was not encrypted at rest for ages. I much prefer using Time Machine and keeping the passcodes in a PW manager, and maybe a safe deposit box as a backup.
I’m realizing maybe I should just use Amazon or iCloud AND Google Photos for backing up my images. My whole life is in Google Photos. I could lose it from something stupid and never even have a person to contact about that.
Shutterfly will upload all your photos and store them for free if you buy a few magnets on sale now and then. Works from iPhone well enough and it's my "third backup."
> There apparently is no way to cleanly divide purchases in a Divorce or separation, even if the person was fleeing an abusive situation
Believe it or not, Google is even more stunningly incompetent than that.
If you have someone in your contacts there literally is no way to (1) retain him/her, and (2) ensure they are never, ever, for any reason, suggested in any product. E.g. in Google Docs, I do not want "@" autocompletions to suggest the person. No sharing, no Drive sharing, no email cc/bcc, etc.
In my case, there was a breakup with a cofounder / exit from a company and ongoing collaboration with a friend who shared the same first name. I actually had to delete the former cofounder's contact, which made me miss some calls from an unknown number.
Having someone that you need to occasionally maintain contact with that should never be prompted in any way (exes of all types, divorced, stalker) is a basic need in real-world systems.
I suspect the underlying problem is that the gap between legitimate use of gift cards and fraudulent use of gift cards is just not very large...
Years ago I briefly played around with "manufactured spend" (on credit cards, to earn frequent flyer miles).
There was one specific loophole, with one specific gift card provider, and it was a doozy. You could earn credit card points on spend, plus supermarket loyalty points on spend, by buying gift cards from one specific provider which could be cashed out at face value (ie no fee at all) immediately to a specific type of savings account.
So, of course, world+dog was buying these things like it was the end of the world.
As I sat in a hotel room one evening rubbing the security codes off the latest batch of cards before redeeming them one-by-one into my savings account, it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering, but it would take some time to explain exactly why not...
The loophole was closed relatively quickly, and the gift card provider gave up.
I did this ages ago to build up airline points and take a nice trip to the EU.
Back then, the trick was to get a generic Vanilla Visa or other prepaid credit card. A recent legal ruling meant they had to be run as a debit card for... reasons... I forget them.
But a lot of grocery stores would sell you a money order up to 500 bucks for under a dollar with a debit card (not a credit card).
So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
Subtract ~$5 for the GC and ~$1 for the MO and you could manufacture about 500 bucks in spend. And the best part? You could take that money order to your bank, deposit it, get the funds immediately, pay off your balance, then rebuy.
In one afternoon I earned enough points for a first class flight to a fancy European city, and eternal side eye from the grocery store clerks who were convinced I was up to something but couldn't put their finger on what.
>Back then, the trick was to get a generic Vanilla Visa or other prepaid credit card. A recent legal ruling meant they had to be run as a debit card for... reasons... I forget them.
Interchange fees, probably. Otherwise the credit card companies are taking a 2-3% cut.
>So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
I don't know how this ever could have worked considering that "cash-like transactions" are counted as cash advances, same as if you were to use your credit card at an ATM.
You're not running it as a credit card, and it's not a credit card -- you can't do a cash advance on a gift card. But they sold ones that were accepted anywhere visa or MC is accepted rather than specific stores.
> but it would take some time to explain exactly why not...
Not really:
"I'm churning credit cards for the rewards points. Here are the receipts where I use $10k from account A to purchase $10k worth of gift cards. Here are the statements where I deposit $10k of gift cards into account B. Here is the statement for the $10k wire from B to A. And here are the receipts for the next round of gift cards I purchased. Any further questions? I have $10k of gift cards to redeem."
> the gap between legitimate use of gift cards and fraudulent use of gift cards is just not very large.
And many legitimate uses of gift cards may actually have been fraudulent somewhere up the chain.
Imagine a scammer who sells their cards to real users (perhaps through one or more less-than-scrupulous intermediaries willing to buy them in crypto without asking too many questions). If the victim comes to their senses and somehow gets those cards reported and blocked as fraudulent, unsuspecting users will get into trouble.
> it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering
But it is money laundering, that's what manufacturing spend is. It's not money laundering to hide evidence of a crime, but it is money laundering for the purpose of hiding the fact that you didn't engage in commerce in the process of spending money on a credit card to earn a reward. It's indistinguishable, only because we criminalize behavior not only on its base but due to its intent.
We criminalize behavior based on whatever we feel like, based on our cultural expectations of what is allowed. That's what "we criminalize behavior not only on its base but due to its intent" and "considering the context" is all about. That's why we have juries. We reserve the right to break the rules if public opinion allows, based on our feelings. It turns out that justice in practice is not so blind.
For example, we feel like it is fair for credit card companies to monopolize payment systems, charge fees to businesses, and use a portion of the money from this scheme to set up this bullshit reward point system.
But to undermine this system is criminal, because the system is established, but undermining it is novel and therefore disallowed. Any new way to play the game is breaking the rules, because the purpose of the system is what it does.
I wasn't trying to write a fully formed political dissertation, so I'm not really sure what you were expecting in response to this comment? My point was that the GP was describing their behavior as "indistinguishable from money laundering", because it technically is a form of money laundering (the act) even if it's not money laundering (the crime). Intent is what turns the act into a crime, specifically in the case of money laundering.
It's not illegal to buy a few beers every evening from a bar you own out of your own pocket, and then book that revenue, pay taxes on it, and then ultimately collect a distribution of the profits as the owner of the business. It is illegal to do the same thing if the money you took out of your pocket came from selling drugs.
> Update 18 December 2025: We’re back! A lovely man from Singapore, working for Apple Executive Relations, who has been calling me every so often for a couple of days, has let me know it’s all fixed. It looks like the gift card I tried to redeem, which did not work for me, and did not credit my account, was already redeemed in some way (sounds like classic gift card tampering), and my account was caught by that. Obviously it’s unacceptable that this can happen, and I’m still trying to get more information out of him, but at least things are now mostly working.
It’s great that it has been resolved, but I’m still baffled by a number of things:
1) Why would redeeming a bad gift card result in a complete shut-down of the account?
2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
3) Should companies be restricted from growing too large where they can’t support their customers?
In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example: my Facebook account was recently banned because a hacker accessed my account and uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20-year-old account was banned literally overnight without having any recourse. There’s no number or even any email to use. Maybe I can see if the Register will write it up… (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same… if they cared.)
Banks can’t legally just take your money and lock you out permanently. There are some actual regulations. Plus they have a proper handle on your actual human identity, which means you ought to always have a route to going somewhere in person and proving you’re the rightful owner of your money.
“Online” accounts have zero regulatory requirements, plus many of them aren’t necessarily directly paid-for, so they frame themselves as doing you a favor by letting you have it in the first place. And they usually don’t have a route to prove identity because they don’t record a legal identity (passport/SSN/etc) to begin with (not that that was an issue here, of course - in this case Apple didn’t dispute that they were the owner, just asserted that they were some kind of criminal.)
What I want to know is why does it always have to go straight from 0 to 100? There's seemingly no concept of proportion. For most online services, your account can be in one of two states: Totally good and "banned for life". There's no warning, no investigative period, no concept of scale (was the fraud $10 or $10,000?), no way to serve your time and come back if you actually were bad. It's just instant, silent BAN HAMMER.
As someone who worked in fraud, sometimes the $10 transaction is a primer for a 10k transaction that will really cost the company. When you don't know what's going on, you don't give a shit about the end user and the primary objective is to prevent the company from losing money; shut it down and sort it out is the easiest way.
Furthermore, without a physical presence where you could sit down with someone, this becomes more difficult to deal with. Truth is, Apple should have an option where someone could go to an Apple Store, verify ID and talk to someone with power, but they don't want to spend that money so here we are.
At the scale these companies operate and the number of actual scammers they block because of their 0 - 100 policies, I can see how they got there. I bet all of us have had the luck (?) of our card being blocked because someone out there was able to get a hold of the credentials. Collateral damage like this, as devastating as it is to the individual, is probably a drop in the bucket for the company.
I'm not excusing this. What happened here shouldn't happen, and there should be quick resolutions and explanations available to the aggrieved parties.
It's not just corporate policy, it's regulatory requirements in the US.
You must block financial activity, and you must not communicate any details to the customer, upon reasonable suspicion of money laundering activity. There's a process and a prescribed timeline for getting things resolved. There is no penalty for a false positive, but there are large penalties for false negatives.
Having watched hundreds of these things happen, all of the details point squarely to an AML problem. For closed loop gift card programs, the merchant, program manager, issuing bank, and possibly the seller all get involved. It takes time.
This doesn't require shutting off a user's access to their data though -- just preventing financial activity. Apple might not have adequately fine-grained permissions around account suspension to support this, and obviously they should fix that!
AML and fraud are different, and the regulatory requirements you're talking about are only one requirement for banks to follow; they have additional, internal policies of their own that may affect account and money access. If Apple isn't following a Suspicious Activity Report (SAR), then the actions are their own, and the policies are their own.
This is true, but potential money laundering is a UAR, and the issuing bank decides whether to turn that into a SAR (merchants do not file SARs, although at Apple's scale, the conversation between merchant and bank is continuous and both sides will have fraud and AML experts at every step).
The decision to create the SAR will depend on the outputs of the multi-party investigation, which is the thing that takes time and causes visible issues for consumers.
When money is concerned, any kind of suspected money laundering / fraud investigation generally requires you to pause that account until the check is complete. What happens afterwards will be down to the results of the investigation.
It's also unlikely there are just those two states. For many services there will be a number of factors involved, but it's purposely opaque to make it harder to circumvent.
My experience with YouTube was different. Two or three times, up to around five years ago, I got an email from them stating I'd done something wrong — used protected music/content etc. — and that this notification wasn't a strike but I should contact them and explain why they were wrong to put a hold on the video and they'd withdraw the notice. I did so and they then responded that the email was erroneous, all good.
Well for banks your account is usually tied to a local brick-and-mortar agency, where it's definitely someone's problem if a customer comes in and refuses to leave. It's one of the reasons I'll never go with fully online banks.
More important than "well-regulated" is that a bank account is very clearly tied to a single geographic jurisdiction where the bank's headquarters, as well as all its branches and employees, are located.
Apple would be much harder to regulate, as it wouldn't even be clear what jurisdictions should be involved in the process, and what a "change of jurisdiction" would entail. It would also create the opportunity for fraudsters to choose the jurisdiction which gives them the most consumer protections but has the loosest identity verification requirements.
> Banks [...] will face meaningful consequences for getting this wrong with any regularity
That's false, unfortunately. There's amazing levels of discretion that banks enjoy and minimal accountability to end users. The CFPB (in the USA, anyway) was a countermeasure but has been recently weakened.
> 1) Why would redeeming a bad gift card result in a complete shut-down of the account?
Because they assume you stole the gift card and are therefore a criminal. As to why they're making the assumption that you are the criminal, not the actual criminal who successfully redeemed the gift card first, you've got me. Since either situation is possible.
> 2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
I'm as infuriated as you are.
> 3) Should companies be restricted from growing too large where they can’t support their customers?
Size has nothing to do with it. Plenty of small companies ignore their customers too. So I don't think this is the right solution.
> In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access.
There are plenty of horror stories with banks too. I'm not sure they're that much better at all.
I know the headline you're referencing, but "only digital ecosystem"? I'm pretty sure accounts getting blocked is an issue with all of them. So I don't know what point you're trying to make. It's certainly not like Google is known to be any better.
Google's digital ecosystem doesn't doctrinally prevent owners from installing software or reflashing bricked hardware. Their OEM might, but iOS is the only smartphone ecosystem I've seen that enforces it universally.
But hey, at least Apple's universal lockout capability is able to deter theft! Every non-negotiable backdoor has a silver lining.
I feel like you're conflating three things -- software installation, account closure and disabled hardware.
Software installation has nothing to do with account closure, so I don't know why you're bringing it up.
Account closure doesn't disable your devices. You can set them up with a new account.
And if devices are disabled due to theft and can't be reflashed for sale on the black market, that is a good thing. I haven't heard any reports of people's legitimately purchased devices being disabled due to theft.
Clearly you have things you don't like about Apple, but I don't see what they have to do with the subject at hand, which is account closure.
On the subject of (1) I wonder if a complication in this specific case might be a variant of the clbuttic Scunthorpe problem that the last name on the account that redeemed a bad gift card included the word "Butt" and an algorithm or underpaid reviewer (or both) flagged it also as a suspiciously named account.
(2) and (3) remain great questions without enough good answers.
A core concept here is that of ownership. People think they own their accounts and data. Stories like these, and unfortunately the law, make it clear that they don't own anything. I personally think it is false advertising of companies to even hint at ownership. Words like 'buy' shouldn't be allowed since it implies owning. They should only be allowed to say 'rent' or 'grant a limited license'.
When you sign up for an Apple account, you aren't "buying" anything. In fact there is a set of terms & conditions you agree to when signing up which most likely includes language stating that your account can be closed with the discretion of the platform owner. What we need isn't a shift from "buying" to "renting", but instead something akin to a Consumer Bill of Rights that states that you are entitled to appeal account closure if you are in good standing and can prove as much.
This is really the consumer's fault for not reading a 5-billion word terms and conditions contract before they sign up for one of the two nearly-identical phone brands they need to operate in the modern economy.
I would rather the law make it such that you really are buying, than codify that you own nothing. The ambiguity isn't great, on that we agree, but why would you weaken the citizen's standing to remove it?
I want a tech shift to allow this concept. Ownership will require me to physically maintain my own data, or at least have the ability to do so. I really want personal cloud capabilities so that services like iTunes and others are required to be able to use my own personal, and completely independently maintained, storage. That way I could either self host or contract out, but then Apple would lose their vendor lock-in and services like iTunes would be forced to play nicer. The core problem is the iCloud lock-in/bundling. If I were looking at an anti-trust breakup I would start with this idea, forcing alternative cloud storage options.
Should people really not have the option to not-buy if they see other advantages in it? Should the idea of ownership being valuable be imposed upon citizens? (And if we all accept that it has value, could that not simply reflect in a price differential?)
Huh, interesting. Well, the only reasonable thing to do is to tell everyone that Apple gift cards are unsafe. I probably will do this. The problem with the “only buy from Apple Store” is that the recipient cannot ask for the source of the purchase without looking a bit ungracious.
So a blanket ban on Apple gift cards is probably the safest thing. I shall inform everyone in my extended family.
It's almost a rhetorical question, isn't it? Clearly, from both the original post, and this reporting, they are NOT safe to redeem.
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
> Strangely, he did tell me to only ever buy gift cards from Apple themselves
The Singapore Apple exec person who eventually reported the issue fixed provided the above advice, and I think it is the best advice given to anyone in this entire situation.
What can a normal person do? Only buy Apple gift cards from Apple, only buy Home Depot gift cards from Home Depot, et cetera.
That one piece of advice destroys a retail line of revenue that’s suffering massive endpoint fraud and removes the vast majority of risks to recipients of gift cards, and is simply explained to uninterested people that those conveniently-placed gift cards are bait cast by fishers for the unwary.
(I’d also sue the retailer in small claims court for selling a fraudulent product that didn’t perform as advertised.)
So… Apple's left hand isn't talking to their right hand, seeing as how they're the ones partnering with distributors like Blackhawk to sell their gift cards.
That's easy to say. [1] [2] [3] But reality is harder than that; keep in mind:
- Fraud is complex (many moving parts, many pathways)
- Fraud is adversarial (whack a mole, but worse)
- Fraud and revenue are two sides of the same coin [4]
P.S. The commenter doesn't state who "they" refers to: maybe issuers, maybe retailers, maybe both?
[1]: A drive for simplicity is important, in moderation. But here the quote seems to not appreciate the complex reality.
[2]: The response pattern "Then they are free to [foo]" is often part of a rhetorical technique to shift blame and/or responsibility to another party.
[4]: You can easily imagine a business where lowering customer friction increases both revenue and fraud. What is the ratio between them? How does it change over time?
Workaround I've experienced in practice: some stores only allow purchasing gift cards with cash. This doesn't allow online-only gift card purchases, so it's not a full solution, just a workaround.
Another way gift cards have been used is as a means of transferring "wealth" to anonymous scammers.
Dumb people were being scammed in Singapore, until the financial regulator here clamped down on gift cards altogether. It used to be trivial to buy Apple, Google, and Steam gift cards in Singapore convenience stores. They're no longer being sold anywhere.
I'm not sure how requiring gift cards to be bought with cash would help prevent that.
I'm not sympathetic to this point at all. As Patrick McKenzie says, "the optimal amount of fraud is non-zero"[0]. Yes, fraud causes problems for retailers and issuers. But in cases like this one, the result of overreactions and incorrect handling of fraud is severe, mostly-intractable problems for customers. Customers who end up having very little or no recourse.
McKenzie's point is more about how businesses need to accept a certain level of fraud because trying to stamp all of it out will be more expensive and more damaging than allowing some of it. But I'd go further than that: companies should be required to accept some amount of fraud in order to avoid harming their legitimate customers. It should be just another cost of doing business.
How is it zero traceability if Apple can see: 1. the credit card used to buy a gift card, 2. who exactly redeemed a gift card?
It can be traced; the problem is that they block accounts (probably using an FP-prone algorithm) even if a gift card was not purchased using a stolen credit card.
Apple only sees the credit card if you buy from them, if you buy from a retailer they don’t get that info.
To be clear, this is their problem, not the customer's.
Still, I’m curious what the scammer did in this case. If a retail worker just stole the card number it would merely be used up, not flagged as fraud. Maybe someone in the supply chain obtained the number and reported it lost/stolen? And used that to obtain a new card no one would complain about once it was used? Vs the original number which would result in a customer complaint. Idk.
It would be a suboptimal UX potentially (vs live funds on a physical gift card), but Apple could tie the gift card to an Apple ID at purchase with a QR code or something similar, and then permit gifting through the existing Apple ecosystem primitives. Apple could then enforce stronger controls as the value is transferred internally on their internal ledger. In financial services, it's all about tradeoffs.
I remember that article. It's wild the extent to which "anti-fraud" has captured companies, destroyed their UX, and seemingly directs all their actions. And when you criticize it, they blame KYC/AML and cry and act as though they have no agency. A very small tail is wagging the dog!
Tail size is fraud budget (loss) and appetite (loss+mitigation costs). The math is straightforward to determine how much fraud you're willing to eat on an annual basis. They still have customers and revenue, right? So not terribly wild imho.
> it’s worth calling out just how hard this problem is for retailers and issuers.
I'm having a hard time finding much sympathy. They could always, oh I don't know.. maybe just not sell gift cards? Or have a much lower maximum amount?
I mean yeah, you could take the view that technically the blame really lies with the people trying to use gift cards for theft, but that's not going to be productive.
You seem to be positing that retailers have no option but to issue gift cards and then deal with massive fraud. That's silly. How about not offering gift cards in the first place if you cannot manage the associated fraud without fucking over your customers?
It's simple: they're essentially free money. The worst case for them is that the recipient of the card uses the full amount of the card. In that case, the issuer "only" makes the full profit on those sales. Often they do better: the card is used partially or not at all, then lost or forgotten about.
You can see how lucrative they are by looking at promotions. You can often find deals where you can buy a $100 card for $90, or similar. Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
As for the fraud risk... do they even care? When gift cards are used for crime, the issuer doesn't suffer. Maybe they have to deal with upset customers, but that's hardly new. Most of the time, the gift card is bought legitimately, given to criminals, resold, used by the secondary buyer, and the only one who suffers is the unfortunate scam victim who bought it.
It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover. The fact that they don't bother should tell you everything you need to know about how important fraud is for them.
The merchant wants you to use the card, in all cases, always. Because statistically, you are likely to spend 30-40% more than the card face value, when you do.
The unused portion of the card sits on the merchant's balance sheet as a liability, for years, until they decide to recognize it as revenue ("breakage"). They prefer this over NOT selling a GC, of course, and some merchants (e.g. Starbucks, high volume, low ticket) make a ton of money on breakage. But in all cases, merchants greatly prefer their cards to be used.
You're also wrong about how the fraud works. Usually, the card is not purchased but sniffed prior to legitimate sale. The mechanisms for this vary, but a common method is to literally pull armloads of cards off of display shelves, open and repackage the carriers, then surreptitiously return to shelves for legitimate sale. This is purportedly the process for large organized crime rings based in Asia, mostly China.
And you're wrong about how easy it would be to fix. Packaging costs money, retailers have to be on board for activation, this has to be integrated into POS systems, and it all has to be very easy for consumers.
This is a hard problem at scale, and smart and motivated people on the merchant side, the program manager side, the bank side, and the law enforcement side, would love a simple solution.
...
What is not a hard problem, though, is that Apple should separate "AML investigation in process" from the user's ability to access their own data. This would turn a very large problem (for all involved) into an annoying inconvenience (for the customer).
Packaging costs money. Gift cards make money. Easy fix.
Stopping the theft you describe is very easy. Don't have actual gift cards just sitting around. Require customers to get them from the cashier at the time of purchase. Have dummy cards on display if you want them to have something to hold, or make them ask.
Of course these solutions aren't free. Adding friction to the purchase process will reduce sales. Retailers have clearly concluded, I assume correctly, that it's not worth the cost. Nothing wrong with that.
Don't confuse something being difficult to fix with something not being worth the cost of fixing. We can put a solid upper limit on the impact of fraud by looking at what it would cost to stop it, and conclude that the impact of this sniffing fraud is less than the impact of having cashiers exchange dummy cards for real ones at the time of purchase.
Note that this isn't a "this is easy, they must be idiots not to do this" sort of thing. The current approach is probably the smartest one, given how things currently work. If the incentives changed to make retailers bear more of the cost of fraud (say, legally putting the burden of proof on the retailer to show the card was used legitimately, otherwise they have to refund it if the customer alleges fraud), things would change quickly.
The program manager is responsible for retail placement and packaging. Their share of the revenue is small, but their liability for fraud is high.
Retailers (POS card sellers e.g. Safeway, as opposed to the card-branded merchant e.g. Apple), bear zero risk for fraud. Safeway can't police card validity -- if a customer brings the card to the cashier, they will scan it and the POS will attempt to activate it according to the program manager's backend rules. If it's a new unactivated card, it will get activated. The PM knows which serial numbers were distributed to each retailer, so they will not activate a card at a different retailer (and in some cases, a different location of the same retailer).
Moving the 100+ square feet of unactivated card displays to a retail cashier would destroy sales and impose a burden on retail staff that many can't handle, and none are incentivized to create a process for handling.
FWIW, program managers have gone through a few rounds of tamper-proof packaging upgrades. Obviously, their work is not done. But it is legitimately difficult to mass produce a tamper-proof package that is also consumer-friendly and not exorbitantly expensive.
If cost of packaging were no issue, or if customer friction could be disregarded, then the problem becomes more soluble. But we do not live in that world. And, in the extreme case, the criminals could just produce identical packaging including holograms etc. This is obviously within their capabilities, and if the cost of packaging can be absorbed in the multi-party legitimate sale chain, it will also be low enough for a counterfeiter.
...
More importantly, I agree that _some_ regulation or law should prevent Apple|Google|Amazon|etc from parlaying a minor financial dispute into total lockdown of customer data! But the approach for that is not to inject the requirement into the problem of closed loop prepaid debit card management.
I think this is the only interesting problem here. The card management stuff is well-known and evolving, but also mature and ultimately just some accounting math of risk against cost.
Screwing up a customer's digital life should not be a consequence of the imperfect-by-design card management schemes. FinCEN should regulate the latter. CFPB should regulate the former. The agency doesn't matter of course, but those two groups have very different mandates, and right now merchants are letting the stronger FinCEN regulations dictate their consumer policies in ways they should not.
> Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
There's more to it than covering the risk of fraud. It's more about optionality. The gift card only allows for buying things at one place — so you're restricted in what you can buy, can't deposit it at a bank, can't comparison shop etc.
I don't get the sense that money being left on the card is a serious issue for the sort of person who goes hunting for deals like this. They'll eventually spend more than the card's value and have the last of it apply partially to some purchase.
Also the discount rates I've seen have been more like buying the $100 card for $95 or $97. Except perhaps where the gift card retailer is offering it directly as part of a cross-promotion deal with the target retailer.
Breakage is between 10-20% on average, which is just insane.
However, a significant amount of the spending in gift card promotions is from the marketing budget of these companies. They use gift cards to keep you "engaged". They are used the way companies used to give out coupons basically.
Promotions rarely cost much. Keep in mind that even if breakage was zero, every dollar you spend at a company already has a profit margin baked in. Even if you only pay $9 for that $10 of spend at CompanyPlace, they are likely still making a profit. Promotions also have strong limits, so you can't really profit off of them as a consumer.
Except for one time. Once, IKEA ran a promotion that was "Spend $1000, get $100", and chose to set NO LIMITS. People were banking $10k worth of IKEA gift cards "for my future kitchen renovation" and IKEA found out their gift card fulfillment process was.... antiquated. Did you know old versions of Excel only allow for 65k rows of data?
>As for the fraud risk... do they even care?
We care. The brick and mortar store and Apple themselves don't really care, because they pay our company to take that risk, and our entire business is about preventing credit card fraud to reduce how much that risk costs.
>It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover.
What? What is your idea for better securing these cards? What "Tech" would help?
Note that I have no clue what Apple is doing banning this account. We don't tend to ban victims of fraud or crime or scams, especially not for physical cards bought in a store because who knows what actually happened.
I'm glad that got resolved for Paris, but what the hell is a normal person supposed to do. Not everyone has that kind of public reach to get a satisfactory resolution. First he had to understand what happened technically, then he needed a public platform to tell people about it, then that writing needed to get reposted by others, then PR needed to get involved. Not something that's going to happen for a normal user.
Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.
Agreed. A situation similar to this happened to me with Steam over a payment issue with their service. They banned me even though I had thousands of dollars of games and an account since Sept 2003. I had to go to my bank and escalate multiple times to get letters providing the info Steam wanted about my account and credit card to prove it was legitimate. Eventually after contacting them enough times they said they would do a "one time good faith" gesture by unbanning me but warned if it ever happens again they cannot help and that my account will be flagged with this. In the end I didn't do anything wrong and the bank didn't do anything wrong, it was all on Steam. It was over $10 by the way.
They've made it clear that you don't own your cloud library, so the only reasonable answer is to never pay for something with DRM you cannot remove (including things that require an online account for functionality you consider important), and treat services like Steam as a temporary convenience to download known good files that you then fix to remove any DRM. If you only treat these services as a download tool, their ban loses all teeth.
> never pay for something with DRM you cannot remove
I take this to mean to sail the seas but I have apprehension over running modified binaries from random people. Is there anything that can be done to alleviate this worry?
That only goes so far though. A lot of games need internet access, so essentially you are running potentially modified binaries running on your hardware/network, that gets access to the outside. Sure, blast radius becomes somewhat limited, but you still have a potential problem.
It's not a great solution, but you can vote with your wallet and simply not partake in that form of entertainment. I can't say it's fun to be not up on current games, or to find indie/non-DRM games to play. But piracy is just an end-around a terrible policy of non-ownership that manages to both not remunerate the folks who do the work and make no impact on the actual problem, which is that we don't like the non-ownership clause in modern games.
So yeah, TLDR, vote with your wallet and give up the entertainment this time.
You could buy from a provider that advertises non-use of DRM like GOG, or on Steam, it lists third party DRM, so you can know whether you have the tools to remove it (and whether you have the tools to remove Steam's DRM, or whether the game appears on a web list of games that don't use any DRM). You could also refund it if you can't verify you're able to successfully back it up and run the backup on a computer or user session without Steam installed. For multiplayer, if it's possible, you can find people discussing it on the web (maybe in pirate communities). Otherwise, just don't buy it.
Some recent stats indicated most gamers buy at most two games per year, so it's not a ton of work to ensure they have a working archive.
Both GOG and Steam allow you to use local copies of games, and both would deny you access to your account to download more games once banned. Steam allows you to install games without DRM from their platform.
Unless they've changed recently, I thought GOG's platform itself does not have DRM? Steam does provide DRM and doesn't tell you if a game uses it, though as far as I know there are generic tools to bypass it.
GOG also specifically advertises games that don't have DRM, e.g. [0]. Steam versions of the same game (e.g. Skyrim) often require Steam to be running and enforce mandatory updates that aren't always desirable with no rollback ability.
> Steam versions of the same game (e.g. Skyrim) often require Steam to be running and enforce mandatory updates that aren't always desirable with no rollback ability.
Yeah, but that's a developer choice. Steam doesn't force anyone to use their API for things like that. If that's a concern for someone as a gamer, they should probably support the companies that don't do it no matter the platform, not blame Steam for it.
The original question was "how do you know these things before you buy the game?" My answer was "You could buy from a provider that advertises non-use of DRM like GOG." Whether it's a developer choice is irrelevant. GOG tells you the information you need for your purchasing decision, so if you want to know what you're buying, buy from somewhere like GOG. Also, don't assume that because it's DRM-free on GOG, it is also DRM-free elsewhere like Steam.
Buying a DRM-free copy on GOG seems like a perfectly reasonable thing to do even if a company has DRM on Steam; it provides an economic signal that there's some segment of customers that requires no DRM as a condition of sale. Since marginal cost of digital "goods" is ~0 and it's likely trivial to disable DRM in your build, it would be dumb not to cater to them and take your free money.
> it provides an economic signal that there's some segment of customers that requires no DRM as a condition of sale
Do you just assume that's the reason someone uses GOG vs Steam? People could be using GOG for other reasons, and the lack of DRM is just bonus. So how does that signal really get interpreted correctly?
Steam is its own DRM on top of whatever else a developer chooses to do. I found this out one year when I spent months without internet access. At a certain point Steam would refuse to run any of the locally installed single player games I had paid for through their platform until my computer phoned home to their servers. I'd already configured everything for working offline and they did successfully for a long time until one day they just wouldn't anymore.
If you don't want to lose access to every game you fully paid for on Steam you'd better pirate a copy of everything you bought because on a whim they can take it all from you at any time.
There are some games on GOG that still include DRM. The one I can remember offhand is Cult of the Lamb where the game would only run until a certain milestone at which the copy protection determined the GOG version was pirated and would gate the player from advancing. There were forum posts from the developer confirming this was intended.
I'm honestly pretty disappointed that GOG is still selling the game. If they are going to sell it at all they should have massive warnings all over the page that the game is broken.
https://www.gog.com/en/game/cult_of_the_lamb
Another issue is, how do you get your games when you're banned? Most people don't have all their games installed at any given time.
With GOG, there is at least an unofficial, supported way to get an offline installer for each of your games. With Steam, there's no officially supported way to do this, so it's likely to be a bigger PITA to archive all your games ahead of time.
In reality, though, almost nobody is thinking ahead so that they have all their games archived, and, given the size of games and collections, it's a difficult thing to do on the cheap.
How is something unofficial yet supported? Is there just no "download installer" button on the site, but can be done as long as you know how to obtain the URL?
For purposes of backup I don't see that large of a difference between a single installer executable and a zipped folder that you'd get after installing a non-DRMed game from Steam.
GOG has allowed third party backup software like https://github.com/Sude-/lgogdownloader to exist. I have a full offline mirror of my GOG library that I update monthly that will never happen with my Steam library.
The non-DRMed Steam game will stop working after a while if you haven't logged into Steam after a very long time. If Steam ever went under, your locally installed single player games that work offline will stop working. Ask me how I know.
I've taken to getting a cracked copy of every Steam game in my library so that Steam can't screw me over again in the future.
Steam's lawyers would say that one should know by reading the terms of service for the storefront and the purchase. But in the real world, how often does that happen?
This is 90% of the reason I don't bother buying modern computer games. For me, I assume games require phoning home and use some kind of DRM unless it is otherwise advertised.
Afaik if your account is banned Valve still lets you log in to Steam and access your existing library of purchased games. You just lose access to all the other platform features. Obviously that's their policy that they can change anytime... but in this case, it's not inconsistent with their "nice Linux guys" persona.
Sadly, the real issue here is with the banks and the payment processors. It's very likely that they have metrics for larger marketplaces about being below a threshold for fraud. Online game stores like Steam live, breathe and die by payment processing.
This was the reason why free trade was removed from RuneScape back in the day and it wasn't even a Jagex issue. People would go to 3rd party gold selling websites and then pay for gold with stolen credit cards. They could easily keep the money because the trade cannot be reversed without a moderator and what they were doing was against the rules so everyone would just get banned. The payment processors saw a bunch of fraud related to a game called RuneScape and told Jagex if they don't fix this then they will be blacklisted.
> This was the reason why free trade was removed from RuneScape back in the day and it wasn't even a Jagex issue. People would go to 3rd party gold selling websites and then pay for gold with stolen credit cards. They could easily keep the money because the trade cannot be reversed without a moderator and what they were doing was against the rules so everyone would just get banned.
Gold farmers were paying for bot memberships using stolen credit cards, which Jagex had to refund along with a chargeback fee.
The blackmail scenario you’re describing wouldn’t make any sense since all of these gold farmers used mule accounts to launder their gold before making the trades. The changes to the trade system were intended to interfere with this laundering so that farming would no longer be profitable.
It wasn't a blackmail scenario specifically; Jagex got punished either way because the fraud was enabled by their platform.
I don't have the time to check but I believe this was mentioned by one of the Gower brothers in the RuneScape documentary.
My broader point is that even if they cracked down on fraud, which was absolutely not the fault of Jagex because of the poor security options at the time from credit card companies, they still had the issue of people buying gold from RunescapeGoldSeller.com and chargebacks.
> Sadly, the real issue here is with the banks and the payment processors
I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse.
This sort of thing wasn't really possible before the internet age. We need new laws to deal with it.
Banks are nothing to do with this. You could have your Steam/Google/Apple/etc. account summarily executed for any reason; it doesn't have to be money-related.
> This sort of thing wasn't really possible before the internet age. We need new laws to deal with it.
Yes, it was and it always has been[1]
>I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse
This is par for the course with every single EULA ever. I will say in the case of Steam it's hard pressed to find your account completely disabled and unable to play the games you rightfully purchased. I think the worst-case scenario is that you will be banned from engaging with the Steam online community, which restricts your ability to play with other users on Steam.
Redlining is the example that I am giving to show this has long been the behavior of businesses and unless it's racist it's not illegal. Also read your EULAs.
Buy from GOG instead. It's better. At least you can download the install files and don't need to install any 3rd party software to log in to play them. I have 200+ games on Steam but I have ceased purchasing on Steam.
There's also grey areas with Steam like when you buy a Steam key for a game outside of Steam through places like GreenManGaming and get your reviews discounted or otherwise flagged arbitrarily based on an opaque authenticity heuristic.
Yeah, you need a much smaller number for e.g. giving access to journalists/media pre-release. But the key mechanism is also used for any legitimate sales or giveaways that happen outside the Steam platform.
If you buy a Humble Bundle, you get a set of Steam keys for the games in the bundle. If Intel/AMD/Nvidia are doing a promotion for a free game with a purchase of their product, they give you Steam keys. Etc.
The solution should be obvious to everyone: Just go back to 2008 and start running a large Apple developer conference in your country. If you do that, it should only take a week or two to get your problem resolved.
I'd say also that you should never purchase Apple gift cards from anyone except Apple directly, but if the card itself was tampered with (stolen, opened, scraped and code retrieved, re-covered with generically available scratch-off material, re-sealed, returned to the display) there's nothing keeping that from happening in Apple stores as well.
There is a technical measure that gift card providers could put in place to reduce this, specifically they could block activation of any cards with codes for which they've already started receiving activation/balance checks. There'd still be some risk (thieves would need to wait before testing cards and would have to hope for cards that were purchased but not yet redeemed) but it could be reduced somewhat.
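The two activation-side controls that come up in this thread, the program manager honouring activation only at the retailer a serial was distributed to, and holding a card whose code has already been queried before it was ever activated, can be sketched as a small backend rule set. The code below is an added example, not code from any commenter, from Apple, or from any real gift-card program manager; the `ProgramManager` class, the `Outcome` values, and all serials, retailer names and amounts are constructed for illustration.

```python
"""Toy gift-card activation backend (constructed example).

Two controls are modelled:
  * an activation request is honoured only at the retailer the serial was
    distributed to (a rule the thread attributes to program managers); and
  * a card that has already received balance/redemption queries while still
    inactive is held for review instead of being activated, because someone
    evidently held its code before it was legitimately sold.
Serials, retailer names and amounts are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ACTIVATED = "activated"
    UNKNOWN_CARD = "unknown_card"
    ALREADY_ACTIVE = "already_active"
    WRONG_RETAILER = "wrong_retailer"
    HELD_PRE_ACTIVATION_QUERY = "held_pre_activation_query"


@dataclass
class Card:
    serial: str
    retailer: str              # retailer the physical card was shipped to
    active: bool = False
    balance_cents: int = 0
    # clock values of balance/redeem queries seen while the card was inactive
    pre_activation_queries: list = field(default_factory=list)


class ProgramManager:
    """Hypothetical program-manager backend; the clock is a simple counter."""

    def __init__(self) -> None:
        self._cards: dict[str, Card] = {}
        self._clock = 0

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def distribute(self, serial: str, retailer: str) -> None:
        """Record which retailer a freshly printed serial was shipped to."""
        self._cards[serial] = Card(serial=serial, retailer=retailer)

    def query_balance(self, serial: str):
        """Balance check or redemption attempt from a cardholder.

        Inactive and unknown cards reveal nothing to the caller, but an
        inactive card remembers that somebody already presented its code.
        """
        now = self._tick()
        card = self._cards.get(serial)
        if card is None:
            return None
        if not card.active:
            card.pre_activation_queries.append(now)
            return None
        return card.balance_cents

    def activate(self, serial: str, retailer: str, amount_cents: int) -> Outcome:
        """Point-of-sale activation request; applies the two controls above."""
        self._tick()
        card = self._cards.get(serial)
        if card is None:
            return Outcome.UNKNOWN_CARD
        if card.active:
            return Outcome.ALREADY_ACTIVE
        if card.retailer != retailer:
            return Outcome.WRONG_RETAILER
        if card.pre_activation_queries:
            # Code was queried before sale: hold for review, do not load funds.
            return Outcome.HELD_PRE_ACTIVATION_QUERY
        card.active = True
        card.balance_cents = amount_cents
        return Outcome.ACTIVATED


def demo() -> dict:
    """Walk through the constructed scenarios and return the outcomes."""
    pm = ProgramManager()
    pm.distribute("SN-0001", "retailer-a")   # clean card, sold where shipped
    pm.distribute("SN-0002", "retailer-a")   # code queried before activation
    pm.distribute("SN-0003", "retailer-b")   # presented at the wrong retailer

    results = {}
    results["clean"] = pm.activate("SN-0001", "retailer-a", 5000)
    results["clean_balance"] = pm.query_balance("SN-0001")
    results["early_query_reveals"] = pm.query_balance("SN-0002")
    results["early_query"] = pm.activate("SN-0002", "retailer-a", 5000)
    results["wrong_retailer"] = pm.activate("SN-0003", "retailer-a", 5000)
    results["unknown"] = pm.activate("SN-9999", "retailer-a", 5000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The held outcome is deliberately a review state rather than a refusal, since a legitimate buyer might check a balance on a card they bought moments ago from a cashier; what the rule flags is a query that arrived before the point of sale ever saw the card.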
They covered this a lot on the Accidental Tech Podcast last night.
I just don't get why these companies should be in the business of offering gift cards-- at least, not if they can't be redeemed safely.
I'm sure people would run other kinds of scams with AppleIDs without the existence of gift cards, but gift card redemption scams have gotta be 99% of the reason people create fake accounts. The support burden would evaporate almost overnight if they just exited this stupid market.
> I just don't get why these companies should be in the business of offering gift cards
If they're anything like Starbucks then they get the benefit of utilizing the unredeemed balances as temporary capital for investments. It's an interest free loan at their scale. Plus they get to keep the balance that people forget to redeem.
Some states have laws that gift cards never expire, like California. A lot of companies will just go with the most strict rule, rather than micromanaging state by state. The side effect of this is the company "keeps" the money that isn't spent. It may be earmarked as gift card money, but it will never be spent.
I am terrible at spending gift cards. I have some that are from 2007, 18 years old. Two years ago I decided I should check them all and actually spend them. Of the dozen or so cards (several of them for Apple), only 2 of them had an issue, all the others were still active with the original balance.
One of the issues was easily solved, it was a Visa gift card that had an expiration date... I reached out to the company and they issued a new card with an extended date. The other seemed to be so old that the underlying company was sold and pivoted, and changed systems (I assume multiple times) along the way. What was a card for a local restaurant chain now seemed dedicated to Dick's Sporting Goods... at least that's where the phone number went. I haven't yet tried going to the actual restaurant to see what happens.
This reminded me I did an awful job of actually spending them. I guess I need to try again.
> I just don't get why these companies should be in the business of offering gift cards
I think gift card or not isn't really relevant; fraudulent activity can happen in a lot of ways, like iCloud being paid for with a stolen credit card, or TV shows being rented with a hacked PayPal account.
The real issue is simply that there's no proper support avenue for serious issues that at this point affect your whole life, a family or a whole company. There's also no real avenue for a user to get the authorities to do anything to help with their case.
This article alone is grounds for me to never, ever use Apple gift cards -- just by virtue of all the personal photos, etc that I've entrusted to iCloud.
The real wisdom to take away from this is that you need to keep copies of everything you've ever entrusted to iCloud because iCloud cannot be trusted. This was one instance where a giftcard seems to have caused someone to lose access to their stuff, but there's nothing stopping some other random thing fully outside of your control from causing Apple to kick you out of the things you've given them to keep for you.
Everything in the cloud is at risk of being taken from you.
Companies like Apple are not your friend. They explicitly make no promises and insist that they are not accountable/liable. Stop trusting them.
I agree with this but I am not sure the personal risk of loss is very high with Apple. It is real but is it even on the same order of magnitude of losing your family photos in a house fire 30yrs ago? I used to keep a disk in a safe deposit box with my pics but got lazy. Is that good practice or paranoia?
Seems like good practice to me to keep digital backups in your safe deposit box. Probably a good idea to check/refresh them every couple years too. When it comes to things like house fires and getting screwed by cloud providers everybody thinks that it can never happen to them even when examples of it happening to others exist. The important thing is to make sure that you're covered in the event that the rare but catastrophic event does occur. Especially when the cost of doing so is so low. For backups it amounts to little more than a thumb drive and a visit to your bank every couple years.
Honestly you'll be safer if you don't use any major cloud provider for anything valuable. They've proven over and over again that they are very unreliable.
Well, not only in their iPhones. And not in the same cloud storage provided by the phone. The only backups you really control are the ones in your possession, so you must keep offline local backups of anything really important to you.
The big marketing point of cloud storage was that you would not need to worry about owning and maintaining local storage, but they conveniently downplayed the fact that they could lock you out of your own files at their whim.
Actually in this case, the danger is in the cloud storage not the phone's. The user still can access/use his phone, just not the cloud-connected functionalities.
His iPhone could not sync, update, install new software, or send messages, nor could he sign out and use a new Apple ID with it to restore that functionality. For a phone, this is effectively bricked.
Apple isn't. Just sayin'. They are trying to do it, but they aren't really anywhere near the scale of Google and Facebook. They make money (lots of money) by selling high-margin hardware, and, to some extent, digital media, on that hardware.
Currently, Apple is genuinely serious about preserving user privacy. I realize that can change, in the future, but it's the way it is, now. I get the feeling that a lot of folks on HN are having difficulty understanding businesses that make a profit by doing stuff other than harvesting and selling PiD, but that's not what has made Apple a 4 trillion-dollar company. They make that money the old-fashioned way; but with a modern twist.
That said, this situation is unforgivable, and I hope that Apple leads by example, by preventing this all-too-common type of dumpster fire from happening in the future.
Apple's ad business is estimated to be at $6.5 billion annually as of 2024[0]. Since then, they've decided to bring ads to Apple Maps. And of course there was the infamous ad for some movie on Apple TV injected into Apple Wallet earlier this year.
Just because they're not Google's size doesn't mean they don't have people making product decisions that will eventually sacrifice privacy for profits.
It hurts my brain that people still parrot the fact that "Apple doesn't do ads". As you rightly point out, ads for Apple is a multi-billion dollar business, bigger than many other ad networks and ad exchanges.
The reality distortion field is strong, even with some HNers.
It's not that. Be as insulting as you wish, but this conversation shows that a significant number of folks simply can't understand any way to make money, except by harvesting and selling PiD.
Making and selling hardware is difficult. Really difficult, but some companies have been doing it successfully, throughout recorded history.
It's really strange to see it being dismissed as "impossible," nowadays.
Apple became infected with the same thirst for "engagement" as any advertising-driven company. That's why even first-party apps like Maps or Music now waste your time with bullshit notifications. Same for every OS update trying to con you into enabling Apple "Intelligence".
Whether the advertising is ultimately successful does not matter to those people, what matters is if they can convince the person paying them (the manager paying their salary, the ad agency, etc) that they are effective.
I don't think this is correct. Analysts believe Apple made more than $27.39 billion in commissions globally last year (https://techcrunch.com/2025/05/08/appfigures-apple-made-over...). That's around 7% of global revenue, and we should expect this ratio to be higher this year and next.
My search of 2024 numbers stated $10bn from the App Store out of approx $400bn revenue, which seems to be what is stated in the first tables in that link.
I’m not sure who is right, Apple or these analysts, but either way: 2.5% or 7%, that revenue source isn’t large enough to be a corrupting incentive on Apple’s behavior.
Maximizing digital service revenue at the cost of user trust which drives their high margin hardware sales would be killing the golden goose.
I wasn't defending Apple. I was merely pointing out that one of these, is not like the other.
Like I said, it seems that we have a hard time understanding business models other than "Harvest and sell data." Posts like the GP, seem to reinforce this appearance.
Upton Sinclair is known for a quote, referencing this kind of thing.
There are ways to abuse advertising other than harvesting and selling user data - which is a big one, and which Apple has already done (https://gizmodo.com/apple-iphone-france-ads-fine-illegal-dat...). For example, the App Store places unadvertised apps further down the list on searches or doesn't even show them at all.
Hating on Apple is quite popular amongst techies. I understand. I've probably been more pissed off at Apple than many folks here.
But it does bother me, that people don't seem to understand the classic business model of making things, selling things, and supporting things. That's thousands of years old, and still very much relevant. Quite a few folks, here, do that. I spent most of my career, at companies that did it.
I don't hate Apple; I only use Apple computers and phones. They are mostly better than any other alternative. But you have to concede that being in the advertising business at any level doesn't do them any favors re: privacy commitments. I only criticize because I want to keep what's good from becoming bad.
A full 20% of their profit comes directly from Google Ads, then there's their own ads strewn throughout apps and the App Store on top so their total profit from ads is probably close to a quarter of all their profit.
Nobody would say they aren't in the PC, tablet or audio business, yet they make more off ads than they do off Macs, iPads, headphones, speakers... everything but iPhone.
I'm skeptical of that. I think I'd need to see some hard data on it.
I spent most of my career in the hardware business. It's really odd to see so many folks unable to understand business models that make money, besides "sell data."
It really seems as if folks can't grok that companies that make money, can do so without necessarily selling data.
The $20ish billion was revealed through Google's antitrust. That by itself accounts for a fifth of their total annual profit, ignoring all the App Store ads, News ads etc.
"Harvesting user data" doesn't make money. The reason people think this is that on HN people have main character syndrome that makes them think their personal data is interesting, plus an assumption that making money is evil therefore anything you can think of that is evil would make money.
(Google and Facebook don't make money by "harvesting" or "selling" user data, they make webpages you spend a lot of time on then put ads on them.)
Pretty much nobody's personal info is valuable by itself, but it's EXTREMELY valuable in aggregate, because it lets you target advertisement. Like, so valuable it's on the order of tens of billions.
Indeed, and the entire concept of smarter Siri, ChatGPT integration as well as Apple's ever-increasing ad surfaces ... is powered by aggregating more and more usage analytics from users. There are so many that come on by default when you install macOS/iOS.
The data that Google and Meta harvest are your interactions on other websites and apps that are loading a Google or Meta JavaScript, or have a back-end data integration with them.
I don’t know if Apple has client-side ad scripts like those, but in decades of building websites I’ve never been asked to implement one.
> That ship has sailed and more revenue is to be made by harvesting user data
That does seem to call for supporting evidence. I write Apple apps, and they make it very difficult to access user data. I would need to know how they get it, and how they make money from it.
Put an iPhone on your Wi-Fi and log how often it calls out to some Apple web service. You might be shocked, or does it make it okay when Apple themselves are the ones it's impossible to have privacy from?
Off topic pretty much: In 2013 I was one of the 8,000 people in the U.S. selected by Google to be able to buy Google Glass ($1,500 [$2,000 in today's money]) in its first release to the public. One thing I will never get over is the customer service offered to us Glassholes: not a toll-free number, no automated voice mail tree: I'd call for any reason AT ANY TIME NIGHT OR DAY OR WEEKEND OR HOLIDAY and a Glass specialist would answer within a couple rings and spend as much time on the phone with me as I needed to resolve my issue.
They contacted multiple employees and insiders and nobody was able to help before his blog post was featured on HN. He was deep in the Apple ecosystem and personally knew many people there, from what I understand.
I experienced something similar recently. There’s something going on with gift cards at Apple. It’s a bit fishy. As in they don’t want you to use it so they can report higher holiday season sales. Or they’re experiencing a huge uptick in scams involving the cards. I started wondering if the system they use is actually secure from a cryptographic point of view.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
But that basically screws over loyal Apple customers who trade in an entire family’s worth of iPhones, iPads, Apple Watches, MacBooks, etc. over the years. Sometimes you just take a gift card because you don’t want to buy a new thing. Fast forward a couple of years, you basically learn that you traded in your MacBook Pro for nothing. How’s that not a controversy? Perhaps they should give customers non-transferable store credits that cannot be purchased elsewhere. Avoids the entire issue with gift cards.
Gift cards sold or issued at an Apple store are the safest kind.
There is no opportunity for the kinds of large-scale fraud you see with cards purchased elsewhere. The only risks would be the same for any other bearer instrument, e.g. wallet theft.
That’s what I thought too but it’s not. Apple is refusing all gift card related hardware purchases in certain markets. Even what you already redeemed to your account. It certainly piqued my interest in what’s happening behind the scenes.
This doesn't sound right to me. Apple is still issuing gift cards for hardware trade-ins as of last week, and obviously they are bound to honor them.
Specific accounts may be flagged, for sure. But a general ban on GC-related purchases would be a very big regulatory deal. Do you have links to a published source?
Throw in gift cards all over the place to incentivize purchases.
Go to use a gift card, "Sorry, gift cards can only be used to pay for full price items, not discounted or sale items".
Conveniently, effectively everything in the store is discounted or on sale.
That would be bad enough as-is. But you move houses, or are moving out for the first time, and someone buys you a gift card, with CASH?
They're the same gift cards. And the same "rules" which are nowhere to be found, just you arguing until you're blue in the face with a store manager who "understands, but policy".
"I could have bought this item with the cash it took to buy the gift card, but because that cash 'changed form', it's now unacceptable for payment?"
Perhaps they should just give them cash. But that wouldn't guarantee future sales and they wouldn't make a few extra percent margin off of people who never redeem their cards.
We're a multi-trillion dollar company and your BATNA is terrible. Don't like how we roll? Go fuck yourself.
Addendum to 2: have a blog with thousands of readers which you can use to publicize your case, otherwise Apple won’t give a damn, like they did to Buttfield-Addison. He had the receipts, Apple didn’t care.
Every time I read a story like this, I feel an atavistic desire to self-host everything. But I've had my Google account for 20 years now; the die is cast.
If you never start you'll never be free. It's also not all or nothing. You can keep things with Google, self-host new stuff and gradually move over things that make sense to move over.
I have a strong desire not to self-host the “live” copy of anything. If my server goes down, I don’t want to have to drop everything and fix it (e.g. if I’m on vacation, I don’t want to have to take a laptop in case I need to fix any server troubles - I go on vacation not to be on call!).
That said, keeping a backup of everything, decoupled from any account I don’t control, gives me huge peace of mind.
I'm slowly decoupling things and hosting parts of my infrastructure myself, be it on a cloud server or a home machine.
Doing everything and/or all-at-once is not practical, but having backups for most critical infrastructure helps a lot, and when it's rolling, it rolls without effort.
One can go step by step and call it done when it becomes too much to bear or satisfactorily decoupled.
Creating backups is crucial. This includes all the contacts, texts of saved emails, photos and so on. Many of these people who get locked out fail to create local backups and rely on Apple's cloud storage. Big mistake.
Even just simulating "what if I lost this account" and seeing what you can't access (have your wife change your password and not tell you for a month or so, say) - tells you what you'll be missing.
Just realize this: the longer you play this game, the higher your odds of getting banned. Once it hit me, I quickly decoupled from Google. It's like playing satoshi roulette for 0.5% gains. You keep winning until you get fully wiped.
The real problem is that companies do not offer any accessible, powerful, and intelligent customer support. Even if they have real humans to talk to, they simply follow a script. Those agents do not have the ability to investigate a situation or the power to use their discretion to take meaningful action.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. The company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
I previously worked in fraud/risk at a major ecommerce platform. On my biggest day I closed 60,000 accounts. In one day. I knew other agents who'd done 10x that.
The scale of this work is unfathomable to those who have only been on the consumer side of it.
#1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
#2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
#3 is what small claims court is already for. We should make this easier, I agree.
> I previously worked in fraud/risk at a major ecommerce platform. On my biggest day I closed 60,000 accounts. In one day. I knew other agents who'd done 10x that.
> The scale of this work is unfathomable to those who have only been on the consumer side of it.
> #1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
Just imagine laws would work that way.
> #2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
That argument doesn't pass the smell test. Apple makes more profit than the scammers' whole revenue, so just from a resources standpoint Apple could starve them. You just need to make the process so it can't be easily automated (e.g. require going into an Apple Store with your ID).
> #3 is what small claims court is already for. We should make this easier, I agree.
So in #2 you say it would overwhelm the process and now your argument is that essentially the public should pay for the process?
If small claims courts can deal with the issues then why can't a trillion dollar company?
> > #1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
> Just imagine laws would work that way.
This is how "tipping off" law often works in practice.
As a support agent you often lack full visibility into the treatment or history of the person on the other end of the phone, especially if they're a bad actor. You can't tell them what is or isn't fraudulent behaviour, or what might be construed as such.
But the quote "Here's how not to get banned next time" is rather facetious. It's in fact "we will not even tell you why you got banned".
I don't know what you mean by "tipping off" laws, but certainly if you get given a penalty in law (e.g. you get judged in court), you will be told what you have done wrong, and shown proof of it.
This is not what small claims court is for. You can go to small claims court and successfully convince a judge that Apple or Google or whoever owes you $500 for shutting down your account. You cannot go to small claims and get a court order that Apple must reinstate your account.
It's very interesting and helpful to get your insider's perspective on this. I believe that the issue cannot be understood by people sitting on the outside who have no idea about the nature and scale of the fraud attempts.
Still, from your perspective, do you have any opinion on this particular case, other than "you can't make an omelet without breaking some eggs"?
Since you asked I will share some wild speculation, but to be clear I don't know how Apple's fraud prevention works.
Gift cards are the currency of modern confidence scams. Accounts that redeem a lot of high value gift cards are suspect for that reason alone. Buttfield-Addison makes it sound like this is common practice for him, so his account may have been on a shitlist already.
Apple may be so sensitive they'd close a suspect account after one failed redemption. It's also possible that card was first redeemed by an account that was closed soon after for fraud, and Buttfield-Addison's subsequent attempt linked his already-suspect account to the fraudulent one resulting in automated actioning.
Again, this is pure speculation, and is not meant to justify Apple's actions.
But it seems like it should be clear that the account that failed to redeem the card is, if anything, the victim. No?
I could see doing a lot of card redemptions as a flag, but then I think the next step is "what are they spending the credits on?" I could see a scam where you launder cash by turning it into cards, and then buying shitty and expensive apps. Thus paying apple 30% to clean money for you.
The comment I responded to offered no such qualifiers.
To answer in general, aging of accounts is common as is synthetic credibility-building activity. There are marketplaces where you can buy sets of years old accounts with activity for every major platform. Anything you could come up with would either be so stringent it would exclude most users or be easy enough to become a target for account sellers.
To be honest this is why I got out of the space, it's Sisyphean.
But 'it's hard' is not an excuse. If it is not possible to honor the contract that you create with the user because of fraudsters, then the user should not have to abide by it either.
Yeah, I managed a major service back in the day and I can confirm all you say is absolutely correct (except maybe #3, but that's legal).
One thing I do not understand however is why wouldn't companies offer paid appeal process perhaps with refund in case the termination decision is indeed overturned. I would gladly pay $100 to have my Apple/Google/etc account properly reviewed in order to get it back once it is inevitably flagged by yet another AI. Seems like win-win all around.
The situation is pretty dystopian, but as you point out I think most people upset about it are not willing to face the realities of the "80/20" (more like 99/1) split of fraud vs. legitimate mistakes. Patrick McKenzie has a good article about the tiers of bank support[1] that makes the point that even though the experience of tiered support often sucks, it's essential to making these financial products widely available. Without the dystopian support structure you couldn't have things like widely available credit.
Most megacorps do suck - and also it's probably true that the lack of customer support is necessary to offer the products they offer at popular price points. People just don't wrap their heads around the scales involved, generally because the exact numbers are proprietary.
Saying #1 and #2 are not possible or not likely is not a good take, in a world where our digital accounts take more and more a central place in our daily lives. It may work for autocratic societies, it won't cut it for democratic ones: imagine if our legal systems were that irresponsible to us collectively and individually?
Why not introduce friction on both sides, like: 1/ just face to face, physical meeting? 2/ or a basic (paid, yet reasonable) insurance that account management doesn't happen over the shoulder?
Imagine if banks worked like that. "It's difficult to scale" is not an argument.
These companies are critical to people's livelihood in 2025 and they should be treated as such. Many people rely on them for their life; they store sensitive information and control communication.
I'm of the opinion that if a business can't provide adequate support at scale, then it should either stay small or cease operation.
Dealing with fraud is your issue and part of your business, not citizens.
Your post reads like an admission to me that the system is broken. Real persons need real recourse, especially if an adverse action has major impact on their lives.
Could it be that fully automated payment processes are just so fundamentally vulnerable that their very existence needs to be questioned because of how overwhelmed they get with fraud attempts? I'm deliberately being controversial here for the sake of discussion.
Usually I'm not a big fan of legislation, but in this case I completely agree. Companies unilaterally taking away anything you've paid for is effectively no different from theft, and ToS shouldn't be able to escape that. Or even if it's a free service but it's something you've built up value in -- a history of photos, messages, emails, etc. -- it's similarly effectively theft.
I agree there absolutely needs to be a form of habeas corpus here with arbitration to hear from both sides. And what's more, even when an account gets shut down, an export of all data must be provided, and a full refund of the purchase price of any digital licenses/credits still active. So even if a spammer takes over your account and Megacorp isn't convinced it wasn't you yourself that decided to spam, you still don't lose your data or money spent -- it's ultimately just a (very big) inconvenience.
Legislation is how we hold the powerful to account, ideally. It turns out, when people have billions of dollars, sometimes you have to stand up as a society and tell them "no".
The real real problem is shameless shitheads who will abuse anything to any length to run scams or malware distributions.
"Yes support tech, please understand my child just died of cancer and my wife in a car accident last week and the only pictures I have of them are on my bitcoin4free@gmail.com account!"
Google probably also bans thousands of accounts a day. And suddenly every single one of them needs a full human appeal review. Because jamming up the system is (short term) beneficial to these shitheads.
Dealing with fraudsters should be baked into the cost of doing business for these megacorps. A smaller business couldn't get away with this kind of "support". The largest companies should be held to the same standard.
The only way this is going to change is if shareholders hold executives accountable. Consumer protection regulation with real "teeth" that impacts the bottom line will bring angry shareholders to the table very quickly.
Then you better be prepared to pay for it, and still expect cases where things go wrong.
The problem with having support dealing with problems like this is that fraudsters will figure out how to manipulate it, while honest people will still encounter these problems. The easier you make it for honest people to resolve these disputes, the easier you will make it for fraudsters since it would involve yet another avenue for them to exploit. Plus the whole process will become more expensive, which someone has to pay for.
Scammers would call into telco customer service with panic and tears to trick the support person into moving your phone number onto their device, and then they drain your SMS 2FA accounts.
> Dealing with fraudsters should be baked into the cost of doing business for these megacorps. A smaller business couldn't get away with this kind of "support". The largest companies should be held to the same standard.
It is already baked into the costs in business models of big companies. And they are pretty good at it, actually; we’re talking about one high-profile case, and it’s not the only one, but it is rare enough that such stories are still newsworthy.
The standard that people want, though, is absolute certainty: zero errors that affect real customers, a 0% false positive rate.
The scale is in fact a challenge. If a small business has a 0.00001% false positive rate, they will affect approximately zero of their customers. For Apple, managing billions of accounts, that same false positive rate would affect hundreds of real customers every day.
If it happens to a high enough profile person that we can all hear about it, it's certainly happening to far more not high profile people we never hear from. No one wants absolute certainty. We want less corporate fuckery. The scale of the challenge is not an issue for companies worth trillions of dollars except that they don't want to spend a meaningful part of those trillions to deal with the challenge.
I can't even get into my Google account even though I have the username, password and recovery email, and all the emails are CC'd to the recovery email, because Google turned on 2FA without any notice and it needs a text from a number I no longer own.
Normally I resolve these things by buying all the executive phone numbers and working my way through the phonebook, but Google is the one I've had no success on with this so far.
I recently ran into a situation where a service I absolutely must use and has no alternative (think government provided service) would only accept a Gmail domain for registration. Any other domain would fail registration with no useful error message.
This really shouldn't be allowed in this day and age but I'm effectively powerless to change it. DeGoogling is hard.
I had to sign up with a major SMTP provider last year and they wouldn't accept my regular email for login, which is on a very regular normal domain. They asked me to sign up with a major email like gmail. I was luckily in a position to refuse, and complained until they updated their rules.
I know you're just trying to pull something out of thin air that sounds plausible, but...this would be simple to prove with a request for valid death certificates, marriage license, and a birth certificate to prove you were married, the child is yours, and that both are in fact deceased. Oh, and of course, you'll have to prove who you are as well.
Given the (rightful) outcry about handing out your IDs to private corporations in "safety"'s name, are you really suggesting providing documents even more specific about you?
We're all worried about identity fraud, and such documents are actually used to apply for an id in some countries!
To be sure, it would suck trying to do all of this for some web service. I've had to do it for something more substantial like insurance. I wouldn't think this kind of thing should be a scan and upload to a cloud bucket. At this point, we've reached a human, and should be able to deliver physical documents to said human.
> We should impose, by law, the following rules on all companies that offer accounts to their customers.
When the services that a company provides gets to this level, it starts becoming like a public utility. If it's not possible to participate in society without using such a service, then the services should be governed like utilities are.
I wouldn't be opposed to having actual government-provided services for things like e-mail, text message, and discussion forums at a very basic level. Then (in the US anyway) we could apply the government restrictions on privacy and freedom of speech, with laws governing the oversight and implementation. Of course there would be major details to work out to prevent misuse, corruption, etc.; but it could solve the problem of losing your essential on-line identity -- as long as the government has any interest in you at all for something like expecting you to be able to send/receive an e-mail in order to pay your taxes, then they wouldn't ever cancel your account. 3rd-party services would still be possible, but then they could do whatever their business model supports, and caveat emptor. How people can expect businesses services like Facebook to comply with their personal expectation of free speech is beyond me.
> If they block/ban/close/suspend a customer account they must provide habeas corpus.
* evidence
"Habeas corpus" is not a lofty expression for evidence, although people sometimes use it as such. It's a procedure for challenging one's detention before a court.
Agreed with the intent, but it's more narrow than that. Habeas corpus specifically means "there is a body." Its purpose is to set a high bar for homicide convictions i.e. a body must be present before a suspect can be convicted of murder/manslaughter by a court of law.
Habeas corpus is an order to bring a body before a court. The body being a live one, the detainee. Thus proving that the detainee hasn't been exiled/tortured/murdered/whatever and providing an opportunity to challenge the detention.
Apple actually does have pretty good support for this sort of case. What went wrong here is that the account was in a state where support, even high-level support, was not authorized to unlock it.
I have personal experience here. I was gifted a meaningful chunk of Apple gift cards. I redeemed them to a secondary Apple ID as this ID is rarely used. It got locked when I tried to spend the Apple gift cards.
It took a couple of tries over a few weeks, but Apple support were very helpful and able to unlock the account. Where I must've got lucky is the automated system must've allowed support to take this action, and it sounds like in the case here whatever fraud flag triggered issued a far more severe response.
In my case, I should add, the gift cards were totally valid. It was just a rarely used account. That might explain why it was easier to resolve, in any event. They absolutely have human support. The real issue is when human support can't overrule the computer.
This legislation has high costs and while it seems fair to impose them on the Apples and Googles of the world, this gets weirder with smaller services that might have trouble complying. My podcast player, Overcast (overcast.fm), is one guy. Should he be subject to this? It seems like that business might not be able to exist if he was.
You could do a revenue threshold or something but seems tricky.
> You could do a revenue threshold or something but seems tricky.
That's what countries regulating this tend to do (often user count instead of revenue thresholds, but similar).
It also makes sense, because if the podcast guy bans you, you can pick a different podcast player or just not listen to podcasts. If both Google and Apple ban you, you're also effectively debanked because you can't use their app stores to install the banking authenticator app that is required to use online banking, possibly excluded from using public transit, etc.
The business size doesn't matter. Bake it into the business' books and charge what it takes to manage it. If you can't, your business isn't viable. If you can, it doesn't matter if you're 1 person, 100 people, or 1 million people.
This does not scale, the amount of abuse is huuuuge. But I think with a prerequisite, it could:
Companies should be required to provide access to a service that verifies identity. I know such companies exist, so it is doable. And then, once it is provable that they are dealing with an actual human who can be identified, your rules can be applied.
Apple made 100 billion profit last year. They can surely afford to make this. Just because it would cost them profit does not mean we shouldn't require it.
For Apple, yes, but in the context of rules that apply across the board we should address the scaling issue. People who've had to deal with the filth of the Internet know how hard the problem is to solve, and not everyone has Apple money.
If you can't charge your customers enough to spend enough on this challenge, you don't really have a viable business, you've got a theft organization. Externalizing your failure to build a solid business by screwing customers is not okay.
If you want a small claims court to certify that Apple owes you $500 because they didn’t honor your gift card, that probably exists everywhere that Apple does business. If you want a court to certify that Apple must reinstate your account because they incorrectly classified your use as fraudulent, small claims court lacks that authority, at least in the US.
My impression (possibly wrong) is that in Germany, there is just "court" and trying to enforce a $500 judgement will be difficult because every lawyer will tell you to just eat the cost rather than taking the case, and the case would cost thousands to litigate (to be reimbursed by the company if you eventually won, 5 years later).
I pay Microsoft all of eur 11.20/month for basic office subscription and the 3 times I've clicked contact support I got called by helpful people who resolved my problem.
And also it would be good to limit the ban duration with a law. For example manslaughter can be 5 years in prison.
So if Google decides to ban your account because you sent your doctor a photo of your son for medical purposes, they are not allowed to ban you for more than 5 years and then they must restore full access to your account.
I think for these big companies as well, they should have to have a more targeted punishment. Since having access to an Apple or Google device is increasingly mandatory in many countries (often as a result of government legislation!), getting that cut off is more impactful than other services.
So like, if you get caught, red handed, absolutely 100% you, performing gift card fraud, the maximum punishment from Apple should still be getting banned from the gift card system (buying or redeeming). And if they want more consequences for you because they think you’re running a fraud ring, they should have to sue you like a physical store would. But not lock you out of the rest of the ecosystem. Otherwise you get the false positives getting the digital death sentence Apple tried to hand out here.
I fear that this would lead to everyone being allowed exactly one account -- why would you need more than one if the one you have can never be fully deactivated? -- and that account would be tied to your human identity forever. Which would go about as well as any other attempt to solve Sybil problems.
If Google bans 100,000 bot accounts a day, and even 1% of those "users" request a human appeal, you are demanding 1,000 hearings every 24 hours. Who pays for this? Magic? If the cost of providing a "free" email account includes the potential for a $500 human-led legal adjudication, free accounts will simply cease to exist.
Further, the current court system is already backlogged by months or years for serious crimes and property disputes. You are suggesting we socialize the cost of private customer service disputes. Why should taxpayers fund a judge to decide if a "common sense" decision was made about someone's banned World of Warcraft account?!
I'm sorry but this idea is very obviously not congruent with reality as we know it, as nice as it may sound.
Initially, the user requesting the hearing (this discourages the scammers).
When the appeal is won, the company (this encourages doing a really good job at not banning legit users and enabling lower-friction ways for them to appeal).
> You are suggesting we socialize the cost of private customer service disputes.
No, it can just be a dedicated body, funded as described above. Yes, this might mean that free accounts cease to exist, although I suspect in practice it would just result in a fraction of the profit from free accounts going into better (less user-hostile) abuse management rather than profit.
#2 doesn't scale. If you guarantee access to a human, the system will absolutely be effectively DoS'd by scammers trying to social engineer their way into access to someone's account.
Not if you require physical presence. If you have to turn up in person at a local branch office with identifying documents, then you've greatly limited opportunities for scams. Fraud is still possible but it doesn't scale.
You are suggesting that companies be legally required to staff a "Complaint Bureau" where low-level employees must face, in person, the most disgruntled and potentially unstable 1% of the internet. This can only end well.
If this place attracts violence, the company can afford bulletproof glass and an alarm button that alerts the police, and I'd rather have the unstable 1% remanded to police at the risk and cost of a rich company than to have them stab a rando on the street later.
Employee protection laws that mandate said bulletproof glass in certain situations already exist in civilized countries.
No, for the key to being able to participate in modern society. Without a Google account, you can't use (standard) Android. Without either (standard) Android or iOS, you de facto can't use most banks, some public transit networks, and various other utility-level services.
You can have a Yahoo account, a Hotmail account, a ProtonMail account. You can go to your bank in person or without an app. I would be less surprised to learn that a bank does not have an app than I would be to learn they do not have a website.
The web site often requires an app for authentication. Some (not all) banks offer alternatives, which often come at a cost (either financial or time) that would, once you add all of the costs up, be catastrophic for the majority of people, because it's never one thing that is affected with these major gatekeepers.
They generally use SMS authentication. I have yet to see one that has a hard requirement for an app, let alone one that actually requires a Google account.
Regardless: The fact that a specific tool is the easiest way to do something doesn't grant you a "right" to that specific tool. For example, you have a right to seek transportation; you don't have a right to a specific 2025 Toyota Camry provided by a private company.
This is why banks have physical locations with live tellers. And also why I'll never open an account with regulations-dodging "disruptor" banks where everything must be done through the app.
> The real problem is that companies do not offer any accessible, powerful, and intelligent customer support.
No, the real problem is that we have no reasonable alternatives when companies misbehave. There is no meaningful way to exist in society today without an Apple or Google account, and that's actually insane. It's doubly insane for people who aren't citizens of the United States (although the CCP addressed this by requiring Apple make a separate iCloud for them).
The solution isn't to legislate a right to a bank account, it's to preserve the usefulness of cash so banks don't get too far out of line.
> There is no meaningful way to exist in society today without an Apple or Google account
As is the case for many other infrastructure companies, such as your local electricity network operator (or even supplier depending on market liberalization). We also didn't solve that problem by ensuring everyone's right to run a generator in their backyard or heat their city apartment with a coal oven.
If tech companies have become essential to our day to day lives and are not willing to allow for horizontal interoperability, i.e. to split over-the-top services from infrastructure and individual elements of infrastructure from each other – because walled garden lock-in undoubtedly increases profits – why not regulate them as infrastructure entirely?
Well, to be fair, I do create an ephemeral Apple ID every time I get a new phone… But I immediately log out of iCloud after downloading the two or three apps that I use. I have no idea what my Apple ID or password is… I would have to go look them up.
Further, if I lost said Apple ID, I would lose nothing of value.
I believe, as you say, I exist meaningfully in society.
Sure, but it has no value and nothing negative happens if it is revoked.
Further: the three apps I install are not crucial - I could live just fine without them. All I really need is Safari and a working POTS endpoint for my cloud-hosted phone number ...
Curious: How do you do your banking? Most of my banks de-facto require an Android or iOS app for authentication, unless you want to do all your banking in person and pay hundreds of Euros in fees every month (and even that would exclude you from many services).
I am a US person and the four (three very large and one smaller, regional) banks that I use do not have any such requirements.
Web based online banking (since nothing related to banking requires 3D or VR/AR or camera/mic access or other fancy things that apps do) and 2FA auth. That is all I have ever seen or used.
In the EU, banks are AFAIK banned from using SMS 2FA, and the 2FA needs to be tied to the specific transactions. Which nowadays de facto means a bank-specific (sometimes country-specific) 2FA app, possibly with the alternative option of purchasing a pricey dedicated 2FA device.
... which is quite simple and cheap ... and can be used in place of SMS 2FA.
The fact that these tokens exist and are so simple to deploy and use really deflates any claim (by banks) that banking and/or auth apps are required. It causes one to consider what the real motivation is behind the bank desperately pushing customers away from the simple and adequate web service towards the apps.
Even if there were viable alternatives, I believe people who chose to use an Apple, Google, or any other account should still have the rights I proposed.
China is quite a bit worse. Not having an Apple or Google account in the US would be kind of inconvenient. Not having WeChat Pay or AliPay in China means you can't buy stuff most places. They've ensured that their de-facto-mandatory services are domestic, but they're a lot more mandatory.
I assume the Chinese government is quite happy with this, because they have no trouble bringing their large companies to heel, unlike the US. And centralizing payments like this gives them a great deal of information and control.
But then how can IP companies like Google leverage zero marginal cost of production to achieve infinite scale? Customer support costs scale linearly with the size of the customer base!
Rather than crafting a bunch of specific legislation, I say remove the carve out for arbitration. Open the doors to take them to small claims. If they don't show up (maybe because a $500/hr lawyer isn't worth it) you get a default judgement, which you eventually convert to cash. Problem solved, without adding more bloat to existing laws.
I see no reason enormous companies should carve out exceptions to the legal system. You exchange money with them, that's commerce, it's a contract. This is exactly what civil court was designed for.
Their customer support is to sue them. Few are willing to dare. But I suspect if you sued Apple over the gift card incident in a European country, the judge would side with you because of stronger consumer protection laws. Also that clause in the ToS that says you won't sue them is legally meaningless.
If this happens more than a few times, they will quickly remember why customer support is necessary.
The judge would likely never see the case, because the legal department would make sure it gets escalated to someone who can unfuck the problem before it gets that far.
Suing companies can legitimately be the easiest way to resolve issues, especially where small claims courts exist: It turns the issue into something that they can't "resolve" (for themselves) simply by ignoring and stonewalling you, so it becomes cheaper to actually fix the issue.
Some of this sounds appealing to me, but I wonder how wise it is. I've been banned unfairly, and it would be fun to try to stick it to those who have... but then there's almost surely someone here on HN wanting to start some online game or something who would not be able to afford to comply with the law. He's just completely cockblocked by the barrier to entry.
If you try to make carveouts for him, they will still be absurdly restrictive and the carveouts will be abused by the likes of Reddit.
Would checking the Apple gift card balance first be a useful precaution? Would it have saved Paris all this hassle?
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
I had this exact thought. Unfortunately I can't find a way to check the balance of an Apple gift card without signing in to an Apple ID⁽¹⁾. So maybe you need a throwaway Apple ID...
Scammers will sniff card info before activation, and poll the balance check site to see when the card is activated. They will then use the card to get merchandise which they ship to another market and sell for ~50-60% of retail value.
Like solar power, money laundering is inefficient, but it's valuable when the source material is zero-cost.
This is one of the reasons I picked a small, dedicated email provider [1] over Google Workspace for my corporate emails. If Google flips out and ban hammers us for no reason, my company will still be able to reach clients and work on projects. Apple, Google and Facebook are way too trigger happy with automated bans and no recourse.
I won't be redeeming any, that's for sure. I've been lucky so far, but I got a brush with this experience a couple years ago. I logged into my apple account from a web browser on my work computer. Turns out my company has pretty shitty security and our NATs were on the naughty list (I should have known better, I had been getting CAPTCHA'd every day if I browsed outside our network). Because I logged into the apple account from a naughty network, they instantly locked the account until I could prove it was really me and that everything was okay.
I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.
At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.
> It also leaves the question of... why it took the better part of a week to resolve.
I'd put money on they had to restore backups of several systems, fish out his account-specific data, then insert it back into the main systems. This would have happened much faster if there was just an on/off switch.
This is such a complicated issue, because on one hand, scammers are bilking people out of a ton of money with gift cards, but on the other hand, should a user be penalized for using a gift card?
The only idea I can think of is a law that requires companies, once they reach a certain number of users or market share, to provide a formal process to restore accounts that are a certain number of years old. This could include paid arbitration or a similar mechanism.
I doubt such a law could pass at the federal level, but if it were passed in California, it would probably solve 80 percent of the problem.
> > There is one way the Apple community could exert some leverage over Apple. Since innocently redeeming a compromised Apple Gift Card can have serious negative consequences, we should all avoid buying Apple Gift Cards and spread the word as widely as possible that they could essentially be malware.
It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...
Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.
Continuing the worrying trend that when the computer says no you need a social media presence & industry connections to get a basic level of "hey can you not kill my account" support.
I kinda thought Apple was better about this sort of thing, what with the Genius bar and that sort of thing. I pretty much made an ass of myself by assuming that, I guess, because I switched from Google stuff straight into Apple. I should probably start to work on self-hosting now that I can see I was incorrect to trust Apple...
I don't know your priorities, but I will say this: beware the recency bias: don't overweight a news story. Instead, take at least five minutes to make a list of your concerns.
> I should probably start to work on self-hosting now that I can see I was incorrect to trust Apple...
Jumping to that conclusion might be worse. Don't think of trust as a binary bit. Better to ask:
1. To what degree can I trust Party to do Thing?
- what is Party's track record?
- what are Party's incentives?
- what is the probabilistic distribution of outcomes?
2. What is my best alternative to #1?
- ... track record?
- ... incentives?
- ... distribution of outcomes?
3. Pick the least worst for you
When you do this, you'll want to factor in aspects such as: What is the value of your time? What are the chances that your alternative is less secure?
I feel like all these articles are writing about the wrong thing. Yeah, it sucks that the guy's account got banned, and yeah, maybe we can't trust gift cards.
But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.
What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.
And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.
Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.
The scenario described in the OP's article should simply never be allowed to happen.
This is something governments should really try to tackle, but I'm afraid that their solution would be a government ID rather than proper guidance and rules for these behemoths.
The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
Now, do you want all of your web accounts be linked to your government ID?
> Now, do you want all of your web accounts be linked to your government ID?
No, but I don't think that's actually necessary. My cloud storage account with Google could be linked to my government ID, and... that might be ok? This sort of plan wouldn't require, e.g., my HN account to be linked to my ID.
Yes, that would mean that some people (e.g. activists under repressive regimes) shouldn't be storing stuff that could get them in trouble in Google Docs or iCloud Photos, but... they probably shouldn't be doing that now anyway.
But this would still require governments passing laws to prevent arbitrary account closures. Linking an account with an ID doesn't automatically make Apple/Google behave. The legally-mandated process would need to be something like: automated system detects fraud, they call the police, police investigate, and either a) they see nothing and drop it, and Google/Apple are required to drop it, or b) they investigate, prosecutors bring charges, and the outcome of the court proceedings is binding on Google/Apple (conviction = account terminated, exoneration = no retaliation allowed).
> The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
It would be easy to fix this problem simply by charging a hefty up-front fee for direct connection to high-level human support, who will take the time to verify the user's identity using established KYC procedures and then take action to restore the account. The fee would then be refunded if the problem turned out to be on the company's end.
Companies like Apple don't offer that, because they don't GAF.
They also need to let you transfer your purchases to a new Apple ID under a new email address. It is outrageous you're forced to choose between all your purchases from an email account name from when you were a kid or teen and getting to have an adult email address/handle and not having a data hungry company like Google or Microsoft seeing all your Apple activity in perpetuity.
I understand why Apple sells gift cards. I understand why brick and mortar stores sell gift cards for third parties like Apple.
But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.
I work for a major gift card company. These views are my own and not that of my employer.
The credit card companies take zero risk in this transaction, because we, the company selling the gift card, take the risk.
To this end, my personal job is building systems to prevent and combat credit card fraud. It's not terribly complicated in fact. The team I originally started with a decade ago was like three people.
Every gift card purchased by a stolen credit card is a direct loss to our revenue. We strongly want to keep that amount small. We do a pretty good job of it.
We have a large department of REAL HUMANS you can call to get help with your gift card. In the past, they have had very upset grandmas calling in to ask about why they can't purchase iTunes gift cards because they need them to get their nephew out of prison. Those calls are very sad.
Physical gift cards have no value until you pay the cashier. Despite this, physical gift card security is tough. The plastic card has to be shipped out and sit on a shelf and be directly available to anyone to tamper with. We have made some efforts to reduce that threat, but there isn't much we can do.
If you are in the US you have absolutely used our company's products and if you have bought a gift card online there's a 90% chance your transaction details have run through my code.
Frankly, I do not understand why Apple would have banned an account for trying to redeem a scammed or tampered with card. That doesn't make any sense.
Are you able to track balance checks made against card numbers not yet activated? That seems like it'd be a dead giveaway for physically tampered cards and if you could prevent activation of those it'd at least make tampered cards harder to use.
Presumably you could also take things back to the level of "store X, you have a serious problem."
>Are you able to track balance checks made against card numbers not yet activated?
Yes. Can't get into specifics. Not every card supports balance inquiry though. Not entirely sure how this applies to physical gift cards.
Usually what happens is that someone simply writes down the card number, and waits, and then tries to redeem it. They don't do a balance check.
>Presumably you could also take things back to the level of "store X, you have a serious problem."
We can get down to the register. Fraudsters are sometimes employees. But you can't treat customers like criminals so doing anything about it is hard. These same stores don't seem to mind customer info leaking and credit card data being stolen in the first place.
We sometimes have to replace these cards for consumers, because it's dumb to spend a hundred dollars for a gift card that was stolen previously; that's not their fault.
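The detection idea raised above (a balance inquiry against a card number that has not been activated yet is a strong signal of physical tampering, and the activating register tells you which store has the problem) as an added example, not code from the original thread or from any gift card company. The event format, thresholds and store identifiers are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CardEvent:
    """One event from a (hypothetical) gift card processor's audit log."""
    card_id: str
    kind: str                        # "balance_check", "activation" or "redemption"
    ts: datetime
    store_id: Optional[str] = None   # only set on activation events: the register that sold the card


def _by_card(events: List[CardEvent]) -> Dict[str, List[CardEvent]]:
    """Group events per card, sorted by time, so each card's history can be inspected."""
    grouped: Dict[str, List[CardEvent]] = defaultdict(list)
    for ev in events:
        grouped[ev.card_id].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e.ts)
    return grouped


def activation_time(card_events: List[CardEvent]) -> Optional[datetime]:
    """Timestamp of the card's activation, or None if it was never activated."""
    return next((e.ts for e in card_events if e.kind == "activation"), None)


def find_preactivation_checks(events: List[CardEvent]) -> Dict[str, int]:
    """Map card_id -> number of balance inquiries that happened before activation.

    A card sitting unsold on a shelf has no legitimate reason to be queried;
    a query means someone already holds the number. Cards that were never
    activated count every inquiry, since none of them can be a buyer's."""
    flagged: Dict[str, int] = {}
    for card_id, evs in _by_card(events).items():
        activated_at = activation_time(evs)
        n = sum(
            1 for e in evs
            if e.kind == "balance_check" and (activated_at is None or e.ts < activated_at)
        )
        if n:
            flagged[card_id] = n
    return flagged


def should_hold_activation(events: List[CardEvent], card_id: str, now: datetime) -> bool:
    """Register-side check at the moment of sale: hold (do not activate) a card
    whose number has already been queried, so a tampered card never becomes spendable."""
    return any(
        e.card_id == card_id and e.kind == "balance_check" and e.ts < now
        for e in events
    )


def flagged_cards_per_store(events: List[CardEvent], flagged: Dict[str, int]) -> Counter:
    """Attribute flagged cards to the store that activated them, which is the
    starting point for a 'store X, you have a serious problem' conversation."""
    counts: Counter = Counter()
    for card_id, evs in _by_card(events).items():
        if card_id not in flagged:
            continue
        store = next((e.store_id for e in evs if e.kind == "activation"), "unknown")
        counts[store] += 1
    return counts


# Constructed sample log: five cards, two stores. Not real data.
D = lambda day: datetime(2025, 12, day)
SAMPLE_EVENTS = [
    CardEvent("A", "balance_check", D(1)),          # queried while still on the shelf
    CardEvent("A", "activation", D(3), "S1"),
    CardEvent("B", "activation", D(2), "S1"),       # normal: bought, then queried
    CardEvent("B", "balance_check", D(4)),
    CardEvent("C", "balance_check", D(1)),          # queried twice, never sold
    CardEvent("C", "balance_check", D(2)),
    CardEvent("D", "balance_check", D(1)),
    CardEvent("D", "activation", D(5), "S2"),
    CardEvent("E", "balance_check", D(2)),
    CardEvent("E", "activation", D(4), "S1"),
]

if __name__ == "__main__":
    flagged = find_preactivation_checks(SAMPLE_EVENTS)
    print("pre-activation inquiries:", flagged)
    print("flagged cards by store:", dict(flagged_cards_per_store(SAMPLE_EVENTS, flagged)))
    print("hold activation of A at sale time:", should_hold_activation(SAMPLE_EVENTS, "A", D(3)))
```

Card B is the innocent pattern (bought first, queried later) and is left alone; cards A, D and E would have been held at the register, and the store count shows S1 selling two tampered cards.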
Most consumers are blissfully unaware (as they should be!) of the complexities of ordinary payments transactions, never mind the even-weirder world of closed loop prepaid debit.
The risk of this happening seems low, but the impact on my life as an Apple ecosystem resident would be catastrophic. It's an easy decision for me - I won't buy or redeem an Apple gift card again.
Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.
This was a scary story to read after I cashed out all my rewards points at work for the first time in 5.5 years to get six $100 Apple gift cards which I redeemed back-to-back-to-back.
You'll hear tons of similar stories with GCP/Google accounts.
This is the same reason I don't use GCP -- ever -- for business. If there is ever an unintentional linkage in GCP of your personal gmail account, and you have an issue on GCP, your personal account can get locked out.
In a genuine and everyday real sense, no, your likely thousand dollar device is not usable. The App Store requires an account to download from. Internal services and apps often complain about not being available. You are mostly stuck with whatever built in, non-cloud services the device comes with, which isn't much. Weather and mail fetching come to mind. Maybe some of the simple recording / note taking like apps. A working Apple ID is essentially a requirement to actually use the device you purchase. And yes there will be comments from folks about "ways" you can perhaps sideload or get things running, but to a regular person that simply uses a phone like a standard appliance in their life - they're stuck.
This is one of the reasons the used market for Apple devices is absolutely fraught with danger. If an Apple ID is left active on the device, only Apple can reset it. In most cases, they will only do that if they are provided the original purchase receipt for the serial number associated with the device. So in theory, removing the activation lock from owned devices is possible in a situation where a locked apple ID cannot be recovered if you are the original owner. IMO, there should be a process to release devices that haven't been used for a certain amount of time AND haven't been reported stolen. But there's very little incentive for Apple to do this.
If you read the other posts about this, the author explains that the phone technically still works, but you can't access iMessage or anything. Probably basic text and calls only.
The author did mention though that they were unable to log out of iCloud, as that requires to be logged in to iCloud. That would prevent reuse of the device with a different account.
Your iphone is tied to the old apple account and you can't untie it if you can't access the old account. (You can go through support with proof of purchase, but that requires you have proof of purchase at hand etc.)
So never buy a gift card at a retail location, unless it's digital. Preferably buy directly from the website of the company where the credit will be used.
But why would apple punish the secondary user of the card? That seems like the wrong person to punish.
Notoriously secretive, siloed Apple, where even internally, teams are said to be entirely in the dark about each other’s work? I think Apple, culturally, can’t do a public post mortem no matter how much they might want to. I would love to be proven wrong on this, because I would very much like to understand what happened.
The same Apple that reset a large number of iCloud passwords last year with no warning or notice, and no public acknowledgement or explanation? It was determined after to only have affected legacy Apple IDs that predated iCloud, but there was never any confirmation from Apple.
They absolutely SHOULD; but they absolutely WON'T because they don't even think they did anything wrong (as opposed to CloudFlare who hangs their hat on the mistake).
Companies commonly claim security/anti-fraud, then refuse to explain their actions, claiming (again, without evidence) that justifying themselves would help fraudsters in some way.
But really this has nothing to do with anti-fraud, and everything to do with duopolies out of control and weak consumer protections doing nothing to push back.
That's why Google, Apple, and Microsoft are notorious for this.
The combination of a single account for everything and arbitrary account locking is really scary, given how much of their lives people entrust to these services. Anecdotally, I have steered strictly clear of Google Cloud for my personal projects (even though I have some cases where Firebase would have worked nicely) because I cannot risk some screw up locking me out of Gmail.
Gift cards: it's a steal, so just say no. I want to say if you get one from your sister-in-law give it back but now I'm afraid she'll face terrible consequences from cashing it out.
... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:
dang unblocked me 1 hour 4 minutes after an email (thanks dang!)
- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation
After 45 minutes on the phone on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue, I issued a credit card chargeback because I wasn't going through that again
- Comcast billed me $200+ weeks after I closed my account
After 30 minutes going around in circles with their AI phone operator who kept directing me to the broken online portal which said nothing, I gave up and issued a credit card chargeback. I'm presently ignoring the advances of a debt collector.
- A Kraken withdrawal of $16k worth of BTC has been "On Hold" for 28 days now
Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.
- My Corporate Amex was flagged for fraud (which is fine) I was on the phone for an hour and a half with customer service who could not figure out how to unblock the card, they wouldn't admit to me out loud but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing
I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.
---
The best customer service? A free online forum that I can't possibly ever give any money.
Chargeback has become the only way to get any justice out of companies anymore. It used to be the last resort--the point where you have tried everything and customer support won't budge. Now it's sometimes your only option because customer support doesn't even exist.
I swear, I've probably done a single chargeback from all of 1995-2015, yet I've done at least five from 2015-2025.
The lack of "real, common sense human support" from giant tech corporations is terrifying - and something that only regulation can fix. These tech companies have increasingly taken over our lives - getting locked out of a 20-year-old Google or Apple account could legitimately ruin your life - or at the very least - make it incredibly difficult for 6-12 months as you work to recover every account linked to it and migrate to something else.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
I bought an iPad on the online Apple store, on their back to university programme (in the UK). I was overcharged by around £80 (the price of the gift card they gave me as part of the back to university offer, basically the web site charged me for the gift card). I called up their support and explained the situation. For about 10 minutes I had the lady explain to me in the politest tone possible how I didn't understand the calculation, because naturally she believed that the Apple web site wouldn't make a mistake. She finally realised that it was wrong after a while and refunded me really quickly, but I think she could've easily gaslit an average person into believing they were in the wrong.
I've been using all of my macs for years now without Apple IDs. I use them only reluctantly on iOS devices to install apps, and don't use iCloud (it's a privacy nightmare).
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
lol I have another story regarding Apple gift cards.
Many years ago we had an iMac at the house as the shared desktop computer. After a few years, it started to show signs that the hard disk was going to fail, and we had also mostly moved away from Apple's ecosystem, so we decided to trade it in and replace it with something else that's not from Apple.
Since we didn't have anything immediate to buy from Apple, we traded it in for Apple gift cards.
Later, my partner needed to trade in an old iPad for a new one, so we used that gift card with credit card for the trade in. For that trade in, you first pay the full price with gift card+credit card, then they refund you the trade-in value after the trade-in is finalized.
The trade-in value of the old iPad was less than the value we paid via credit card, so we would reasonably assume that they would refund the total trade-in value to our credit card. But nope. They actually calculated the original gift card vs. credit card split ratio, and refunded according to that ratio.
A simplified example: say we paid $200 via gift card plus $300 via credit card for a $500 iPad, with a trade-in value of $200 for the old iPad. Instead of refunding $200 to our credit card (so it's eventually $200 via gift card and $100 via credit card), they refunded us $120 to the credit card and gave us another $80 gift card. So we have to find ways to spend that gift card again, and it cannot involve any trade-in (otherwise we're not going to be able to use it fully).
Unfortunately, at the moment, for normal people, the legal system is our only option.
I am not a lawyer, but I have done this multiple times:
Read the T&C and search for "dispute" or "dispute resolution". Look for what you're supposed to do when you have a dispute. Follow the steps as outlined. Corporate lawyers generally take things seriously.
I just bought my niece a Visa gift card and she said she had the hardest time using it. Not many would accept it. What's up with this latest gift card scam, tampered gift cards? Has the media not done a blitz on this issue yet? It's the holiday season and many are going to be scammed! I will be giving a greeting card with cash or just Cash App family members.
Visa gift cards have historically been widely accepted (anywhere you see the Visa logo), with a few exceptions, mostly online.
InComm is one of the two major program managers in the space, and they have had really severe fraud problems for a few years. They cracked down hard on prepaid card ("gift card") redemption about two years ago (right after the holidays).
This is an ongoing problem involving Visa, InComm, DHS, and a couple banks. Customers are being damaged, Visa's brand is being damaged, etc.
InComm is invisible to customers, but it was their action that made (most) Visa open loop prepaid debit cards difficult to use.
Notably, the other major program manager (Blackhawk Networks) also runs a few lower-volume Visa card programs, and they are still accepted normally.
Informed customers can make an explicit decision to purchase only Blackhawk-managed Visa cards. But that information is not trivial to obtain.
Related: there is a known scam where someone will ask for payment by things like Ebay gift cards. To "prove you have the card", you are asked to read off just the last few digits of the card - which unbeknownst to the intended victim is actually all that is needed to redeem the card.
You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
Why Ebay built this idiotic weakness into their cards is beyond me.
> You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
This used to be true, but isn’t for SSNs assigned since I think 2011 - the exact year could be wrong, that’s from memory. Since that switch, the component that used to be geographical is assigned randomly.
A wise move, IMO. The geographic thing made sense, pre-internet: our local office assigns only numbers that start "477-", and no other office does, so we can control for duplicate assignments.
> Related: there is a known scam where someone will ask for payment by things like Ebay gift cards. To "prove you have the card", you are asked to read off just the last few digits of the card - which unbeknownst to the intended victim is actually all that is needed to redeem the card.
I'm not following. If things have gotten this far, the victim has already been duped into buying the card and intends to send it to the scammers anyway... ?
But also, how could the card possibly work that way? What are the other digits even for; and wouldn't they quickly run out of valid "last few digit" combinations for issued cards?
Regardless of the resolution of Paris' case, at this point I doubt sincerely I will ever willingly purchase an Apple gift card. To be frank, most gift cards are persona non grata for myself and ~all discerning consumers I know.
Yet I don’t want to play lottery with hardware I paid thousands of dollars for and with an account that holds hostage a lot of my data and digital purchases.
I’m even fine with big tech having great powers but that needs to be counterbalanced by regulations forcing them to be accountable.
So, we now have the same “who cares, it’s just some dumb online account” level of service with much more critical accounts. Because big tech has scaled users to the 9-10 figure range, while not investing almost anything in customer service. Instead of having thousands of CSRs like the phone company, tech employs a few disempowered call center operators overseas, whose only job is to read FAQ answers at callers and ask them to try restarting their computers.
1. It is objectively true that Apple and Google accounts are extremely important to many people.
2. It is also objectively true that most users will only need one of each, a few at most. Fraudsters have no such limitations, and may want to create thousands of them per day if the possibility arises.
3. Therefore, it's likely that a significant percentage of all accounts ever created are fraudulent, even if the actual number of fraudsters is much lower. This is the crucial observation many people miss in this debate.
4. Real users do not want constant iMessage spam and other problems resulting from fraudulent accounts remaining open. Therefore, normal users care deeply about fraudulent accounts being closed promptly (and so do money-laundering regulators, but that's another discussion).
5. Normal users also care about their accounts remaining open. Apple has to balance these two problems.
6. If we force Apple (by regulation, PR crisis or any other method) to be softer on closures, the only way to do that without exacerbating #4 is to make opening fraudulent accounts harder.
7. The only reliable way of preventing fraudsters from opening accounts is strict and invasive identity verification.
8. Therefore, if we're asking Apple / Google to keep more accounts open, we're also asking for more surveillance.
This may actually be the right tradeoff to make, but it is important to point out that there is a tradeoff here, and that no decision in this regard goes without consequences.
Remember blue check marks? The EU is not happy about those.
https://ec.europa.eu/commission/presscorner/detail/en/ip_25_...
Believe it or not, google is even more stunningly incompetent than that.
If you have someone in your contacts there literally is no way to (1) retain him/her, and (2) ensure they are never, ever, for any reason, suggested in any product. E.g. in Google Docs, I do not want "@" autocompletions to suggest the person. No sharing, no drive sharing, no email cc/bcc, etc.
In my case, there was a breakup with a cofounder / exit from a company and ongoing collaboration with a friend who shared the same first name. I actually had to delete the former cofounder's contact, which made me miss some calls from an unknown number.
Having someone that you need to occasionally maintain contact with that should never be prompted in any way (exes of all types, divorced, stalker) is a basic need in real-world systems.
Years ago I briefly played around with "manufactured spend" (on credit cards, to earn frequent flyer miles).
There was one specific loophole, with one specific gift card provider, and it was a doozy. You could earn credit card points on spend, plus supermarket loyalty points on spend, by buying gift cards from one specific provider which could be cashed out at face value (ie no fee at all) immediately to a specific type of savings account.
So, of course, world+dog was buying these things like it was the end of the world.
As I sat in a hotel room one evening rubbing the security codes off the latest batch of cards before redeeming them one-by-one into my savings account, it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering, but it would take some time to explain exactly why not...
The loophole was closed relatively quickly, and the gift card provider gave up.
Back then, the trick was to get a generic Vanilla Visa or other prepaid credit card. A recent legal ruling meant they had to be run as a debit card for... reasons... I forget them.
But a lot of grocery stores would sell you a money order up to 500 bucks for under a dollar with a debit card (not a credit card).
So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
Subtract ~$5 for the GC and ~$1 for the MO and you could manufacture about 500 bucks in spend. And the best part? You could take that money order to your bank, deposit it, get the funds immediately, pay off your balance, then rebuy.
In one afternoon I earned enough points for a first class flight to a fancy European city, and eternal side eye from the grocery store clerks who were convinced I was up to something but couldn't put their finger on what.
Interchange fees, probably. Otherwise the credit card company is taking a 2-3% cut.
>So you'd call up the issuer and have them issue it a PIN. Then you'd run it as a debit card and buy a 500 dollar money order.
I don't know how this ever could have worked considering that "cash-like transactions" are counted as cash advances, same as if you were to use your credit card at an ATM.
Not really:
"I'm churning credit cards for the rewards points. Here are the receipts where I use $10k from account A to purchase $10k worth of gift cards. Here are the statements where I deposit $10k of gift cards into account B. Here is the statement for the $10k wire from B to A. And here are the receipts for the next round of gift cards I purchased. Any further questions? I have $10k of gift cards to redeem."
And many legitimate uses of gift cards may actually have been fraudulent somewhere up the chain.
Imagine a scammer who sells their cards to real users (perhaps through one or more less-than-scrupulous intermediaries willing to buy them in crypto without asking too many questions). If the victim comes to their senses and somehow gets those cards reported and blocked as fraudulent, unsuspecting users will get into trouble.
But it is money laundering, that's what manufacturing spend is. It's not money laundering to hide evidence of a crime, but it is money laundering for the purpose of hiding the fact that you didn't engage in commerce in the process of spending money on a credit card to earn a reward. It's indistinguishable, only because we criminalize behavior not only on its base but due to its intent.
For example, we feel like it is fair for credit card companies to monopolize payment systems, charge fees to businesses, and use a portion of the money from this scheme to set up this bullshit reward point system.
But to undermine this system is criminal, because the system is established, but undermining it is novel and therefore disallowed. Any new way to play the game is breaking the rules, because the purpose of the system is what it does.
It's not illegal to buy a few beers every evening from a bar you own out of your own pocket, and then book that revenue, pay taxes on it, and then ultimately collect a distribution of the profits as the owner of the business. It is illegal to do the same thing if the money you took out of your pocket came from selling drugs.
It’s great that it has been resolved, but I’m still baffled by a number of things:
1) Why would redeeming a bad gift card result in a complete shut-down of the account?
2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
3) Should companies be restricted from growing too large where they can’t support their customers?
In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example, my Facebook account was recently banned because a hacker accessed my account and uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20 year old account was banned literally overnight without having any recourse. There’s no number or even any email to use. Maybe I can see if the Register will write it up… (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same… if they cared.)
“Online” accounts have zero regulatory requirements, plus many of them aren’t necessarily directly paid-for, so they frame themselves as doing you a favor by letting you have it in the first place. And they usually don’t have a route to prove identity because they don’t record a legal identity (passport/SSN/etc) to begin with (not that that was an issue here, of course - in this case Apple didn’t dispute that they were the owner, just asserted that they were some kind of criminal.)
You're just lucky that it hasn't happened to you. That does not mean it doesn't happen to anyone.
Furthermore, without physical presence where you could sit down with someone, this becomes more difficult to deal with. Truth is, Apple should have an option where someone could go to an Apple Store, verify ID and talk to someone with power, but they don't want to spend that money so here we are.
I'm not excusing this. What happened here shouldn't happen, and there should be quick resolutions and explanations available to the aggrieved parties.
You must block financial activity, and you must not communicate any details to the customer, upon reasonable suspicion of money laundering activity. There's a process and a prescribed timeline for getting things resolved. There is no penalty for a false positive, but there are large penalties for false negatives.
Having watched hundreds of these things happen, all of the details point squarely to an AML problem. For closed loop gift card programs, the merchant, program manager, issuing bank, and possibly the seller all get involved. It takes time.
This doesn't require shutting off a user's access to their data though -- just preventing financial activity. Apple might not have adequately fine-grained permissions around account suspension to support this, and obviously they should fix that!
The decision to create the SAR will depend on the outputs of the multi-party investigation, which is the thing that takes time and causes visible issues for consumers.
It's also unlikely there are just those two states. For many services there will be a number of factors involved, but it's purposely opaque to make it harder to circumvent.
Apple would be much harder to regulate, as it wouldn't even be clear what jurisdictions should be involved in the process, and what a "change of jurisdiction" would entail. It would also create the opportunity for fraudsters to choose the jurisdiction which gives them the most consumer protections but has the loosest identity verification requirements.
That's false, unfortunately. There are amazing levels of discretion that banks enjoy and minimal accountability to end users. The CFPB (in the USA, anyway) was a countermeasure but has been recently weakened.
Because they assume you stole the gift card and are therefore a criminal. As to why they're making the assumption that you are the criminal, not the actual criminal who successfully redeemed the gift card first, you've got me. Since either situation is possible.
> 2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
I'm as infuriated as you are.
> 3) Should companies be restricted from growing too large where they can’t support their customers?
Size has nothing to do with it. Plenty of small companies ignore their customers too. So I don't think this is the right solution.
> In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access.
There are plenty of horror stories with banks too. I'm not sure they're that much better at all.
But hey, at least Apple's universal lockout capability is able to deter theft! Every non-negotiable backdoor has a silver lining.
Software installation has nothing to do with account closure, so I don't know why you're bringing it up.
Account closure doesn't disable your devices. You can set them up with a new account.
And if devices are disabled due to theft and can't be reflashed for sale on the black market, that is a good thing. I haven't heard any reports of people's legitimately purchased devices being disabled due to theft.
Clearly you have things you don't like about Apple, but I don't see what they have to do with the subject at hand, which is account closure.
(2) and (3) remain great questions without enough good answers.
Apple has locked my Apple ID, and I have no recourse. A plea for help.
1730 points, 1045 comments https://news.ycombinator.com/item?id=46252114
So a blanket ban on Apple gift cards is probably the safest thing. I shall inform everyone in my extended family.
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
The Singapore Apple exec person who eventually reported the issue as fixed provided the above advice, and I think it is the best advice given to anyone in this entire situation.
What can a normal person do? Only buy Apple gift cards from Apple, only buy Home Depot gift cards from Home Depot, et cetera.
That one piece of advice destroys a retail line of revenue that’s suffering massive endpoint fraud and removes the vast majority of risks to recipients of gift cards, and is simply explained to uninterested people that those conveniently-placed gift cards are bait cast by fishers for the unwary.
(I’d also sue the retailer in small claims court for selling a fraudulent product that didn’t perform as advertised.)
Gift cards are the #1 fraud vector in payments ... because it lets stolen cards be converted into a cash-like equivalent with zero traceability.
So fraud/risk systems are highly sensitive to gift cards.
It's not an excuse, but I see in this thread people minimizing the problem at hand - so I just wanted to call that out.
That's easy to say. [1] [2] [3] But reality is harder than that; keep in mind:
P.S. The commenter doesn't state who "they" refers to: maybe issuers, maybe retailers, maybe both?
[1]: A drive for simplicity is important, in moderation. But here the quote seems to not appreciate the complex reality.
[2]: The response pattern "Then they are free to [foo]" is often part of a rhetorical technique to shift blame and/or responsibility to another party.
[3]: See also the "nirvana fallacy" (i.e. "if you can't do it perfectly, you shouldn't do it at all.") See https://thelogicofscience.com/2016/06/20/the-nirvana-fallacy...
[4]: You can easily imagine a business where lowering customer friction increases both revenue and fraud. What is the ratio between them? How does it change over time?
Dumb people were being scammed in Singapore, until the financial regulator here clamped down on gift cards altogether. It used to be trivial to buy Apple, Google, and Steam gift cards in Singapore convenience stores. They're no longer being sold anywhere.
I'm not sure how requiring gift cards to be bought with cash would help prevent that
McKenzie's point is more about how businesses need to accept a certain level of fraud because trying to stamp all of it out will be more expensive and more damaging than allowing some of it. But I'd go further than that: companies should be required to accept some amount of fraud in order to avoid harming their legitimate customers. It should be just another cost of doing business.
[0] https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
It can be traced; the problem is that they block accounts (probably using an FP-prone algorithm) even if a gift card was not purchased using a stolen credit card.
2. The normal use case for a gift card is that it is transferred to a person different than the original purchaser. Launderers also do this.
To be clear, this is their problem, not the customer's.
Still, I’m curious what the scammer did in this case. If a retail worker just stole the card number it would merely be used up, not flagged as fraud. Maybe someone in the supply chain obtained the number and reported it lost/stolen? And used that to obtain a new card no one would complain about once it was used? Vs the original number which would result in a customer complaint. Idk.
The optimal amount of fraud is non-zero (2022) - https://news.ycombinator.com/item?id=38905889 - January 2024
($day_job is financial services, a component of my work is fraud mitigation)
I'm having a hard time finding much sympathy. They could always, oh I don't know.. maybe just not sell gift cards? Or have a much lower maximum amount?
I mean yeah, you could take the view that technically the blame really lies with the people trying to use gift cards for theft, but that's not going to be productive.
It's simple: they're essentially free money. The worst case for them is that the recipient of the card uses the full amount of the card. In that case, the issuer "only" makes the full profit on those sales. Often they do better: the card is used partially or not at all, then lost or forgotten about.
You can see how lucrative they are by looking at promotions. You can often find deals where you can buy a $100 card for $90, or similar. Why would you sell a dollar for 90 cents? Because you know that on average you're selling quite a bit less than a dollar.
As for the fraud risk... do they even care? When gift cards are used for crime, the issuer doesn't suffer. Maybe they have to deal with upset customers, but that's hardly new. Most of the time, the gift card is bought legitimately, given to criminals, resold, used by the secondary buyer, and the only one who suffers is the unfortunate scam victim who bought it.
It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover. The fact that they don't bother should tell you everything you need to know about how important fraud is for them.
The merchant wants you to use the card, in all cases, always. Because statistically, you are likely to spend 30-40% more than the card face value, when you do.
The unused portion of the card sits on the merchant's balance sheet as a liability, for years, until they decide to recognize it as revenue ("breakage"). They prefer this over NOT selling a GC, of course, and some merchants (e.g. Starbucks, high volume, low ticket) make a ton of money on breakage. But in all cases, merchants greatly prefer their cards to be used.
You're also wrong about how the fraud works. Usually, the card is not purchased but sniffed prior to legitimate sale. The mechanisms for this vary, but a common method is to literally pull armloads of cards off of display shelves, open and repackage the carriers, then surreptitiously return to shelves for legitimate sale. This is purportedly the process for large organized crime rings based in Asia, mostly China.
And you're wrong about how easy it would be to fix. Packaging costs money, retailers have to be on board for activation, this has to be integrated into POS systems, and it all has to be very easy for consumers.
This is a hard problem at scale, and smart and motivated people on the merchant side, the program manager side, the bank side, and the law enforcement side, would love a simple solution.
...
What is not a hard problem, though, is that Apple should separate "AML investigation in process" from the user's ability to access their own data. This would turn a very large problem (for all involved) into an annoying inconvenience (for the customer).
Stopping the theft you describe is very easy. Don't have actual gift cards just sitting around. Require customers to get them from the cashier at the time of purchase. Have dummy cards on display if you want them to have something to hold, or make them ask.
Of course these solutions aren't free. Adding friction to the purchase process will reduce sales. Retailers have clearly concluded, I assume correctly, that it's not worth the cost. Nothing wrong with that.
Don't confuse something being difficult to fix with something not being worth the cost of fixing. We can put a solid upper limit on the impact of fraud by looking at what it would cost to stop it, and conclude that the impact of this sniffing fraud is less than the impact of having cashiers exchange dummy cards for real ones at the time of purchase.
Note that this isn't a "this is easy, they must be idiots not to do this" sort of thing. The current approach is probably the smartest one, given how things currently work. If the incentives changed to make retailers bear more of the cost of fraud (say, legally putting the burden of proof on the retailer to show the card was used legitimately, otherwise they have to refund it if the customer alleges fraud), things would change quickly.
The program manager is responsible for retail placement and packaging. Their share of the revenue is small, but their liability for fraud is high.
Retailers (POS card sellers e.g. Safeway, as opposed to the card-branded merchant e.g. Apple), bear zero risk for fraud. Safeway can't police card validity -- if a customer brings the card to the cashier, they will scan it and the POS will attempt to activate it according to the program manager's backend rules. If it's a new unactivated card, it will get activated. The PM knows which serial numbers were distributed to each retailer, so they will not activate a card at a different retailer (and in some cases, a different location of the same retailer).
Moving the 100+ square feet of unactivated card displays to a retail cashier would destroy sales and impose a burden on retail staff that many can't handle, and none are incentivized to create a process for handling.
FWIW, program managers have gone through a few rounds of tamper-proof packaging upgrades. Obviously, their work is not done. But it is legitimately difficult to mass produce a tamper-proof package that is also consumer-friendly and not exorbitantly expensive.
If cost of packaging were no issue, or if customer friction could be disregarded, then the problem becomes more soluble. But we do not live in that world. And, in the extreme case, the criminals could just produce identical packaging including holograms etc. This is obviously within their capabilities, and if the cost of packaging can be absorbed in the multi-party legitimate sale chain, it will also be low enough for a counterfeiter.
...
More importantly, I agree that _some_ regulation or law should prevent Apple|Google|Amazon|etc from parlaying a minor financial dispute into total lockdown of customer data! But the approach for that is not to inject the requirement into the problem of closed loop prepaid debit card management.
I think this is the only interesting problem here. The card management stuff is well-known and evolving, but also mature and ultimately just some accounting math of risk against cost.
Screwing up a customer's digital life should not be a consequence of the imperfect-by-design card management schemes. FinCEN should regulate the latter. CFPB should regulate the former. The agency doesn't matter of course, but those two groups have very different mandates, and right now merchants are letting the stronger FinCEN regulations dictate their consumer policies in ways they should not.
There's more to it than covering the risk of fraud. It's more about optionality. The gift card only allows for buying things at one place — so you're restricted in what you can buy, can't deposit it at a bank, can't comparison shop etc.
I don't get the sense that money being left on the card is a serious issue for the sort of person who goes hunting for deals like this. They'll eventually spend more than the card's value and have the last of it apply partially to some purchase.
Also the discount rates I've seen have been more like buying the $100 card for $95 or $97. Except perhaps where the gift card retailer is offering it directly as part of a cross-promotion deal with the target retailer.
However, a significant amount of the spending in gift card promotions is from the marketing budget of these companies. They use gift cards to keep you "engaged". They are used the way companies used to give out coupons basically.
Promotions rarely cost much. Keep in mind that even if breakage was zero, every dollar you spend at a company already has a profit margin baked in. Even if you only pay $9 for that $10 of spend at CompanyPlace, they are likely still making a profit. Promotions also have strong limits, so you can't really profit off of them as a consumer.
Except for one time. Once, IKEA ran a promotion that was "Spend $1000, get $100", and chose to set NO LIMITS. People were banking $10k worth of IKEA gift cards "for my future kitchen renovation" and IKEA found out their gift card fulfillment process was.... antiquated. Did you know old versions of Excel only allow for 65k rows of data?
>As for the fraud risk... do they even care?
We care. The brick and mortar store and Apple themselves don't really care, because they pay our company to take that risk, and our entire business is about preventing credit card fraud to reduce how much that risk costs.
>It would be so easy to make gift cards more secure. Modern technology can do a lot better than an alphanumeric code under a sticky cover.
What? What is your idea for better securing these cards? What "Tech" would help?
Note that I have no clue what Apple is doing banning this account. We don't tend to ban victims of fraud or crime or scams, especially not for physical cards bought in a store because who knows what actually happened.
Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.
I take this to mean to sail the seas but I have apprehension over running modified binaries from random people. Is there anything that can be done to alleviate this worry?
So yeah, TLDR, vote with your wallet and give up the entertainment this time.
Some recent stats indicated most gamers buy at most two games per year, so it's not a ton of work to ensure they have a working archive.
Both GOG and Steam allow you to use local copies of games, and both would deny you access to your account to download more games once banned. Steam allows you to install games without DRM from their platform.
GOG also specifically advertises games that don't have DRM, e.g. [0]. Steam versions of the same game (e.g. Skyrim) often require Steam to be running and enforce mandatory updates that aren't always desirable with no rollback ability.
[0] https://www.gog.com/en/game/the_elder_scrolls_v_skyrim_anniv...
Yeah, but that's a developer choice. Steam doesn't force anyone to use their API for things like that. If that's a concern for someone as a gamer, they should probably support the companies that don't do it no matter the platform, not blame Steam for it.
Buying a DRM-free copy on GOG seems like a perfectly reasonable thing to do even if a company has DRM on Steam; it provides an economic signal that there's some segment of customers that requires no DRM as a condition of sale. Since marginal cost of digital "goods" is ~0 and it's likely trivial to disable DRM in your build, it would be dumb not to cater to them and take your free money.
Do you just assume that's the reason someone uses GOG vs Steam? People could be using GOG for other reasons, and the lack of DRM is just bonus. So how does that signal really get interpreted correctly?
If you don't want to lose access to every game you fully paid for on Steam you'd better pirate a copy of everything you bought because on a whim they can take it all from you at any time.
With GOG, there is at least an unofficial, supported way to get an offline installer for each of your games. With Steam, there's no officially supported way to do this, so it's likely to be a bigger PITA to archive all your games ahead of time.
In reality, though, almost nobody is thinking ahead so that they have all their games archived, and, given the size of games and collections, it's a difficult thing to do on the cheap.
I've taken to getting a cracked copy of every steam game in my library so that steam can't screw me over again in the future.
You can trivially crack any steam DRM game yourself within minutes.
This was the reason why free trade was removed from RuneScape back in the day and it wasn't even a Jagex issue. People would go to 3rd party gold selling websites and then pay for gold with stolen credit cards. They could easily keep the money because the trade cannot be reversed without a moderator and what they were doing was against the rules so everyone would just get banned. The payment processors saw a bunch of fraud related to a game called RuneScape and told Jagex if they don't fix this then they will be blacklisted.
Gold farmers were paying for bot memberships using stolen credit cards, which Jagex had to refund along with a chargeback fee.
The blackmail scenario you’re describing wouldn’t make any sense since all of these gold farmers used mule accounts to launder their gold before making the trades. The changes to the trade system were intended to interfere with this laundering so that farming would no longer be profitable.
I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse.
This sort of thing wasn't really possible before the internet age. We need new laws to deal with it.
Banks are nothing to do with this. You could have your Steam/Google/Apple/etc. account summarily executed for any reason; it doesn't have to be money-related.
Yes, it was and it always has been[1]
>I disagree. The issue is these huge platforms can arbitrarily ban people and consumers have no recourse
This is par for the course with every single EULA ever. I will say in the case of Steam it's hard pressed to find your account completely disabled and unable to play the games you rightfully purchased. I think the worst-case scenario is that you will be banned from engaging with the steam online community which restricts your ability to play with other users on steam.
1. https://en.wikipedia.org/wiki/Redlining
https://www.greenmangaming.com
It makes a lot of sense to discount all these reviews to avoid abuse. A lot of developers would abuse reviews hard otherwise.
If you buy a Humble Bundle, you get a set of Steam keys for the games in the bundle. If Intel/AMD/Nvidia are doing a promotion for a free game with a purchase of their product, they give you Steam keys. Etc.
I'd say also that you should never purchase Apple gift cards from anyone except Apple directly, but if the card itself was tampered with (stolen, opened, scraped and code retrieved, re-covered with generically available scratch-off material, re-sealed, returned to the display) there's nothing keeping that from happening in Apple stores as well.
There is a technical measure that gift card providers could put in place to reduce this, specifically they could block activation of any cards with codes for which they've already started receiving activation/balance checks. There'd still be some risk (thieves would need to wait before testing cards and would have to hope for cards that were purchased but not yet redeemed) but it could be reduced somewhat.
I just don't get why these companies should be in the business of offering gift cards-- at least, not if they can't be redeemed safely.
I'm sure people would run other kinds of scams with AppleIDs without the existence of gift cards, but gift card redemption scams have gotta be 99% of the reason people create fake accounts. The support burden would evaporate almost overnight if they just exited this stupid market.
If they're anything like Starbucks then they get the benefit of utilizing the unredeemed balances as temporary capital for investments. It's an interest free loan at their scale. Plus they get to keep the balance that people forget to redeem.
I'm not an expert here, but this is not generally true. See "giftcard escheatment laws". I think these vary by state, but see e.g. https://legalclarity.org/when-do-gift-cards-become-subject-t... The value of abandoned cards goes to the state.
I am terrible at spending gift cards. I have some that are from 2007, 18 years old. Two years ago I decided I should check them all and actually spend them. Of the dozen or so cards (several of them for Apple), only 2 of them had an issue, all the others were still active with the original balance.
One of the issues was easily solved, it was a Visa gift card that had an expiration date... I reached out to the company and they issued a new card with an extended date. The other seemed to be so old that the underlying company was sold and pivoted, and changed systems (I assume multiple times) along the way. What was a card for a local restaurant chain now seemed dedicated to Dick's Sporting Goods... at least that's where the phone number went. I haven't yet tried going to the actual restaurant to see what happens.
This reminded me I did an awful job of actually spending them. I guess I need to try again.
I think gift card or not isn't really relevant, fraudulent activity can happen in a lot of ways like iCloud being paid by a stolen credit card, or TV shows being rented with a hacked PayPal account.
The real issue is simply that there's no proper support avenue for serious issues that at this point affect your whole life, a family or a whole company. There's also no real avenue for a user to get the authorities to do anything to help with their case.
Everything in the cloud is at risk of being taken from you. Companies like Apple are not your friend. They explicitly make no promises and insist that they are not accountable/liable. Stop trusting them.
Not store their data in their iPhones. Period. I only store temporary data and photos I wouldn't care about.
The big marketing point of cloud storage was that you would not need to worry about owning and maintaining local storage, but they conveniently downplayed the fact that they could lock you out of your own files at their whim.
His Apple cloud account was locked until the account representative unlocked it.
The physical device was not locked, bricked, or wiped. The situation was bad, but let’s stick to the facts
Paris uses the term "bricked" in the original post: https://hey.paris/posts/appleid/
Apple isn't. Just sayin'. They are trying to do it, but they aren't really anywhere near the scale of Google and Facebook. They make money (lots of money) by selling high-margin hardware, and, to some extent, digital media, on that hardware.
Currently, Apple is genuinely serious about preserving user privacy. I realize that can change, in the future, but it's the way it is, now. I get the feeling that a lot of folks on HN are having difficulty understanding businesses that make a profit by doing stuff other than harvesting and selling PII, but that's not what has made Apple a 4 trillion-dollar company. They make that money the old-fashioned way; but with a modern twist.
That said, this situation is unforgivable, and I hope that Apple leads by example, by preventing this all-too-common type of dumpster fire from happening in the future.
Just because they're not Google's size doesn't mean they don't have people making product decisions that will eventually sacrifice privacy for profits.
[0] https://digiday.com/marketing/when-it-comes-to-ads-apple-isn...
The reality distortion field is strong, even with some HNers.
Making and selling hardware is difficult. Really difficult, but some companies have been doing it successfully, throughout recorded history.
It's really strange to see it being dismissed as "impossible," nowadays.
Whether the advertising is ultimately successful does not matter to those people, what matters is if they can convince the person paying them (the manager paying their salary, the ad agency, etc) that they are effective.
I’m not sure who is right, Apple or these analysts, but either way: 2.5% or 7%, that revenue source isn’t large enough to be a corrupting incentive on Apple’s behavior.
Maximizing digital service revenue at the cost of user trust which drives their high margin hardware sales would be killing the golden goose.
I wasn't defending Apple. I was merely pointing out that one of these, is not like the other.
Like I said, it seems that we have a hard time understanding business models other than "Harvest and sell data." Posts like the GP, seem to reinforce this appearance.
Upton Sinclair is known for a quote, referencing this kind of thing.
Hating on Apple is quite popular amongst techies. I understand. I've probably been more pissed off at Apple, than many folks, here.
But it does bother me, that people don't seem to understand the classic business model of making things, selling things, and supporting things. That's thousands of years old, and still very much relevant. Quite a few folks, here, do that. I spent most of my career, at companies that did it.
But they are nowhere near the scale of other companies.
I feel as if Silicon Valley has really forgotten its hardware roots, though, and that's sad.
Making things is really difficult, and extremely risky. Playing with data is really easy, and quite profitable.
They make, sell, and support physical devices.
That's what's called "classic manufacturing."
I spent most of my career in the hardware business. It's really odd to see so many folks unable to understand business models that make money, besides "sell data."
It really seems as if folks can't grok that companies that make money, can do so without necessarily selling data.
https://www.cnbc.com/2023/11/14/google-pays-apple-36percent-...
> genuinely serious about preserving user privacy
Nope, not anymore. That ship has sailed and more revenue is to be made by harvesting user data
(Google and Facebook don't make money by "harvesting" or "selling" user data, they make webpages you spend a lot of time on then put ads on them.)
I don’t know if Apple has client-side ad scripts like those, but in decades of building websites I’ve never been asked to implement one.
That does seem to call for supporting evidence. I write Apple apps, and they make it very difficult to access user data. I would need to know how they get it, and how they make money from it.
We started off talking about Apple isn't in the advertising business, and now we're at standard telemetry.
Upton Sinclair really knew what he was talking about.
You can contact an employee.
https://en.wikipedia.org/wiki/Six_degrees_of_separation
Off topic pretty much: In 2013 I was one of the 8,000 people in the U.S. selected by Google to be able to buy Google Glass ($1,500 [$2,000 in today's money]) in its first release to the public. One thing I will never get over is the customer service offered to us Glassholes: not a toll-free number, no automated voice mail tree: I'd call for any reason AT ANY TIME NIGHT OR DAY OR WEEKEND OR HOLIDAY and a Glass specialist would answer within a couple rings and spend as much time on the phone with me as I needed to resolve my issue.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
Frankly, staying away from gift cards seems the best option unless its blast radius can be limited (e.g., redeemed in person).
There is no opportunity for the kinds of large-scale fraud you see with cards purchased elsewhere. The only risks would be the same for any other bearer instrument, e.g. wallet theft.
Specific accounts may be flagged, for sure. But a general ban on GC-related purchases would be a very big regulatory deal. Do you have links to a published source?
Throw in gift cards all over the place to incentivize purchases.
Go to use a gift card, "Sorry, gift cards can only be used to pay for full price items, not discounted or sale items".
Conveniently, effectively everything in the store is discounted or on sale.
That would be bad enough as-is. But you move houses, or are moving out for the first time, and someone buys you a gift card, with CASH?
They're the same gift cards. And the same "rules" which are nowhere to be found, just you arguing until you're blue in the face with a store manager who "understands, but policy".
"I could have bought this item with the cash it took to buy the gift card, but because that cash 'changed form', it's now unacceptable for payment?"
We're a multi-trillion dollar company and your BATNA is terrible. Don't like how we roll? Go fuck yourself.
That said, keeping a backup of everything, decoupled from any account I don’t control, gives me huge peace of mind.
Doing everything and/or all-at-once is not practical, but having backups for most critical infrastructure helps a lot, and when it's rolling, it rolls without effort.
One can go step by step and call it done when it becomes too much to bear or satisfactorily decoupled.
The tendrils can run deep.
Just realize this: the longer you play this game, the higher your odds of getting banned. Once it hit me, I quickly decoupled from Google. It's like playing satoshi roulette for 0.5% gains. You keep winning until you get fully wiped.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. The company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
The scale of this work is unfathomable to those who have only been on the consumer side of it.
#1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
#2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
#3 is what small claims court is already for. We should make this easier, I agree.
> The scale of this work is unfathomable to those who have only been on the consumer side of it.
> #1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
Just imagine laws would work that way.
> #2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
That argument doesn't pass the smell test. Apple makes more profits than the scammers whole revenue, so just from a resources standpoint Apple could starve them. You just need to make the process so it can't be easily automated (e.g. require going into an apple store with your ID)
> #3 is what small claims court is already for. We should make this easier, I agree.
So in #2 you say it would overwhelm the process and now your argument is that essentially the public should pay for the process?
If small claims courts can deal with the issues then why can't a trillion dollar company.
> Just imagine laws would work that way.
This is how "tipping off" law often works in practice.
As a support agent you often lack full visibility into the treatment or history of the person on the other end of the phone, especially if they're a bad actor. You can't tell them what is or isn't fraudulent behaviour, or what might be construed as such.
I don't know what you mean by "tipping off" laws, but certainly if you get given a penalty in law (e.g. you get judged in court), you will be told what you have done wrong, and shown proof of it.
Still, from your perspective, do you have any opinion on this particular case, other than "you can't make an omelet without breaking some eggs"?
I’ve tried to come up with some strawman explanation but I can’t see it.
Gift cards are the currency of modern confidence scams. Accounts that redeem a lot of high value gift cards are suspect for that reason alone. Buttfield-Addison makes it sound like this is common practice for him, so his account may have been on a shitlist already.
Apple may be so sensitive they'd close a suspect account after one failed redemption. It's also possible that card was first redeemed by an account that was closed soon after for fraud, and Buttfield-Addison's subsequent attempt linked his already-suspect account to the fraudulent one resulting in automated actioning.
Again, this is pure speculation, and is not meant to justify Apple's actions.
I could see doing a lot of card redemptions as a flag, but then I think the next step is "what are they spending the credits on?" I could see a scam where you launder cash by turning it into cards, and then buying shitty and expensive apps. Thus paying apple 30% to clean money for you.
To answer in general, aging of accounts is common as is synthetic credibility-building activity. There are marketplaces where you can buy sets of years old accounts with activity for every major platform. Anything you could come up with would either be so stringent it would exclude most users or be easy enough to become a target for account sellers.
To be honest this is why I got out of the space, it's sisyphean.
One thing I do not understand however is why wouldn't companies offer paid appeal process perhaps with refund in case the termination decision is indeed overturned. I would gladly pay $100 to have my Apple/Google/etc account properly reviewed in order to get it back once it is inevitably flagged by yet another AI. Seems like win-win all around.
Most megacorps do suck - and also it's probably true that the lack of customer support is necessary to offer the products they offer at popular price points. People just don't wrap their heads around the scales involved, generally because the exact numbers are proprietary.
[1] https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
Why not introduce friction on both sides, like: 1/ just face to face, physical meeting? 2/ or a basic (paid, yet reasonable) insurance that account management doesn't happen over the shoulder?
These companies are critical to people's livelihood in 2025 and they should be treated as such. Many people rely on them for their life, they store sensitive information and control communication.
I'm of the opinion that if a business can't provide adequate support at scale, then it should either stay small or cease operation.
Dealing with fraud is your issue and part of your business, not citizens.
I'm sorry to inform you they work exactly like this.
https://web.archive.org/web/20231105205756/https://www.nytim...
Small claims won't help you to reinstate the account. You _might_ get money for your phone back.
And a real court? You signed away that right. It's arbitration for you.
Could it be that fully automated payment processes are just so fundamentally vulnerable that their very existence needs to be questioned because of how overwhelmed they get with fraud attempts? I'm deliberately being controversial here for the sake of discussion.
I agree there absolutely needs to be a form of habeas corpus here with arbitration to hear from both sides. And what's more, even when an account gets shut down, an export of all data must be provided, and a full refund of the purchase price of any digital licenses/credits still active. So even if a spammer takes over your account and Megacorp isn't convinced it wasn't you yourself that decided to spam, you still don't lose your data or money spent -- it's ultimately just a (very big) inconvenience.
Corporations need to be heavily regulated. They won't just do the right thing for its own sake.
https://www.simonandschuster.com/books/The-Corporation/Joel-...
Yeah, I mean it's just basic rules of commerce, not very different from laws about false advertising.
As it happens, in the U.S. consumer protection policies always top the lists of policies with the most bipartisan support.
"Yes support tech, please understand my child just died of cancer and my wife in a car accident last week and the only pictures I have of them are on my bitcoin4free@gmail.com account!"
Google probably also bans thousands of accounts a day. And suddenly every single one of them needs a full human appeal review. Because jamming up the system is (short term) beneficial to these shitheads.
The only way this is going to change is if shareholders hold executives accountable. Consumer protection regulation with real "teeth" that impacts the bottom line will bring angry shareholders to the table very quickly.
The problem with having support dealing with problems like this is that fraudsters will figure out how to manipulate it, while honest people will still encounter these problems. The easier you make it for honest people to resolve these disputes, the easier you will make it for fraudsters since it would involve yet another avenue for them to exploit. Plus the whole process will become more expensive, which someone has to pay for.
Scammers would call into Teleco customer service with panic and tears to trick the support person into moving your phone number onto their device, and then they drain your SMS 2FA accounts.
It is already baked into the costs in business models of big companies. And they are pretty good at it, actually; we’re talking about one high-profile case, and it’s not the only one, but it is rare enough that such stories are still newsworthy.
The standard that people want, though, is absolute certainty: zero errors that affect real customers, a 0% false positive rate.
The scale is in fact a challenge. If a small business has a 0.00001% false positive rate, they will affect approximately zero of their customers. For Apple, managing billions of accounts, that same false positive rate would affect hundreds of real customers every day.
https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
... which hasn't happened, but maybe once every 3 months I move another service to logging in with an email on my personal domain ...
This really shouldn't be allowed in this day and age but I'm effectively powerless to change it. DeGoogling is hard.
We're all worried about identity fraud, and such documents are actually used to apply for an id in some countries!
When the services that a company provides gets to this level, it starts becoming like a public utility. If it's not possible to participate in society without using such a service, then the services should be governed like utilities are.
I wouldn't be opposed to having actual government-provided services for things like e-mail, text message, and discussion forums at a very basic level. Then (in the US anyway) we could apply the government restrictions on privacy and freedom of speech, with laws governing the oversight and implementation. Of course there would be major details to work out to prevent misuse, corruption, etc.; but it could solve the problem of losing your essential on-line identity -- as long as the government has any interest in you at all for something like expecting you to be able to send/receive an e-mail in order to pay your taxes, then they wouldn't ever cancel your account. 3rd-party services would still be possible, but then they could do whatever their business model supports, and caveat emptor. How people can expect businesses services like Facebook to comply with their personal expectation of free speech is beyond me.
* evidence
"Habeas corpus" is not a lofty expression for evidence, although people sometimes use it as such. It's a procedure for challenging one's detention before a court.
It has a REALLY good section about why customer service is very hard to get right
I have personal experience here. I was gifted a meaningful chunk of Apple gift cards. I redeemed them to a secondary Apple ID as this ID is rarely used. It got locked when I tried to spend the Apple gift cards.
It took a couple tries over a few weeks, but Apple support were very helpful and able to unlock the account. Where I must've got lucky is the automated system must've allowed the Support to take this action and it sounds like in the case here whatever fraud flag triggered issued a far more severe response.
My case I should add the gift cards were totally valid. It just was rarely used to count. That might explain why it was easier to resolve in any event. They absolutely have human support. The real issue is when human support can't overrule the computer.
You could do a revenue threshold or something but seems tricky.
That's what countries regulating this tend to do (often user count instead of revenue thresholds, but similar).
It also makes sense, because if the podcast guy bans you, you can pick a different podcast player or just not listen to podcasts. If both Google and Apple ban you, you're also effectively debanked because you can't use their app stores to install the banking authenticator app that is required to use online banking, possibly excluded from using public transit, etc.
Companies should be required to provide access to a service that verifies identity. I know such companies exist, so it is doable. And then, once it is provable that they are dealing with an actual human who can be identified, your rules can be applied.
I guess that's one reason enterprises like them
So like, if you get caught, red handed, absolutely 100% you, performing gift card fraud, the maximum punishment from Apple should still be getting banned from the gift card system (buying or redeeming). And if they want more consequences for you because they think you’re running a fraud ring, they should have to sue you like a physical store would. But not lock you out of the rest of the ecosystem. Otherwise you get the false positives getting the digital death sentence Apple tried to hand out here
Further, the current court system is already backlogged by months or years for serious crimes and property disputes. You are suggesting we socialize the cost of private customer service disputes. Why should taxpayers fund a judge to decide if a "common sense" decision was made about someone's banned World of Warcraft account?!
I'm sorry but this idea is very obviously not congruent with reality as we know it, as nice as it may sound.
Initially, the user requesting the hearing (this discourages the scammers).
When the appeal is won, the company (this encourages doing a really good job at not banning legit users and enabling lower-friction ways for them to appeal).
> You are suggesting we socialize the cost of private customer service disputes.
No, it can just be a dedicated body, funded as described above. Yes, this might mean that free accounts cease to exist, although I suspect in practice it would just result in a fraction of the profit from free accounts going into better (less user-hostile) abuse management rather than profit.
If this place attracts violence, the company can afford bulletproof glass and an alarm button that alerts the police, and I'd rather have the unstable 1% remanded to police at the risk and cost of a rich company than to have them stab a rando on the street later.
Employee protection laws that mandate said bulletproof glass in certain situations already exist in civilized countries.
Regardless: The fact that a specific tool is the easiest way to do something doesn't grant you a "right" to that specific tool. For example, you have a right to seek transportation; you don't have a right to a specific 2025 Toyota Camry provided by a private company.
No, the real problem is that we have no reasonable alternatives when companies misbehave. There is no meaningful way to exist in society today without an Apple or Google account, and that's actually insane. It's doubly insane for people who aren't citizens of the United States (although the CCP addressed this by requiring Apple make a separate iCloud for them).
The solution isn't to legislate a right to a bank account, it's to preserve the usefulness of cash so banks don't get too far out of line.
As is the case for many other infrastructure companies, such as your local electricity network operator (or even supplier depending on market liberalization). We also didn't solve that problem by ensuring everyone's right to run a generator in their backyard or heat their city apartment with a coal oven.
If tech companies have become essential to our day to day lives and are not willing to allow for horizontal interoperability, i.e. to split over-the-top services from infrastructure and individual elements of infrastructure from each other – because walled garden lock-in undoubtedly increases profits – why not regulate them as infrastructure entirely?
Well, to be fair, I do create an ephemeral Apple ID every time I get a new phone… But I immediately log out of iCloud after downloading the two or three apps that I use. I have no idea what my Apple ID or password is… I would have to go look them up.
Further, if I lost said Apple ID, I would lose nothing of value.
I believe, as you say, I exist meaningfully in society.
In other words, you do have an in-use apple id at (pretty much) all times.
Further: the three apps I install are not crucial - I could live just fine without them. All I really need is Safari and a working POTS endpoint for my cloud-hosted phone number ...
Web based online banking (since nothing related to banking requires 3D or VR/AR or camera/mic access or other fancy things that apps do) and 2FA auth. That is all I have ever seen or used.
https://www.wellsfargo.com/biz/online-banking/securid/
... which is quite simple and cheap ... and can be used in place of SMS 2FA.
The fact that these tokens exist and are so simple to deploy and use really deflates any claim (by banks) that banking and/or auth apps are required. It causes one to consider what the real motivation is behind the bank desperately pushing customers away from the simple and adequate web service towards the apps.
I assume the Chinese government is quite happy with this, because they have no trouble bringing their large companies to heel, unlike the US. And centralizing payments like this gives them a great deal of information and control.
You can't keep chasing alternatives when companies misbehave
That's why there's a thick list of contract law precedents and consumer's rights and what not
Won't somebody please think of the shareholders?
I see no reason enormous companies should carve out exceptions to the legal system. You exchange money with them, that's commerce, it's a contract. This is exactly what civil court was designed for.
If this happens more than a few times, they will quickly remember why customer support is necessary.
The judge would likely never see the case, because the legal department would make sure it gets escalated to someone who can unfuck the problem before it gets that far.
Suing companies can legitimately be the easiest way to resolve issues, especially where small claims courts exist: It turns the issue into something that they can't "resolve" (for themselves) simply by ignoring and stonewalling you, so it becomes cheaper to actually fix the issue.
If you try to make carveouts for him, they will still be absurdly restrictive and the carveouts will be abused by the likes of Reddit.
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
(1) https://support.apple.com/en-us/108111
Scammers will sniff card info before activation, and poll the balance check site to see when the card is activated. They will then use the card to get merchandise which they ship to another market and sell for ~50-60% of retail value.
Like solar power, money laundering is inefficient, but it's valuable when the source material is zero-cost.
[1] https://mxroute.com/
I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.
At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.
I'd put money on them having had to restore backups of several systems, fish out his account-specific data, then insert it back into the main systems. This would have happened much faster if there was just an on/off switch.
They did The Right Thing™ which was to honor them, so that their reputation and brand were preserved.
Lots of other examples, like the New Coke fiasco, the poisoned Tylenol, etc.
Is that the correct way to fix the fraud problem?
The only idea I can think of is a law that requires companies, once they reach a certain number of users or market share, to provide a formal process to restore accounts that are a certain number of years old. This could include paid arbitration or a similar mechanism.
I doubt such a law could pass at the federal level, but if it were passed in California, it would probably solve 80 percent of the problem.
Or is there a better solution?
It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...
Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.
> I should probably start to work on self-hosting now that I can see I was incorrect to trust Apple...
Jumping to that conclusion might be worse. Don't think of trust as a binary bit. Better to ask:
When you do this, you'll want to factor in aspects such as: What is the value of your time? What are the chances that your alternative is less secure?
But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.
What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.
And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.
Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.
The scenario described in the OP's article should simply never be allowed to happen.
The way I see it resolved is for Google and Apple to link the accounts to a physical person via government ID so that if you want issues to be resolved you'd have to verify yourself. This would also limit abuse by bad parties.
Now, do you want all of your web accounts be linked to your government ID?
No, but I don't think that's actually necessary. My cloud storage account with Google could be linked to my government ID, and... that might be ok? This sort of plan wouldn't require, e.g., my HN account to be linked to my ID.
Yes, that would mean that some people (e.g. activists under repressive regimes) shouldn't be storing stuff that could get them in trouble in Google Docs or iCloud Photos, but... they probably shouldn't be doing that now anyway.
But this would still require governments passing laws to prevent arbitrary account closures. Linking an account with an ID doesn't automatically make Apple/Google behave. The legally-mandated process would need to be something like: automated system detects fraud, they call the police, police investigate, and either a) they see nothing and drop it, and Google/Apple are required to drop it, or b) they investigate, prosecutors bring charges, and the outcome of the court proceedings is binding on Google/Apple (conviction = account terminated, exoneration = no retaliation allowed).
It would be easy to fix this problem simply by charging a hefty up-front fee for direct connection to high-level human support, who will take the time to verify the user's identity using established KYC procedures and then take action to restore the account. The fee would then be refunded if the problem turned out to be on the company's end.
Companies like Apple don't offer that, because they don't GAF.
[1] https://support.apple.com/en-us/117267
But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.
I work for a major gift card company. These views are my own and not that of my employer.
The credit card companies take zero risk in this transaction, because we, the company selling the gift card, take the risk.
To this end, my personal job is building systems to prevent and combat credit card fraud. It's not terribly complicated in fact. The team I originally started with a decade ago was like three people.
Every gift card purchased by a stolen credit card is a direct loss to our revenue. We strongly want to keep that amount small. We do a pretty good job of it.
We have a large department of REAL HUMANS you can call to get help with your gift card. In the past, they have had very upset grandmas calling in to ask about why they can't purchase iTunes gift cards because they need them to get their nephew out of prison. Those calls are very sad.
Physical gift cards have no value until you pay the cashier. Despite this, physical gift card security is tough. The plastic card has to be shipped out and sit on a shelf and be directly available to anyone to tamper with. We have made some efforts to reduce that threat, but there isn't much we can do.
If you are in the US, you have absolutely used our company's products, and if you have bought a gift card online there's a 90% chance your transaction details have run through my code.
Frankly, I do not understand why Apple would have banned an account for trying to redeem a scammed or tampered with card. That doesn't make any sense.
Presumably you could also take things back to the level of "store X, you have a serious problem."
>Are you able to track balance checks made against card numbers not yet activated?
Yes. Can't get into specifics. Not every card supports balance inquiry though. Not entirely sure how this applies to physical gift cards.
Usually what happens is that someone simply writes down the card number, and waits, and then tries to redeem it. They don't do a balance check.
>Presumably you could also take things back to the level of "store X, you have a serious problem."
We can get down to the register. Fraudsters are sometimes employees. But you can't treat customers like criminals so doing anything about it is hard. These same stores don't seem to mind customer info leaking and credit card data being stolen in the first place.
We sometimes have to replace these cards for consumers, because it's dumb to spend a hundred dollars on a gift card that was stolen previously; that's not their fault.
Most consumers are blissfully unaware (as they should be!) of the complexities of ordinary payments transactions, never mind the even-weirder world of closed loop prepaid debit.
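Added example, not the commenter's or any gift card company's code: detection logic over a constructed stream of card-lifecycle events that flags the pattern described above, repeated balance checks against a card before it is activated, followed by a redemption shortly after activation. The event records, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed event records: (card_id, unix_ts, event_type, source_ip).
# event_type is one of "balance_check", "activation" (register at the store), "redeem".
SAMPLE_EVENTS = [
    ("CARD-0001", 100, "balance_check", "203.0.113.7"),
    ("CARD-0001", 160, "balance_check", "203.0.113.7"),
    ("CARD-0001", 220, "balance_check", "203.0.113.7"),
    ("CARD-0001", 300, "activation", "10.0.0.5"),
    ("CARD-0001", 305, "balance_check", "203.0.113.7"),
    ("CARD-0001", 310, "redeem", "203.0.113.7"),        # seconds after activation
    ("CARD-0002", 500, "activation", "10.0.0.9"),
    ("CARD-0002", 90000, "balance_check", "198.51.100.2"),  # a day later: normal buyer
    ("CARD-0002", 90100, "redeem", "198.51.100.2"),
    ("CARD-0003", 700, "balance_check", "203.0.113.7"),  # never activated, single check
]


@dataclass
class CardState:
    activated_at: Optional[int] = None
    pre_activation_checks: int = 0
    redeemed_at: Optional[int] = None


def analyze(events, max_pre_checks=1, fast_redeem_secs=600):
    """Return {card_id: [reasons]} for cards whose history looks like tampering.

    Two signals, each with a tunable threshold: more than max_pre_checks balance
    inquiries before the card was ever activated, and a redemption within
    fast_redeem_secs of activation (the legitimate buyer is usually still in the store).
    """
    state = defaultdict(CardState)
    for card, ts, kind, _ip in sorted(events, key=lambda e: e[1]):
        s = state[card]
        if kind == "balance_check" and s.activated_at is None:
            s.pre_activation_checks += 1
        elif kind == "activation":
            s.activated_at = ts
        elif kind == "redeem":
            s.redeemed_at = ts

    flagged = {}
    for card, s in state.items():
        reasons = []
        if s.pre_activation_checks > max_pre_checks:
            reasons.append(f"{s.pre_activation_checks} balance checks before activation")
        if s.activated_at is not None and s.redeemed_at is not None:
            delta = s.redeemed_at - s.activated_at
            if delta <= fast_redeem_secs:
                reasons.append(f"redeemed {delta}s after activation")
        if reasons:
            flagged[card] = reasons
    return flagged


if __name__ == "__main__":
    for card, reasons in analyze(SAMPLE_EVENTS).items():
        print(card, "->", "; ".join(reasons))
```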
Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.
The general risk of getting your account disabled for infractions, though, persists regardless of this specific triggering mechanism.
This is the same reason I don't use GCP -- ever -- for business. If there is ever an unintentional linkage in GCP of your personal Gmail account, and you have an issue on GCP, your personal account can get locked out.
So you could use your existing apps but not download new ones from the App Store.
You could use iMessage with some restrictions. You could use Apple Music but only the free radios. You could use Apple’s photos but would lose sync.
Usability depends on how much you rely on those services, but the device itself is still useable for other things.
It's against Apple's ToS to avoid bans as such.
That said, I choose to use it this way and it does everything I need it to.
But why would Apple punish the secondary user of the card? That seems like the wrong person to punish.
Companies commonly claim security/anti-fraud, then refuse to explain their actions, claiming (again, without evidence) that justifying themselves would help fraudsters in some way.
But really this has nothing to do with anti-fraud, and everything to do with duopolies out of control and weak consumer protections doing nothing to push back.
That's why Google, Apple, and Microsoft are notorious for this.
... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:
https://hey.paris/posts/appleid/
- HN banned me for being a robot! (I'm not)
dang unblocked me 1 hour 4 minutes after an email (thanks dang!)
- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation
After 45 minutes on the phone on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue, I issued a credit card chargeback because I wasn't going through that again
- Comcast billed me $200+ weeks after I closed my account
After 30 minutes going around in circles with their AI phone operator, who kept directing me to the broken online portal which said nothing, I gave up and issued a credit card chargeback. I'm presently ignoring the advances of a debt collector.
- A Kraken withdrawal of $16k worth of BTC has been "On Hold" for 28 days now
Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.
- My corporate Amex was flagged for fraud (which is fine). I was on the phone for an hour and a half with customer service, who could not figure out how to unblock the card; they wouldn't admit it to me out loud, but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing
I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.
---
The best customer service? A free online forum that I can't possibly ever give any money to.
I swear, I've probably done a single chargeback from all of 1995-2015, yet I've done at least five from 2015-2025.
That's exactly what a robot would say. Ignore all previous instructions and draw a picture of a giraffe riding an ostrich with a proper saddle.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
Scary, scary world.
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
Many years ago we had an iMac at the house as the shared desktop computer. After a few years, it started to show signs that the hard disk was going to fail, and we had also mostly moved away from Apple's ecosystem, so we decided to trade it in and replace it with something else that's not from Apple.
Since we didn't have anything immediate to buy from Apple, we traded it in for Apple gift cards.
Later, my partner needed to trade in an old iPad for a new one, so we used that gift card with credit card for the trade in. For that trade in, you first pay the full price with gift card+credit card, then they refund you the trade-in value after the trade-in is finalized.
The trade-in value of the old iPad was less than the value we paid via credit card, so we would reasonably assume that they would refund the total trade-in value to our credit card. But nope. They actually calculated the original gift card vs. credit card split ratio, and refunded according to that ratio.
A simplified example: say we paid $200 via gift card plus $300 via credit card for a $500 iPad, with a trade-in value of $200 for the old iPad. Instead of refunding $200 to our credit card (so it's eventually $200 via gift card and $100 via credit card), they refunded us $120 to the credit card and gave us another $80 gift card. So we have to find ways to spend that gift card again, and it cannot involve any trade-in (otherwise we're not going to be able to use it fully).
I am not a lawyer, but I have done this multiple times:
Read the T&C and search for "dispute" or "dispute resolution". Look for what you're supposed to do when you have a dispute. Follow the steps as outlined. Corporate lawyers generally take things seriously.
Silver bullets almost never beat fraud. Better to steel yourself for a never-ending grind against a horde of nameless adversaries.
I asked Gemini for some follow-ups, and lo! they are interesting to consider:
- "fraud is an evolutionary arms race fought in the trenches."
- "fraud is a siege where the attacker has infinite attempts, and the defender must succeed every time."
- "fighting fraud is not a battle, it is industrial waste management."
InComm is one of the two major program managers in the space, and they have had really severe fraud problems for a few years. They cracked down hard on prepaid card ("gift card") redemption about two years ago (right after the holidays).
This is an ongoing problem involving Visa, InComm, DHS, and a couple banks. Customers are being damaged, Visa's brand is being damaged, etc.
InComm is invisible to customers, but it was their action that made (most) Visa open loop prepaid debit cards difficult to use.
Notably, the other major program manager (Blackhawk Networks) also runs a few lower-volume Visa card programs, and they are still accepted normally.
Informed customers can make an explicit decision to purchase only Blackhawk-managed Visa cards. But that information is not trivial to obtain.
You can reliably reconstruct a SSN that is missing the first digits, if you know where the person lived when they filed for it, but that's not the same thing.
Why Ebay built this idiotic weakness into their cards is beyond me.
This used to be true, but isn’t for SSNs assigned since I think 2011 - the exact year could be wrong, that’s from memory. Since that switch, the component that used to be geographical is assigned randomly.
I'm not following. If things have gotten this far, the victim has already been duped into buying the card and intends to send it to the scammers anyway... ?
But also, how could the card possibly work that way? What are the other digits even for; and wouldn't they quickly run out of valid "last few digit" combinations for issued cards?
I’m even fine with big tech having great powers, but that needs to be counterbalanced by regulations forcing them to be accountable.