This blog posting will be unlike any of my other postings. For one thing, I’m not including any images. I am including a video from the Wall Street Journal and one from a technical guru that I trust. I will encourage you to seek further information for yourself. I’m relating my personal story because I truly hope that by doing so, I might be able to prevent the same horrific experience from happening to someone else. This is meant to be a stark warning to all of my friends who utilize the apple ecosystem.
Approximately 3 weeks ago, I received a phone call from American Express. They told me over the phone that they had detected fraudulent activity on my account and that they would like to change my account number. When I protested that I had not seen any unknown charges on my account, I was told they had thwarted the charges. I told the caller that I was going to disconnect the phone call and would call the phone number listed on the back of my card. She encouraged me to do so. When I called that number, the person I spoke with said that someone had attempted adding my American Express card number to an unknown digital wallet unsuccessfully. Thus, the warning that I was receiving that I needed to deactivate my compromised card number and be issued a new number. I worriedly agreed and daily checked in on the website, which tracked the progress of a new card being mailed to me.
The iFraud.gov agency representative that I spoke with later told me that this was a sophisticated manuever by a criminal gang that had already targeted me as a potential victim. They knew that they would not be successful in attaching my card number to a digital wallet but they also knew the attempt would trigger the phone call by American Express. He told me that they were psychologically preparing me by: 1. having received a legitimate, direct call from a credit card company informing me of fraud, I would be more inclined to accept future calls from credit card companies as legitimate, and 2. by creating a low-level of anxiety for me about compromise of my credit accounts.
Three days after the call from American Express, I received a phone call from Goldman Sachs, also informing me of fraudulent activity on my credit card. The person I spoke with told me of several charges that I HAD made on my card but then began listing others, to the tune of thousands of dollars, that I HAD NOT made. By this point, I’m quite alarmed. I told him that I had received a call from another credit card company just a few days ago. He told me that the most likely source would be compromise of a digital wallet since digital wallets can hold information on multiple cards. I told him that I had an Apple digital wallet and he began to ask about details on my apple ID. At that point, I told him that I wouldn’t give him that information over the phone. He agreed and said that I should be receiving an email from Goldman Sachs with a listing of the charges on my account and further information about what to do.
Within a few minutes, I did receive an email from Goldman Sachs. It looked EXACTLY like an email I had received from them a few days earlier, thanking me for paying my account in full. The email had a listing of charges - some of which I recognized but many which I did not. The ones I did not were in the tens of thousands of dollars. After listing the charges, the email encouraged me to call immediately if I suspected fraud so that the charges could be blocked from my account. I called the number listed in the email. The call was answered with ‘Goldman Sachs Fraud Prevention.’
The person I spoke with spoke flawless English (that is important in light of information I will share in a bit) and was very professional. When I told him that I was very concerned about fraud happening on two of my credit accounts in a short period of time, he said it happened all the time if a digital wallet was compromised. He suspected that my Apple ID had been compromised and asked if I could provide him the password so he could check on it. I gave him the password (stupid, stupid, stupid but if I’m honest about everything, I was in such a state of anxiety that my normal cautions were bypassed. Even knowing what I know now, under the right circumstances of alarm and concern, I see the very distinct possibility that I could do the same again) and then he again started listing charges on my account and asking me to confirm or deny if I had made the charges. I immediately regretted having given him my password and I told him that I was uncomfortable with the phone call and that I wanted to disconnect and call the number on Goldman Sachs website
As soon as I said that, the call was disconnected and my phone and laptop screen went dark. I restarted my phone and saw a message on the screen that the phone had been reported as lost or stolen and could not be activated. It took me hours to finally bypass the activation lock on the phone and my laptop and another 12 hours before I could reach ATT to reissue another e-sim to the phone so that I could have cell service and make phone calls.
Understand that I was alone, traveling away from home, and did not have access to a landline or another cell phone. When I was finally able to bypass the lock on my laptop (something that I suspect many people would not know how to do and which I had to educate myself on quickly), I tried to access my Apple ID and saw that the password had been changed and the phone number for 2 step verification (I was only able to see the last two digits of that phone number) was not one that I recognized. In the few minutes it took me to realize that I shouldn’t have given my password to my apple ID to anyone over the phone and to disconnect the call, the criminal gang had quickly accessed my apple account, changed the password, then changed the phone number for 2 step verification
I spent the next 12 hours communicating with apple through their chat line. I told them that I had been scammed and the criminals had access to my digital wallet, all my apple devices, all my documents backed up to the apple cloud - including my social security number, my passport number, my driver’s license number, my medical license number, my DEA drug license number - plus enough personal information that it was a total identity theft. Apple would not, could not help me. Their bottom line was the Apple ID belongs to the phone number attached to it. I begged them to please put a hold on the account and do a fraud investigation. I told them they were standing by while a crime was being committed. They would not help me. Over the next several days, I received emails notifying me that all my apple devices were being deactivated, one by one. When a device is reported as lost or stolen, it has an activation lock placed on it and only Apple can remove the lock. And they will only do so if you bring the device to an Apple store with proof of purchase and even then, they don’t guarantee that they can help you. Basically, the scammers were bricking all my Apple devices so that they would be useless to me.
I was finally able to get in touch with ATT at first light and they reactivated my e-sim so I could start calling all my credit card companies and deactivating accounts. I had placed all my credit reports on a freeze years before when Experian reported a huge identity loss but I called them all again to insure that the freeze was still active and to place a fraud warning on all my accounts.
Over the last 3 weeks, I have spent 12-18 hours a day either on the phone or on a screen, changing all my linternet log in passwords, deactivating all my credit card accounts, locking down online access to all my banking and financial entities, taking steps to protecting my social security number through e-verify, filing police reports, reporting fraud to government agencies, attempting to recover as much of my digital data as possible. On EVERY SINGLE PHONE CALL, I have to first go through an automated system of answering questions with key presses that takes at least 10 minutes before I can finally get a human to speak with me. And every time I’m told - by the human that I finally connect with - that my request has to be escalated to a supervisor and please hold while they connect me. At least 30% of the time, when they attempt to transfer my call, they inadvertently disconnect me and I have to start the process all over again. It has been so frustrating that it has driven me to tears multiple times. I have been inundated with feelings of helplessness about controlling the situation and, as a former ICU doc, being in control has been interwoven into the fabric of my being.To say this experience has been traumatic is a gross understatement.
As soon as I begin to think that I have locked all the doors to my personal identity, then another door seems to pop open. Example: American Express sent me a new card (now the 3rd one in a week) with a new number. On the day I received it, I got an email from American Express telling me that they were mailing a duplicate card, as I had requested, and if I had not made the request to please call them immediately. I did call as soon as I received the email but the duplicate card had already been sent - to my home address. Now why did a scammer think they would be able to procure the duplicate AMEX card if it was delivered to my home? Then I realized they had been following me through my Apple Tags and a another whole wave of anxieties ensued. Some of my Apple Tags were moving around in Florida (where I am temporarily housed) and some of my Apple Tags were stationary at my home in Huntsville, AL. So, they correctly deducted that I was not at home and if the card was delivered expediously by UPS (as they had requested), then it would be left on the front porch of a house that was not occupied.
That’s when I had to file a police report in my hometown. Huntsville Police requires that if you are filing a report about a stolen identity, you have to personally file the report at a local Huntsville Police station. I mentioned that I was traveling, yes? And I needed action by the Huntsville Police immediately since the criminal gang that had targeted me had arranged to do a pickup for a UPS delivered duplicate American Express card at my house in the next few hours. In addition, they knew I was not at home and might be targeting my empty house for a break-in. So, in order to get any police protection, I had to have a friend file a police report in her name but on my behalf - naming me as the victim. The police did watch my house for several hours but no attempt was made to pick up the UPS package. But my blessed neighbors, when alerted about what had happened to me, went into overdrive to protect me. To this day, they are dutifully watching my house and calling the police if they notice any irregularities. I suspect that my neighbors, in trying to be helpful by keeping a watchout on my property, probably scared the criminal away. I am still dealing with the anxieties that my house might be targeted for robbery because the scammers know where I am at all times and that I’m not at home. I have also worried about my personal safety since they can track me with my apple tags. It took me several days of sleeplessness and anxiety before I realized that I could deactivate the Apple Tags I had with me by taking out the batteries. At no time, when I was communicating with Apple, did they step me through precautions I might need to take if my Apple ID was stolen. I had a friend go into my home in Huntsville and try to locate every Apple Tag and deactivate them. I don’t know if I’ve been able to deactivate all the tags because, again, the only way to find them is to log into your Apple ID and I can’t do that.
The government agent I spoke with was kind but quite cynical. He said that in the last two years, the number of cases of cyber financial crimes against individuals had skyrocketed to the point where it was overwhelming the agencies responsible for investigating. He also said that the chances were high that the criminals were operating outside the United States and therefore not subject to the jurisdiction of the United States. I believe that is true in my case. For one thing, when I was first able to get the activation lock released on my phone, it located the phone in Algiers. In addition, in exploring back doors to access my Apple ID, I found an old address that I used on iTunes before there was an Apple ID and before there was 2 step verification. This address relied on security questions. And when I got to the security questions, they were in French.
The agent also told me that all of my personal information the criminals had accessed would probably be sold on the dark web and that I would have to be quite vigilant for the rest of my life about identity theft.
So, in this whole ordeal, in addition to loss of sleep and weeks spent in frantic activity, tears, and crushing anxiety, I have:
1. lost thousands of dollars but have been assured that it would be returned to me at some point in the future since I had reported the charges as fraudulent.
2. lost access to all my apple devices. I have had to buy a new iphone and new laptop just to be able to do the work necessary to try and recover my digital losses.
3. lost access to ~14,000 cell phone images, ~500 books in apple books, ~300 purchased apple tv or movie purchases
4. lost access to many of my personal documents. I liked the convenience of having my documents in the cloud so that I could access them with any device and at any location. Unfortunately, I had chosen to optimize local Mac storage so some of my documents were in the cloud and not on my device and would have to be downloaded for access. A download that I could not make because I don’t have access to the apple ID which controls the download.
Like many people my age, I have experienced losses in my life - people, places, things that I cared about. But this particular loss is singularly traumatic for me because I feel that I have lost myself. My entire digital identity for the last 20 years is gone. And the added insult is that the loss of all my photos and memories that I can’t access are in the hands of strangers who wish me only harm.
So, the purpose of relating this long tragic story is to pass along a recommendation to all apple users. I deeply regret that I had not done this earlier but in setting up a new apple ID (which you almost HAVE to have in order for an apple device to be functional), I changed some of the default settings. I recommend that you do the same.
1. Go to Phone settings/apple account/sign-in and security. Scroll to the bottom of the page. Click set up a recovery key. Apple will generate a 28 alphanumberic Key. You must copy that key, then re-enter it to confirm. Apple will warn you that if you lose the number, you will lose access to your account.
2. Go to Phone settings/apple account/icloud. Scroll to bottom of page and turn advanced data protection on.
3. Go to Phone settings/privacy & security. Scroll to bottom of screen and click on stolen device protection.
Without a doubt, the most important thing you can do to protect your Apple ID is to setup a recovery key. Apple will discourage you from doing this. For one thing, if you have to utilize a 28 alphanumberic key to assure yourself that your info is being protected, then you have less faith in Apple’s ability to protect your info. Apple does not want you to feel that way. In fact, they are trying to make your Apple ID such an integral part of your Apple experience that you don’t even have to consciously think about it. So, the recovery key is actively discouraged by them. And it does have a risk - if you forget the key, you can not access your account, you cannot change your password, you cannot change the phone number on your ID. Apple cannot help you. BUT UNDERSTAND THAT YOUR INFORMATION IS VULNERABLE. AND IF IT IS STOLEN, APPLE CANNOT AND WILL NOT HELP YOU RETRIEVE IT. If someone steals your phone, if someone is able to access your Apple ID password or phone number, they will not be able to change anything in your Apple ID without the recovery key. Please, please consider setting up a recovery key and then putting it in a safe environment - a third party password manager, a dropbox account not linked to your Apple cloud, a Google drive not linked to your Apple ID. I’m honestly thinking about having mine tatooed to my body
) to see how your blog looks