Identity Theft: A Wetbook Pro and Apple Security

When it comes to cyber security, people are the weakest link.  Several years ago I served on a team which designed and launched a cyber security field training exercise (FTX) for an organization with 1,100 employees.  The organization developed several online courses to help employees identify spam, malware, and potentially malicious files and links embedded or attached to emails.  Employees were required to complete the online training during the three months leading up to the exercise.  Finally the day arrived and we launched our attacks.

During one stage of the FTX we sent a series of emails to employees to determine how many would click on links that could be malicious.  One of the emails included an offer for free tickets to a local NFL team game, along with a link to click to claim the tickets.  In the real world, clicking on the link would download malware to the user’s computer and allow the attacker to compromise the company’s system.

We accidentally tested Apple’s security.

Wetbook
Even with their metallic bodies, the Macbook Pro is not waterproof. (Macbook Pro courtesy of wikimedia.org. Graphic of water and depiction shown courtesy of the author.)

I recently described spilling half a liter of water on my laptop.  After the initial traumatic and highly emotional reaction subsided—along with the tidal wave of water—the search was on for a replacement.

Living in India presents several challenges to the unemployed expat spouse.  We do not own a PS4 or Xbox, nor do we have cable television—by choice—and as much as I’ve tried, it is actually quite tiring working out for ten hours a day every day.  Finding other ways to fill time is a matter of sanity.

Accordingly, I have a schedule (as noted in this post, and this one).  Days are filled with reading and writing: this blog, two book projects, and at least one other article each week.  These activities make up the bulk of any given day and all require a computer—lest I go insane.

I’d taken precautions against data loss, employing both local and cloud-based backups.  But I didn’t have a backup computer.  After all, Macs are expensive enough, a second one as a backup is ridiculous.  To make matters worse, my book projects are in Scrivener, which rules out hacking through with our iPad for a month.  Plus, what if they were unable to repair the water logged Mac—which is now affectionately referred to as a Wetbook Pro?  Finally, solid state drives (SSD) can be finicky; the data may not be retrievable from the one I bathed.  There was no way around it, I needed a replacement laptop.

There are many advantages to living in India. 

Hyderabad
A view of Hyderabad from a time before there were laptops.

As noted, living in Hyderabad has many advantages:  the food is awesome and inexpensive, fresh vegetables and groceries in general are comparatively cheap, and there is always something to do.  One of the disadvantages, however, is electronics—Macs, PCs, tablets, phones—if available, they are usually one or more generations behind the most recent model and more expensive than in the West.  The latest model Macbook Pro (MBP) costing $1,800 in the US is not available in Hyderabad; however, a mid-2014 model with half the RAM can be had for about $2,500 US.

As a threat analyst and techie snob, I have no problem investing in good quality hardware and software, but I draw the line at spending more for less—however, I would gladly spend more for the same, which is sometimes necessary in expat life.  Luckily, there was an option: our super son and daughter-in-law (DiL) due to arrive on Friday.

Dustin and Rowan, were scheduled to depart the US on Wednesday, July 6.

Flight to India
The new Macbook Pro travelled from the US to India via Emirates, one of the best airlines in the world.

It was Tuesday, July 5, in India when I created the Wetbook, which meant it was Monday, July 4 in the US.  I just needed to purchase a new laptop online and they could pick it up the following day at the local Apple store.  A quick online check confirmed the availability of a MBP, so I placed the order, received the confirmation email, and texted Rowan and Dustin.

The apple store opened at 10:00 AM central US time.  The confirmation email informed us to pick up the laptop only after a notification from Apple.  Not wanting to leave anything to chance, I planned to wait until 8:30 PM our Tuesday—10:00 AM their Tuesday—and call the store to expedite the request.  I was starting to think this might actually work.

At 8:30 PM I dialed up the local Apple store—I’ve done a LOT of business with Apple and at that store in particular and didn’t anticipate any issues.  The representative who answered wasn’t at the local store, but elsewhere.  Israel—that was his name, not his location—at Apple sales, informed me the order I placed was cancelled.  “Well, my son will be at the store any minute.  How do we un-cancel it?” I asked.

As it turns out, the only option Israel could suggest to un-hose this issue was if Dustin could find a couple thousand dollars somewhere and buy the laptop himself.  While the suggestion made sense, most college students are not globe trotting with $1,800 dollars in spare cash and credit.  Israel said there was nothing else he could do—this despite pleading, sobbing, and highlighting my long-term commitment to Apple products; even though I believe there’s been a noticeable decrease in Apple’s innovativeness, quality, and customer service since Steve Jobs’ passing. 

Apple_No
The Soup Nazi’s voice echoed through my head, “No Macbook for you!” (Seinfeld, episode 116, November 1995)

My heart sank at the thought of spending the next month without a computer.  I skipped over the first four stages of grief and went right to acceptance.

As near as I could figure based on the conversation with Israel, Apple cancelled the order because there were too many anomalies in their ordering algorithm.  In other words, I logged into Apple from an Indian Internet Protocol (IP) address, placed the order with a US credit card, which is linked to a Florida-based address, and listed another person to pick it up in the Midwest.  This totally made Siri’s head pop right the flock off.

Another problem: Apple failed to inform me the order was cancelled.  I asked Israel about this very issue, to which he replied, “We don’t send cancellation emails because the email account could be compromised.”  This is where it broke slightly bad.

The next part of the conversation was less than cordial.

I’ve been in India for almost nine months, logging into iCloud and the App Store, and purchasing songs and software.  My account reflects my Florida address, my Indian and US telephone numbers are both linked to my account, and I get two-factor authentication texts on my Indian mobile phone.  Plus, I’ve been an Apple customer since the introduction of the first Macintosh, and you’re telling me that the great Apple couldn’t figure out a way to notify me that my order was cancelled?  Oh, and by the way, this policy of not sending an email because my account might be compromised?  Who the flock cares if the bad guy knows that he isn’t getting a new MBP?

Israel said he would put in a request to review the order, but it probably wouldn’t work and would take several days.  I was not confident.

Totally dejected, it was time for a drink.  I poured myself a rum, lime juice, and agave cocktail—email me for the recipe, it’s quite good.

Then, Rowan and Dustin had an idea:  Why not have Dustin call from his US mobile phone, pretend to be me, place the order for a new MBP, list himself as the pick-up person, and pick it up from the same store?

“This can’t possibly work,” I thought, “Apple’s security is too good, especially with this latest order fiasco, their past issues, and my recent conversation.”

Then the text messages started to arrive.

My phone started to light up with texts from Rowan—I’ve cleaned up the language in order to maintain our ‘G’ rating.

We have all day!! I am getting you a laptop. D can call Apple Online and pretend to be you and follow up on order.

😊😊😊😊😊 You know I haven’t given up yet!! Robert Richey is on hold with the Apple Store.

They said they don’t reinstate orders, it would have to be new order.

So whatever arshat you talked to did not reinstate order.

I will let you know, the freaking arsholes just disconnected us accidentally – MAKING ME EVEN MORE DETERMINED.

DnR
Rowan and Dustin, ready to tackle another of life’s challenges.

It should be noted that Rowan is as tenacious as they come; when she gets her hands on something, it is going to relent or die.  Dustin is the more calm and methodical of the two; slowly wearing down his prey until they simply beg to be taken.  They are both fighters, willing to go as far as it takes to help others.  If the two of them were on The Amazing Race, they would easily become America’s heroes in the first episode and take home the grand prize.

The texts continued…

LMMAAO I got D riled up, he just swore at them “Be angry babe” hahaha.

Standby for more details.

I am dying laughing, D is totally channeling me and having a heart to heart with this guy on the phone😂😂😂😂 he apologized for swearing to him and now the Apple online person is trying to find you a free accessory, but the stupid Apple Store was out of laptop covers .

No accessories in stock.

Supposedly it will be ready for pickup in about an hour.

Off they went back to the store.  Dustin previously checked with the Apple store about the original order, so they recognized him.  They looked a little like nomads, sporting all of their luggage for the trip to India—backpacks, neck pillows, checked luggage—everything one needs for 20 hours in an airplane and four weeks in India.  They were formidable.

The last few texts were like icing on a big, fat, security-less cake.

Soooo I think they are giving us free beats headphones – what color do you want?

Lmao we don’t freak around when it comes to getting stuff from giant corporations.

And we got you 100$ off [the cost of the laptop]

Yaaaay! We didn’t even have to swear at people, there was a student deal for the 100$ and the free beats👍👍👍👍👍.

Dustin, pretending to be Robert Richey, placed the order and listed himself as the pick up person.  

Dustin had our Florida address, credit card information, and my email address.  He didn’t have my Apple ID, passwords, or answers to security questions.  Not only was he able to order an $1,800 laptop, he received a $100 student discount—he is a student—and received a very nice pair of headphones for free.

Apple’s world class security resulted in the cancellation of an order which they could easily have followed up on by calling my Indian mobile number, through a text, via email, or during my telephone call to them the following day.  Instead, they approved an order placed over the telephone, accepting information easily garnered on the Internet, and confirmed none of the security details.

Well, in the words of our amazing DiL, thank the sweet baby Jesus for Apple’s crappy security!

Employees proved to be the weakest link.

Although things worked in our favor this time, such is not always the case.  The Internet Crime Complaint Center (IC3) noted in it’s 2015 Internet Crime Report that it received 288,012 complaints during the reporting period, including 127,145 complaints reporting a loss; losses to consumers and businesses associated with the report in 2015 exceeded $1 billion US dollars.  Identity theft is a real-world threat and security is not always up to par.

The company that participated in the cyber FTX a few years ago entered into the first round of “spam” emails confident in their employees.  Certainly, after all of the investment in training, nobody would click on the less sophisticated, malicious looking emails.

The NFL-themed emails were a huge hit from a security researcher’s perspective.  Three percent of the 1,100 employees clicked the link in the suspicious emails to claim their NFL game tickets, theoretically compromising their computers and giving us access to the company’s data.

When Dustin arrived in India we talked about the trip and the events of the last couple days.  Dustin, relaying a story during his conversation with the Apple representative, said, “The funny thing was, while I was talking to him [the Apple representative], he said, ‘I see your calling from India.’  I said, ‘Yeah, my son is going to pick it [the laptop] up and bring it with him.’”  Dustin called from his US phone, a number not listed on my account.

Just like during the FTX, Apple employees proved to be the weakest link—thank the sweet baby Jesus.


If you enjoyed one of my articles or you’re just feeling left out, please subscribe to be notified as new material becomes available.

Follow me on Facebook and Twitter.

Images of Emirates airplanes and Macbook Pro courtesy of wikimedia.org. Unless otherwise noted, all other photos, drawings, and modifications to images are those of the author.  Copyright can be found here.

Don't let the noisy interweb stifle your voice. Leave a comment.