A tale of iCloud account recovery
Please prove your identity with a CC neither you nor we have ever seen
tl;dr: During account recovery, iCloud might ask you for the details of a credit card you’ve been using with the account. But it doesn’t just check whether the data matches their records — it tries to actually run the card. And if the live check is rejected by your payment processor for some reason then it doesn’t matter that you got all the card’s details right.
It finally happened! The personal crisis of the digital age that everyone is scared of but nearly nobody really prepares for. Through a series of events that deserve their own Netflix show, I’ve lost all of my mobile devices.
It’s not an epitome of digital death — after all, I still have access to my email. And therein lies the rub: the reason I still have access to the cornerstone of my online life is that its security is entirely up to me. Not so much with iCloud though. The iCloud account has been made “secure” for me by usurpers.
How is my email account secured? Nothing special, really. User/password + 2FA with a physical token. An attacker would have to tear that dongle out from my cold, dead pants. What if I lose it? There’s a backup token stashed somewhere safe. What if I lose that one too? Recovery codes hidden in plain sight.
Whatever you may think of this setup, the important part is that I DECIDE. I can add a TOTP authenticator or a dozen Yubikeys. I can add a recovery phone number or not. My threat model — my rules.
iCloud on the other hand, that is a beast from another tale. iCloud won’t let you have much of a say. After all, 99,999% of its customers are not expected to have any clue about security — they need to be protected from themselves. Thus by default (or through a nagging popup) you’re likely to have the following 2FA scheme (at least in my country):
you need to provide the second factor when logging in from a new device / browser
the default second factor is a 6-digit code displayed on one of your devices already associated with the iCloud account
alternatively you can have a code sent to your main phone number
(Yes, I know they added support for FIDO keys last year. I found out after this adventure.)
With my iPhone and my iPad out of reach, the SMS code remains. Oh shoot! The SIM card was in that damn phone. And yeah, I will get a new SIM for that phone number, but it will take a day or two or five. I need my dog’s selfies NOW.
Well, there is in fact an account recovery procedure. Weirdly enough, it’s hidden behind “I forgot my password”, but in the end you can request a recovery through your main email address (AKA “Apple ID”). Buuut, just to make sure you are really you, there are some things that could be asked of you. For example, the number, expiry date and CVV of your main payment method. No problemo! I have that on file, you have that on file — so I’ll show you mine, you show me yours and then my identity should no longer be in question.
I proceed to type in the deets, clickety-click…nope. “The CVV is invalid.” Huh? But that’s what I have in the password manager! And I remember those 3 digits well — no way they aren’t right. I spent a minute scratching my head over there…and then I noticed the expiry date. April 2024. Well, “April 2024” was “right now”. Revolut, bless their heart, issued a new virtual card — with the same number…same CVV and new expiry date? The notification in Revolut’s app says “Incorrect expiry date”. But that’s not what Apple said. Nobody likes being lied to.
Listen, Apple, I’ll happily tell you the details of my primary CC in that account. I’ll also tell you the details of the other CC connected to it. Hell, I’ll even throw in the email address of the connected PayPal account! But why, oh why do you have to actually run the card? It worked when I added it! Whether or not it still works is completely irrelevant to verifying my identity! The fact that it just happened to stop working yesterday shouldn’t make me any more sus. And don’t get me started about the misleading error message.
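To make the distinction concrete, here is an added illustration (not Apple's code and not from the post) contrasting a recovery check that requires a live authorization with one that matches the submitted details against what was on file when the card was added; the issuer table, the test card number 4111111111111111 and the HMAC stand-in for a vault token are constructed assumptions. The one real constraint it encodes is that a merchant may not retain the CVV after authorization under PCI DSS, so a CVV can only ever be checked by running the card, which is exactly why a CVV prompt drags the card's current status into an identity check.

```python
import hmac
from datetime import date
# Constructed issuer table standing in for the payment processor: PAN -> (expiry, cvv).
# It models the post's scenario: the card was re-issued with the same number and CVV
# but a new expiry, so the details the user saved when adding it no longer authorize.
ISSUER_CARDS = {"4111111111111111": ((2027, 4), "123")}

def pan_token(pan, key=b"demo-vault-key"):
    """Keyed hash standing in for a vault token; the raw PAN is never stored."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()

# On-file record captured when the card was added (expiry as it was then). No CVV:
# PCI DSS forbids retaining it after authorization, so it can only be checked live.
STORED_CARD = {"pan_token": pan_token("4111111111111111"), "expiry": (2024, 4)}

def live_authorize(pan, expiry, cvv, today):
    """Simulated processor response to a verification (zero-value) authorization."""
    card = ISSUER_CARDS.get(pan)
    if card is None:
        return "no_such_card"
    real_expiry, real_cvv = card
    if expiry != real_expiry:
        return "expiry_mismatch"
    if not hmac.compare_digest(cvv, real_cvv):
        return "cvv_mismatch"
    if real_expiry < (today.year, today.month):
        return "expired"
    return "approved"

def recover_by_live_auth(pan, expiry, cvv, today=date(2024, 5, 1)):
    """The post's behaviour: pass only if the card still runs; any decline reads as bad CVV."""
    result = live_authorize(pan, expiry, cvv, today)
    return (True, "ok") if result == "approved" else (False, "The CVV is invalid.")

def recover_by_stored_match(pan, expiry):
    """Knowledge check against the on-file record, independent of chargeability today."""
    token_ok = hmac.compare_digest(pan_token(pan), STORED_CARD["pan_token"])
    return token_ok and expiry == STORED_CARD["expiry"]

DECLINE_MESSAGES = {
    "no_such_card": "Card number not recognised.",
    "expiry_mismatch": "Expiry date does not match the issuer's record.",
    "cvv_mismatch": "Security code does not match.",
    "expired": "Card has expired, but the details supplied were correct.",
}

def explain_decline(pan, expiry, cvv, today=date(2024, 5, 1)):
    """If a live check is run anyway, surface the processor's actual reason."""
    return DECLINE_MESSAGES.get(live_authorize(pan, expiry, cvv, today), "ok")
```

With the details from the password manager (old expiry), the live-auth path fails with the misleading message while the stored-match path passes; the decline mapper reports the processor's real reason, as Revolut's notification did.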
Alright, alright, have it your way. I’ll just wait a bit more and use the phone. In the meantime, the joke’s on you — you’ll realize as soon as you try to charge a subscription to that expired card.