Should Apple enable exes to access their ex-spouse’s iPad?
“Hey, Apple, give me a second. Yup, now she’s dead.” (Saddboy, CC-BY-SA 3.0)
Chris Matyszczyk complains that Apple wouldn’t give a woman the password to her dead husband’s iPad, even though all she wanted to do was play card games on it.
“Even showing the company his death certificate”, reads the summary, did no good in getting his Apple ID password.
But she didn’t show his death certificate. She showed a copy of his death certificate.1 It’s a document that is easily forged, and, for that matter, varies from jurisdiction to jurisdiction. There is no way for a company in Cupertino to know what a valid death certificate in British Columbia is supposed to look like or how to verify that it’s real.
Imagine this scenario:
A man calls Apple and says that his wife recently died. He provides a copy of her death certificate and a copy of her will, and then uses this to access the iPad he stole from his ex-wife—who is not dead after all—and use her contacts list and passwords list to harass her both socially and financially, eventually driving her to poverty and death.
Apple would be excoriated, justifiably so, for having relied on such easily forged documents.2
Matyszczyk writes in the article that:
Those blessed with common sense might wonder that digital assets are no different from any other possessions. If you bequeath your things to someone else, that person should have the automatic rights to those things.
I am not familiar with Canada, but in the United States, we do in fact require courts to be involved with the distribution of physical assets after a death. That’s what an executor is for, to act as a liaison between the probate court system and the inheritors. It isn’t “extreme” for Apple to want a court to be involved in the official transfer of assets after death. It is the normal process. Apple should be wary of anyone asking them to bypass the normal process. That’s a sign that this could be a social engineering attack.
Matyszczyk suggests that creating a “legacy contact” is a solution, but a “legacy contact” is just another email address available to be hacked in order to gain access. Instead of having to research the insecurity questions of the owner, now potential abusers and thieves can also research the insecurity questions of the legacy contact.
If a person wants to transfer access to their password-protected accounts after they’re dead, the best way to do this is to make the passwords themselves available, either in the will or with a trusted third party or with the actual spouse. It should always be a red flag when someone claiming to be a spouse asks for information about their spouse that the spouse could have easily given them. That’s a classic social engineering attack.
Matyszczyk also writes that the spouse was able to transfer the title of the house and the car with just a death certificate and will. I wouldn’t be at all surprised if that’s true. It isn’t just on The Rockford Files that deaths make it easier for cons to succeed. Technically, change of ownership should also be handled through probate, but unfortunately house stealing is a real issue and this includes Canada.
The Canadian case is interesting because it uses one of the worse potential abuses that exists in the United States as well: filing a change of address with the Post Office. Technically, the Post Office sends a notice to the old address as well, but all a potential scammer has to do is keep an eye out for that notice, whose arrival time is easily predicted, and snatch it.
In one case of a house being stolen through forged documents, there is a very telling quote from the Queens official who handles title transfers:
“The old policy was designed to be customer friendly. It’s very hard to be customer friendly and super vigilant at the same time,” Fucito said.
I would argue that making it easy for thieves to steal property and passwords is not customer friendly at all, no matter how much individual customers and ill-informed journalists demand it. This applies just as much to insecurity questions on bank accounts and email accounts, where all an abuser has to do is know basic information about their ex, as it does to trusting easily forged documents.
We shouldn’t ask Apple to reduce their security to the level of banks and governments. We should require banks and governments to improve their security so that houses and accounts cannot be stolen just by social-engineering some bureaucrat into being too embarrassed to require real security.
In response to Allow men to impersonate exes, transgender activists say: Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.
Hopefully, Apple can’t hand over his password because hopefully they aren’t storing it. Most likely Matyszczyk is misunderstanding the process for a manual password reset.
↑Because all the wife wants to do is play games, at one time she could have just erased the iPad and started over. However, Apple took a lot of heat for allowing this as it enabled thieves to use stolen iPads and iPhones. In response to that, Apple has made it difficult to erase an iOS device that is password protected without knowing the password.
↑
- 1Password
- “Mac OS X Password Manager with AutoFill that leverages the OS X Keychain and provides built-in support for most browsers.”
- Con artists sell homes without owners knowing
- “The perpetrators had filed a change of address with the post office to intercept mail linked to the fraudulent dealings.”
- The extraordinary ‘theft’ of a woman’s NYC home: Amber Jamieson at The New York Post
- “Merin and her lawyer soon unearthed a deed transfer filed by Darrell Beatty, claiming he obtained the house in March 2013 from an “Edith Moore.” But the address given for Moore does not exist.”
- Guide to Fighting Real Estate Deed Fraud
- “On the surface, it is counter-intuitive to think that a person can simply record a deed and steal our property, but similar scams are occurring with increasing regularity across the country… Criminals watch the death notices and can act quickly to steal the property by forging the name of the decedent on a deed, then recording the document in an attempt to secure title.”
- House Stealing at The Federal Bureau of Investigation
- “What do you get when you combine two popular rackets these days—identity theft and mortgage fraud? A totally new kind of crime: house stealing.”
- James Garner and The Rockford Files
- James Garner died Saturday; he leaves behind him millions of fans.
- Widow says Apple told her to get court order to secure dead husband’s password: Chris Matyszczyk
- “You might think that all she’d have to do is contact Apple, provide a copy of his death certificate and will, and the password would be handed over.” (Hat tip to John Gruber at Daring Fireball)
More identity theft
- Insecurity Questions enable harassment and abuse
- Insecurity questions are designed specifically to let someone who does not have your password access your account without having to talk to a human. The idea is that that person will be you after you forget your password, but the computer does not care. Anyone or anything with that information can access your account.
- Allow men to impersonate exes, transgender activists say
- Some transgender activists want banks to reduce the security on bank accounts, enabling abusive exes to access their victims’ bank accounts.
More security
- On education, the left is mired in the fifties
- Why don’t schools have locked doors? Because when it comes to education, especially K-12, the left, as in so many things, is mired in the distant industrialized assembly-line past.
- How does Apple’s supposed anti-conservative bias matter?
- If you think Apple has a bias against conservatives or Christians, you definitely don’t want Apple to build a tool its employees can use to help guess an iPhone’s password.
- Form validation with in_array in PHP
- When validating form input, you often will use an array of valid responses. Watch out if some of those valid responses are integers!
- The last four digits of your social security number
- The last four digits of your social security number are the least guessable part of your SSN.
Remember: Trump reassures crowd after assassination attempt fails. (read more…)