Possible vulnerability. Bypassing both 2FA and device list

Recently someone was able to make a purchase with my Apple account.

I had 2FA active and it was not triggered. Additionally, the rogue device did not show up in my device list, and when I contacted support, they showed the purchase was made on an iPhone 8. (I have NEVER owned an iPhone.)


This person somehow bypassed both 2FA AND the device list.

No idea how they did it, but this seems like a serious security breach and should be looked into.

iPad Pro, iPadOS 17

Posted on Apr 1, 2025 2:16 PM

23 replies

Apr 1, 2025 6:46 PM in response to Punisher2006

I would recommend 2 approaches:

  • First, for the fraudulent charges, email Apple at dpo@apple.com. Review the information provided here and explain the circumstances to them; this is where the email address is given for use if you disagree with their final decision.

https://reportaproblem.apple.com/static/en-us/privacy.html

  • Second, if there is a security concern with 2FA, then report that here. Include as much information as you can and they should also be able to research those purchases, since they did identify they were made on an iPhone 8. Not sure what logging information they maintain for devices that log into your account.

Report a security or privacy vulnerability - Apple Support


Apr 1, 2025 9:19 PM in response to Punisher2006

Punisher2006 wrote:
Possibly in the way that this forum shows responses. They don't seem to be in a particular order on my end and don't seem to always be parsed under which post I replied to.

Just to help with the sort order, under the original post on the right side, it is usually best to Sort By: Newest, so you get a chronological order of posts with the newest on top.


Apr 1, 2025 7:29 PM in response to Jeff Donald

Let me try again.

I have an Apple Account.

I use this on my iPad, which is the only Apple device I own.

I had Paypal as a saved payment method in my Apple Account to pay for regular subscriptions that I had.

Someone, let's call him John, somehow bypassed APPLEs 2FA and set up my account on their iPhone 8. (I have NEVER owned an iPhone at all FYI)

John did this without:

  1. Triggering 2FA to verify my account being set up on a new device, which was John's iPhone 8. This means that my iPad did not get the normal popup asking for approval, nor did my cell phone get a text for approval. (NOTE: I do NOT have email password recovery set up, just in case my email gets compromised somehow.)
  2. This new device showing up in my authorized devices list in my Apple account on my iPad.


John then used my account to purchase 6 Pokemon card bundles (only 4 went through). He did this by using my saved payment method of Paypal that was on my Apple account.

PayPal then paid for them using my bank account.


John did NOT log in to my PayPal account and use it there. If so, it would have been much easier to get a refund through them.

The purchases were DEFINITELY done through my Apple account because:

  1. They showed up in my purchase history as an itemized list in my Apple Account. PayPal only showed a single purchase for the total.
  2. They showed up in my purchase list when I went to the report an issue website for Apple.

I am 100% positive at this point that the purchase was done through my Apple Account and not directly through my PayPal account.


As for 2FA, I fully understand that neither PayPal nor Apple uses it for every communication; however, they are BOTH supposed to use it to verify ANY new sign-in on an unrecognized device. That's the whole point of 2FA: to prevent someone from accessing your account if they somehow get hold of your account password. So even IF I said, "Hey, John, here's my Apple password," he still should not have been able to actually access that account on HIS device without triggering 2FA and without me either approving the request on my iPad or giving him the code from my text.

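The flow the poster describes as expected (a correct password is accepted, but an unrecognised device has to clear a second factor before it is let in and before it shows up in the device list), together with the reconciliation he did by hand (purchase history against the device list), as an added Python illustration. This is constructed example code, not Apple's or PayPal's implementation, and it takes no position on what actually happened in this case; the account record, the device identifiers, the purchase entries and the out-of-band delivery of the one-time code are all assumptions made for the example.

```python
"""Constructed example: new-device sign-in gate plus a purchase/device-list
reconciliation check. Not Apple's or PayPal's code; all data is made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password_hash: bytes
    trusted_devices: set = field(default_factory=set)   # devices that cleared 2FA
    pending: dict = field(default_factory=dict)         # device_id -> one-time code
    audit: list = field(default_factory=list)           # sign-in and purchase events


def hash_password(password: str) -> bytes:
    # Fixed salt keeps the example deterministic; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000)


def sign_in(acct: Account, device_id: str, password: str):
    """Password alone only suffices on a device that already cleared 2FA.

    Returns ("denied", None), ("ok", None) or ("2fa_required", code). The code
    stands in for a push prompt / SMS sent to the *trusted* devices, never to
    the device that is asking to be let in.
    """
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        acct.audit.append(("bad_password", device_id))
        return "denied", None
    if device_id in acct.trusted_devices:
        acct.audit.append(("sign_in", device_id))
        return "ok", None
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[device_id] = code
    acct.audit.append(("2fa_challenge", device_id))
    return "2fa_required", code


def complete_2fa(acct: Account, device_id: str, code: str) -> bool:
    """Second step: only a correct code adds the device to the trusted list."""
    expected = acct.pending.get(device_id)
    if expected is None or not hmac.compare_digest(expected, code):
        acct.audit.append(("2fa_failed", device_id))
        return False
    del acct.pending[device_id]
    acct.trusted_devices.add(device_id)   # this is what makes it appear in the device list
    acct.audit.append(("2fa_ok", device_id))
    return True


def record_purchase(acct: Account, device_id: str, item: str) -> None:
    acct.audit.append(("purchase", device_id, item))


def purchases_from_untrusted_devices(acct: Account) -> list:
    """Flag purchases whose originating device never cleared 2FA on this account.

    This is the reconciliation the poster did by hand: an itemised purchase from
    a device that is absent from the device list is exactly what should not occur
    if every new device was gated, so it deserves investigation rather than dismissal.
    """
    return [e for e in acct.audit
            if e[0] == "purchase" and e[1] not in acct.trusted_devices]


if __name__ == "__main__":
    acct = Account(password_hash=hash_password("correct horse battery"))
    status, code = sign_in(acct, "ipad-owner", "correct horse battery")
    print(status)                                  # 2fa_required on first use
    print(complete_2fa(acct, "ipad-owner", code))  # True: iPad is now trusted
    print(sign_in(acct, "ipad-owner", "correct horse battery"))  # ('ok', None)
    # A second device with the right password is still held at the 2FA step.
    print(sign_in(acct, "iphone8-unknown", "correct horse battery")[0])
    # Constructed anomaly: a purchase logged against a device that never cleared 2FA.
    record_purchase(acct, "iphone8-unknown", "card bundle")
    print(purchases_from_untrusted_devices(acct))
```

The point of keeping `trusted_devices` and the purchase audit in one place is that the two can be cross-checked: in this model, a purchase attributed to a device that is not in the trusted set can only mean the gate was skipped or the purchase came in through a path that never touched it, and either answer is something an investigation should be able to state.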

Apr 1, 2025 7:59 PM in response to Jeff Donald

Jeff Donald wrote:

Do what you feel you have to do to make yourself whole. I have everything but the one thing I asked for. I don’t have a way communicating my question any simpler. I asked two questions and heard everything but answers to my questions. Sorry that you and I don’t seem to be able to communicate.

I wish you well.

I'm not sure where the disconnect is.

Possibly in the way that this forum shows responses. They don't seem to be in a particular order on my end and don't seem to always be parsed under which post I replied to.

Maybe I should have used quotes, but I believe I answered your 2 questions a couple of times.


You previously asked:

"My two questions are if PayPal is not involved why was it brought up? What payment method was used? "


  1. PayPal was involved but your post made it look like you were saying that my PayPal account was compromised but it wasn't. At no point did the other person access my PayPal account directly.
  2. PayPal was my saved payment method in my Apple Account. If I buy an app in the App Store, let's say, they automatically charge PayPal, then PayPal gets the payment request and pulls the money directly from my bank.



Apr 1, 2025 5:28 PM in response to Jeff Donald

I had PayPal on my Apple account as my payment method. I only used it for subscriptions to Apple TV, Shonen Jump, and iCloud (all of which have now been canceled, and PayPal was removed as a payment method).


Somehow, someone was able to use my account without going through 2FA or having their iPhone 8 listed as a device on my Apple account.


Apr 1, 2025 6:17 PM in response to Punisher2006

The only payment method was a PayPal account? If so, that account was compromised. Your Apple Account is fine, as are Apple Pay and your Apple Wallet. They do this by hacking the account or social engineering, and add their email and phone number to the PayPal account. PayPal would have just sent an email stating that new information was added. This type of email is easily overlooked and does not involve 2FA. Just adding an email and phone number avoids almost all PayPal security, but grants access to your payment methods. A common method used by scammers is a fake ad or email that just tries to confirm your PayPal email. Your phone number can be obtained from multiple sources.


Apr 1, 2025 6:26 PM in response to MrHoffman

Nope. It's been home with me. We only use it to watch videos when we go out to eat. Half the time, it's dead, and I need to recharge it ahead of time.


As soon as it happened, I changed my password and passcode. This one and the last one were pretty complicated and at least 14 characters long. I also did the other stuff mentioned above (canceled everything and removed PayPal, which was my only saved payment method. I will miss Apple TV, I didn't really need a paid iCloud account, and I can pay for Shonen Jump directly.)

I'm no longer concerned with the security issue on my end. I'm never going to buy anything through my Apple account (or anything related to Apple) again.


I'm SUPER ****** that they just dismissed my refund request without a real explanation as to why, other than "it doesn't meet our criteria," without even saying what specific criteria they mean.

I'm mainly posting this here to help get the word out that Apple security is SEVERELY lacking and when it fails, the end user is on their own, even if it means a hacker uses the account to buy things through Apple. Too bad they spent $200 of your money, oh well...


For context, I was in IT for over 30 years and have a pretty good understanding of security.

I cannot see anything I could have done on my end to prevent this.

I had a secure password and 2FA (via my iPad's popup notification and via text to my cell). No email verification and no recovery key. (Side note: the 1st supervisor told me that I could have made it more secure by generating a recovery key, and I had to explain that this was the opposite of making it secure. Recovery keys basically make it so that you can bypass all the security in case you no longer have access to anything.)


This REALLY seems like someone bypassed Apple security somehow, which means that Apple security is highly insecure. If there was some other possibility, then Apple was unable or unwilling to tell me. Based on my last interaction with their supervisor, he was SUPER tight-lipped about everything and didn't even want to escalate my issue or refund denial up the chain. He made the decision to just blow me off. That is HORRIBLE customer service. It's also possible that this was their first defense in denying wrongdoing: gaslight the end user so they don't catch on to an internal security issue.


Sorry for venting there. I really am SUPER ****** at Apple right now.


Not sure if anyone here can help determine what actually happened so this may just be a warning to everyone else to be SUPER careful and it's probably a good idea to remove all payment methods from their Apple account and just don't buy anything through their Apple account ever again. Or at least until they publicly acknowledge the issue and that a fix has been made.


Apr 1, 2025 6:33 PM in response to Jeff Donald

That is not correct.

1st off, my PayPal account also has 2FA enabled.

2nd, they didn't pay through my PayPal account. These purchases were made on their Apple device using my Apple account. That's why the itemized charges showed up in my Apple account. On PayPal, I just have a single $42 charge that says it was from Apple, the same way that my Apple TV, Shonen Jump, and iCloud subs showed up in my PayPal account. Nothing was changed on my PayPal account.


For context, I was in IT for over 30 years. I'm very familiar with the various tricks. In fact, when I first got the alert for this, I thought it was one of those scam things that say call here to fix it. I went straight to my PayPal app to confirm it first. From there I went directly to my iPad and started the verification process which showed the itemized list on my account purchases and in the Report an issue website.


Even if they somehow had my password for PayPal or Apple, the 2FA should have kicked in and asked for verification before just allowing anyone to access my account. That's the whole point of 2FA.


Apr 1, 2025 7:00 PM in response to Mac Jim ID

Thanks for the email suggestion. I will try that next!


I tried reporting it through your 2nd link before posting in this discussion and got a response of something like "we didn't find any security issue." I responded, but I can't seem to go back to see the actual response for some reason.


Apr 1, 2025 7:25 PM in response to Punisher2006

I still haven't learned what payment method was used, but if the transaction was processed as an Apple Pay transaction, it involved a merchant token and the transaction was processed as a card-present transaction (as opposed to card-not-present for typical online charges). In the case of card-present transactions, the bank assumes the risk for fraudulent transactions. This is the premise under which the method (Apple) and the banks that support Apple Pay as a payment method base their refund decisions.


I'm sure you've got questions, and Jim has provided several resources for you to follow through with.


I’d be happy to explain how this happened, but I don’t understand the conflicting statements you’ve made.


You said, “I had PayPal on my Apple account as my payment method.”


I said, “The only payment method was PayPal account?”


You said, “2nd, they didn't pay through my PayPal account.”


My two questions are if PayPal is not involved why was it brought up? What payment method was used?


But from what I can see, Apple did nothing wrong and nothing was breached.


Apr 1, 2025 7:33 PM in response to Jeff Donald

Please read my longer reply, but I see your confusion.

When I say that they did not pay with my PayPal account, I mean that they did not access my PayPal account directly to make the payment. If they had, it would have just shown up on my PayPal account, and Apple wouldn't have a record of the purchases under my Apple Account.

They paid by accessing my Apple Account. Once they were in, they just paid via the Apple App Store using my saved payment method of PayPal.


Apr 1, 2025 7:39 PM in response to Punisher2006

Do what you feel you have to do to make yourself whole. I have everything but the one thing I asked for. I don't have a way of communicating my question any simpler. I asked two questions and heard everything but answers to my questions. Sorry that you and I don't seem to be able to communicate.


I wish you well.


Apr 1, 2025 9:27 PM in response to Mac Jim ID

Mac Jim ID wrote:


Punisher2006 wrote:
Possibly in the way that this forum shows responses. They don't seem to be in a particular order on my end and don't seem to always be parsed under which post I replied to.
Just to help with the sort order, under the original post on the right side, it is usually best to Sort By: Newest, so you get a chronological order of posts with the newest on top.

Crap! I completely missed that! That is much better, thanks!


Apr 2, 2025 9:10 AM in response to Punisher2006

Final answer from security report.



We’re unable to identify a security issue in your report.
We reviewed your report and were unable to identify a security issue. If you have new information that you didn’t include in your report, providing it now may allow us to review your report further.


ME: The security issue is that someone was able to bypass Apple's 2-factor authentication AND the security of the device list. Nobody should be able to use your account without going through the 2FA or leaving a trail. That is the security issue/breach.

