Posted by tosh 12/18/2025
The tendrils can run deep.
That said, keeping a backup of everything, decoupled from any account I don’t control, gives me huge peace of mind.
Doing everything and/or all-at-once is not practical, but having backups for most critical infrastructure helps a lot, and when it's rolling, it rolls without effort.
One can go step by step and call it's done when it becomes too much to bear or satisfactorily decoupled.
Just realize this: the longer you play this game, the higher your odds of getting banned. Once it hit me, I quickly decoupled from Google. It's like playing satoshi roulette for 0.5% gains. You keep winning until you get fully wiped.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
Frankly, staying away from gift cards seems the best option unless it's blast radius can be limited (e.g., redeemed in person).
Throw in gift cards all over the place to incentivize purchases.
Go to use a gift card, "Sorry, gift cards can only be used to pay for full price items, not discounted or sale items".
Conveniently, effectively everything in the store is discounted or on sale.
That would be bad enough as-is. But you move houses, or are moving out for the first time, and someone buys you a gift card, with CASH?
They're the same gift cards. And the same "rules" which are nowhere to be found, just you arguing until you're blue in the face with a store manager who "understands, but policy".
"I could have bought this item with the cash it took to buy the gift card, but because that cash 'changed form', it's now unacceptable for payment?"
A law that states you can't call it a "gift card" unless it can be exchanged for cash at 95 cents on the dollar would fix it pretty well.
There is no opportunity for the kinds of large-scale fraud you see with cards purchased elsewhere. The only risks would be the same for any other bearer instrument, e.g. wallet theft.
Specific accounts may be flagged, for sure. But a general ban on GC-related purchases would be a very big regulatory deal. Do you have links to a published source?
We're a multi-trillion dollar company and your BATNA is terrible. Don't like how we roll? Go fuck yourself.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. They company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
The scale of this work is unfathomable to those who have only been on the consumer side of it.
#1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
#2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
#3 is what small claims court is already for. We should make this easier, I agree.
> The scale of this work is unfathomable to those who have only been on the consumer side of it.
> #1 is doable but would destroy our ability to combat fraud. "Here's how not to get banned next time" is not an email anyone in this space would consider sending.
Just imagine laws would work that way.
> #2 is simply impossible. Fraudsters consume every available resource you can put into the appeals process. This is their full time job, they can afford to call repeatedly, all day long, until they find an agent they can trick. Regular users won't benefit.
That argument doesn't pass the smell test. Apple makes more profits than the scammers whole revenue, so just from a resources standpoint Apple could starve them. You just need to make the process so it can't be easily automated (e.g. require going into an apple store with your ID)
> #3 is what small claims court is already for. We should make this easier, I agree.
So in #2 you say it would overwhelm the process and now your argument is that essentially the public should pay for the process?
If small claims courts can deal with the issues than why can't a trillion dollar company.
> Just imagine laws would work that way.
This is how "tipping off" law often works in practice.
As a support agent you often lack full visibility into the treatment or history of the person on the other end of the phone, especially if they're a bad actor. You can't tell them what is or isn't fraudulent behaviour, or what might be construed as such.
I don't know what you mean by "tipping off" laws mean, but certainly if you get given a penalty in law (e.g. you get judged in court), you will be told what you have done wrong, and shown proof of it.
Still, from your perspective, do you have any opinion on this particular case, other than "you can't make an omelet without breaking some eggs"?
Why not introduce friction on both sides, like: 1/ just face to face, physical meeting? 2/ or a basic (paid, yet reasonable) insurance that account management doesn't happen over the shoulder?
I’ve tried to come up with some strawman explanation but I can’t see it.
Gift cards are the currency of modern confidence scams. Accounts that redeem a lot of high value gift cards are suspect for that reason alone. Buttfield-Addison makes it sound like this is common practice for him, so his account may have been on a shitlist already.
Apple may be so sensitive they'd close a suspect account after one failed redemption. It's also possible that card was first redeemed by an account that was closed soon after for fraud, and Buttfield-Addison's subsequent attempt linked his already-suspect account to the fraudulent one resulting in automated actioning.
Again, this is pure speculation, and is not meant to justify Apple's actions.
I could see doing a lot of card redemptions as a flag, but then I think the next step is "what are they spending the credits on?" I could see a scam where you launder cash by turning it into cards, and then buying shitty and expensive apps. Thus paying apple 30% to clean money for you.
To answer in general, aging of accounts is common as is synthetic credibility-building activity. There are marketplaces where you can buy sets of years old accounts with activity for every major platform. Anything you could come up with would either be so stringent it would exclude most users or be easy enough to become a target for account sellers.
To be honest this is why I got out of the space, it's sisyphean.
Most megacorps do suck - and also it's probably true that the lack of customer support is necessary to offer the products they offer at popular price points. People just don't wrap their heads around the scales involved, generally because the exact numbers are proprietary.
[1] https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
Small claims won't help you to reinstate the account. You _might_ get money for your phone back.
And a real court? You signed away that right. It's arbitration for you.
One thing I do not understand however is why wouldn't companies offer paid appeal process perhaps with refund in case the termination decision is indeed overturned. I would gladly pay $100 to have my Apple/Google/etc account properly reviewed in order to get it back once it is inevitably flagged by yet another AI. Seems like win-win all around.
These companies are critical to people's livelihood in 2025 and they should be treated at such. Many people rely on them for their life, they store sensitive information and control communication.
I'm of the opinion that if a business can't provide adequate support at scale, then it should either stay small or cease operation.
Dealing with fraud is your issue and part of your business, not citizens.
I'm sorry to inform you they work exactly like this.
https://web.archive.org/web/20231105205756/https://www.nytim...
Could it be that fully automated payment processes are just so fundamentally vulnerable that their very existence needs to be questioned because of how overwhelmed they get with fraud attempts? I'm deliberately being controversial here for the sake of discussion.
I agree there absolutely needs to be a form a habeus corpus here with arbitration to hear from both sides. And what's more, even when an account gets shut down, an export of all data must be provided, and a full refund of the purchase price of any digital licenses/credits still active. So even if a spammer takes over your account and Megacorp isn't convinced it wasn't you yourself that decided to spam, you still don't lose your data or money spent -- it's ultimately just a (very big) inconvenience.
Corporations need to be heavily regulated. They won't just do the right thing for its own sake.
https://www.simonandschuster.com/books/The-Corporation/Joel-...
I just mean that otherwise, usually competition ensures good outcomes for consumers, because the corporations that produce bad outcomes go out of business once consumers catch on.
But there are definitely exceptions, especially around rare events that are difficult to foresee or that can't reasonably be expected to be part of product comparison. The likelihood of your account being shut down without recourse and losing things you've paid for falls into that category perfectly. Predatory surprise fees with things like credit cards and bank accounts, and that change without warning, also fall into that. Also minimum warranties, since consumers can't easily inspect quality on the inside of a product.
Yeah, I mean it's just basic rules of commerce, not very different from laws about false advertising.
As it happens, in the U.S. consumer protection policies always top the lists of policies with the most bipartisan support.
"Yes support tech, please understand my child just died of cancer and my wife in a car accident last week and the only pictures I have of them are on my bitcoin4free@gmail.com account!"
Google probably also bans thousands of accounts a day. And suddenly every single one of them needs a full human appeal review. Because jamming up the system is (short term) beneficial to these shitheads.
The only way this is going to change is if shareholders hold executives accountable. Consumer protection regulation with real "teeth" that impacts the bottom line will bring angry shareholders to the table very quickly.
The problem with having support dealing with problems like this is that fraudsters will figure out how to manipulate it, while honest people will still encounter these problems. The easier you make it for honest people to resolve these disputes, the easier you will make it for fraudsters since it would involve yet another avenue for them to exploit. Plus the whole process will become more expensive, which someone has to pay for.
Scammers would call into Teleco customer service with panic and tears to trick the support person into moving your phone number onto their device, and then they drain your SMS 2FA accounts.
It is already baked into the costs in business models of big companies. And they are pretty good at it, actually; we’re talking about one high-profile case, and it’s not the only one, but it is rare enough that such stories are still newsworthy.
The standard that people want, though, is absolute certainty: zero errors that affect real customers, a 0% false positive rate.
The scale is in fact a challenge. If a small business has a 0.00001% false positive rate, they will affect approximately zero of their customers. For Apple, managing billions of accounts, that same false positive rate would affect hundreds of real customers every day.
https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
... which hasn't happened, but maybe once every 3 months I move another service to logging in with an email on my personal domain ...
This really shouldn't be allowed in this day and age but I'm effectively powerless to change it. DeGoogling is hard.
I mean, it's great to be independent, just make your infrastructure rely on the services of an US based company...
We're all worried about identity fraud, and such documents are actually used to apply for an id in some countries!
No, the real problem is that we have no reasonable alternatives when companies misbehave. There is no meaningful way to exist in society today without an Apple or Google account, and that's actually insane. It's doubly insane for people who aren't citizens of the United States (although the CCP addressed this by requiring Apple make a separate iCloud for them).
The solution isn't to legislate a right to a bank account, it's to preserve the usefulness of cash so banks don't get too far out of line.
As is the case for many other infrastructure companies, such as your local electricity network operator (or even supplier depending on market liberalization). We also didn't solve that problem by ensuring everyone's right to run a generator in their backyard or heat their city apartment with a coal oven.
If tech companies have become essential to our day to day lives and are not willing to allow for horizontal interoperability, i.e. to split over-the-top services from infrastructure and individual elements of infrastructure from each other – because walled garden lock-in undoubtedly increases profits – why not regulate them as infrastructure entirely?
Well, to be fair, I do create an ephemeral Apple ID every time I get a new phone… But I immediately log out of iCloud after downloading the two or three apps that I use. I have no idea what my Apple ID or password is… I would have to go look them up.
Further, if I lost said Apple ID, I would lose nothing of value.
I believe, as you say, I exist meaningfully in society.
In other words, you do have an in-use apple id at (pretty much) all times.
Further: the three apps I install are not crucial - I could live just fine without them. All I really need is Safari and a working POTS endpoint for my cloud-hosted phone number ...
Not every service provider offers a web app anymore, and if they do, it's often penalized in terms of functionality or fraud screening hoops one has to jump through (since mobile apps offer device attestation and generally have a higher cost per bot action than browsers). Some even outright demand device attestation, which not only excludes non-iOS/Android devices, but even custom ROMs or non-Google-blessed phones, since they lack the necessary keys.
And yes, people could protest that by just not using these services if they're not strictly necessary to survive, but the dynamics here (tragedy of the commons etc.) just don't work in favor of individual people.
Web based online banking (since nothing related to banking requires 3D or VR/AR or camera/mic access or other fancy things that apps do) and 2FA auth. That is all I have ever seen or used.
By contrast, all European bank accounts offer outbound payments, which nowadays clear and settle instantaneously. The fraud risk is just orders of magnitude higher.
The US now has Zelle, which is actually showing just that friction and not going especially well for banks that were kind of blindsided by the sudden requirement to actually authenticate their customer, which is why you see all kinds of strange stopgap solutions mixed with proper security.
That's not the case, but SMS-OTP only counts as one "possession" factor, leaving only "knowledge" or "inherence" for the second one, and both are awkward to ask for in a payments flow. (You don't want to train users to enter their bank's password at a merchant site, and biometry/inherence isn't easily possible from an untrusted device.)
By contrast, doing biometry on a linked device provides two factors (possession of the device and inherence), and is significantly cheaper than SMS too. SMS in Europe can be pricey!
As a tangent, they are in fact banned from using email as a factor, which I find infuriating – my mailbox seems much better protected than my SIM card or phone number, which is one successful attempt at social engineering away from being swapped out or ported away. The SMS industry must be pretty good at lobbying.
https://www.wellsfargo.com/biz/online-banking/securid/
... which is quite simple and cheap ... and can be used in place of SMS 2FA.
The fact that these tokens exist and are so simple to deploy and use really deflates any claim (by banks) that banking and/or auth apps are required. It causes one to consider what the real motivation is behind the bank desperately pushing customers away from the simple and adequate web service towards the apps.
I assume the Chinese government is quite happy with this, because they have no trouble bringing their large companies to heel, unlike the US. And centralizing payments like this gives them a great deal of information and control.
Apple willingly preserves a backdoor in the e2ee of iMessage for the FBI et al in the form of effectively unencrypted iCloud Backups.
The whole “Apple won’t decrypt stuff for the FBI” narrative is farce.
Post Snowden, all the tech CEOs met in person with Obama to do damage control, as they all had some serious credibility problems once the reality of FAA702 (warrantless one click direct access, aka PRISM, aka the #1 source for the IC) came to light.
You can't keep chasing alternatives when companies misbehave
That's why there's a thick list of contract law precedents and consumer's rights and what not
When the services that a company provides gets to this level, it starts becoming like a public utility. If it's not possible to participate in society without using such a service, then the services should be governed like utilities are.
I wouldn't be opposed to having actual government-provided services for things like e-mail, text message, and discussion forums at a very basic level. Then (in the US anyway) we could apply the government restrictions on privacy and freedom of speech, with laws governing the oversight and implementation. Of course there would be major details to work out to prevent misuse, corruption, etc.; but it could solve the problem of losing your essential on-line identity -- as long as the government has any interest in you at all for something like expecting you to be able to send/receive an e-mail in order to pay your taxes, then they wouldn't ever cancel your account. 3rd-party services would still be possible, but then they could do whatever their business model supports, and caveat emptor. How people can expect businesses services like Facebook to comply with their personal expectation of free speech is beyond me.
* evidence
"Habeas corpus" is not a lofty expression for evidence, although people sometimes use it as such. It's a procedure for challenging one's detention before a court.
It has a REALLY good section about why customer service is very hard to get right
You could do a revenue threshold or something but seems tricky.
That's what countries regulating this tend to do (often user count instead of revenue thresholds, but similar).
It also makes sense, because if the podcast guy bans you, you can pick a different podcast player or just not listen to podcasts. If both Google and Apple ban you, you're also effectively debanked because you can't use their app stores to install the banking authenticator app that is required to use online banking, possibly excluded from using public transit, etc.
I have personal experience here. I was gifted a meaningful chunk of Apple gift cards. I redeemed them to a secondary Apple ID as this ID is rarely used. It got locked when I tried to spend the Apple gift cards.
It took a couple tries over a few weeks, but Apple support were very helpful and able to unlock the account. Where I must've got lucky is the automated system must've allowed the Support to take this action and it sounds like in the case here whatever fraud flag triggered issued to far more severe response.
My case I should add the gift cards were totally valid. It just was rarely used to count. That might explain why it was easier to resolve in any event. They absolutely as human support. The real issue is when human support can't overrule the computer.
Companies should be required to provide access to a service that verifies identity. I know such companies exist, so it is doable. And then, once it is provable that they are dealing with an actual human who can be identified, your rules can be applied.
I guess that's one reason enterprises like them
I see no reason enormous companies should carve out exceptions to the legal system. You exchange money with them, that's commerce, it's a contract. This is exactly what civil court was designed for.
If you try to make carveouts for him, they will still be absurdly restrictive and the carveouts will be abused by the likes of Reddit.
If this happens more than a few times, they will quickly remember why customer support is necessary.
The judge would likely never see the case, because the legal department would make sure it gets escalated to someone who can unfuck the problem before it gets that far.
Suing companies can legitimately be the easiest way to resolve issues, especially where small claims courts exist: It turns the issue into something that they can't "resolve" (for themselves) simply by ignoring and stonewalling you, so it becomes cheaper to actually fix the issue.
So like, if you get caught, red handed, absolutely 100% you, performing gift card fraud, the maximum punishment from Apple should still be getting banned from the gift card system (buying or redeeming). And if they want more consequences for you because they think you’re running a fraud ring, they should have to sue you like a physical store would. But not lock you out of the rest of the ecosystem. Otherwise you get the false positives getting the digital death sentence Apple tried to hand out here
Further, the current court system is already backlogged by months or years for serious crimes and property disputes. You are suggesting we socialize the cost of private customer service disputes. Why should taxpayers fund a judge to decide if a "common sense" decision was made about someone's banned World of Warcraft account?!
I'm sorry but this idea is very obviously not congruent with reality as we know it, as nice as it may sound.
Initially, the user requesting the hearing (this discourages the scammers).
When the appeal is won, the company (this encourages doing a really good job at not banning legit users and enabling lower-friction ways for them to appeal).
> You are suggesting we socialize the cost of private customer service disputes.
No, it can just be a dedicated body, funded as described above. Yes, this might mean that free accounts cease to exist, although I suspect in practice it would just result in a fraction of the profit from free accounts going into better (less user-hostile) abuse management rather than profit.
Won't somebody please think of the shareholders?
If this place attracts violence, the company can afford bulletproof glass and an alarm button that alerts the police, and I'd rather have the unstable 1% remanded to police at the risk and cost of a rich company than to have them stab a rando on the street later.
Employee protection laws that mandate said bulletproof glass in certain situations already exist in civilized countries.
Regardless: The fact that a specific tool is the easiest way to do something doesn't grant you a "right" to that specific tool. For example, you have a right to seek transportation; you don't have a right to a specific 2025 Toyota Camry provided by a private company.
You can't launch your boutique credit card and refuse to refund fraudulent charges with the excuse that you are too small to do so.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
Scary, scary world.
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
Scammers will sniff card info before activation, and poll the balance check site to see when the card is activated. They will then use the card to get merchandise which they ship to another market and sell for ~50-60% of retail value.
Like solar power, money laundering is inefficient, but it's valuable when the source material is zero-cost.
Companies commonly claim security/anti-fraud, then refuse to explain their actions, claiming (again, without evidence) that justifying themselves would help fraudsters in some way.
But really this has nothing to do with anti-fraud, and everything to do with duopolies out of control and weak consumer protections doing nothing to push back.
That's why Google, Apple, and Microsoft are notorious for this.
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
My computer files aren’t on my phone or vice versa.
I use IMAP email so it’s accessible on both.
I use Signal instead of iMessage.
I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.
At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.