I suspect the underlying problem is that the gap between legitimate use of gift cards and fraudulent use of gift cards is just not very large...
Years ago I briefly played around with "manufactured spend" (on credit cards, to earn frequent flyer miles).
There was one specific loophole, with one specific gift card provider, and it was a doozy. You could earn credit card points on spend, plus supermarket loyalty points on spend, by buying gift cards from one specific provider which could be cashed out at face value (ie no fee at all) immediately to a specific type of savings account.
So, of course, world+dog was buying these things like it was the end of the world.
As I sat in a hotel room one evening rubbing the security codes off the latest batch of cards before redeeming them one-by-one into my savings account, it dawned on me that what I was doing was basically indistinguishable from money laundering. Of course it was NOT money laundering, but it would take some time to explain exactly why not...
The loophole was closed relatively quickly, and the gift card provider gave up.
> Update 18 December 2025: We’re back! A lovely man from Singapore, working for Apple Executive Relations, who has been calling me every so often for a couple of days, has let me know it’s all fixed. It looks like the gift card I tried to redeem, which did not work for me, and did not credit my account, was already redeemed in some way (sounds like classic gift card tampering), and my account was caught by that. Obviously it’s unacceptable that this can happen, and I’m still trying to get more information out of him, but at least things are now mostly working.
It’s great that it has been resolved, but I’m still baffled by a number of things:
1) Why would redeeming a bad gift card result in a complete shut-down of the account?
2) Why is it seemingly impossible to get any support now unless you drum up a ton of press?
3) Should companies be restricted from growing too large where they can’t support their customers?
In my personal and professional experience, banks are the only companies that seem to actually know how to handle these issues appropriately when it comes to fraud or access. Rather than move to outright banning the account, there are intermediate steps that can be taken. Personal example, my Facebook account was recently banned because a hacker accessed my account and uploaded a bad ID when FB requested an ID verification. Despite the request coming from a country I have never visited and would likely be on any high-risk list, my 20 year old account was banned literally overnight without having any recourse. There’s no number or even any email to use. Maybe I can see if the Register will write it up… (I do have all the info from my Facebook account download to show how it was compromised, and any internal support should have been able to see the same… if they cared.)
Related:
Apple has locked my Apple ID, and I have no recourse. A plea for help.
1730 points, 1045 comments https://news.ycombinator.com/item?id=46252114
Huh, interesting. Well, the only reasonable thing to do is to tell everyone that Apple gift cards are unsafe. I probably will do this. The problem with the “only buy from Apple Store” is that the recipient cannot ask for the source of the purchase without looking a bit ungracious.
So a blanket ban on Apple gift cards is probably the safest thing. I shall inform everyone in my extended family.
A core concept here is that of ownership. People think they own their accounts and data. Stories like these, and unfortunately the law, make it clear that they don't own anything. I personally think it is false advertising of companies to even hint at ownership. Words like 'buy' shouldn't be allowed since it implies owning. They should only be allowed to say 'rent' or 'grant a limited license'.
It's almost a rhetorical question, isn't it? Clearly, from both the original post, and this reporting, they are NOT safe to redeem.
In addition, it just re-emphasizes how tied we all are to these "digital lives". I used to do it without a blink, but now think twice before clicking "Login with Google/Apple".
I don’t want to minimize the pain people experience here, but it’s worth calling out just how hard this problem is for retailers and issuers.
Gift cards are the #1 fraud vector in payments ... because it lets stolen cards be converted into a cash-like equivalent with zero traceability.
So fraud/risk systems are highly sensitive to gift cards.
It's not an excuse, but I see in this thread people minimizing the problem at hand - so I just wanted to call that out.
I'm glad that got resolved for Paris, but what the hell is a normal person supposed to do? Not everyone has that kind of public reach to get a satisfactory resolution. First he had to understand what happened technically, then he needed a public platform to tell people about it, then that writing needed to get reposted by others, then PR needed to get involved. Not something that's going to happen for a normal user.
Apple, Google, and the big players are not a trustworthy place to entrust precious data. Increasingly, Apple and Google aren't very much different as they are both in the advertisement business: the great misaligner of incentives.
Every time I read a story like this, I feel an atavistic desire to self-host everything. But I've had my Google account for 20 years now; the die is cast.
I experienced something similar recently. There’s something going on with gift cards at Apple. It’s a bit fishy. As in they don’t want you to use it so they can report higher holiday season sales. Or they’re experiencing a huge uptick in scams involving the cards. I started wondering if the system they use is actually secure from a cryptographical pov.
My lessons were:
1) if you’re going to accrue gift cards for hardware purchases, use a separate Apple ID. Do not use that ID for anything else and especially not as family organizer.
2) save paper trails for all your gift cards. That’s your only way out of this.
3) be prepared to be treated like a scammer by Apple Support. They will even question where you got the devices you traded in at the store. Some support staff will basically say you stole them without any evidence.
The real problem is that companies do not offer any accessible, powerful, and intelligent customer support. Even if they have real humans to talk to, they simply follow a script. Those agents do not have the ability to investigate a situation or the power to use their discretion to take meaningful action.
We should impose, by law, the following rules on all companies that offer accounts to their customers.
1. If they block/ban/close/suspend a customer account they must provide habeas corpus. Explain to the customer the policies that were violated that resulted in their account being terminated. Additionally they should be required to show the customer the evidence that led the company to make the decision.
2. The company must provide an accessible live human appeals process. The human they appeal to must have the discretionary power to investigate and make a common sense decision even if it contradicts policy. This process currently only exists for people who are capable of making a lot of noise in public. How many people lose their accounts and suffer harm because they are incapable of getting attention in public? It needs to be available to all customers with a simple phone call or email. It must also be required to make a decision very quickly, 24 or 48 hours at most.
3. In the rare case that the company still makes an unjust decision, there must be a quick and accessible legal remedy. Establish some kind of small claims court where it is cheap and easy to file without a lawyer, and where cases can be heard and decided on short notice.
Would checking the Apple gift card balance first be a useful precaution? Would it have saved Paris all this hassle?
Seems like this might be a necessary step if checking the balance would reveal there's something wrong with the card. Would be frustrating to see the $500 card is worthless but better than risking the bureaucratic hell.
This is one of the reasons I picked a small, dedicated email provider [1] over Google Workspace for my corporate emails. If Google flips out and ban hammers us for no reason, my company will still be able to reach clients and work on projects. Apple, Google and Facebook are way too trigger happy with automated bans and no recourse.
So it still took four days after they were contacted by "someone from Executive Relations"? Well, that's disappointing.
I won't be redeeming any, that's for sure. I've been lucky so far, but I got a brush with this experience a couple years ago. I logged into my apple account from a web browser on my work computer. Turns out my company has pretty shitty security and our NATs were on the naughty list (I should have known better, I had been getting CAPTCHA'd every day if I browsed outside our network). Because I logged into the apple account from a naughty network, they instantly locked the account until I could prove it was really me and that everything was okay.
I did get it resolved relatively quickly, but for the next couple weeks I was randomly running into the fallout from that. It became really clear just how far reaching the impact would be if I lost the account and could not recover it. Ever since then I've tried hard to disentangle myself completely so that the blast radius will be much smaller.
At this point the biggest worry I have is what would happen to my MBP and iPhone. All of my cloud services are non-Apple, but they might be able to keep me out of my own machine and that would be devastating.
I kinda thought Apple was better about this sort of thing, what with the Genius bar and that sort of thing. I pretty much made an ass of myself by assuming that, I guess, because I switched from Google stuff straight into Apple. I should probably start to work on self-hosting now that I can see I was incorrect to trust Apple...
The risk of this happening seems low, but the impact on my life as an Apple ecosystem resident would be catastrophic. It's an easy decision for me - I won't buy or redeem an Apple gift card again.
Not an expert in the issues presented, but I see increasing numbers of single-point process failures, like what happened to Paris, being designed into our civilization.
As the age old saying goes: do not redeem it!
I feel like all these articles are writing about the wrong thing. Yeah, it sucks that the guy's account got banned, and yeah, maybe we can't trust gift cards.
But the truly troublesome issue is how an entire ecosystem of (very expensive) hardware is allowed to be tied to an identity controlled by a giant black box of a corporation.
What I mean is: you can spend thousands and thousands on devices and configure them to be almost invaluable to your everyday life, but you are ultimately completely beholden to Apple. You require their ongoing permission to continue using those devices. You are completely at their mercy.
And sure, you can argue that people willingly sign up for that kind of agreement when they make the decision to purchase Apple/Google products but that's also missing the point. Phones are now essential utilities. Accessing vital services sometimes requires an iOS or Android device.
Permitting giant, uncontactable, merciless tech corporations to control the digital lives of virtually everyone on the planet is absolute insanity.
The scenario described in the OP's article should simply never be allowed to happen.
This is such a complicated issue, because on one hand, scammers are bilking people out of a ton of money with gift cards, but on the other hand, should a user be penalized for using a gift card?
Is that the correct way to fix the fraud problem?
> It also leaves the question of... why it took the better part of a week to resolve.
I'd put money on they had to restore backups of several systems, fish out his account-specific data, then insert it back into the main systems. This would have happened much faster if there was just an on/off switch.
I remember many (many!) years ago, when some american express travelers checks were counterfeited.
They did The Right Thing™ which was to honor them, so that their reputation and brand were preserved.
lots of other examples, like new coke fiasco, the poisoned tylenol, etc...
> > There is one way the Apple community could exert some leverage over Apple. Since innocently redeeming a compromised Apple Gift Card can have serious negative consequences, we should all avoid buying Apple Gift Cards and spread the word as widely as possible that they could essentially be malware.
It's December holidays time, but I assume that most Apple gift cards that would be purchased for the holidays already have been, so...
Maybe people should also be urged to demand to return any Apple gift cards already bought. Arm people with a copy of the news story. If retailers resist, then regulators can get involved.
How can we solve this problem?
The only idea I can think of is a law that requires companies, once they reach a certain number of users or market share, to provide a formal process to restore accounts that are a certain number of years old. This could include paid arbitration or a similar mechanism.
I doubt such a law could pass at the federal level, but if it were passed in California, it would probably solve 80 percent of the problem.
Or is there a better solution?
Continuing the worrying trend that when computer says no you need social media presence & industry connections to get basic level of "hey can you not kill my account" support
They also need to let you transfer your purchases to a new AppleID under a new email address. It is outrageous you're forced to choose between all your purchases from an email account name from when you were a kid or teen and getting to have an adult email address/handle and not having a data hungry company like Google or Microsoft seeing all your Apple activity in perpetuity
I understand why Apple sells gift cards. I understand why brick and mortar stores sell gift cards for third parties like Apple.
But what do the credit card companies get out of this arrangement? It seems like they’re taking on a whole lot of unnecessary risk and enabling these scams by allowing third party gift cards to be purchased using a credit card.
You'll hear tons of similar stories with GCP/Google accounts.
This is the same reason I don't use GCP -- ever -- for business. If there is ever an unintentional linkage in GCP of your personal gmail account, and you have an issue on GCP, your personal account can get locked out.
If CloudFlare can do public post-mortems then so can Apple.
This was a scary story to read after I cashed out all my rewards points at work for the first time in 5.5 years to get six $100 Apple gift cards which I redeemed back-to-back-to-back.
Genuine question: if your Apple account is locked, and you're unable to create a new one, is your iPhone still usable?
Recent customer service experiences:
- HN banned me for being a robot! (I'm not)
dang unblocked me 1 hour 4 minutes after an email (thanks dang!)
- A Marriott hotel clerk booked me a duplicate room instead of using my third party paid reservation
After 45 minutes on the phone on hold and arguing with robots, I got a person who hung up on me in the middle of investigating the issue, I issued a credit card chargeback because I wasn't going through that again
- Comcast billed me $200+ weeks after I closed my account
After 30 minutes going around in circles with their AI phone operator who kept directing me to the broken online portal which said nothing I gave up and issued a credit card chargeback, I'm presently ignoring the advances of a debt collector
- A Kraken withdrawal of $16k worth of BTC has been "On Hold" for 28 days now
Their email support stopped responding 15 days ago. I have filed complaints with the CFTC and my attorney general.
- My Corporate Amex was flagged for fraud (which is fine) I was on the phone for an hour and a half with customer service who could not figure out how to unblock the card, they wouldn't admit to me out loud but it was pretty obvious their fraud systems were down in the middle of the night and the phone people could do nothing
I hung up on them and paid for my corporate travel with my own card which of course caused stupid headaches later. I hate AmEx now.
---
The best customer service? A free online forum that I can't possibly ever give any money.
So never buy a gift card at a retail location, unless it’s digital. Preferably buy directly from the website of the company where the credit will be used.
But why would apple punish the secondary user of the card? That seems like the wrong person to punish.
Gift cards: it's a steal, so just say no. I want to say if you get one from your sister-in-law give it back but now I'm afraid she'll face terrible consequences from cashing it out.
... note an update on this story: Paris got his account unblocked today, thanks to the story being covered here and throughout the blogosphere. It's a good outcome but not a path open to most people:
the combination of single account for everything and arbitrary account locking is really scary, given how much of their lives people entrust to these services. anecdotally i have steered strictly clear of google cloud for my personal projects (even though i have some cases where firebase would have worked nicely) because i cannot risk some screw up locking me out of gmail.
I remember an HN post where someone's google account got locked out when they tried to add funds using their Apple Card.
How and why would someone tamper an Apple Gift Card?
That’s unfortunate. I will not be buying or recommending Apple Gift Cards going forward.
I just had my mom purchase a $100 gift card for my son. Now I have to go to the Apple Store to redeem it… how fun
The answer to the question is NO. Unless you don't care at all about your Apple account.
The lack of "real, common sense human support" from giant tech corporations is terrifying - and something that only regulation can fix. These tech companies have increasingly taken over our lives - getting locked out of a 20-year-old Google or Apple account could legitimately ruin your life - or at the very least - make it incredibly difficult for 6-12 months as you work to recover every account linked to it and migrate to something else.
One problem is that even if you can reach a real human - they have to follow a script and have strict limits on the problem solving they can do. If something falls outside of the normal support algorithm they are stuck.
What do you do if you're an average Joe without a popular tech blog and connections to the Apple community? How many people has this happened to that have just given up entirely?
Scary, scary world.
I've been using all of my macs for years now without Apple IDs. I use them only reluctantly on iOS devices to install apps, and don't use iCloud (it's a privacy nightmare).
Relying on Apple to remain benevolent when the incentives are so misaligned is a fool's errand.
I bought an iPad on the online Apple store, on their back to university programme (in the UK). I was overcharged by around £80 (the price of the gift card they gave me as part of the back to university offer, basically the web site charged me for the gift card). I called up their support and explained the situation. For about 10 minutes I had the lady explain to me in the politest tone possible how I didn't understand the calculation, because naturally she believed that the Apple web site wouldn't make a mistake. She finally realised that it was wrong after a while and refunded me really quickly, but I think she could've easily gaslit an average person into believing they were in the wrong.
lol I have another story regarding Apple gift cards.
Many years ago we had an iMac at the house as the shared desktop computer. After a few years, it started to have the signs that the harddisk is going to fail, and also we were mostly moved away from Apple's ecosystem, so we decided to trade it in and replace it with something else that's not from Apple.
Since we don't have anything immediate to buy from Apple, we traded it in with Apple gift cards.
Later, my partner needed to trade in an old iPad for a new one, so we used that gift card with credit card for the trade in. For that trade in, you first pay the full price with gift card+credit card, then they refund you the trade-in value after the trade-in is finalized.
The trade-in value of the old iPad is less than the value we paid via credit card, so we would reasonably assume that they would refund the total trade-in value to our credit card. But nope. They actually calculated the original gift card vs. credit card split ratio, and refunded according to that ratio.
A simplified example is say we paid $200 via gift card plus $300 via credit card for a $500 iPad, with trade-in value of $200 for the old iPad. Instead of refunding $200 to our credit card (so it's eventually $200 via gift card and $100 via credit card), they refunded us $120 to credit card and gave us another $80 gift card. So we have to find ways to spend that gift card again, and it cannot involve any trade-in (otherwise we're not going to be able to use it fully).
do not redeem!
DO NOT REDEEEEEEEEM
Unfortunately, at the moment, for normal people, the legal system is our only option.
I am not a lawyer, but I have done this multiple times:
Read the T&C and search for "dispute" or "dispute resolution". Look for what you're supposed to do when you have a dispute. Follow the steps as outlined. Corporate lawyers generally take things seriously.
I offer some metaphors bundled into a claim:
Silver bullets almost never beat fraud. Better to steel yourself for a never-ending grind against a horde of nameless adversaries.
I asked Gemini for some follow-ups, and lo! they are interesting to consider:
- "fraud is an evolutionary arms race fought in the trenches."
- "fraud is a siege where the attacker has infinite attempts, and the defender must succeed every time."
- "fighting fraud is not a battle, it is industrial waste management."
This fiasco stirs up a lot of different topics for me, none of which seem like they are likely to be resolved anytime soon.
First, with so much importance placed on an Apple/iCloud account in our current era it's not good that they can be shut down so trivially. Someone can be shut out from using Messages, Apple Wallet, Digital Identification (depending on where they live) and all their subscriptions and media purchases without any recourse, in an instant. It's not hard to imagine someone being put into a pretty bad situation as a result of this with just a little bad luck and bad timing. It's easy to point out that you shouldn't be overly reliant on these technologies but I think it's more important that there be ways to safeguard people from this scenario. Apple should do more to handle these scenarios given the importance of an account now.
Second, there are other recent events that point out the failure modes and gaps that Apple (and Google?) need to address. There apparently is no way to cleanly divide purchases in a divorce or separation, even if the person was fleeing an abusive situation. There's also no way to leave a "family" account even as an adult or how to assign children to multiple families. Again we can trot out the easy "Just don't use these things, use FOSS, Nextcloud, etc..." but I think Apple should do more to address these types of scenarios regardless of what people choose to use.