Apple is prompting some of its iTunes/App Store/iOS customers to set up three new security questions and an alternate email, in an attempt to smother a growing wave of phishing and fraud.
Media reports state that the request to set up three security questions, apparently implemented on Wednesday, is being asked when a user downloads an app from the App Store.
Apple is also requiring a backup email address, presumably in case a user’s primary address and associated Apple ID become compromised.
While it’s a welcome move toward stronger security for the increasingly targeted venues, users have been caught off-guard, unsure if the messages themselves are the work of phishers or scammers.
After all, the messages bear the scam stamp: they’re unsolicited, they were unannounced by the characteristically tight-lipped Apple, and they solicit information.
Some quotes from the baffled, from a discussion forum on the Apple Support Communities site, collected by MSNBC in a report published Thursday:
fiasko5k: "iPhone 4s: why does app store keep popping up 'security info required'? This happens after I put in my password. Is this something to be concerned about?"
Chris0973: "I had the same issue on my iPhone 4 today and also was worried that it might be a virus or phishing exercise. It is certainly worded like one."
Although it made no public announcement about the security move, Apple did confirm to CNet that the messages are, indeed, legitimate.
CNet’s Lance Whitney reported that the additional security is apparently aimed at accounts that may have triggered a flag for one reason or another. Whitney said he got no additional security requests when he logged in and out of his iPhone and iTunes accounts.
Neither did I when I logged out of iTunes, but I did get an expired certificate warning from Chrome when I tried the “forgot password” function in iTunes. That’s enough security exploration for a Friday afternoon, thank you – I backed off.
There are reportedly over a quarter billion iTunes accounts. Many have credit card information associated with Apple IDs. It’s easy to see why iTunes and the App Store are increasingly targeted by crooks.
And compromised iTunes accounts have certainly caused headaches in the past.
In January 2011, 50,000 stolen iTunes accounts linked to stolen credit cards were being sold on a Chinese auction site.
About a year before that, a large number of iTunes users reported that they had received unauthorized charges of up to $1,000 after a security breach.
As Sophos’s Chester Wisniewski has noted, Apple has previously failed to put measures in place to better secure iTunes accounts or purchases made from iOS devices.
Up to now, users have tended to choose feeble passwords for iTunes and the App Store when they’re entering the password from a mobile device.
No mystery there: it’s no fun to enter a long, complex password, complete with punctuation, when you’re poking at a phone keypad.
And as many have pointed out, password re-use is an issue. All it takes to compromise a reused password is a data breach at any one of the organizations where that same password is used.
iTunes’s security is moot if somebody’s using the same password to buy tunes and also to get into Facebook, and/or Twitter, and/or Gmail, ad nauseam. At that point, it’s not just iTunes security that’s relevant, but the security of every place that reused password is entered.
It’s good to see that Apple’s finally doing more to secure iTunes and App Store.
It would have been nice if Apple had actually told us what it was doing, but hey. We’ll take whatever incremental improvements we can get.
“Security info required” image credit: The Next Web