Sophos Cloud Optix
Apple is prompting some of its iTunes/App Store/iOS customers to set up three new security questions and an alternate email, in an attempt to smother a growing wave of phishing and fraud.
Media reports state that the request to set up three security questions, apparently implemented on Wednesday, is being asked when a user downloads an app from the App Store.
Apple is also requiring a backup email address, presumably in case a user’s primary address and associated Apple ID become compromised.
While it’s a welcome move toward stronger security for the increasingly targeted venues, users have been caught off-guard, unsure if the messages themselves are the work of phishers or scammers.
After all, the messages bear the scam stamp: they’re unsolicited, they were unannounced by the characteristically tight-lipped Apple, and they solicit information.
Some quotes from the baffled, from a discussion forum on the Apple Support Communities site, collected by MSNBC in a report published Thursday:
fiasko5k: "iPhone 4s: why does app store keep popping up 'security info required'? This happens after I put in my password. Is this something to be concerned about?"
Chris0973: "I had the same issue on my iPhone 4 today and also was worried that it might be a virus or phishing exercise. It is certainly worded like one."
Although it made no public announcement about the security move, Apple did confirm to CNet that the messages are, indeed, legitimate.
CNet’s Lance Whitney reported that the additional security is apparently aimed at accounts that may have triggered a flag for one reason or another. Whitney said he got no additional security requests when he logged in and out of his iPhone and iTunes accounts.
Neither did I when I logged out of iTunes, but I did get an expired certificate warning from Chrome when I tried the “forgot password” function in iTunes. That’s enough security exploration for a Friday afternoon, thank you – I backed off.
There are reportedly over a quarter billion iTunes accounts. Many have credit card information associated with Apple IDs. It’s easy to see why iTunes and the App Store are increasingly targeted by crooks.
And compromised iTunes accounts have certainly caused headaches in the past.
In January 2011, 50,000 stolen iTunes accounts linked to stolen credit cards were being sold on a Chinese auction site.
About a year before that, a large number of iTunes users reported that they had received unauthorized charges of up to $1,000 after a security breach.
As Sophos’s Chester Wisniewski has noted, Apple has previously failed to put in measures to better secure iTunes accounts or purchases made from iOS devices.
Up to now, users have tended to choose feeble passwords for iTunes and the App Store when they’re entering the password from a mobile device.
No mystery there: it’s no fun to enter a long, complex password, complete with punctuation, when you’re poking at a phone keypad.
And as many have pointed out, password re-use is an issue. All it takes to crack an overused password is a data loss at one organization in a chain of redundant password use.
iTunes’s security is moot if somebody’s using the same password to buy tunes and also to get into Facebook, and/or Twitter, and/or Gmail, ad nauseum – at that point, it’s not just iTunes security that’s relevant, but the security of every place a redundant password is entered.
It’s good to see that Apple’s finally doing more to secure iTunes and App Store.
It would have been nice if Apple had actually told us what it was doing, but hey. We’ll take whatever incremental improvements we can get.
“Security info required” image credit: The Next Web
It’s great to see that Apple is taking steps of making the iOS App store more secure. However, they should tell all users about the security measure they’ve implemented. I have a complex password for my iTunes account, and I don’t mind entering it on my iPhone’s virtual keyboard.
“Making the iOS App store more secure”. Foisting the hassle of making users feel like Apple is doing something, when it’s all just pablum is more like it. I canceled my App store account.
Terry Carlson
Too intrusive. Buy your music from Amazon.
Even better: buy some of your music from a record store! It helps your local community to thrive, gets you in front of music that the lame amazon algorithm would never suggest, and gets people away from their computer and in contact with other people. What a concept. 😉
At issue here is the lack of security this forces upon us. At a glance using these passwords makes us safer, but the security (in quotes only) it offers does no one any good. Apple is the problem. Hackers have tken the majority of the information on Apple's end. This does nothing to secure our information on Apple's end. The fact that they told us users NOTHING is part of the culture of Apple's problem. I for one refused to answer there additional questions. I flatly refused to give Apple yet another email address (as if another email address would prove anything but making me less secure). I don't need Apple or their culture.
And today I finally got the expected reply from Apple. They did not request me to complete their new security questions when I went to download a song. They actually let me buy it.
My password is strong. I check my credit card and apple account often. I do not want or need this added information out there for a hack to steal. Apple needs to fix their business culture and realize if users think its a possible attack, then it is (even if it wasn't). Tell us before hand, let us make the needed changes and then and only then force feed those who do nothing!
Can you say f’d up? I have no problem entering my credit card number every time but instead we choose to enter passwords. Do not leave your credit card info on any site and see how many times your info gets stolen. Stop with all the security questions !
The apple has gone rotten.
I refuse to fill out more questions see u later apple
Let me show you what questions Apple is forcing us to choose from – I cannot answer any of these and certainly would not be able to later remember how I answered. These seem to be aimed at teenagers. As an older adult, they are so far removed from what is important in my memories that it is as if they are forcing me to answer questions in a foreign language I don’t understand. All I can do is make up answers I have no hope of remembering later just to get through this roadblock pop-up. See for yourself if you are an adult over 40 or so if you can find questions here that you could reliably and consistently answer now and 5 months from now:
What was the first car you owned? For me, I don’t know because I shared cars and have owned dozens as well.
Who was your first teacher? Wow, are you kidding me – I’m not even sure teenagers would remember this.
Where was your first job? Sounds less unreasonable, but I can’t answer since I have had many quasi-jobs (as a teenager), and I really don’t remember the first one – besides, do you remember the business name and exactly how to spell it…
[Comment edited for length]
Boycott Apple iTunes Store…Once they have this data, no matter how well encrypted, it will be warehoused somewhere and your very very personal history and data can be captured and if you used these type of answers for your banking, credit card history or the many other online services that ask these stupid-ass personal questions, you identity WILL someday be compromised. Apple makes enough money to do this in a better format.
NO MORE MONEY FROM ME< JOIN ME IN BOYCOTTING ALL APPLE online purchases.
I will no buy any more apps or music or whatever as long as they force me to answer these stupid questions. I have more than enough other non apple options. So they just lost one customer