Scott Hanselman

A suggested improved customer interaction with the Apple Store (and Cloud Services in general)

August 13, '11 Comments [39] Posted in Apple | Musings

Alternative Title: "What good fraud detection looks like"

Save me, Clippy, from Internet Fraud! My recent 'screed' called "Welcome to the Cloud - "Your Apple ID has been disabled" got a number of people talking. Yes, Gruber's DF called it a 'screed' which is a common enough term on his site I suppose. Sure, it was a rant, I'll accept that.

MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.

But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?

I honestly don't know how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly). The point isn't even Apple-specific, although they are an excellent example.

This security-related user interaction could just as easily have been on Xbox Live, Amazon Kindle, Dropbox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.

Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked with half of the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.

For example, in one system, if your account password was compromised the bad guys could log in and see your account balances. However, there was a scale of 'risky operations', from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky), that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we would challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates will have to become the norm in user interactions with Cloud Services.

MG Siegler calls me out here:

Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like.

Here is the email and what it made me feel. Then I'll propose a solution.

Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.

If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.

If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

I read this as:

  • We know what devices you have, and a new device we've never seen before has bought something.
  • If it was you, don't worry, this email was FYI.
  • If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
  • Whatever happened was probably your fault and you should be more careful with these tips.

It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeded in upsetting me and making me feel not only out of control but also helpless.

Here's an email I would have loved to have received:

Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.

  • You've never purchased an app in Chinese. Your last 492 app purchases have been English.
  • This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
  • This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
  • This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.

We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you protect the security of your account.
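The risk-scoring gate described in the banking example earlier in the post, and the list of signals in the email above, can be combined into one small scorer. This is an added example, not code from the post or from any vendor: it uses a simple additive weight per signal in place of the Bayesian model the post mentions, and the weights, thresholds, `Profile`/`Purchase` types and sample account (492 English purchases, two devices on AT&T in Oregon, a $10 in-app limit) are all constructed for illustration. The same `reasons` list the scorer produces is what a notification could show the customer.

```python
"""Adaptive risk scoring for a purchase, gated before the purchase completes.
Added example; all weights, thresholds and sample data are constructed."""
from dataclasses import dataclass


@dataclass
class Profile:
    """What the service already knows about an account (constructed sample)."""
    known_devices: set
    known_carriers: set
    known_regions: set
    app_languages: dict   # language -> number of past purchases in it
    in_app_limit: float   # the user's own in-app purchase threshold


@dataclass
class Purchase:
    device_id: str
    carrier: str
    region: str
    app_language: str
    in_app_max: float     # largest in-app purchase the app offers


# Hypothetical additive weights per signal; a Bayesian model would combine
# likelihoods instead, but the gating below would be the same.
WEIGHTS = {
    "new_device": 30,
    "new_carrier": 15,
    "new_region": 25,
    "unusual_language": 20,
    "over_in_app_limit": 15,
}
CHALLENGE_AT = 30   # a first purchase from a new device alone asks for confirmation
BLOCK_AT = 80       # hold the purchase until the owner explicitly confirms it


def score_purchase(profile, purchase):
    """Return (score, reasons); reasons are lines a notification could show."""
    score, reasons = 0, []
    if purchase.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("Purchase came from a device not previously associated with your account.")
    if purchase.carrier not in profile.known_carriers:
        score += WEIGHTS["new_carrier"]
        reasons.append(f"Purchase was via {purchase.carrier}; your other devices use "
                       f"{', '.join(sorted(profile.known_carriers))}.")
    if purchase.region not in profile.known_regions:
        score += WEIGHTS["new_region"]
        reasons.append(f"Purchase originated in {purchase.region}; previous purchases came from "
                       f"{', '.join(sorted(profile.known_regions))}.")
    total = sum(profile.app_languages.values())
    if total >= 20 and profile.app_languages.get(purchase.app_language, 0) == 0:
        score += WEIGHTS["unusual_language"]
        reasons.append(f"You have never bought an app in {purchase.app_language}; your last "
                       f"{total} purchases were in {', '.join(sorted(profile.app_languages))}.")
    if purchase.in_app_max > profile.in_app_limit:
        score += WEIGHTS["over_in_app_limit"]
        reasons.append(f"App offers in-app purchases over ${purchase.in_app_max:.0f}; "
                       f"your threshold is ${profile.in_app_limit:.0f}.")
    return score, reasons


def decide(score):
    """Map a risk score to the gate applied before the purchase completes."""
    if score >= BLOCK_AT:
        return "hold"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def evaluate(profile, purchase):
    """Convenience wrapper returning (decision, score, reasons)."""
    score, reasons = score_purchase(profile, purchase)
    return decide(score), score, reasons


# Constructed sample account modelled on the numbers in the post.
SAMPLE_PROFILE = Profile(
    known_devices={"iphone-1", "ipad-1"},
    known_carriers={"AT&T"},
    known_regions={"Oregon"},
    app_languages={"English": 492},
    in_app_limit=10.0,
)
# Three constructed purchases: routine, a genuinely new iPad, and the post's scenario.
ROUTINE = Purchase("iphone-1", "AT&T", "Oregon", "English", 5.0)
NEW_IPAD = Purchase("ipad-2", "AT&T", "Oregon", "English", 5.0)
SUSPICIOUS = Purchase("unknown-device", "China Unicom", "Shanghai", "Chinese", 20.0)

if __name__ == "__main__":
    for name, p in [("routine", ROUTINE), ("new ipad", NEW_IPAD), ("suspicious", SUSPICIOUS)]:
        decision, score, reasons = evaluate(SAMPLE_PROFILE, p)
        print(f"{name}: {decision} (score {score})")
        for line in reasons:
            print("  -", line)
```

The routine purchase scores 0 and is allowed; a new iPad on the usual carrier and location scores 30 and gets the single confirmation email the post argues for; the purchase in the post trips every signal (105) and is held. Setting `CHALLENGE_AT` equal to the new-device weight is the design choice that makes "first purchase on a new device" always a confirmation rather than an after-the-fact notice.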

MG Siegler says:

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.

I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time" but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have a @me email account that the bad guys own.)

This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to foo@foo.com. Why is this notice here?"

[Image: Gmail forwarding notice banner]

I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.

Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.

[Images: Gmail suspicious activity warning and forwarding notice]

I expect my cloud services to let me know, in a way that escalates appropriately with the threat, when something that doesn't match my patterns happens.

The meta-points are:

  • The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
  • Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
  • We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
  • It sucks to lose access to your cloud data.

What are your thoughts, Dear Reader?

Thanks to Matt Sherman for the Alternative Title! ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Saturday, August 13, 2011 11:14:49 PM UTC
Certainly Apple IDs are high value targets. These are users with some disposable income who may use their credit cards at high volume and not notice an extra $20 was charged.

That's why you were targeted.

Now, your suggestions are all fine and good and of course there will be newer, but more difficult attack vectors by pretending to be one of those emails. But still, there are more steps that can be taken.

The current system of:

1) A suspicious purchase was made and we know it because we're sending you this email.
2) We let the purchase happen anyways.
3) Oh yeah and then we disabled your ID... ultra-security!

It's not secure. That is not a path to preventing fraud and leaves the user insecure. I would say this about Xbox Live if a similar transaction occurred.

Interesting that my credit card company stops a suspicious purchase (to a high enough threshold, probably scoring it similarly to the methods you described, Scott) and then CALLS me and says "Hey, did you try to buy $25,000 worth of shoes at Payless.com" and resolves it in minutes.

Of course, they would have to eat $25,000, so they have motivation.
Saturday, August 13, 2011 11:38:26 PM UTC
100% with you. I love Facebook's new double authentication mechanism. Any new device or browser/computer combination does not let me login until I enter a code that gets TXT'd to me. This means that unless the attacker had my phone in their hand, they would not be able to login to my Facebook. It's totally cool with me and not annoying to enter a 5 digit code to protect my account.

I think every cloud service that (especially) contains private information should be forced to implement exactly the measures you describe, or even at a minimum, what Facebook employs. I've never seen Amazon do anything like this or even offer something like this... if they do, they definitely don't advertise it.

I also wish it was easier to secure customer information when you have a site. I recently developed a site that optionally asks users for their email or phone to send notifications. I encrypt that information and bought SSL for the site; I only have 30 users right now but I feel it's worth it just to be safe. Who knows how many services we log into everyday don't even do that, especially if they are one-off 3rd party apps on phones/sites/etc. I blatantly say I encrypt your information as they focus on the textbox and even include a lock icon next to each field that is encrypted. Maybe some people don't care, but security is important to me, especially when it deals with my information.
Saturday, August 13, 2011 11:47:49 PM UTC
You know, it is entirely possible your account was compromised without even knowing your password. Imagine there is a service that Apple has exposed that isn't properly hardened, you could have fallen victim to some sort of zany CSRF or other type of attack. The attacker just needs a bit of specialized knowledge, and some special token (a cookie, or other auth credential) and forget about needing passwords - or even specific account information. I don't claim to know the specifics of their systems or security, but this seems a lot more likely given how you take care of your passwords.
Sunday, August 14, 2011 12:24:25 AM UTC
MG Siegler is worse than Gruber. I read most Techcrunch articles but I will never again read one by him. He makes as much sense as the guy who was predicting the rapture a couple months ago.
Sunday, August 14, 2011 12:44:45 AM UTC
I agree that a better form of detection/validation is needed for fishy purchases, especially given the significant delay in purchase email confirmation that sometimes manifests due to batch processing of the iTunes charges. Those guys posting defensive posts about it are out of line and aren't getting the point.

I don't see that they offer any two-factor authentication and that would be a good *option* for any account where money is transferred from Paypal, credit cards, or banks. I saw an interesting one that's not too obtrusive (offered by MyOpenId among others) in which the service calls your cell after you login with your username/password. If you answer and hit the # key it continues the authentication: ANX Phone Factor Authentication.

James Culbertson
Sunday, August 14, 2011 1:18:06 AM UTC
Hi Scott,

Do you think government or legislation should play a part in addressing your meta-points? Banking for example is heavily regulated to protect customers.

As a cloud service provider offering services to consumers, should there be a body of legislation that applies beyond privacy laws? For example:

- You must not store un-hashed passwords
- You mustn't include passwords in emails
- You must audit the following events
- You must put the following checks in place to monitor fraud
- When terminating or locking accounts, you must have an appeals process and provide an export of all user data

Paul
Sunday, August 14, 2011 1:38:07 AM UTC
This may have been since you had PayPal as the payment method, but when I try to purchase from a different device I am prompted for: Apple ID, Password and CVV2 of the CC I have on file. Even with the first two bits compromised, unless they have my card they cannot make a purchase. I go through a fair bit of hardware so I see this a fair amount.
Sunday, August 14, 2011 1:43:12 AM UTC
Steam solves this problem by requiring you to authorize any new device accessing your steam account when you first log in.

- You install steam on a new computer and log in.
- Steam recognizes this is a new device, and sends you an email confirmation.
- You enter the confirmation in Steam, which unlocks Steam and you're done.

This process assures me that if someone tried using my steam account on a new computer, I'll be notified before they get to the checkout.
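The new-device flow described for Steam above (and the Facebook text-message code mentioned earlier in the comments) comes down to a small amount of server-side state. The following is an added example, not Steam's or Facebook's code: `DeviceAuthorizer`, its in-memory `trusted`/`pending` stores and the `outbox` that stands in for the email or SMS channel are all constructed for illustration. It shows the parts that matter for security: the code comes from a CSPRNG, it expires, guesses are capped, the comparison is constant-time, and a device is only trusted after a successful confirmation.

```python
"""New-device authorization: a login from an unconfirmed device must be
confirmed with a one-time code before that device is trusted.
Added example; the store and delivery channel are constructed stand-ins."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a code is only good for ten minutes
MAX_ATTEMPTS = 5             # then the pending challenge is discarded


class DeviceAuthorizer:
    """Gate logins from devices an account has not yet confirmed."""

    def __init__(self, clock=time.time):
        self.trusted = {}   # account -> set of confirmed device ids
        self.pending = {}   # (account, device) -> {"code", "expires", "attempts"}
        self.outbox = []    # stand-in for the email/SMS channel (constructed)
        self.clock = clock  # injectable so expiry can be tested deterministically

    def login(self, account, device_id):
        """Call after the password check passed. Trusted devices go straight in;
        anything else gets a one-time code sent to the account owner."""
        if device_id in self.trusted.get(account, set()):
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded six digits
        self.pending[(account, device_id)] = {
            "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append({"to": account, "device": device_id, "code": code})
        return "confirmation_required"

    def confirm(self, account, device_id, submitted):
        """Check a submitted code; on success the device becomes trusted."""
        key = (account, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return "no_pending_challenge"
        if self.clock() > entry["expires"]:
            del self.pending[key]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]          # stop online guessing of the code
            return "too_many_attempts"
        if not hmac.compare_digest(entry["code"], submitted):
            return "wrong_code"
        del self.pending[key]
        self.trusted.setdefault(account, set()).add(device_id)
        return "ok"


def demo():
    """Walk one new laptop through the flow; returns the four step results."""
    auth = DeviceAuthorizer()
    first = auth.login("scott", "new-laptop")          # unknown device: code goes out
    code = auth.outbox[-1]["code"]                     # read it off the constructed outbox
    wrong = auth.confirm("scott", "new-laptop", "000000" if code != "000000" else "999999")
    right = auth.confirm("scott", "new-laptop", code)  # device is now trusted
    second = auth.login("scott", "new-laptop")         # no challenge the second time
    return first, wrong, right, second


if __name__ == "__main__":
    print(demo())
```

The `clock` parameter exists so the expiry path can be exercised without sleeping; the attempt cap is what keeps a six-digit code from being brute-forced online, and discarding the challenge (rather than just rejecting) forces a fresh code, and a fresh notification to the owner, on the next try.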
Sunday, August 14, 2011 3:09:54 AM UTC
What this tells me is that you have never dealt with the public.

Thanks to caller-id, phone-based customer interactions have long had the ability for the company to know who is calling before answering the phone, yet they all still ask you for your name/phone number/account when answering. This is because when caller-id first came out, answering the phone by greeting the caller by name freaked out the public who felt they were being spied on.

Similarly, if Apple sent the email you wrote the customers first reaction would be horror that someone at Apple is tracking their every purchase, where they are living, etc. Yes, you and most of the people reading this know that it is all automated, but the general public doesn't understand this. Instead they would be publicly ranting about Apple spying on them.

aa
Sunday, August 14, 2011 5:23:50 AM UTC
I think the point I agree with the most is that they could use the data they collect to help protect the customer a little better. Perhaps if they used the vast amounts of data to help and protect the customer instead of only marketing purposes, not as many people would complain about privacy and the amount of data they collect. Personalized ads or recommendations are fine, but personalized service and security would provide more motivation for me to give someone my business over their competition.
Sunday, August 14, 2011 5:30:46 AM UTC
In the Swedish app-store I need to enter my card details including CVC each time I use a new device. Even if the account is compromised, the bad guy will not be able to charge my card. Was both your AppleID and Cc-information compromised?
Sunday, August 14, 2011 7:14:32 AM UTC
"Similarly, if Apple sent the email you wrote the customers first reaction would be horror that someone at Apple is tracking their every purchase, where they are living, etc."

Given that they already email you about every purchase you make, I don't think that's really an issue here.
Sunday, August 14, 2011 7:32:21 AM UTC
ICR and AA - I have to agree with ICR. I don't think anyone has any illusions about what Apple does or doesn't know about us.
Sunday, August 14, 2011 8:07:10 AM UTC
So did you make the purchase in the end? :-)
Sunday, August 14, 2011 8:24:14 AM UTC
A great response, that identifies not just the issue but also proposes solutions, now we just have to build it ;-)

The Techcrunch article and your follow-up display the differences between tech journalism (skin deep coverage and critique), and in-depth tech understanding and the development of solutions.

Sadly it also shows the contempt Apple has for its customers: Come and spend lots of money on our wonderful technology but if there's a problem - it's your fault, rather than you have brought into the Apple family now let's work together to keep the bad guys at bay. Customer service is not about having great shop windows and saying "Have a nice day", but day in day helping your customers use the reality of what you have sold them.
Sunday, August 14, 2011 10:39:02 AM UTC
I don't agree with MG SIEGLER - there simply isn't enough evidence to prove that your password was compromised. This reaction is akin to Air Crash investigators saying Pilot Error when they actually don't really know what happened - so it must have been a human factor.

The point that you originally made is valid and your proposed solution is also valid; there is definitely a hole somewhere in the AppStore - there should be more fraud detection and prevention, otherwise this would never have happened in the first place.

This isn't something that just affects Apple, as attacks become more sophisticated the providers need to keep pace - and keeping the end user accurately informed about potential suspicious (or different) activity is essential. Maybe the end user isn't sophisticated enough to understand the seriousness of messages and maybe they will panic - which is why the *Why am I seeing this* type of explanation is so important.

Not informing the user before suspicious purchases are paid seems crazy. That is what I read as your original point, and it's still valid.
Sunday, August 14, 2011 11:13:11 AM UTC
The solution you propose is similar to the types of discussions we're having with respect to malware and host-based intrusion prevention. When we understand what normal behavior is, we flag what doesn't match that pattern. Depending on what is attempted, the security system may block it and notify or it may not. It's all dependent on the severity of what's being attempted.

Really, this is the only reasonable solution going forward. As others have indicated, it may not be a compromised password. It may be that a portion of their system is exposed. Remember, AT&T got busted on this with the iPhones not too long ago where sensitive information did get revealed. But even if it's totally the user's fault, you want to bring the user on board, to make them part of the solution, not screaming at them for doing it all wrong. The former gets a lot more compliance from users than the latter. It also tends to retain customers better. So I like your proposed solution a lot better, along with the references to how others get it right.
Sunday, August 14, 2011 12:40:37 PM UTC
Definitely seems like a weak spot in Apple's customer service. Disabling your account after x, y and z purchases have already been made... what good is that?
Sunday, August 14, 2011 1:46:11 PM UTC
Paul wrote:
"Do you think government or legislation should play a part in addressing your meta-points? Banking for example is heavily regulated to protect customers. "

The thing I generally don't like about these sorts of things is that they become "safe harbors" for business. In other words, government sets a weak minimum standard for this kind of interaction. Fraud still occurs, but now the businesses are immune to legal action because they just say "We implemented the processes specified by the dept of cloud services to the fullest."

There is banking regulation and now apparently the US is going to provide these safe harbors for a new Consumer based credit agency. So you can't sue for unforeseen torts. They get immunized by the new agency.

I am painting this with a very broad brush, and I am not going to say I am against all implementations of legislation or regulation to combat this. I'm just saying I think it's the weakest tool we have. Our wallets are the most powerful.
Sunday, August 14, 2011 2:28:06 PM UTC
Interesting read. You've mentioned bank fraud detection systems. So on top of anything that major sites should provide; should it be that online vendors inform the payment systems (in this case paypal) of the country of the user making the purchase? Not just the location of the reseller, especially in an age of digital content that can be delivered anywhere at great speed. The banks could even require the ip address (even if for privacy reasons it's only down the last x bits)? Afterall it's not that far off what is done for ATM transactions.

It would give that additional layer of detection \ protection from people who actually specialise in dealing with fraud and theft, it also benefits those who use smaller\ open source shopping carts.
Sunday, August 14, 2011 3:41:21 PM UTC
I think you have very good suggestions here. I am both a Windows and Mac/iOS fan. I like the nice walled garden for iOS but all cloud services need to start being much more proactive in their security approaches. Especially the point you are making here, if you are basically agreeing to allow a company (like Apple) have detailed information on what you use and where you use it then it seems like a very reasonable expectation that as part of having that information they should use it to prevent fraud.
I think a good part of how companies currently deal with this is based on early design decisions where the intent was to limit liability while keeping things easy for the user. But over time the design of these processes have not kept up with the information and integration available to those companies. In the end users will vote with their feet (or their NIC) if companies don't act to keep users secure.
Jeff Reser
Sunday, August 14, 2011 3:56:17 PM UTC
You missed a point in the email you'd love to receive:
* Despite not being able to sync your purchases with this un-associated device, we've allowed your Apple ID to purchase something from this device.
Sunday, August 14, 2011 11:22:12 PM UTC
First a couple points on the security breach itself. I won't mention them by name but a well known password keeper had a security breach, I wonder if they obtained your password via a site that you just happened to use the same Apple password on, like Apple's site :) Of concern is also the fact your CC info is a goner too.

As for the cloud - I just don't see the relevance to this issue. Even if the cloud as a concept never existed and iTunes was a tiny vertical, this would still have happened and been a PIA. There is no 1 cloud as you point out so even though "a" cloud might be very centralized, who uses just 1? A compromised system is a problem regardless.

I point this out only because the cloud already gets enough and in most cases unjustified negative press spreading more fear and misunderstanding, not that you were necessarily trying to do that - it was just a rant ;) which you don't need to apologize for either - anyway, on the plus I changed my iTunes pwd so thx.
Monday, August 15, 2011 7:15:08 AM UTC
Scott,

Great posts on security! This interaction is inspiring for me to rethink some of the security paths in place in our own system. In fact I now feel inclined to advocate to put a more stringent security protocol in place in our software, so our users can feel safe about accessing their data online.

Thanks for your effort on these posts.

Greets,
Jonathan
Monday, August 15, 2011 8:26:56 AM UTC
Indeed it does suck to lose your data. At the end of the day with digital services such as these, and others like Kindle, the centralised records of your purchases are your receipts. If this information is lost or compromised, how easy is it to get back and how easy is it to prove your purchases?

Fair enough, a bank account is likely a "more important" entity than an iTunes account. However, things like Zune and iTunes are only getting bigger and bigger - people plough a lot of money into these and expect their purchases to stay safe. I agree that behavioural security systems are likely the best way to go. I have no problem with these entities knowing what I buy, what devices I have, and where I buy it - as it enables them to detect strange behaviour.

Obligatory XKCD reference:

http://xkcd.com/936/
Monday, August 15, 2011 12:23:29 PM UTC
Maybe your email is too verbose. Something along the lines "your recent purchase is way off your other purchases. Click here to confirm" is more friendly to my 60 years old daddy
Monday, August 15, 2011 1:25:18 PM UTC
Yep, that sort of email you'd love to receive is exactly the reason I don't like Microsoft products. Has the public reaction to Clippy taught you nothing?

I'm not sure that graphic at the top of the post is very reassuring.
Monday, August 15, 2011 2:01:27 PM UTC
To be honest, I hadn't owned an Apple product since the iPod first came out so many years ago and then several weeks ago my Contract with Verizon was up so I renewed and replaced my Droid with an iPhone to try it out. I don't even know why they have you setup a password for your account because every single time I try to download an app it locks my account and I have to setup a completely new password. During the reset process it doesn't let you use a password you have used within the past year, but if you go to the site you can change the password you just created to anything you want, including your old password. After three weeks, this 5 minute process every few days is starting to annoy the crap out of me.
cadetduke
Monday, August 15, 2011 3:51:51 PM UTC
@Tom Cook, that was a joke man ;)
James Culbertson
Monday, August 15, 2011 4:48:07 PM UTC
"Screed"? Quite the magniloquent parlance for such a ballyhooed harangue. Kudos to you Gruber, kudos!
Monday, August 15, 2011 5:42:06 PM UTC
I think you brought up excellent points. I can appreciate the type of security you mentioned from some of my banks.

I think it would be a step in the right direction for the cloud services. Recently two colleagues' accounts were compromised for lack of fraud alerts. They both also confirmed that their systems were virus free. Go figure.

Ubuntu One, are you listening?
Monday, August 15, 2011 9:53:44 PM UTC
Your suggested email is fine, but Sérgio's suggestion is much better. It also more closely matches the google examples that you gave.

Apple did (does?) this wrong, and the people who don't agree with that statement are probably just so used to defending Apple that they forgot to stop and consider how easy this system would be to improve.

That's one of the things I admire about you Scott: You don't settle for mediocrity. Don't listen to the haters either. You're right about how they handled it bad, and you're probably even right about how you didn't lose your password
Tuesday, August 16, 2011 3:19:36 AM UTC
Good points.

I wish google could do something about emails sent to you pretending to be someone else (especially your friends). This could save the world millions of spams.
Tuesday, August 16, 2011 7:29:22 AM UTC
Excellent post. I was also skeptical about MG's comment, I am more concerned about my money than my fanship to Apple. I still remember last year a lot of accounts faced fraud purchases. What is Apple ultimately expecting from a purchase? A safe genuine purchase from the customer, or any purchase in the name of the customer which can be either fraud or genuine? Without a proper security system any cloud or online services are a headache for customers.

Google has implemented excellent security modelling as you mentioned. Also if I login from other countries, it will specifically notify.

Apple has to make their cloud service secure because such a reputed organization like Apple should not have this kind of bad images on the user support and financial transactions.
Tuesday, August 16, 2011 8:46:11 AM UTC
More and more horror stories made me believe that we are being the beta testers for the security modules of these applications. What a beauty: charge everyone's credit card twice, and send a sweet message to the device owner. The basic issue lies in the way the transactions are allowed on the small devices.
Tuesday, August 16, 2011 8:01:09 PM UTC
I wish more sites would offer integration with an RSA token. It galls me that my World of Warcraft account is more secure than my cloud services and banking site. Clicking a button to generate a six digit code in addition to entering my username and password doesn't bother me at all. The added security makes me more than willing to go through the extra step. It becomes so second nature that within a week you don't even notice you're doing it, just like typing a password.

SaaS vendors, PLEASE add support for RSA tokens. They are cheap, easy to integrate, and crazy simple to use.
Wednesday, August 17, 2011 10:01:38 PM UTC
A couple of people have failed to consider that security can be modular. Users can and should be given the ability to apply heightened security to their accounts. So just because someone personally wouldn’t want to deal with a feature does not mean the feature shouldn’t be included as an optional one.
Friday, August 19, 2011 2:31:19 AM UTC
I think the cool thing here is by Tech Crunch acknowledging your post they are putting you on the same journalistic tech level as them.

Way to go you!
Tuesday, October 30, 2012 3:00:19 AM UTC
I've been confronted with this problem since 2 days ago.
I searched the internet for a solution, that's why I came here.
I didn't use any redeem code from an unknown source, nor did I use an invalid credit card.
It made me outraged when I was told my Apple ID had been disabled.
Purchase of charged items on my Mac couldn't be completed before my Apple ID was disabled (free items, or via my iPhone or iPad, could be downloaded). I contacted them for help but they told me the restriction on my ID can not be removed.
I have spent hundreds of dollars on my ID. I don't think it's my fault; as a consequence my Apple ID shouldn't have been disabled.
Young

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.