Scott Hanselman

A suggested improved customer interaction with the Apple Store (and Cloud Services in general)

August 13, '11 Comments [39] Posted in Apple | Musings

Alternative Title: "What good fraud detection looks like"

[Image: Save me, Clippy, from Internet Fraud!]

My recent 'screed', "Welcome to the Cloud - 'Your Apple ID has been disabled'", got a number of people talking. Yes, Gruber's DF called it a 'screed', which is a common enough term on his site, I suppose. Sure, it was a rant, I'll accept that.

MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.

But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?

I honestly don't know how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly). The point isn't even Apple-specific, although they are an excellent example.

This security-related user interaction could just as easily have been on Xbox Live, Amazon Kindle, DropBox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.

Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked with half of the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.

For example, in one system, if your account password was compromised the bad guys could log in and see your account balances. However, there was a scale of 'risky operations', from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky), that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we would challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates will have to become the norm in user interactions with Cloud Services.

MG Siegler calls me out here:

Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like.

Here is the email and what it made me feel. Then I'll propose a solution.

Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.

I read this as:

  • We know what devices you have, and a new device we've never seen before has bought something.
  • If it was you, don't worry, this email was FYI.
  • If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
  • Whatever happened was probably your fault and you should be more careful with these tips.

It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeded in upsetting me and making me feel not only out of control but also helpless.

Here's an email I would have loved to have received:

Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.

  • You've never purchased an app in Chinese. Your last 492 app purchases have been English.
  • This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
  • This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
  • This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.

We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you protect the security of your account.
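As an added illustration, not code from this post, from the banking system described earlier, or from Apple, here is a small Python risk scorer in the shape those two passages describe: it compares a new purchase against the account's history, collects the anomaly signals the proposed email lists (new device, new location, new carrier, new app language, in-app purchase over the user's threshold), folds them into a risk value for the event, and gates the action on thresholds: allow it, allow it but notify, or hold it for a confirmation step. The weights and thresholds are assumptions, the signals are simply summed rather than combined with the Bayesian model the bank used, and the purchase history and events are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Purchase:
    device_id: str        # hardware identifier the store already tracks
    country: str          # where the purchase originated
    carrier: str          # mobile carrier of the purchasing device
    language: str         # language of the app's store listing
    iap_usd: float = 0.0  # in-app purchase amount, 0 for a plain app purchase


@dataclass
class Account:
    history: list         # past Purchase records for this account, oldest first
    iap_limit_usd: float  # the user's own in-app purchase threshold


# Assumed, illustrative weights. The banking system in the post learned its
# risk values with Bayesian models; this additive sum only stands in for that.
WEIGHTS = {
    "new_device": 0.35,
    "new_country": 0.30,
    "new_carrier": 0.15,
    "new_language": 0.15,
    "over_iap_limit": 0.25,
}
NOTIFY_AT = 0.35     # unusual: let it through, but tell the user (the FYI email)
CHALLENGE_AT = 0.60  # risky: hold the purchase until the user confirms the device


def signals(account, p):
    """Return (name, explanation) pairs for each way p departs from the history."""
    hist = account.history
    found = []
    devices = {h.device_id for h in hist}
    if p.device_id not in devices:
        found.append(("new_device",
                      f"device not previously associated with this account "
                      f"({len(devices)} known devices)"))
    if hist:  # the comparisons below need something to compare against
        countries = {h.country for h in hist}
        if p.country not in countries:
            found.append(("new_country",
                          f"purchase originated in {p.country}; previous purchases "
                          f"originated in {', '.join(sorted(countries))}"))
        carriers = {h.carrier for h in hist}
        if p.carrier not in carriers:
            found.append(("new_carrier",
                          f"purchase via carrier {p.carrier}; other devices are on "
                          f"{', '.join(sorted(carriers))}"))
        languages = {h.language for h in hist}
        if p.language not in languages:
            found.append(("new_language",
                          f"first app in {p.language}; the last {len(hist)} "
                          f"purchases were in {', '.join(sorted(languages))}"))
    if p.iap_usd > account.iap_limit_usd:
        found.append(("over_iap_limit",
                      f"in-app purchase of ${p.iap_usd:.2f} exceeds the "
                      f"${account.iap_limit_usd:.2f} threshold set on this account"))
    return found


def decide(account, p):
    """Score the purchase and pick the gate: allow, notify or challenge."""
    found = signals(account, p)
    risk = min(1.0, sum(WEIGHTS[name] for name, _ in found))
    if risk >= CHALLENGE_AT:
        action = "challenge"
    elif risk >= NOTIFY_AT:
        action = "notify"
    else:
        action = "allow"
    return action, round(risk, 2), [reason for _, reason in found]


# Constructed sample history: an English-language buyer in Oregon on AT&T, two devices.
HISTORY = [Purchase("ipad-1", "US-OR", "AT&T", "en"),
           Purchase("iphone-1", "US-OR", "AT&T", "en", iap_usd=4.99),
           Purchase("iphone-1", "US-OR", "AT&T", "en")]
ACCOUNT = Account(HISTORY, iap_limit_usd=10.00)

# Constructed events: the pattern from the post, a routine purchase, and a
# genuinely new device bought by the account owner.
FRAUD = Purchase("unknown-7c3e", "CN-SH", "China Unicom", "zh", iap_usd=20.00)
ROUTINE = Purchase("iphone-1", "US-OR", "AT&T", "en", iap_usd=2.99)
NEW_DEVICE = Purchase("iphone-2", "US-OR", "AT&T", "en")

if __name__ == "__main__":
    for label, event in (("fraud", FRAUD), ("routine", ROUTINE), ("new device", NEW_DEVICE)):
        action, risk, reasons = decide(ACCOUNT, event)
        print(f"{label}: {action} (risk {risk})")
        for reason in reasons:
            print("  -", reason)
```

The explanations returned by `signals` are the bullet points of the email above; the `notify` tier is the one-time confirmation on the first purchase from a new device, and the `challenge` tier is the gate that the compromised-password case should have hit before any in-app purchase went through.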

MG Siegler says:

And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.

I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time" but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have an @me email account that the bad guys own).

This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to foo@foo.com. Why is this notice here?"

[Image: Gmail redirect notice]

I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.
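As an added example, not code from this post or from Google, here is a Python audit of an exported Gmail filter list for the kind of rule that notice warns about: a filter that forwards matching mail elsewhere, especially one that also archives or marks as read so the owner never sees the forwarded copies. It assumes the Atom layout that Gmail's "Export filters" feature produces, with one `entry` per filter and `apps:property` elements named `forwardTo`, `hasTheWord`, `shouldArchive` and so on; the sample file below is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Gmail filter export (assumed format).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample export: one harmless labelling filter and one filter that
# siphons mail containing sensitive keywords to an outside address and hides it.
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR "reset your" OR invoice'/>
    <apps:property name='forwardTo' value='foo@foo.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

MATCH_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment")
HIDE_KEYS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted_domains):
    """Flag every forwarding filter; rate it by destination and by whether it hides mail."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text)):
        target = props.get("forwardTo")
        if not target:
            continue
        domain = target.rsplit("@", 1)[-1].lower()
        severity = "info" if domain in trusted_domains else "high"
        hides = [k for k in HIDE_KEYS if props.get(k) == "true"]
        if hides and severity == "high":
            severity = "critical"   # forwarded out and concealed from the inbox
        findings.append({
            "filter": index,
            "forward_to": target,
            "severity": severity,
            "hides_from_inbox": hides,
            "criteria": {k: v for k, v in props.items() if k in MATCH_KEYS},
        })
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE, {"hanselman.com"}):
        print(f"filter #{f['filter']}: forwards to {f['forward_to']} "
              f"[{f['severity']}] hides={f['hides_from_inbox']} criteria={f['criteria']}")
```

Run against a real export, the `trusted_domains` set is whatever domains you legitimately forward to; anything rated `critical` is the pattern an attacker with a stolen password sets up once and then walks away from, which is exactly why a persistent banner beats a one-time notification here.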

Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.

[Images: Gmail suspicious activity warning and redirect notice]

I expect my cloud services to let me know, in a way that escalates appropriately with the threat, when something that doesn't match my patterns happens.

The meta-points are

  • The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
  • Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
  • We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
  • It sucks to lose access to your cloud data.

What are your thoughts, Dear Reader?

Thanks to Matt Sherman for the Alternative Title! ;)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Welcome to the Cloud - "Your Apple ID has been disabled."

August 12, '11 Comments [104] Posted in Apple | Musings

Welcome Hacker News, Slashdot, DF and TechMeme. Be sure to read the follow up post on "What Good Fraud Detection Looks Like."

[Image: "Your Apple ID has been disabled."]

So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.

The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.

I've got email in Gmail, Music in Spotify, files in DropBox, documents in SkyDrive, photos in Flickr, and media and Apps in the Apple Cloud.

I got this email out of nowhere yesterday.

Dear Scott Hanselman,
Your Apple ID, scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple

After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.

The phrasing of this email is irritating and wrong-headed. Here's why.

  1. They know it's a device they've never seen before.
  2. They let it happen anyway.
  3. They tell me it's for my good in a self-congratulatory way.
      This email was sent as a safeguard designed to protect you against unauthorized purchases.
  4. But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.

[Image: App Store listing for the app]

I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.

If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.

The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apple knows what devices I have and still allowed the purchase.

Next, I got a PayPal email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.

Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.

And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.

[Image: iTunes purchase history showing the in-app purchases]

[Image: unrecognized music and video purchases]

I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either.

Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.

According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.

Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.

If you have stories about fraud or hacking, tell me your stories at http://myappleidhasbeendisabled.tumblr.com


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.