Alternative Title: "What good fraud detection looks like"
My recent 'screed' called "Welcome to the Cloud - "Your Apple ID has been disabled" got a number of people talking. Yes, Gruber's DF called it a 'screed' which is a common enough term on his site I suppose. Sure, it was a rant, I'll accept that.
MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.
But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.
And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?
I honestly don't how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly.) The point isn't even Apple-specific, although they are an excellent example.
This security related user interaction could just as easily been on Xbox Live, Amazon Kindle, DropBox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.
Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked half the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.
For example, in one system, if your account password is compromised the bad guys could be able log into and see your account balances. However, there was a scale of 'risky operations' from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky) that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we get challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates is will have to become the norm in user interactions with Cloud Services.
MG Siegler calls me out here:
Apple sent him a email warning him of strange activity on his account, but worded it in a way he didn’t like.
Here is the email and what it made me feel. Then I'll propose a solution.
Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
I read this as:
- We know what devices you have, and a new device we've never seen before has bought something.
- If it was you, don't worry, this email was FYI.
- If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
- Whatever happened was probably your fault and you should be more careful with these tips.
It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeding in upsetting me and making me feel not only out of control but also helpless.
Here's a email I would have loved to have received
Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.
- You've never purchased an app in Chinese. Your last 492 app purchases have been English.
- This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
- This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
- This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.
We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices. protect the security of your account.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you
MG Siegler says:
And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.
I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time" but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have a @me email account that the bad guys own.)
This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to email@example.com. Why is this notice here?"
I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.
Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.
I expect my cloud services to let me know in a way that escalates appropriately with the threat when something that doesn't' match my patterns happens.
The meta-points are
- The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
- Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
- We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
- It sucks to lose access to your cloud data.
What are your thoughts, Dear Reader?
Thanks to Matt Sherman for the Alternative Title! ;)