A suggested improved customer interaction with the Apple Store (and Cloud Services in general)
Alternative Title: "What good fraud detection looks like"
My recent 'screed' called "Welcome to the Cloud - 'Your Apple ID has been disabled'" got a number of people talking. Yes, Gruber's DF called it a 'screed', which is a common enough term on his site I suppose. Sure, it was a rant, I'll accept that.
MG Siegler from TechCrunch had these comments, some very valid. Emphasis mine.
But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.
And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?
I honestly don't know how my Apple ID account was compromised. I had a high-entropy generated site-specific password. I've scanned all my systems for trojans, keyloggers and rootkits. However, that's not the point, nor was it the point of the post (although it was a bit of a rant on my part, admittedly.) The point isn't even Apple-specific, although they are an excellent example.
This security-related user interaction could just as easily have been on Xbox Live, Amazon Kindle, DropBox, or any of a hundred other Cloud services. Regardless of how the fraud occurred, what happens next is a user interaction point that is an opportunity to make things right for the customer.
Before I worked for Microsoft, I was the Chief Architect at an Online Banking vendor. At our high point, 25% of the retail online banking in the US ran through the system I worked on. We worked with half of the top ten banks in the country, as well as banks overseas. We worked with anti-fraud systems and the FBI. We designed a number of interesting systems around keeping users safe and informed.
For example, in one system, if your account password was compromised the bad guys could log in and see your account balances. However, there was a scale of 'risky operations', from seeing your account numbers (hidden by default) to transferring money internally (risky) to transferring money overseas (very risky), that would throw up gauntlets. Using Bayesian algorithms we would assign a user's session and their activities a risk value. When those values passed a threshold, we would challenge them for more information. The user isn't bothered when they do the stuff they always do from the computers they always use. But if you're suddenly on a new browser from a new system in a new country doing something you've never done before, we'll challenge you. This kind of adaptive real-time fraud detection with security gates will have to become the norm in user interactions with Cloud Services.
MG Siegler calls me out here:
Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like.
Here is the email and what it made me feel. Then I'll propose a solution.
Your Apple ID was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.
If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
I read this as:
- We know what devices you have, and a new device we've never seen before has bought something.
- If it was you, don't worry, this email was FYI.
- If it wasn't you, you should go to iforgot.apple.com and change your password and protect your account.
- Whatever happened was probably your fault and you should be more careful with these tips.
It may very well be my fault, but this user interaction isn't designed to comfort me or to make me feel safer. It succeeded in upsetting me and making me feel not only out of control but also helpless.
Here's an email I would have loved to receive:
Congrats on your new iPhone/iPad! We noticed you've made your first purchase, as your Apple ID was just used to buy 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.
Ordinarily we wouldn't bother you but we noticed a few things about your recent purchase.
- You've never purchased an app in Chinese. Your last 492 app purchases have been English.
- This purchase was from the China Unicom carrier, while your other 3 devices are on AT&T.
- This purchase originated from a location in Shanghai, while your previous app purchases have originated from Oregon.
- This application included In-App purchases over $20 and you've set your in-App purchase threshold at $10.
We realize this may be inconvenient, but in instances like these, it's best to be extra careful. We need to associate your new device with your Apple ID. This is a one-time operation. If you made this purchase, please click here to confirm. This email was sent as a safeguard designed to protect you against unauthorized purchases on new devices.
If you did not make this purchase, click here and let us know. The security of your account is important to us and we always recommend you protect the security of your account.
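To make the banking-style risk scoring described earlier and the signals listed in the proposed email concrete, here is an added example (my own illustration, not Apple's system or the post's code): it scores one App Store purchase against the account's history, produces the human-readable reasons the email would show, and escalates from "allow" to a one-time device confirmation to holding the purchase for a challenge. The account profile, purchase data, signal weights and threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not Apple's system: scores one App Store purchase against the
# account's history and escalates the response with the risk. Sample data and
# weights below are constructed assumptions for illustration.

@dataclass
class Profile:
    known_devices: set   # devices already associated with the Apple ID
    languages: set       # languages of past app purchases
    carriers: set        # carriers of the account's known devices
    regions: set         # regions past purchases originated from
    iap_limit: float     # user-set in-app purchase threshold (dollars)
    purchases: int       # number of past app purchases

@dataclass
class Purchase:
    device: str
    language: str
    carrier: str
    region: str
    iap_max: float       # largest in-app purchase the app offers (dollars)

# Illustrative weights; a real system would fit these from fraud history.
WEIGHTS = {"new_device": 0.3, "language": 0.2, "carrier": 0.2,
           "region": 0.25, "iap_limit": 0.15}

def risk_signals(prof: Profile, p: Purchase) -> list:
    """Return (signal, reason) pairs; the reasons are what the email would show."""
    found = []
    if p.device not in prof.known_devices:
        found.append(("new_device", f"device {p.device} was never associated with this Apple ID"))
    if p.language not in prof.languages:
        found.append(("language", f"first {p.language} app; your last {prof.purchases} purchases were {'/'.join(sorted(prof.languages))}"))
    if p.carrier not in prof.carriers:
        found.append(("carrier", f"purchase via {p.carrier}; your {len(prof.known_devices)} devices are on {'/'.join(sorted(prof.carriers))}"))
    if p.region not in prof.regions:
        found.append(("region", f"purchase from {p.region}; previous purchases came from {'/'.join(sorted(prof.regions))}"))
    if p.iap_max > prof.iap_limit:
        found.append(("iap_limit", f"in-app purchases up to ${p.iap_max:.0f} exceed your ${prof.iap_limit:.0f} threshold"))
    return found

def decide(prof: Profile, p: Purchase, threshold: float = 0.5):
    """Escalate: allow -> confirm_device (one-time) -> hold_and_challenge."""
    signals = risk_signals(prof, p)
    score = round(sum(WEIGHTS[name] for name, _ in signals), 2)
    if score >= threshold:
        action = "hold_and_challenge"   # do not complete the purchase yet
    elif any(name == "new_device" for name, _ in signals):
        action = "confirm_device"       # completes once the user confirms the device
    else:
        action = "allow"
    return action, score, [reason for _, reason in signals]

# Constructed sample history and two purchases (assumed values)
ACCOUNT = Profile({"iphone-1", "ipad-1"}, {"en"}, {"AT&T"}, {"Oregon"}, 10.0, 492)
SUSPECT = Purchase("unknown-1", "zh", "China Unicom", "Shanghai", 20.0)
ROUTINE = Purchase("iphone-1", "en", "AT&T", "Oregon", 5.0)

if __name__ == "__main__":
    for p in (SUSPECT, ROUTINE):
        action, score, reasons = decide(ACCOUNT, p)
        print(action, score, *reasons, sep="\n  ")
```

A new device on the usual carrier and in the usual region scores below the threshold and only triggers the one-time confirmation; a new device in a new country crosses it and the purchase is held.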
MG Siegler says:
And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time.
I have, according to iTunes, 492 applications. They have all been purchased on either my iPad or my iPhone. I purchase new apps all the time. In fact, the ratio of my app purchases to my device purchases is 492:2. I realize MG says "people buy new devices all the time", but I would argue that a single confirmation email on the first application purchased on a new device would greatly reduce cases of fraud like this (assuming you don't have an @me email account that the bad guys own.)
This is a single example of an Apple interaction, but I would expect nothing less from my Xbox, from my Kindle, or from my Bank. In fact, I get notifications from Gmail that make me feel better about my interaction with them, not worse. Recently I logged into my Google Apps account and a small red banner was at the top that said "You are forwarding email to foo@foo.com. Why is this notice here?"
I saw this Gmail notice and said to myself, "rock on." I didn't realize I was forwarding emails with certain keywords to another account. This could be an attack vector for bad guys to siphon information out of a compromised email account. And the "why is this notice here?" link is subtle brilliance. Inform the customer and answer common questions.
Gmail also has a "notify me of suspicious activity" setting. I receive this when I am overseas or after coming back. Also brilliant. You don't usually go to Poland, so here's how to protect yourself.
I expect my cloud services to let me know, in a way that escalates appropriately with the threat, when something that doesn't match my patterns happens.
The meta-points are:
- The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
- Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
- We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
- It sucks to lose access to your cloud data.
What are your thoughts, Dear Reader?
Thanks to Matt Sherman for the Alternative Title! ;)
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
I think every cloud service that (especially) contains private information should be forced to implement exactly the measures you describe, or even at a minimum, what Facebook employs. I've never seen Amazon do anything like this or even offer something like this... if they do, they definitely don't advertise it.
I also wish it was easier to secure customer information when you have a site. I recently developed a site that optionally asks users for their email or phone to send notifications. I encrypt that information and bought SSL for the site; I only have 30 users right now but I feel it's worth it just to be safe. Who knows how many services we log into everyday don't even do that, especially if they are one-off 3rd party apps on phones/sites/etc. I blatantly say I encrypt your information as they focus on the textbox and even include a lock icon next to each field that is encrypted. Maybe some people don't care, but security is important to me, especially when it deals with my information.
I don't see that they offer any two-factor authentication, and that would be a good *option* for any account where money is transferred from Paypal, credit cards, or banks. I saw an interesting one that's not too obtrusive (offered by MyOpenId among others) in which the service calls your cell after you login with your username/password. If you answer and hit the # key it continues the authentication: ANX Phone Factor Authentication.
Do you think government or legislation should play a part in addressing your meta-points? Banking for example is heavily regulated to protect customers.
As a cloud service provider offering services to consumers, should there be a body of legislation that applies beyond privacy laws? For example:
- You must not store un-hashed passwords
- You mustn't include passwords in emails
- You must audit the following events
- You must put the following checks in place to monitor fraud
- When terminating or locking accounts, you must have an appeals process and provide an export of all user data
Paul
- You install steam on a new computer and log in.
- Steam recognizes this is a new device, and sends you an email confirmation.
- You enter the confirmation in Steam, which unlocks Steam and you're done.
This process assures me that if someone tried using my steam account on a new computer, I'll be notified before they get to the checkout.
Thanks to caller-id, phone-based customer interactions have long had the ability for the company to know who is calling before answering the phone, yet they all still ask you for your name/phone number/account when answering. This is because when caller-id first came out, answering the phone by greeting the caller by name freaked out the public, who felt they were being spied on.
Similarly, if Apple sent the email you wrote, the customer's first reaction would be horror that someone at Apple is tracking their every purchase, where they are living, etc. Yes, you and most of the people reading this know that it is all automated, but the general public doesn't understand this. Instead they would be publicly ranting about Apple spying on them.
Given that they already email you about every purchase you make, I don't think that's really an issue here.
The Techcrunch article and your follow-up display the differences between tech journalism (skin deep coverage and critique), and in-depth tech understanding and the development of solutions.
Sadly it also shows the contempt Apple has for its customers: Come and spend lots of money on our wonderful technology, but if there's a problem - it's your fault, rather than you have bought into the Apple family, now let's work together to keep the bad guys at bay. Customer service is not about having great shop windows and saying "Have a nice day", but day in, day out helping your customers use the reality of what you have sold them.
The point that you originally made is valid and your proposed solution is also valid; there is definitely a hole somewhere in the AppStore - there should be more fraud detection and prevention, otherwise this would never have happened in the first place.
This isn't something that just affects Apple, as attacks become more sophisticated the providers need to keep pace - and keeping the end user accurately informed about potential suspicious (or different) activity is essential. Maybe the end user isn't sophisticated enough to understand the seriousness of messages and maybe they will panic - which is why the *Why am I seeing this* type of explanation is so important.
Not informing the user before suspicious purchases are paid seems crazy. That is what I read as your original point, and it's still valid.
Really, this is the only reasonable solution going forward. As others have indicated, it may not be a compromised password. It may be that a portion of their system is exposed. Remember, AT&T got busted on this with the iPhones not too long ago where sensitive information did get revealed. But even if it's totally the user's fault, you want to bring the user on board, to make them part of the solution, not screaming at them for doing it all wrong. The former gets a lot more compliance from users than the latter. It also tends to retain customers better. So I like your proposed solution a lot better, along with the references to how others get it right.
"Do you think government or legislation should play a part in addressing your meta-points? Banking for example is heavily regulated to protect customers. "
The thing I generally don't like about these sorts of things is that they become "safe harbors" for business. In other words, government sets a weak minimum standard for this kind of interaction. Fraud still occurs, but now the businesses are immune to legal action because they just say "We implemented the processes specified by the dept of cloud services to the fullest."
There is banking regulation and now apparently the US is going to provide these safe harbors for a new Consumer-based credit agency. So you can't sue for unforeseen torts. They get immunized by the new agency.
I am painting this with a very broad brush, and I am not going to say I am against all implementations of legislation or regulation to combat this. I'm just saying I think it's the weakest tool we have. Our wallets are the most powerful.
It would give that additional layer of detection / protection from people who actually specialise in dealing with fraud and theft; it also benefits those who use smaller / open source shopping carts.
I think a good part of how companies currently deal with this is based on early design decisions where the intent was to limit liability while keeping things easy for the user. But over time the design of these processes has not kept up with the information and integration available to those companies. In the end users will vote with their feet (or their NIC) if companies don't act to keep users secure.
* Despite not being able to sync your purchases with this un-associated device, we've allowed your Apple ID to purchase something from this device.
As for the cloud - I just don't see the relevance to this issue. Even if the cloud as a concept never existed and iTunes was a tiny vertical, this would still have happened and been a PIA. There is no 1 cloud as you point out so even though "a" cloud might be very centralized, who uses just 1? A compromised system is a problem regardless.
I point this out only because the cloud already gets enough and in most cases unjustified negative press spreading more fear and misunderstanding, not that you were necessarily trying to do that - it was just a rant ;) which you don't need to apologize for either - anyway, on the plus I changed my iTunes pwd so thx.
Great posts on security! This interaction is inspiring for me to rethink some of the security paths in place in our own system. In fact I now feel inclined to advocate to put a more stringent security protocol in place in our software, so our users can feel safe about accessing their data online.
Thanks for your effort on these posts.
Greets,
Jonathan
Fair enough, a bank account is likely a "more important" entity than an iTunes account. However, things like Zune and iTunes are only getting bigger and bigger - people plough a lot of money into these and expect their purchases to stay safe. I agree that behavioural security systems are likely the best way to go. I have no problem with these entities knowing what I buy, what devices I have, and where I buy it - as it enables them to detect strange behaviour.
Obligatory XKCD reference:
http://xkcd.com/936/
I'm not sure that graphic at the top of the post is very reassuring.
I think it would be a step in the right direction for the cloud services. Recently two colleagues accounts were compromised for lack of fraud alerts. They both also confirmed that their systems were virus free. Go figure.
Ubuntu One, are you listening?
Apple did (does?) this wrong, and the people who don't agree with that statement are probably just so used to defending Apple that they forgot to stop and consider how easy this system would be to improve.
That's one of the things I admire about you Scott: You don't settle for mediocrity. Don't listen to the haters either. You're right about how they handled it badly, and you're probably even right about how you didn't lose your password.
I wish Google could do something about emails sent to you pretending to be someone else (especially your friends). This could save the world millions of spams.
Google has implemented excellent security modelling as you mentioned. Also if I login from other countries, it will specifically notify.
Apple has to make their cloud service secure because such a reputed organization like Apple should not have this kind of bad images on the user support and financial transactions.
SaaS vendors, PLEASE add support for RSA tokens. They are cheap, easy to integrate, and crazy simple to use.
Way to go you!
I searched the internet for a solution, that's why I came here.
I didn't use any redeem code from an unknown source, nor did I use an invalid credit card.
It made me outraged when I was told my Apple ID had been disabled.
Purchase of charged items on my Mac couldn't be completed before my Apple ID was disabled (free items, or via my iPhone or iPad, could be downloaded). I contacted them for help but they told me the restriction on my ID can not be removed.
I have spent hundreds of dollars on my ID. I don't think it's my fault; as a consequence my Apple ID shouldn't have been disabled.
That's why you were targeted.
Now, your suggestions are all fine and good and of course there will be newer, but more difficult attack vectors by pretending to be one of those emails. But still, there are more steps that can be taken.
The current system of:
1) A suspicious purchase was made and we know it because we're sending you this email.
2) We let the purchase happen anyways.
3) Oh yeah and then we disabled your ID... ultra-security!
It's not secure. That is not a path to preventing fraud and leaves the user insecure. I would say this about Xbox Live if a similar transaction occurred.
Interesting that my credit card company stops a suspicious purchase (to a high enough threshold, probably scoring it similarly to the methods you described, Scott) and then CALLS me and says "Hey, did you try to buy $25,000 worth of shoes at Payless.com" and resolves it in minutes.
Of course, they would have to eat $25,000, so they have motivation.