WTF, Apple?
Apple is reportedly trying to be “more secure” about its Apple Store setup. The thing is, they’re going about it in the most idiotic way I can imagine–one which may beef up their security, but at the same time, sets up millions of users to fall for trojans and phishing schemes.
As we are exposed to these schemes more and more, we learn to avoid falling for them by adhering to a few basic principles. Two of them have become the most deeply ingrained. The first is: when a pop-up appears and asks you to enter your password, be very leery of it, especially if it does not look fully official and could be a scam. That is exactly the method used by the FlashBack malware creators; break that principle, and you open the door for trojans.
Next, when you get an email and it links directly to a “trusted” site and asks you, before anything else, to enter your user ID and password, don’t. Banks will even tell you outright that they never send emails that link you to login pages, and that you should enter the bank’s URL directly. With Safari being vulnerable to counterfeit URLs, the danger is even greater. Break that principle, and you can be suckered into phishing schemes.
And yet, with Apple’s “more secure” tightening of iTunes accounts, they are leading users to violate those exact two principles, setting them up to be victimized by scammers and hackers.
First, in iOS, when you try to download a new app from the App Store, it will, as usual, take you out of the App Store so you can see the app downloading–a “feature” which is stupid for different reasons.
Here’s the stupid part, security-wise: outside of the App Store app, you get a dialog box which pops up and says, “Security Info Required”; before you can download anything, even a free app, you have to accept it and, despite having just entered your user ID and password to download the app only seconds before, you are prompted to do it again.
When that happened to me, red flags went up–it had all the hallmarks of a trojan (a pop-up followed by an unusual and redundant ID & password request, neither of which I had ever seen before). Nor am I the only one to get this sense–many were baffled by this procedure for exactly the same reasons. It was only after researching on the web that I felt halfway confident that it was indeed genuine; for obvious reasons, I am extremely reluctant to enter my iTunes Store password, and Apple did a piss-poor job of making it seem authentic. All they had to do was make the pop-up appear a second earlier, within the App Store app, and I would have been more confident it was genuine. Even better, they could have gone to the trouble of being consistent, and, like with the iTunes Store EULA, simply prompted you to go back to the App Store app and go through the process. Instead, they made it happen outside any known and trusted app, which makes it more suspicious.
Sure, the chance of an unheard-of trojan popping up just then on my iPad was unlikely–but Apple’s method here violated the principle.
That’s the first ball dropped by Apple. The second: after they require you to enter a backup email address, they send you an email with a link to authorize the email address. OK, I thought–this is the standard thing where you click on the link, they get the message, and tell you “OK, you’re authentic.” That’s how it always works–again, consistency is key.
Instead, the email link takes me to a page telling me to re-enter my iTunes Store ID and password. What the fuck, Apple? Are you people not just stupid, but insanely stupid? I never input IDs and passwords in response to any email link. Especially at a time when Safari is known to be susceptible to URL spoofing.
Essentially, Apple is demanding that users follow a process which you should never, ever follow, because it is exactly the process used by scammers to harvest your private information–exactly like they did just a few months ago. Simply on a matter of principle, I refuse to follow that process. Yes, the chances of a scammer sending me a phishing email to the right email address just after I secured my account to that address are exceedingly slim–but anyone who takes security seriously–and I take my iTunes Store account security very seriously–simply does not enter a password like that in response to an email someone sent you. Even if the link appears legit and the URL seems legit, you never know when scammers are going to find a way to make it look that way.
What Apple should have done is simply accepted the coded email response, like everyone else. Or, if they have such a hard-on to get your iTunes Store ID and password confirmed, do it within an app or again, a site the user navigates to.
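To make concrete what “accepting the coded email response” looks like, here is an added example (written for this post, not Apple’s code): the verification link carries a signed, time-limited, single-use token, so clicking it proves control of the mailbox and the user is never asked to type a password. The signing key, account id and address are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class EmailVerifier:
    """Issues and checks one-shot, time-limited email-confirmation links.

    The token proves its own authenticity via an HMAC, so the page the
    link lands on needs no password prompt at all (assumed design)."""

    def __init__(self, key: bytes, ttl_seconds: int = 24 * 3600):
        self._key = key                # server-side secret, never sent to the user
        self._ttl = ttl_seconds
        self._pending = {}             # nonce -> (account_id, email); removed once used

    def issue(self, account_id: str, email: str, now=None) -> str:
        """Build the token to embed in the verification link."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        payload = json.dumps([account_id, email, int(now) + self._ttl, nonce]).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self._pending[nonce] = (account_id, email)
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def confirm(self, token: str, now=None):
        """Return (account_id, email) if the token is genuine, unexpired and unused."""
        now = time.time() if now is None else now
        try:
            payload_b64, _, sig = token.rpartition(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, sig):   # constant-time check
                return None
            account_id, email, expiry, nonce = json.loads(payload)
        except (ValueError, TypeError):
            return None                                   # malformed or tampered
        if expiry < now:
            return None                                   # link has expired
        if self._pending.pop(nonce, None) is None:
            return None                                   # replayed or never issued
        return account_id, email
```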
But to force users, not once but twice, to follow a route that makes them wide open to malware and phishing attacks in the future?
Stupid, stupid, stupid.