Earlier today I was installing an app on my iPad and the iTunes store wanted some “additional security details”. I set up some questions and answers, feeling reasonably confident that, as I was using the App Store app, the details were actually being taken by Apple. In addition it requested an optional email address for account recovery but it wouldn’t let me use my normal email address because that’s also used for my Apple ID (so why does that make it invalid for account recovery?)
I supplied a different email address and the App Store accepted the “additional security details” and let me complete my purchase…
Then, I got this email:
From: Apple [firstname.lastname@example.org]
Sent: 27 April 2012 14:08
To: Mark Wilson
Subject: Please verify that we have the right address for you
You’ve taken the added security step and provided a rescue email address. Now all you need to do is verify that it belongs to you.
The rescue email address that you gave us is [email address removed]. Just click the link below to verify, sign in using your Apple ID and password, then follow the prompts.
The rescue email address is dedicated to your security and allows Apple to get in touch if any account questions come up, such as the need to reset your password or change your security questions. As promised, Apple will never send any announcements or marketing messages to this address.
When using Apple products and services, you’ll still sign in with your primary email address as your Apple ID.
It’s about protecting your identity.
Just so you know, Apple sends out an email whenever someone adds or changes a rescue email address associated with an existing Apple ID. If you received this email in error, don’t worry. It’s likely someone just mistyped their own email address when creating a new Apple ID.
If you have questions or need help, visit the Apple ID Support site.
(The actual email was prettier than this, for example it contained graphics with Apple logos, and an Apple footer, but the words are reproduced here almost verbatim – in addition to removing my email address, I’ve also edited the verification link to make it invalid, but otherwise that’s the way it was presented).
This email annoys me for two reasons.
- I hate security theatre. Real security should involve something I have and something I know. All of Apple’s questions are just about something I know. In effect, it’s just multiple passwords…
- Apple have sent me an email asking me to confirm an email address but with no personally identifying information (no “Dear Mark”; no “Dear Mr Wilson”, nothing that confirms my relationship with them), asking me to click a link that could go anywhere. If this were from PayPal we’d be saying “noooo – don’t do it, it’s a phishing attack!”.
I was very careful about checking out the link in the email and it does appear to have been genuine, but Apple has an enormous market of largely unsuspecting and trusting consumers, not all of whom could be described as “IT literate”. By not encouraging any form of “safe computing” Apple is setting a very bad example – and is reinforcing practices that consumers should be avoiding. Microsoft has some good advice on their site for symptoms of phishing and several of the symptoms are present in the email I received from Apple.
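As an added illustration (not part of the original post), the checks below apply the symptoms discussed above to a constructed HTML approximation of the email: a missing personal greeting, a link whose real destination lies outside the sender's domains or differs from the URL shown as its text, and a request to sign in behind a link. The recipient names, trusted domain list and placeholder link are assumptions, since the post removed the real link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed approximation of the verification email quoted above; the post
# removed the real link, so the href here is a placeholder, not Apple's.
SAMPLE_BODY = """<p>You've taken the added security step and provided a rescue
email address. Now all you need to do is verify that it belongs to you.</p>
<p>Just click the <a href="https://example.invalid/verify">link below</a> to
verify, sign in using your Apple ID and password, then follow the prompts.</p>"""


class _Links(HTMLParser):
    """Collect visible text plus (href, anchor text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def phishing_indicators(html_body, recipient_names, trusted_domains):
    """Return the phishing symptoms from the post that html_body exhibits: no personal
    greeting, links outside trusted_domains or mismatching their shown URL, sign-in request."""
    p = _Links()
    p.feed(html_body)
    text = " ".join(p.text)
    found = []
    if not any(name in text for name in recipient_names):
        found.append("no_personal_greeting")
    for href, anchor in p.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            found.append(f"link_outside_trusted_domains:{host}")
        shown = (urlparse(anchor).hostname or "").lower() if "://" in anchor else ""
        if shown and shown != host:
            found.append(f"displayed_url_mismatch:{shown}->{host}")
    if p.links and re.search(r"sign in|log ?in|password", text, re.I):
        found.append("requests_credentials_via_link")
    return found
```

Running `phishing_indicators(SAMPLE_BODY, ["Mark", "Wilson"], ["apple.com"])` flags all three symptoms; a body that opens with the recipient's name and links only into the trusted domain with no sign-in wording returns an empty list.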
Earlier today I dismissed an article that quoted Eugene Kaspersky as saying Apple was 10 years behind Microsoft in terms of security [awareness] – too many vested interests at play, I thought. On the other hand, if this afternoon’s email really does represent Apple’s corporate culture towards security, they do have some serious catching up to do…