This article originally appeared in TidBITS on 2012-04-26 at 2:29 p.m.
The permanent URL for this article is: http://tidbits.com/article/12963

Apple Extends iTunes Account Security, Confuses Users

by Adam C. Engst

So there I am in a hotel on spring break, getting a free iPhone app late at night, and all of a sudden, my iPhone is asking, nay, telling me that I must choose three security questions and provide answers. It’s not a good time, but the iPhone won’t let me continue with the download until I do, so I buckle down, choose the questions, and provide answers. But I’m not happy about it. I’m pretty certain that the interruption is not due to some sort of malware, since Apple has locked iOS down tight, but I don’t like the fact that Apple failed to provide any rationale for why these questions are being asked or how they’ll be used in the future.

[image link] [1]

I wasn’t the only one to be confused and irritated. Lots of people are being asked to provide these answers, and the process can range from a minor interruption to a creepy intrusion, thanks to the rather personal nature of many of the questions. With all the coverage of malware and security-related topics, the abruptness of the prompt seemed suspicious to many, generating discussions on TidBITS Talk [2] and the Apple Support Communities forum. Luckily, Lex Friedman over at Macworld was able to confirm with Apple that the prompts are legitimate [3], though no other details were forthcoming. Apparently, purchases being made through iTunes may also prompt these questions.

Along with the security questions, Apple asks you to provide an email address separate from the one associated with your Apple ID, presumably in case there’s some problem with your account and there’s concern that your main address may have been compromised. Unfortunately, the unexpected address verification email message also caused consternation among people whose spouses or children had answered the security questions for a family iTunes account.

The reason for these additional security questions and the separate email address is undoubtedly to provide a higher level of security on iTunes accounts. They should reduce the chance of evildoers guessing answers to security questions that are relatively easy to determine — mother’s maiden name and city of birth being the two most common I’ve seen.

What bothers me is that many of the questions Apple asks don’t have solid answers that I would necessarily give twice in exactly the same way, or answers that I could be certain of typing correctly. The classic questions of mother’s maiden name and city of birth have (for most people anyway) definite answers that won’t change and that can be typed reliably in response to an automated prompt. In contrast, here are some of the questions Apple asked (you could keep refreshing to get more questions, not that they ever improved):

I know I’m the sort of person who over-thinks questions like these, but I’m confident of my answers to only two. The favorite/least favorite questions are tricky, since I liked a number of my teachers and hated none, the cars I’ve owned have all been quite similar, and who my best childhood friend was depends on what years are considered childhood. Questions about firsts also bother me, since the albums and concerts I remember best weren’t my first ones, and questions about general locations have too many answers: where I was on Y2K could range from “Washington” to “Seattle” to “Issaquah” to “Tiger Mountain” to “with friends, tossing things I didn’t want to bring into the New Year into a raging bonfire.”

Worse, I don’t know how Apple plans to use these security questions. I could undoubtedly pick my answer from a multiple choice set, but I don’t know that I could enter the right one unprompted. And even if I was pretty certain of the actual answer, will I remember exactly how I typed it while sitting impatiently in that hotel room? Or will these questions be asked of me by Apple customer service in the event I call in for help? What happens if I get one wrong? What if you thought you were being clever by generating random strings of characters for each one using 1Password?
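The typing problem raised above (will "Tiger Mountain" entered in a hotel room match "tiger   mountain" typed a year later?) is partly a server-side design choice. The following is an added example, not code from the article or from Apple, showing how a service can canonicalise free-text security answers before hashing them, so harmless differences in case, accents, punctuation and spacing are forgiven while the plaintext answer is never stored; the function names are my own.

```python
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so that typing differences that carry
    no meaning (case, diacritics, punctuation, extra spaces) do not cause a
    mismatch. 'Zürich' -> 'zurich', '  Seattle, WA ' -> 'seattle wa'."""
    decomposed = unicodedata.normalize("NFKD", answer)
    # Drop combining marks so accented and unaccented letters compare equal.
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    lowered = stripped.casefold()
    # Keep only letters, digits and spaces, then collapse runs of whitespace.
    letters_only = re.sub(r"[^a-z0-9 ]+", " ", lowered)
    return " ".join(letters_only.split())


def enroll_answer(answer: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) to store at enrolment; the answer itself is
    hashed like a password rather than kept in clear text."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Compare a later attempt against the stored digest in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, stored_digest)


def exact_match_verify(candidate: str, enrolled: str) -> bool:
    """The naive comparison many systems use, kept here only to show how it
    rejects an answer the user would consider identical."""
    return candidate == enrolled


if __name__ == "__main__":
    salt, digest = enroll_answer("Tiger Mountain")
    print(verify_answer("tiger   mountain", salt, digest))        # True
    print(exact_match_verify("tiger   mountain", "Tiger Mountain"))  # False
```

Normalisation only removes the typing hazard; it does nothing for the ambiguity the article describes (Washington versus Seattle versus Issaquah), and because answers such as a city of birth have little entropy, a slow hash limits but cannot prevent guessing, which is why such questions should back up, not replace, a stronger factor.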

From a psychological standpoint, I’m also perturbed by the negative questions. It’s easy to imagine how being asked about your least favorite teacher or job — completely out of the blue, by a device that many people think of as intensely personal — could be extremely troubling to someone who had endured significant harassment or been fired for trumped-up reasons.

Don’t misunderstand — I think it’s laudable that Apple is taking additional steps to improve the security of iTunes accounts. I know from personal experience that dealing with compromised credit card numbers is a pain, and I’m sure working through a compromised iTunes account is similarly annoying.

But frankly, I think these questions are poorly designed to generate answers that many people will be able to produce on demand, and Apple has caused vast amounts of unnecessary consternation among millions of iTunes account holders by failing to provide a clear explanation of why the questions are being required and how they will be used. Perhaps in the future, Apple’s security folks can work with the team behind Siri to come up with a non-threatening and conversational way to elicit information that can be used to verify identity.

[1]: http://tidbits.com/resources/2012-04/security-challenge.png
[2]: http://talk.tidbits.com/Apple-address-verification-td4579301.html
[3]: http://www.macworld.com/article/1166511/apple_prompting_some_users_for_extra_app_store_security_details.html