Friday, August 12, 2011

Welcome to the Cloud - "Your Apple ID has been disabled."

So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.

The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.

I've got email in Gmail, Music in Spotify, files in DropBox, documents in SkyDrive, photos in Flickr, and media and Apps in the Apple Cloud.
I got this email out of nowhere yesterday.
Dear Scott Hanselman,
Your Apple ID,
scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID.

If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases.

If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance.
Regards,
Apple

After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.
The phrasing of this email is irritating and wrong-headed. Here's why.
  1. They know it's a device they've never seen before.
  2. They let it happen anyway.
  3. They tell me it's for my good in a self-congratulatory way.
      This email was sent as a safeguard designed to protect you against unauthorized purchases.
  4. But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.
Stunning.


I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.
If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.

The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apples knows what devices I have and still allowed the purchase.

Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.
Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.

And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.

More @ bit.ly/p1gaE2

No comments:

Post a Comment