Apple tightens iTunes, App Store security
Apple is boosting security in the iTunes Store and the App Store in an attempt to stop hijacking of Apple accounts, but the unannounced changes are causing some confusion and alarm in the Apple fan base.
Introduced Wednesday, the new security measures prompt users to input three security questions and answers. The security questions will be asked whenever a user downloads an app from the App Store.
In a discussion forum on the Apple Support Communities website, users of iTunes on PCs and Macs and the App Store on iOS devices reported seeing the prompts, though SecurityNewsDaily did not see them on its own iPhones and PCs. (The tech blog The Verge did get the prompts.)
Forum commenter fiasko5k wrote: “iPhone 4s: why does app store keep popping up ‘security info required’? This happens after I put in my password. Is this something to be concerned about?”
Chris0973 said: “I had the same issue on my iPhone 4 today and also was worried that it might be a virus or phishing exercise. It is certainly worded like one.”
Both users had a right to be concerned: Unsolicited requests to enter email addresses and other sensitive data are the linchpins of nearly all phishing and malware scams.
Apple confirmed to CNet that it has been rolling out the new security measures to protect customer accounts. The company did not make a public announcement about the change, however.
To further increase security, Apple is also requiring users to enter a backup email address. Should the user’s primary email address, and the Apple ID tied to it, become compromised, Apple says it will use the backup address to notify the user.
The measures appear to be Apple’s first attempt to tackle a low-key but persistent problem. Hundreds, perhaps thousands, of Apple accounts have been hijacked over the past two years by scammers who “blow out” the account balances with purchases of music, movies, games and other apps.
Perpetrators exploit the fact that a single Apple ID will work across the entire Apple universe to freeze users out of their own accounts. The fact that millions of people still use the same email address and password to set up multiple accounts with different companies only makes the scammers’ task easier.