Saturday, November 26, 2011

Just Pondering because I’ve probably eaten too much turkey…

We use iTunes in our home. Yes, I’ve considered other options for both iTunes-like song managers/players as well as pay-for-media sources. All have their pros and cons. In the end it just seems to be the best solution for us. Relatives can pick up iTunes gift cards for the girl, there is a wide selection of tune-age and videos, and it generally works fine. Not to mention support for all the iPod devices we seem to have collected over the years.

However, this post really isn’t about that; it’s more about some issues folks have been encountering with their iTunes accounts.

Since we use iTunes gift cards as our music tender, it isn’t really a high-dollar target to watch for. Generally the card gets redeemed and spent almost immediately, leaving a balance of $1 or less on the account at any given time.

I do keep a sensitive ear on the webs for security-related matters, and when this post showed up many months ago I did pay attention:

I got hacked on iTunes -- Ed Oswald - BetaNews.

Long post shortened, Ed discovered someone, somehow, had managed to raid his PayPal and iTunes accounts with some fraudulent charges. Ed insisted he maintained good protection on his accounts.

That post was followed up by iTunes hack widespread, and Apple appears to know about it also by Ed.

More feedback was that others were also encountering this problem, including those with a gift-card balance on their account: Meet three people ripped off by iTunes fraud ring - Ed Oswald

After that brief flurry of posts and coverage, the issue seems to have spun down. Either the problem was resolved or the web’s attention moved on to other things.

That probably would have been the end of things, with these posts filed into my bookmark cellar and a lesson learned to watch both my email and the sub-$1 gift card balance on our iTunes store account (so far no issues), except that this post from Scott Hanselman showed up a few months later.

Welcome to the Cloud - "Your Apple ID has been disabled."  - Scott Hanselman’s Computer Zen

I found this notable for two reasons: first, it came on the heels (related or not) of the prior issues Ed Oswald had posted on; and second, Scott is one of those Windows gurus who “gets it”, and according to his post he had not left himself in a position to easily become a victim of this.

And then Scott does a follow-up post that made keeping this on my radar worthwhile:

A suggested improved customer interaction with the Apple Store (and Cloud Services in general) - Scott Hanselman’s Computer Zen

Rather than just dwelling on the attack vector and its consequences, or complaining in general, Scott one-ups the situation by taking a thoughtful look at how iTunes notified him of the issue and suggesting how that notification could be improved. Quoting Scott from that post…

I expect my cloud services to let me know in a way that escalates appropriately with the threat when something that doesn't match my patterns happens.

The meta-points are
  • The Cloud(s) and all its services are protected only by our passwords and the most basic of fraud systems.
  • Cloud services are totally centralized, which makes them a big target, but they have activity information about what we're doing online that isn't being utilized to keep us safe.
  • We, the Users, need to demand better, more secure interactions from the cloud vendors that we put our trust in.
  • It sucks to lose access to your cloud data.

Well said.
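To make the “escalates appropriately with the threat” idea concrete, here is a small added example of what a service could do with the activity information it already holds. This is constructed illustration code for this post, not Apple’s, iTunes’ or any vendor’s fraud logic; the profile fields, the mismatch weights, the tier names and the sample account data are all assumptions chosen to show the shape of the approach.

```python
"""Toy model of a notification policy that escalates with the mismatch.

Constructed example, not any vendor's real fraud system. A service already
knows an account's usual countries, devices, spend and stored balance; this
scores how far a new event departs from that history and picks a notification
tier in step with the score instead of a one-size-fits-all e-mail.
"""
from dataclasses import dataclass


@dataclass
class Profile:
    """What the service already knows about one account (constructed data)."""
    countries: set        # countries the account normally buys from
    devices: set          # device identifiers seen before
    typical_spend: float  # usual single-purchase amount
    balance: float        # stored (gift card) value left on the account


@dataclass
class Event:
    """One new piece of account activity to assess."""
    country: str
    device: str
    amount: float
    kind: str             # "purchase" or "password_change"


# Tiers from least to most intrusive; the last one pauses the action until
# the account holder confirms it through a second channel.
TIERS = ["none", "email", "email+sms", "hold+verify"]


def mismatch_score(profile, event):
    """Count the ways this event departs from the account's own patterns.

    Weights are assumptions for illustration: a never-seen country and a
    credential change are weighted higher than a merely new device.
    """
    score = 0
    reasons = []
    if event.country not in profile.countries:
        score += 2
        reasons.append("new country")
    if event.device not in profile.devices:
        score += 1
        reasons.append("new device")
    if event.kind == "purchase":
        if event.amount > 3 * profile.typical_spend:
            score += 2
            reasons.append("unusual amount")
        if event.amount > profile.balance:
            # Spending past the stored balance would hit a linked funding
            # source (the PayPal-style charges the post describes).
            score += 1
            reasons.append("exceeds stored balance")
    if event.kind == "password_change":
        score += 2
        reasons.append("credential change")
    return score, reasons


def escalation(score):
    """Map a mismatch score to a notification tier."""
    if score == 0:
        return "none"
    if score <= 2:
        return "email"
    if score <= 4:
        return "email+sms"
    return "hold+verify"


def decide(profile, event):
    """Return (tier, reasons) so the user is told *why* they were contacted."""
    score, reasons = mismatch_score(profile, event)
    return escalation(score), reasons


if __name__ == "__main__":
    # Constructed account: a US household buying ~$1.29 tracks from two devices.
    home = Profile(countries={"US"}, devices={"home-pc", "ipod-touch"},
                   typical_spend=1.29, balance=15.00)
    samples = [
        Event("US", "home-pc", 0.99, "purchase"),             # normal
        Event("CN", "unknown-browser", 49.99, "purchase"),    # everything is off
        Event("US", "unknown-browser", 0.0, "password_change"),
    ]
    for ev in samples:
        tier, why = decide(home, ev)
        print(f"{ev.kind:16s} {ev.country} {ev.device:16s} -> {tier:12s} {why}")
```

The point of returning the reasons alongside the tier is the one Scott makes about interaction: a message that says “new device and new country, purchase held pending your confirmation” tells the account holder what to do, where a bare “Your Apple ID has been disabled” does not.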

Scott is still soliciting feedback from others with the Apple account issue at "My Apple ID has been Disabled" on Tumblr, but it doesn’t look like it has been very active for a number of months.

I haven’t been able to find out whether these Apple account hack events were isolated or whether some root cause was discovered and resolved. We may never know.

On a probably only tangentially-related note, I was discussing with Dad how we rely on on-line bill-paying for most of our bill payments, banking, and insurance account management. Heck, even at work most all of our HR interaction is done “on-line”. I don’t believe we have had a “brick-n-mortar” HR department for many years.  Dad is “old-school” and while quite comfortable with on-line computing, still refuses to do on-line banking/bill-pay.  The USPS loves him.

I’ve noticed that for every on-line account service we interact with, they all seem to have large splash-screens at log-on requesting “paperless billing” enrollment.  Probably saves on a ton of costs and is marketed as being more convenient and more secure (avoid id theft from sticky fingers pulling bill/account info out of the mailbox).

At the same time, I noticed this USPS ad running the past few weeks:

In it the USPS describes the security benefits of using the mail system to communicate with customers and how it’s inherently safer than the Internet, with statements such as:

  • “A refrigerator has never been hacked.”
  • “An online virus has never attacked a corkboard.”
  • “Give your customers the added feeling of security a printed statement or receipt provides. It’s good for your business. And even better for your customers.”

I’m all for the USPS and their dedicated carriers, and overall it’s a good communication medium. And yes, they have some revenue challenges as the Net continues to be relied on more by subsequent generations of communicators. At the same time, we use a locked postal box and have two shredders in the house for secure shredding as those items go from the secure “refrigerator and corkboard” to the trash system.

Point is, whether in the “cloud” or via the “snail” system, data and account information has its own attack vectors, and neither is inherently safer than the other. Hackers can break into corporate systems, and accounts can be compromised through poor IT security and weak end-user account safeguards, regardless of whether the billing “method” is paperless in the cloud or papered through the USPS. Likewise, businesses and users can lock down on-line accounts with rock-solid safeguards, but someone can still steal a periodic paper communication from a mailbox (or trashcan) and walk out the door and commit theft (if it even makes it to the mailbox).

Neither is a solution in and of itself.

Probably the best protection? As Mad Eye would say, “Constant Vigilance!”

And the battle for cost cutting and revenue generation rages on…with security as the headline selling point.

…like I said, just pondering.

Claus V.
