Apple's email was straightforward and to the point (high signal to noise). The "solution" needlessly tacks on boilerplate, and divulges additional information about the user in the email. If someone's iTunes account has been compromised, it is possible that their email account may have been as well. Best not to show too much.
The actionable item in Apple's email is very clear: change my password, and then learn how to be more secure. In the "solution," it is not. You need to "associate [my] new device with [my] Apple ID"? Huh? Do I need to re-register my current device, or what?
I'm all for using Bayesian inference behind the scenes, but don't needlessly flood the user with excess information. Tell them what's up, and what they need to do.
Withholding information could be helpful later, should the user need to verify their identity over the phone (for example).
Sending an email when an account is used for the first time on a new device is not a bad idea, but it could become another hoop for the user to jump through, and again, their email may also be compromised.
Apple obviously knew there was something off. Their systems detected an issue. Detecting an intrusion is obviously not a problem, though I do think your suggestions for detection would be nice.
The way it reacted to an intrusion, however, is absolutely unacceptable. Simply informing you that you got hacked after it's already happened is not the way it should have dealt with this. Ideally, it would block the purchase, blacklist the IP, then force you to confirm through an email.
Sure, if your email got compromised too, that won't do any good, but at least it would have tried to stop the unauthorized access.
Another nice thing I'd like to see would be something like Google's two-step authentication, where you would have to authorize the new registration via a previously registered device.
Sure, my hope is that if they emailed me (NOT at mobile me email, but a non-Apple address) at my Gmail which is setup for 2-factor, for confirmation that'd be ideal.
The irony is that they are all setup for 2-factor auth...the phones I have already are the second factor. The idea that someone, anyone, with a phone and my password could make effectively unlimited purchases against my saved payment instrument without being challenged makes me, as a former banking engineer, cringe.
All I'm asking is that new phones authenticate and be challenged, especially if they don't match clearly recorded existing behavior patterns.
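The policy the commenters above are asking for (challenge a first-seen device, and decline the purchase outright when that device also departs from the account's recorded behavior, pending out-of-band confirmation) written out as an added illustrative Python example. This is not Apple's code; the device ids, purchase history and thresholds are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                       # known device, ordinary purchase
    CHALLENGE = "challenge"               # step-up: confirm via a registered device
    BLOCK_CONFIRM = "block_and_confirm"   # decline now, confirm out of band (email)


@dataclass
class Purchase:
    ts: float        # unix time of the purchase
    amount: float
    country: str     # country the purchase was made from


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)   # devices that passed a challenge
    purchases: list = field(default_factory=list)     # completed Purchase records


def assess_purchase(history, device_id, amount, country, now,
                    window=3600, max_in_window=5, amount_factor=3.0):
    """Return (Decision, reasons) for a purchase attempt.

    window/max_in_window/amount_factor are assumed tuning values, not real
    thresholds used by any vendor.
    """
    new_device = device_id not in history.known_devices
    past = history.purchases
    recent = [p for p in past if now - p.ts <= window]
    largest_so_far = max((p.amount for p in past), default=0.0)
    reasons = []
    if past and amount > amount_factor * largest_so_far:
        reasons.append("amount")           # far above anything seen before
    if len(recent) >= max_in_window:
        reasons.append("velocity")         # too many purchases in the window
    if past and country not in {p.country for p in past}:
        reasons.append("country")          # never bought from here before
    if new_device and reasons:
        return Decision.BLOCK_CONFIRM, reasons
    if new_device:
        return Decision.CHALLENGE, ["new_device"]
    if reasons:
        return Decision.CHALLENGE, reasons
    return Decision.ALLOW, []


def enroll_device(history, device_id):
    """Call once a challenge succeeds so the device no longer counts as new."""
    history.known_devices.add(device_id)
```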
I agree, Apple really dropped the ball in this case.
In fact, how did this app manage to slip through the review process? It seems to me that the only purpose is to funnel stolen money to somebody.
Sadly, the state of many online security systems is entirely sub-par. It's a sad sign when your email has more security features than your bank account (as I know is the case for me).