A report from the Times of London is grilling Apple over security on iTunes and its handling of iTunes account theft.

In a sense, the report doesn't really point out anything new. iTunes uses the same account recovery system thousands of other online retailers use and it's open to the same types of social engineering vulnerabilities. Additionally, it's no secret that Apple has a less than stellar reputation for customer service and handling of complaints, but what big consumer electronics vendor doesn't?

Really, the article points out a security crisis that affects many online retailers, among the largest of which is iTunes. Given the amount of personal information we regularly post online, it's easier than ever to pull the information necessary to foil the 'account recovery question' system many sites use.

Blocking this attack vector, however, is easier than a lot of others. Sites need to offer more personal recovery questions (i.e. things harder to guess than 'favourite colour') and users need to do a better job of locking down their information on social networking sites. Additionally, the social networks themselves need to keep a close eye on how user data is handled and protected (I'm looking in your direction, Mr. Zuckerberg...)

Yes, Apple's the convenient target in this report, but the underlying issue goes far, far beyond iTunes.

19 May 2010