In the wake of the massive Flashfake attack that compromised some 600,000 Apple computers running OS X, Apple Inc. has clamped down on security not only on its operating system but also on its App Store and iTunes.
Computer security firm Sophos said Apple now prompts its customers to set up three new security questions and an alternate email to curb possible phishing and fraud.
"While it's a welcome move toward stronger security for the increasingly targeted venues, users have been caught off-guard, unsure if the messages themselves are the work of phishers or scammers," Sophos noted in a blog post
Apple is getting criticism following the Flashfake attack, which exploits a vulnerability in an unpatched version of Java in Apple's OS X.
Sophos cited media reports
indicating users were requested to set up three security questions when downloading an app from the App Store.
It added Apple is also requiring a backup email address, "presumably in case a user's primary address and associated Apple ID become compromised."
Sophos noted Apple had confirmed to CNET the messages are legitimate.
But it also noted many Apple users were confused since they were unannounced by the characteristically tight-lipped Apple, and they solicit information.
It cited posts from "baffled" members of Apple support groups, wondering why the App Store keeps popping up "Security info required."
"There are reportedly over a quarter billion iTunes accounts. Many have credit card information associated with Apple IDs. It's easy to see why iTunes and the App Store are increasingly targeted by crooks," Sophos noted.
It said that in January 2011, 50,000 stolen iTunes accounts linked to stolen credit cards were being sold on a Chinese auction site.
In 2010, a large number of iTunes users reported that they had received unauthorized charges of up to $1,000 after a security breach, it added.
Still, Sophos said it is "good to see that Apple's finally doing more to secure iTunes and App Store." — TJD, GMA News