I’m a Mac user, but I know we’re still in the minority. Consequently, I hear (Windows-using) people bang on about how much they hate iTunes on a daily basis. It’s never been a problem for me on a Mac. Not, that is, until now.
When trying to download a (free) bit of software from the App Store this morning, after entering my password, I was asked to enter it again and then complete three security questions. Seems a bit overkill from the start – even my bank don’t need this many separate levels of security. Then I got to the questions. Oh dear. It’s my least favourite type of security questions. That’s right – it’s the ones where an American has decided what questions you can pick from.
It’s not quite “which college did you go to?” or “what was your GED?” (some kinda American-only education test), so it’s not as hard as applying for a job with them, but it’s not far off. (Re job application: I’ve never seen so many American-specific questions in one supposedly international job application form. At one point it asked something about if I’d ever been banned from Hawaii. I’ve never even been there. One of the other actual questions on their form, for completion by UK applicants is: “If offered employment by Apple, are you able to provide documentation of your legal right to work in the United States?” – Of course not! I’m a British citizen. I have a right to work in Britain though, which is where the job they were advertising actually was.)
In this case, you’ve got three sets of questions. One set per question. They’re all stupid questions that don’t really relate to me, are slightly ambiguous, and are not particularly secure. They’re all very very similar. Here’s all three sets it offered me.
Apple – these are really shitty questions.
Which city were you first kissed? What am I? 12?
My best childhood friend? From the entire first 18 years of my life? There were several. They came and went.
My first teacher? What, ever? Like when I was 5 you mean? I can’t remember.
The first car I owned? I had a company car for a year before I bought one. Whichever car I put down in that list, I’m sure that when they come to ask me these, I’ll definitely pick the other one. BUT if you want to pick your first car for the first question (as many might), then you cannot pick your first job for the other questions! How stupid is this?
First job? Are we counting paper rounds in this, or is it my first adult job? Again, in 3 years when they ask me these, I won’t remember whether I was counting everything, or just the stuff that appears on my CV.
Some of them are going to be tricky to remember. “Where were you on January 1, 2000?”. If presented with that challenge 12 months from now, are you going to remember whether you said “Swindon” or “at home”, or whatever? And you will have to type your answer exactly the same, with the same choice of punctuation you used originally. “Where was your favourite job?” – even now I’m thinking “do they mean WHERE location, or WHERE company?” – you think I’m going to remember my answer when I eventually need to?
There are some things notable by their absence. Look back over that list. The ones that are ALWAYS in these sorts of sets of questions are curiously missing. There’s no option to use the name of your mum/dad. There’s no option to use the name of your first son/daughter/dog. There’s no option for the town you grew up in, or the place you were born, or your mother’s maiden name. The sorts of unambiguous ones you’ll definitely remember are all missing. Yet, the ones that remain are curiously similar. First car, favorite car, least favorite car. First job, favorite job, least favorite job. First teacher, favorite teacher, least favorite teacher.
The people who have lucked out here are people who have just passed their driving test and bought a shit car. Their first, favorite and least favorite cars are one and the same.
I should say I really don’t mind the ones where you can set your own questions. That’s fine. They’re much more secure. You can be as obscure (and yet memorable) as you like. I sometimes use names of characters from films that seemingly only I have watched. But your first car? There’s loads of people who know this of me. That’s not a secure question at all. It’s fairly safe to assume my first proper kiss happened in the same town I grew up in, and everyone who has ever met me has asked where I’m from. I bet it’s the same for most people.
So I don’t mind secure write-your-own questions. These? I’m very tempted to pick any questions at random and set “I don’t remember” as the answers. I won’t, obviously. What I’ll do is write them all down afterwards. Nice and secure, eh Apple?
P.S. On one of those links I gave, someone suggested contacting Apple and telling them exactly what you think of their security questions. So I have. I’ll let you know if I get a reply.
Update 22 April 2012, 11:24pm.
After a few back-and-forth emails with Apple support, where they advised me to change my Apple ID password and security question through their website, it turns out I was wasting my time, as I was then presented with the same stupid prompts to set three questions when I attempted to use iTunes again. Their response, when I told them this, was:
“Ben, I understand your concern but from time to time, Apple enhances the security of our valued customers’ iTunes Store accounts. The recent changes are not meant as an inconvenience, but rather to help safeguard your account details and activity. Apple is pleased to provide this feature and hopes that keeping your safety in mind will help you to better enjoy the iTunes and App Store.
With this new system in place, when a purchase is attempted from a new device or computer, the store selects, at random, two of the three challenge questions for your Apple ID to verify that you are the account owner. If the questions are answered incorrectly ten times, your account becomes temporarily locked. When your account is locked, you cannot make purchases using any device that has not previously used the Apple ID. It also prevents you from changing your challenge questions. However, you are still able to make purchases using a trusted device.
You will also have the option to enter a “rescue” email address. This option will allow you to send a message to the rescue email, should you forget the answers to the challenge/response questions in the future.
I hope this information was helpful. Thank you for your understanding. Thank you for being an iTunes Store customer.”
So basically what I’m going to do is pick three questions at random which don’t fit my needs, and/or would be very easy to find out about me, answer them stupidly, and write the whole lot down in an unencrypted form, for use in two years’ time when I buy a new device and need to remember them. Welcome to “secure” password systems in 2012, everyone.