Apple obviously knew there was something off. Their systems detected an issue. Detecting an intrusion is obviously not a problem, though I do think your suggestions for detection would be nice.
The way it reacted to an intrusion, however, is absolutely unacceptable. Simply informing you that you got hacked after it's already happened is not the way it should have dealt with this. Ideally, it would block the purchase, blacklist the IP, then force you to confirm through an email.
Sure, if your email got compromised too, that won't do any good, but at least it would have tried to stop the unauthorized access.
Another nice thing I'd like to see would be something like Google's two-step authentication, where you would have to authorize the new registration via a previously registered device.
Sure, my hope is that if they emailed me (NOT at my MobileMe email, but a non-Apple address) at my Gmail, which is set up for 2-factor, for confirmation, that'd be ideal.
The irony is that they are all set up for 2-factor auth... the phones I have already are the second factor. The idea that someone, anyone, with a phone and my password could make effectively unlimited purchases against my saved payment instrument without being challenged makes me, as a former banking engineer, cringe.
All I'm asking is that new phones authenticate and be challenged, especially if they don't match clearly recorded existing behavior patterns.
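As an added example (this is not code from the thread, from Apple, or from any real store backend), here is a pre-charge authorization check that implements the controls the commenters above describe: refuse a blacklisted IP, challenge an unregistered device, refuse and blacklist when the new device also breaks the account's recorded behaviour pattern (new country, unusually large charge, or too much spending in an hour), require that a new device be approved from a previously registered one, and only then let it buy silently. The `Account` and `Purchase` shapes, the thresholds, device names and IP addresses are all assumptions, and the scenario data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Everything below is a constructed example; the data model and thresholds are assumptions.

@dataclass
class Account:
    known_devices: set             # devices that completed enrollment (they are the second factor)
    known_countries: set           # countries seen in the account's past purchases
    typical_max_charge: float      # largest charge in the account's normal history
    blocked_ips: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (timestamp, amount) of purchases that were allowed

@dataclass
class Purchase:
    device_id: str
    ip: str
    country: str
    amount: float
    at: datetime

VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 100.0   # assumed per-hour spending cap before a challenge is forced


def risk_signals(acct: Account, p: Purchase) -> list:
    """Name every deviation from the account's recorded behaviour that this purchase shows."""
    signals = []
    if p.device_id not in acct.known_devices:
        signals.append("new_device")
    if p.country not in acct.known_countries:
        signals.append("new_country")
    if p.amount > acct.typical_max_charge:
        signals.append("amount_above_profile")
    recent = sum(amt for ts, amt in acct.history if p.at - ts <= VELOCITY_WINDOW)
    if recent + p.amount > VELOCITY_LIMIT:
        signals.append("velocity")
    return signals


def authorize(acct: Account, p: Purchase) -> tuple:
    """Decide allow / challenge / deny BEFORE the card is charged, not after.

    - a blacklisted IP is refused outright
    - an unknown device with no other deviation gets a step-up challenge
    - an unknown device plus any other deviation is refused and its IP is blacklisted
    - a known device that breaks the pattern (e.g. velocity) is challenged, not silently allowed
    """
    if p.ip in acct.blocked_ips:
        return "deny", ["ip_blocked"]
    signals = risk_signals(acct, p)
    if not signals:
        acct.history.append((p.at, p.amount))
        return "allow", []
    if "new_device" in signals and len(signals) > 1:
        acct.blocked_ips.add(p.ip)
        return "deny", signals
    return "challenge", signals


def approve_from_registered_device(acct: Account, approving_device: str, new_device: str) -> bool:
    """Google-style second step: only a device already on the account can vouch for a new one."""
    if approving_device not in acct.known_devices:
        return False
    acct.known_devices.add(new_device)
    return True


def demo() -> list:
    """Run the thread's scenario on constructed data and return the decision log."""
    t0 = datetime(2012, 7, 1, 12, 0, 0)
    acct = Account(known_devices={"iphone-A"}, known_countries={"US"}, typical_max_charge=9.99)
    log = []
    # 1. someone with the password, a new phone, another country and an unusually large charge
    log.append(authorize(acct, Purchase("android-X", "203.0.113.7", "RU", 49.99, t0)))
    # 2. retry from the same (now blacklisted) IP with a small, normal-looking charge
    log.append(authorize(acct, Purchase("android-X", "203.0.113.7", "US", 0.99, t0)))
    # 3. the owner's genuinely new iPad: same country, normal amount -> challenged, not silently charged
    new_ipad = Purchase("ipad-B", "198.51.100.4", "US", 0.99, t0)
    log.append(authorize(acct, new_ipad))
    # 4. approval must come from a device that is already registered; the attacker's phone cannot vouch
    log.append(("approve", approve_from_registered_device(acct, "android-X", "ipad-B")))
    log.append(("approve", approve_from_registered_device(acct, "iphone-A", "ipad-B")))
    log.append(authorize(acct, new_ipad))
    # 5. velocity: the tenth $9.99 charge within an hour from a known device is challenged
    for i in range(10):
        log.append(authorize(acct, Purchase("iphone-A", "198.51.100.4", "US", 9.99, t0 + timedelta(minutes=i))))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the structure is that `authorize` runs before money moves and returns a decision the purchase path must honour, so "you were hacked" becomes "this purchase was held", and a device only stops being challenged once something the account already trusts has vouched for it.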
I agree, Apple really dropped the ball in this case.
In fact, how did this app manage to slip through the review process? It seems to me that the only purpose is to funnel stolen money to somebody.
Sadly, the state of many online security systems is entirely sub-par. It's a sad sign when your email has more security features than your bank account (as I know is the case for me).