Apple freezes over-the-phone password resets

Aug 8, 2012

The hack performed against Wired writer Mat Honan serves as a cautionary tale for others to ensure they back up their data, but what about the security issues found with the companies that helped facilitate the crime? Amazon fixed its own security hole yesterday, and now Apple has blocked customer service representatives from issuing password changes over the phone for Apple IDs.

According to an Apple employee who spoke to Wired, the company has placed a 24-hour freeze on any new over-the-phone password changes in order to give the team more time to think about and implement new security measures. When Wired once again tried to duplicate the social engineering used against Apple customer service representatives, they were told that the systems were prevented from resetting passwords, and that users had to do so via Apple’s website instead.

There’s still no official comment from Apple regarding the freeze, however, and it’s not yet clear what the company intends to do to prevent similar situations from occurring in the future. Amazon quietly fixed its own security issue yesterday, with a new policy in place that prevents callers from simply providing a name, email address, and home address to gain access to an account.

The hacker who reset Honan’s various Apple devices first went after his Amazon account, providing the easily gathered information to customer service representatives over the phone in order to gain access. Once the hacker managed that, the last four digits of Honan’s credit card were displayed in his account, information that Apple representatives happily accepted as proof of identity, allowing the individual to perform a password reset and gain access to the iCloud account.

