
Apple reportedly puts hold on over-the-phone password resets in response to hack [u]

post #1 of 11
Thread Starter 
A report on Tuesday claims Apple has put a 24-hour hold on over-the-phone AppleID password change requests, possibly in response to the high-profile hack of Wired reporter Mat Honan's iCloud account.

Update: In a separate report, Wired notes Amazon has also modified its security policies and will no longer be accepting over-the-phone account changes.

An unnamed Apple employee familiar with the matter said the call-based password reset freeze will remain in effect for at least 24 hours and speculated the ban is meant to give Apple time to assess the situation, reports Wired.

The publication corroborated the tip with an AppleCare representative while trying to replicate the security exploit that allowed hackers access to Honan's iCloud, Twitter and Gmail accounts. Wired's most recent attempt failed, the representative said, because Apple had initiated system-wide "maintenance updates" which put a halt to changing AppleID passwords over the phone.

"Right now, our system does not allow us to reset passwords," the AppleCare representative said. "I don't know why."

On Friday, Honan's iCloud account was compromised, with hackers wiping data from his MacBook, iPad and iPhone and locking him out of other internet services. It was discovered later that the hackers' goal was to gain access to Honan's unique @mat Twitter feed.

Wired writer Mat Honan. | Source: Wired


The hackers allegedly used a combination of Amazon's credit card record keeping system, Apple's user authentication requirements and "social engineering" to gain entry into Honan's iCloud account.

"On Monday, we were able to call Apple, reset AppleID passwords over the phone, and gain access to iCloud accounts by supplying AppleCare representatives with a name, e-mail address, mailing address and the last four digits of a credit card number linked to an AppleID," Wired writes. "This is the exact same information hackers supplied Apple with on Friday to get a temporary password that gave them access to Honan's iCloud account."

Because Honan's accounts were all tied together with credit card numbers and redundant email addresses, the hackers didn't have a hard time skirting existing security measures.

Apple released a statement on Monday, saying "we found that our own internal policies were not followed completely." The internal source, however, notes that if the Apple rep issued a temporary password based on the hacker-supplied AppleID, physical address and last four credit card digits, they would have "absolutely" been operating within Apple's instituted guidelines.
post #2 of 11
Amazon flinched too

http://www.theverge.com/2012/8/7/3226322/amazon-security-phone-account-changes
post #3 of 11
So both services are basically saying if you forget your password, security questions and don't keep your email address current you are screwed.

In a way that is really foul customer service, but on the other, if they make this situation very very clear to all customers then it's not their fault if someone doesn't keep things accurate and current
post #4 of 11
Quote:
Originally Posted by charlituna View Post

So both services are basically saying if you forget your password, security questions and don't keep your email address current you are screwed.
In a way that is really foul customer service, but on the other, if they make this situation very very clear to all customers then it's not their fault if someone doesn't keep things accurate and current

I prefer to view it as, "We can't fix stupid."

Store your credit card online at your own risk.

Link account info at your own risk.

Use common passwords at your own risk.

Use cookies at your own risk.

I've used Solip's Razor for a long time - to paraphrase - "Use false info for verification and recovery data" - as it is hard to guess lies.... Just keep track of them. I use the msecure app to securely keep track of the fibs.
Edited by ChristophB - 8/7/12 at 8:46pm
post #5 of 11

Hell I have a tough enough time keeping track of the truth. For instance I've had security questions about what my first car was. Now I have to figure out if I answered with the make, the model or both. Ask me what my grandfather's name was. Did I put the full version or the shortened nickname version of his name. Thing is you have to be exact. I could get a question about what my name is wrong. If I say Joe and the computer has Joseph, I just failed that question.

post #6 of 11
Quote:
Originally Posted by ChristophB View Post



I've used Solip's Razor for a long time - to paraphrase - "Use false info for verification and recovery data" - as it is hard to guess lies.... Just keep track of them. I use the msecure app to securely keep track of the fibs.

 

Forgot to include this quote in my post.


Edited by Mynameisjoe - 8/7/12 at 10:25pm
post #7 of 11

The move to cloud services will take some trial and error for both consumers and providers. Mat Honan was an incautious guinea pig caught by Apple's early flawed practices. Life goes on.

post #8 of 11
Quote:
Originally Posted by JollyPaul View Post

The move to cloud services will take some trial and error for both consumers and providers. Mat Honan was an incautious guinea pig caught by Apple's early flawed practices. Life goes on.

 

At least there wasn't any direct financial loss/tampering.

When a company stops chasing profit and starts chasing the betterment of their products, services, workforce, and customers, that will be the most valuable company in the world.
post #9 of 11
Quote:
Originally Posted by Mynameisjoe View Post

Hell I have a tough enough time keeping track of the truth. For instance I've had security questions about what my first car was. Now I have to figure out if I answered with the make, the model or both. Ask me what my grandfather's name was. Did I put the full version or the shortened nickname version of his name. Thing is you have to be exact. I could get a question about what my name is wrong. If I say Joe and the computer has Joseph, I just failed that question.

 

Don't forget the instances where they check your answers in a case sensitive manner.

 

But, basically, if you answer truthfully, it's easy enough for someone who wants to to find out the answers to your questions, especially if they are targeting you in particular.

 

Still, call me cynical, but I wonder why they happened to choose this particular reporter? Is it possible that he isn't telling us the whole story and that he set himself up, for the story?

post #10 of 11

They have no clue like their users

 

http://gizmodo.com/5932742/apple-really-doesnt-know-how-to-fix-its-massive-security-exploit?utm_campaign=socialflow_gizmodo_twitter&utm_source=gizmodo_twitter&utm_medium=socialflow

"Apple people have no objectivity when it comes to criticism of Apple.." Lenovo X1 Carbon is out..bye bye MBAir

post #11 of 11
Originally Posted by daylove22 View Post
They have no clue like their users

 

Please don't spam this Gizmodo crap in every thread.

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.