Apple reportedly puts hold on over-the-phone password resets in response to hack [u]

Posted in General Discussion, edited January 2014
A report on Tuesday claims Apple has put a 24 hour hold on over-the-phone AppleID password change requests, possibly in response to the high-profile hack of Wired reporter Mat Honan's iCloud account.

Update: In a separate report, Wired notes Amazon has also modified its security policies and will no longer be accepting over-the-phone account changes.

According to an unnamed Apple employee familiar with the matter, the call-based password reset freeze will remain in effect for at least 24 hours; the source speculated that the ban is meant to give Apple time to assess the situation, Wired reports.

The publication corroborated the tip with an AppleCare representative while trying to replicate the security exploit that allowed hackers access to Honan's iCloud, Twitter and Gmail accounts. Wired's most recent attempt failed, the representative said, because Apple had initiated system-wide "maintenance updates" which put a halt to changing AppleID passwords over the phone.

"Right now, our system does not allow us to reset passwords," the AppleCare representative said. "I don't know why."

On Friday, Honan's iCloud account was compromised, with hackers wiping data from his MacBook, iPad and iPhone and locking him out of other internet services. It was discovered later that the hackers' goal was to gain access to Honan's unique @mat Twitter feed.

Wired writer Mat Honan. | Source: Wired


The hackers allegedly used a combination of Amazon's credit card record keeping system, Apple's user authentication requirements and "social engineering" to gain entry into Honan's iCloud account.

"On Monday, we were able to call Apple, reset AppleID passwords over the phone, and gain access to iCloud accounts by supplying AppleCare representatives with a name, e-mail address, mailing address and the last four digits of a credit card number linked to an AppleID," Wired writes. "This is the exact same information hackers supplied Apple with on Friday to get a temporary password that gave them access to Honan's iCloud account."

Because Honan's accounts were all tied together with credit card numbers and redundant email addresses, the hackers didn't have a hard time skirting existing security measures.

Apple released a statement on Monday, saying "we found that our own internal policies were not followed completely." The internal source, however, notes that if the Apple rep issued a temporary password based on the hacker-supplied AppleID, physical address and last four credit card digits, they would have "absolutely" been operating within Apple's instituted guidelines.

Comments

  • Reply 2 of 10
    charlituna Posts: 7,217, member
    So both services are basically saying if you forget your password, security questions and don't keep your email address current you are screwed.

    In a way that is really foul customer service, but on the other, if they make this situation very very clear to all customers then it's not their fault if someone doesn't keep things accurate and current
  • Reply 3 of 10
    christophb Posts: 1,482, member
    charlituna wrote: »
    So both services are basically saying if you forget your password, security questions and don't keep your email address current you are screwed.
    In a way that is really foul customer service, but on the other, if they make this situation very very clear to all customers then it's not their fault if someone doesn't keep things accurate and current

    I prefer to view it as, "We can't fix stupid."

    Store your credit card online at your own risk.

    Link account info at your own risk.

    Use common passwords at your own risk.

    Use cookies at your own risk.

    I've used Solip's Razor for a long time - to paraphrase - "Use false info for verification and recovery data" - as it is hard to guess lies.... Just keep track of them. I use the msecure app to securely keep track of the fibs.
  • Reply 4 of 10
    Hell I have a tough enough time keeping track of the truth. For instance I've had security questions about what my first car was. Now I have to figure out if I answered with the make, the model or both. Ask me what my grandfather's name was. Did I put the full version or the shortened nickname version of his name. Thing is you have to be exact. I could get a question about what my name is wrong. If I say Joe and the computer has Joseph, I just failed that question.

  • Reply 5 of 10
    ChristophB wrote: »
    I've used Solip's Razor for a long time - to paraphrase - "Use false info for verification and recovery data" - as it is hard to guess lies.... Just keep track of them. I use the msecure app to securely keep track of the fibs.

    Forgot to include this quote in my post.

  • Reply 6 of 10
    jollypaul Posts: 328, member
    The move to cloud services will take some trial and error for both consumers and providers. Mat Honan was an incautious guinea pig caught by Apple's early flawed practices. Life goes on.

  • Reply 7 of 10
    JollyPaul wrote: »
    The move to cloud services will take some trial and error for both consumers and providers. Mat Honan was an incautious guinea pig caught by Apple's early flawed practices. Life goes on.

    At least there wasn't any direct financial loss/tampering.

  • Reply 8 of 10
    anonymouse Posts: 6,860, member
    Mynameisjoe wrote: »
    Hell I have a tough enough time keeping track of the truth. For instance I've had security questions about what my first car was. Now I have to figure out if I answered with the make, the model or both. Ask me what my grandfather's name was. Did I put the full version or the shortened nickname version of his name. Thing is you have to be exact. I could get a question about what my name is wrong. If I say Joe and the computer has Joseph, I just failed that question.

    Don't forget the instances where they check your answers in a case sensitive manner.

    But, basically, if you answer truthfully, it's easy enough for someone who wants to, to find out the answers to your questions, especially if they are targeting you in particular.

    Still, call me cynical, but I wonder why they happened to choose this particular reporter? Is it possible that he isn't telling us the whole story and that he set himself up, for the story?

  • Reply 10 of 10
    tallest skil Posts: 43,388, member
    daylove22 wrote: »
    They have no clue like their users

    Please don't spam this Gizmodo crap in every thread.
