Apple recently confirmed that it has suspended the ability to reset Apple ID passwords over the phone after a hacker used the procedure to wreak digital havoc on writer Mat Honan’s iCloud account.
Spokeswoman Natalie Kerris confirmed the news to The Next Web:
We’ve temporarily suspended the ability to reset AppleID passwords over the phone. We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com).
Kerris also said that whenever phone resets are brought back online, customers will need to provide “even stronger” identity verification to reset the password.
If you haven’t heard about Honan’s saga, his Wired article is a great place to start.
Basically, a hacker armed with Honan’s home address and the last four digits of his credit card number was able to call Apple and use social engineering to get the password reset.
After Honan’s account was compromised, the hacker gained control of his iCloud account and remotely wiped his iPhone, iPad, and MacBook Air, which were filled with numerous photos, documents, and emails that were never regularly backed up.
The hacker obtained the last four digits of Honan’s credit card by first using some slick social engineering techniques on Amazon.com. The retailer has also confirmed that it has closed the specific loophole that was used.
And with Apple moving more and more of its services, on both iOS and OS X, to iCloud, Honan does make a very good point about the state of cloud computing security:
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Source: The Next Web