Apple temporarily suspends phone password resets
In the wake of the hack that hit Wired senior writer Mat Honan, Apple has temporarily changed the way users can reset the passwords for their Apple IDs.
“We’ve temporarily suspended the ability to reset Apple ID passwords over the phone,” Apple spokesperson Natalie Kerris told Macworld. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways—either have a password reset sent to an alternate email address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.”
That’s a stronger stance than Apple initially took; on Monday, the company said that its “own internal policies were not followed completely.” The company also added that it would review those processes to ensure the protection of customer data.
Several of Honan’s accounts were compromised as part of the hack, including his Apple ID, which gave the attacker the ability to erase his iPhone, iPad, and MacBook. Even more troubling, the hacker, who reset Honan’s Apple ID password by calling customer support, was only asked to verify his purported identity using readily available information about Honan: a billing address and the last four digits of his credit card. The latter was acquired from Amazon, which lets customers call in and change account settings over the phone provided they could give their name, email address, and mailing address—three more pieces of information that are relatively easy to find online.
Wired reporters say they were able to duplicate the hack several times on Monday. By late in the day, however, Amazon had reportedly changed their policies to prevent people from calling in and changing account settings, though the company declined to comment officially on the matter.
The breach shines a spotlight on security practices for large companies and users alike. Honan has said that the damage could have been mitigated if he’d enabled two-factor authentication on his Google account, or if he’d avoided using the same email prefix (his first initial and last name, “mhonan”) on multiple services.
However, much of the responsibility clearly lies at the feet of Apple and Amazon. While the responses from the companies may be regarded as positive steps, it’s clear that more stringent security mechanisms must be implemented to ensure that breaches like this don’t become commonplace. It’s also led to suggestions that the current system of usernames and passwords is antiquated, and in need of replacement, but with the degree to which that practice is entrenched and the lack of a viable widespread alternative, it would seem that change is unlikely in the foreseeable future.