Nathan Olivarez-Giles and Mat Honan for Wired.com:
Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired Reporter Mat Honan over the weekend, according to Apple employees.
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
Amazon made a similar decision earlier today:
Previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.
On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
Good move on both sides, although it shouldn’t have taken both companies so long to react once the holes were known and malicious persons could take advantage of them. It will be interesting to see how Apple will change its system in the long run.
Mat Honan was targeted last weekend by hackers and lost his personal data after they remotely wiped his iOS devices and MacBook. They accessed his accounts through several loopholes in Apple’s and Amazon’s support systems.
I wonder how many other accounts were targeted and accessed like this without their owners being able to make a big stink and get the proper attention.