The ripples from Mat Honan’s weekend security incursion keep pushing outward. Earlier today Amazon shifted policy to prevent account details from being changed via a phone call, which blocks one avenue the hackers used to get the personal info used to compromise Honan’s iCloud account. Now, according to Wired, the other shoe has dropped: Apple’s phone support team is in a 24-hour freeze for account resets by phone.
This change, which Wired confirmed with an internal Apple source and also tested directly by trying to perform a password reset in a call with AppleCare, might be a temporary holding action until Apple comes up with a more permanent adjustment to its security policies. As Honan’s story unfolded late Friday night, it wasn’t immediately clear how the hackers gained access to his iCloud account, but it turned out that with just an email address, mailing address and the last four digits of the account’s credit card, AppleCare would provide a temporary account password over the phone.
Apple could implement a two-factor authentication scheme similar to Google’s approach, but that’s confusing to set up for mobile devices and in situations where a separate challenge step doesn’t work smoothly (calendar or email apps, for instance). Apple could also do a callback step to the phone that’s on the account, although in the case of a stolen phone that might not help. Even a multiple-choice “which of these songs did you purchase on this date” account detail check might add some security to the process, but a perfect system hasn’t been invented yet.
As risk guru Bruce Schneier points out (in the context of a far more tragic incident), “Novelty plus dread plus a good story equals overreaction.” Human beings aren’t particularly good at accurately assessing risk, and we focus on solving the last problem rather than the next one. Hopefully Apple will take this wake-up call on account security as an opportunity for a clear-eyed evaluation of some of the ongoing, high-incidence security issues it faces rather than focusing exclusively on the headline problem.
[hat tip to MacRumors]
AppleCare freezes over-the-phone password resets in wake of hacking incident originally appeared on TUAW – The Unofficial Apple Weblog on Tue, 07 Aug 2012 22:00:00 EST.