Over this past weekend we reported that writer Mat Honan had quite a few of his personal online accounts hacked, all due to a lack of security with Apple support. I’m not going to blame Apple directly because mistakes happen, but they are now working to add additional security to over-the-phone password resets.
For the time being, all password resets over the phone are suspended. If you call requesting a password reset, the Apple employee will redirect you to Apple’s iForgot webpage. An Apple employee, speaking to Wired, mentioned the suspension will last at least 24 hours.
Wired actually attempted to re-create the hacking situation:
Our Apple source’s information was corroborated by an Apple customer service representative, who told us Apple was halting all AppleID password resets by phone. The AppleCare representative shared that detail while Wired was attempting to replicate Honan’s hackers’ exploitation of Apple’s system for the second day. The attempt failed, and the representative said that the company was going through system-wide “maintenance updates” that prevented anyone from resetting any passwords over the phone.
On Monday, customers were only required to present their “name, e-mail address, mailing address and the last four digits of a credit card number linked to an AppleID” to AppleCare employees. But when Tuesday came along, customers were asked to present a serial number from a device linked to an AppleID.
If you were creating Apple’s new policy, what information would you require over the phone?