August 08, 2012, 8:52 PM — In the wake of the hack that hit Wired senior writer Mat Honan, Apple has temporarily changed the way users can reset the passwords for their Apple IDs.
Weve temporarily suspended the ability to reset Apple ID passwords over the phone, Apple spokesperson Natalie Kerris told Macworld. Were asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two wayseither have a password reset sent to an alternate email address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.
Thats a stronger stance than Apple initially took; on Monday, the company said that its own internal policies were not followed completely. The company also added that it would review those processes to ensure the protection of customer data.
Several of Honans accounts were compromised as part of the hack, including his Apple ID, which gave the attacker the ability to erase his iPhone, iPad, and MacBook. Even more troubling, the hacker, who reset Honans Apple ID password by calling customer support, was only asked to verify his purported identity using readily available information about Honan: a billing address and the last four digits of his credit card. The latter was acquired from Amazon, which lets customers call in and change account settings over the phone provided they could give their name, email address, and mailing addressthree more pieces of information that are relatively easy to find online.
Wired reporters say they were able to duplicate the hack several times on Monday. By late in the day, however, Amazon had reportedly changed their policies to prevent people from calling in and changing account settings, though the company declined to comment officially on the matter.
The breach shines a spotlight on security practices for large companies and users alike. Honan has said that the damage could have been mitigated if hed enabled two-factor authentication on his Google account, or if hed avoided using the same email prefix (his first initial and last name, mhonan) on multiple services.