Apple and Amazon pull over-the-phone password resets
Apple and Amazon have both pulled the ability to reset password information over the phone after a high-profile tech journalist was hacked, leaving egg on the faces of two of the world’s largest tech companies.
Wired writer Mat Honan’s iCloud account was hacked and wiped, costing him all the data on his iPhone, iPad and MacBook Air within minutes. Hackers had used a loophole in Apple’s AppleCare and Amazon’s phone-based tech support.
They added a new credit card to Honan’s Amazon account (which merely required Honan’s name, email address and billing address), and used the new card details to reset his password.
Using the same details, they phoned AppleCare, impersonating Honan. They were even able to blag their way past Honan’s security questions.
Apple have now told Wired that they have put a hold on phone access to security features in order to figure out exactly what went wrong. Amazon are doing likewise, telling CNET:
“We have investigated the reported exploit and can confirm that the exploit has been closed as of yesterday afternoon.”
Both Apple and Amazon will need to make public any reforms they have put in place following this lapse in security in order to renew consumer confidence in their security procedures.