http://www.macnn.com/articles/12/08/08/move.comes.after.wired.reporter.hacked.ios.osx.devices.wiped/

Temporary ban placed on phone AppleID password resets

updated 02:10 am EDT, Wed August 8, 2012


Move comes after Wired reporter hacked; iOS, OSX devices wiped


On Tuesday, Apple ordered its telephone support staff to immediately stop processing AppleID password change requests. The change in procedure, likely a temporary one, follows the hijacking of Wired reporter Mat Honan's accounts over the weekend. An attacker tricked an AppleCare representative into resetting Honan's iCloud password, which set off a chain of password resets, each granting access to the next system, and ended with Honan's Twitter accounts in the attacker's hands and his MacBook, iPad, iPhone, and GMail account completely wiped.

An Apple employee told Wired that the phone support password procedure change would last at least 24 hours, but MacNN was told that the block would remain in place "as long as it takes" to update Apple's policies and procedures so that another event like the weekend's hack cannot take place. The change follows changes to Amazon's security routine, which previously allowed attackers to gain control of an Amazon account as long as the account holder's name, email address, and mailing address were known.

Wired was attempting to recreate the events of the weekend hack when the block was discovered. The attempt failed: the phone representative said that the company was undergoing "maintenance upgrades" that prevented password resets over the phone, and directed all password reset requests to iforgot.apple.com. In a telephone conversation with support supervisors, MacNN learned that the identity verification procedure to be used once the temporary ban on phone password resets expires was "in discussion" at the executive level of Apple support.

Honan said he has confirmed with both Apple and the hacker who victimized him that his iCloud account was compromised through a "social engineering" trick played on AppleCare. The hacker persuaded an AppleCare support staffer to skip the security questions by providing information obtained from Amazon, and then had Honan's password reset, which gave the hacker complete access to anything tied to Honan's iCloud account or email address. This included not only his personal and Gizmodo Twitter accounts, but also Honan's GMail account, which was completely deleted.

The Find My iPhone app in iOS includes a device erase feature, and the hacker used it to remotely wipe Honan's Mac, iPhone, and iPad once the iCloud account had been seized. Apple admits that a failure to follow its normal support procedures and rules made the hack possible.


by MacNN Staff


Comments

  1. hayesk

    Professional Poster

    Joined: 09-17-99

    The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.

  2. blahblahbber

    Banned

    Joined: 02-01-05

    Originally Posted by hayesk

    The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.

    Let's see how Apple deals with this blow once it resumes.... Maybe, just maybe we'll see a "We F'ed up" page. That would be honorable.

  3. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by blahblahbber

    > Originally Posted by hayesk
    >
    > The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.

    Let's see how Apple deals with this blow once it resumes.... Maybe, just maybe we'll see a "We F'ed up" page. That would be honorable.
    I’m pretty sure they’ve done the honorable thing and been in contact with everybody affected by this violation of internal guidelines…you know, that one guy…the journalist...
