updated 08:00 pm EDT, Mon September 24, 2012
Better security comes at a cost for forgetful customers
With the release of the iPhone 5, a number of previous and new customers are encountering first-hand the new reality of Apple's increased emphasis on better security: it is now much more difficult to reset one's iCloud or Apple ID password than it used to be. While this is better overall for consumers because it makes it harder for identity thieves to gain control of an account, it is also more difficult for customers who may not be able to jump through the newly required hoops set up to verify their identity before a reset can occur.
One of the most difficult password resets to do is accomplished over the phone, a method preferred by some buyers due to the human interaction element and their own comfort zone. Apple previously required only the correct billing address and the last four digits of a credit card to do a reset. It was discovered, however, that social engineering could quite easily put this information into the hands of others through a fault in Amazon's account security (since fixed), and that it could then be used to gain access to iCloud accounts (and others) that used the same information. Password resets by email can now only be sent to the email address that was previously on file.
The company now requires that users get at least two correct answers to a series of questions, along with a "verification code" sent to the device which a user then verifies by typing it back. MacRumors has received reports from Apple phone CSRs who say the process now takes longer, but more importantly the influx of calls regarding password resets has increased to ten times normal levels thanks largely to the release of the iPhone 5.
The increase in password-reset calls is said to come from customers who are trying to restore iCloud backups of their previous phones onto their new iPhones and cannot remember their iCloud password. The CSRs' advice on how best to avoid problems is to have a real credit card associated with the account (even if rarely used), and to set up Find My iPhone, which works with all iOS devices and offers a much easier "verification code" authentication for resetting passwords. Users should also be prepared to answer not one but several security questions (which were pre-picked by the user).
Another tip mentioned in the report was that users should not reset both the password and the security questions at the same time, particularly if no credit card is attached to the account. Should the new password not work, the inability to rely on the old security questions or detailed credit card information could make it impossible for Apple customer service to avoid "freezing" the account until owner confirmation can be achieved through other means. [via MacRumors]