Apple and Amazon stop over-the-phone password resets

Security-low nimbus?

Apple and Amazon have made it impossible to reset your password over the phone, for the time being at least.

This follows the hacking of Wired writer Mat Honan's iCloud account, which saw his iPhone, iPad, and MacBook Air remote wiped within minutes.

Hackers gained access to his account over the phone, exploiting a loophole in Apple's AppleCare and Amazon's tech support. The hackers added a new credit card to Honan's Amazon account - all they needed was Honan's name, email address and billing address. Then they phoned back, saying they couldn't access the account, and were able to reset the password using the new credit card as proof of identity.

They phoned Apple next, impersonating Honan, and it all went from there.

The hackers couldn't answer Honan's security questions, but that didn't prove to be much of a hurdle. Which is a little worrying, to say the least.

Buying time

An unnamed Apple employee told Wired the freeze on phone access is to buy Apple time to work out how to reform its security policy.

Amazon is taking similar steps. "We have investigated the reported exploit and can confirm that the exploit has been closed as of yesterday afternoon," an Amazon spokesperson told CNET. So now you can't make changes to your Amazon account over the phone either.

Hopefully we'll see tightened security controls from both companies soon. Considering how well-publicised this has been, we're expecting a statement from Apple to that effect any day now.

Via The Verge, CNET

Joe Svetlik
