New MacBook Pros are here! Get the lowest prices anywhere: Apple Price Guides updated Aug 20th (exclusive coupons)
 


Tuesday, August 07, 2012, 05:51 pm PT (08:51 pm ET)

Apple reportedly puts hold on over-the-phone password resets in response to hack [u]

A report on Tuesday claims Apple has put a 24 hour hold on over-the-phone AppleID password change requests, possibly in response to the high-profile hack of Wired reporter Mat Honan's iCloud account.

Update: In a separate report, Wired notes Amazon has also modified its security policies and will no longer be accepting over-the-phone account changes.

According to an unnamed Apple employee familiar with the matter, the call-based password reset freeze will remain in effect for at least 24 hours and speculated the ban is meant to give Apple time to assess the situation, reports Wired.

The publication corroborated the tip with an AppleCare representative while trying to replicate the security exploit that allowed hackers access to Honan's iCloud, Twitter and Gmail accounts. Wired's most recent attempt failed, the representative said, because Apple had initiated system-wide "maintanence updates" which put a halt to changing AppleID passwords over the phone.

“Right now, our system does not allow us to reset passwords,” the AppleCare representative said. “I don’t know why.”

On Friday, Honan's iCloud account was compromised, with hackers wiping data from his MacBook, iPad and iPhone and locking him out of other internet services. It was discovered later that the hackers' goal was to gain access to Honan's unique @mat Twitter feed.

Mat Honan

Wired writer Mat Honan. | Source: Wired


The hackers allegedly used a combination of Amazon's credit card record keeping system, Apple's user authentication requirements and "social engineering" to gain entry into Honan's iCloud account.

"On Monday, we were able to call Apple, reset AppleID passwords over the phone, and gain access to iCloud accounts by supplying AppleCare representatives with a name, e-mail address, mailing address and the last four digits of a credit card number linked to an AppleID," Wired writes. "This is the exact same information hackers supplied Apple with on Friday to get a temporary password that gave them access to Honan’s iCloud account."

Because Honan's accounts were all tied together with credit card numbers and redundant email addresses, the hackers didn't have a hard time skirting existing security measures.

Apple released a statement on Monday, saying “we found that our own internal policies were not followed completely.” The internal source, however, notes that if the Apple rep issued a temporary password based on the hacker-supplied AppleID, physical address and last four credit card digits, they would have "absolutely" been operating within Apple's instituted guidelines.