08-07-2012, 11:00 PM #1
Apple Puts 24-Hour Freeze On Over-The-Phone Password Resets
Apple’s latest non-answer to the password-reset hack made public late last week is a 24-hour freeze on over-the-phone password resets.
Apple’s “say nothing” approach to the recent password-reset hack that turned tech writer Matt Honan’s iLife upside down hasn’t helped the public outcry. Sources inside Apple familiar with the matter told Wired today that the over-the-phone password freeze would last at least 24 hours. The employee didn’t know the exact reason behind the stopgap measure, but speculates it’s a temporary measure while Apple determines what changes to make.
Amazon dealt with a similar loophole recently that allowed people to take control of someone’s account if they knew the account holder’s name, e-mail, and mailing address. Those lucky enough to deal with Sprint’s online account “verification” process over the years could be familiar with account hijacking as well. Sprint’s verification measures used to include (and may still) generic questions that everyone had to answer like “what high school did you go to?” in order to access their account or change their password. Once invaders had access to a user’s account they could order phones, accessories, and other products and have them charged to the user’s account.
While Apple is rightfully taking a huge right hook to the chin for this absurd lapse in security, they’re not the only company that utilizes this sort of password-reset protocol. Expect changes to sweep across the online security world, and fast.
Last edited by Orby; 08-07-2012 at 11:09 PM. Reason: typo
08-07-2012, 11:32 PM #2
This is exactly what should be happening. Only banks and other crucial account-hosting websites should be doing the same
08-08-2012, 06:27 PM #3
This is why I use custom answers to such security questions that only I would know. For example, a security question for a best friend's name would usually prompt me to use an obscure moniker a friend of mine may have used some 15+ years ago in some obscure system that no longer exists. That sort of thing. Remember, just because security questions ask for certain information, doesn't mean you have to use real information, but rather it's better to use something that's only uniquely (and preferably obscurely) meaningful to you.
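The two halves of the thread above (the generic, guessable questions in the Sprint anecdote in post #1, and the "use an answer only you know" advice in post #3) come together in the following added example. It is not code from the thread or from Apple, Amazon or Sprint; it shows the user side (generate a random answer and treat it as a second password kept in a password manager) and the service side (store the answer as a salted, stretched hash and compare in constant time, so a leaked database does not leak the answers). The 32-word list is constructed for the example, and the PBKDF2 parameters are my own choice, not any vendor's.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 32-word list for this example only (5 bits of entropy per word).
# A real deployment would draw from a large published list such as the EFF
# diceware list (7776 words, roughly 12.9 bits per word).
WORDLIST = [
    "anchor", "basalt", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "falcon", "granite",
]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the service's budget


def generate_answer(num_words: int = 4) -> str:
    """User side: a random answer to store in a password manager.

    Nothing about it is true or discoverable, so the question text
    ("what high school did you go to?") no longer matters to an attacker
    who knows the account holder's name, e-mail and address.
    """
    return " ".join(secrets.choice(WORDLIST) for _ in range(num_words))


def answer_entropy_bits(num_words: int = 4) -> float:
    """Entropy of a generated answer, for comparison with a real answer
    (the set of plausible high schools is tiny by comparison)."""
    return num_words * math.log2(len(WORDLIST))


def _normalize(answer: str) -> bytes:
    # Users retype these: tolerate case and stray whitespace, nothing else.
    return " ".join(answer.casefold().split()).encode("utf-8")


def enroll_answer(answer: str) -> tuple[bytes, bytes]:
    """Service side: keep only a salted, stretched hash, exactly as for a password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(salt: bytes, stored_digest: bytes, candidate: str) -> bool:
    """Service side: recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(candidate), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    answer = generate_answer()
    salt, digest = enroll_answer(answer)
    print(f"answer to keep in the password manager: {answer!r}")
    print(f"entropy: {answer_entropy_bits():.1f} bits with this toy list")
    print("retyped answer accepted:", verify_answer(salt, digest, answer.upper()))
    print("guessed real answer rejected:", verify_answer(salt, digest, "Lincoln High"))
```

The service-side half is the part the thread's vendors got wrong: a recovery answer that is stored in the clear, or that a phone agent reads back and checks by eye, is a second password with none of a password's protections. Normalizing only case and whitespace before hashing keeps retyping tolerant without widening the match space.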