
Temporary ban placed on phone AppleID password resets
MacNN Staff
Join Date: Jul 2012
Aug 7, 2012, 11:14 PM

On Tuesday, Apple ordered its telephone support staff to immediately cease AppleID password change requests. The likely temporary change in procedure comes following Wired reporter Mat Honan's identity hack over the weekend, resulting in completely deleted MacBook, iPad, iPhone, and GMail accounts after an attacker tricked an AppleCare rep into resetting Honan's iCloud password, which started a chain of password reset procedures to access the next system, culminating in the reporter's Twitter accounts.

An Apple employee told Wired that the phone support password procedure change would last at least 24 hours, but MacNN was told that the block would be in place "as long as it takes" to update Apple's policies and procedures to prevent another event like the weekend's hack from taking place. The change follows changes to Amazon's security routine, which previously allowed hackers to gain control of an Amazon account as long as the name, email address, and mailing address were known. Wired was attempting to recreate the events of the weekend hack when the block was discovered. The attempt failed, and the phone representative said that the company was undergoing "maintenance upgrades" that prevented password resets over the phone. The phone support technician directed all password reset requests to iforgot.apple.com.

In a telephone conversation with support supervisors, MacNN discovered that the final identity verification procedure after the expiration of the temporary ban on phone password resets was "in discussion" at the executive level of Apple support.

Honan said he has confirmed with both Apple and the hacker that victimized him that his iCloud account was compromised by a "social engineering" trick with AppleCare. The hacker managed to get an AppleCare support staffer to skip security questions by providing information from Amazon, and then reset Honan's password, giving the hacker complete access to anything tied to Honan's iCloud account or email address. This included not only personal and Gizmodo Twitter accounts, but also Honan's GMail account, which was completely deleted. The Find My iPhone app in iOS sports a device erase feature and was used to perform remote wipes of Honan's Mac, iPhone, and iPad following iCloud seizure by the hacker. Apple admits to a failure to follow normal support procedures and rules, which resulted in the hack.

hayesk (Professional Poster)
Join Date: Sep 1999
Aug 8, 2012, 07:51 AM

The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.
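The policy described in this post, as an added example that is not part of the original thread: a reset is approved only when the caller answers the current security questions, and if those questions were changed inside an assumed 30-day window the caller must also answer the previous set. The window, the hashing scheme and the `demo()` scenario are assumptions of this example, not anything Apple has stated.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumed window after a question change during which the old answers are still required.
RECENT_CHANGE_WINDOW = timedelta(days=30)

def _digest(answer: str) -> str:
    # Normalise case/whitespace before hashing so a spoken answer is compared fairly.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

class SecurityQuestions:
    """One question set with hashed answers and the time it was put in place."""
    def __init__(self, answers: dict, set_at: datetime):
        self.set_at = set_at
        self._digests = {q: _digest(a) for q, a in answers.items()}

    def verify(self, given: dict) -> bool:
        # Every question must be answered correctly; digests compared in constant time.
        return all(hmac.compare_digest(d, _digest(given.get(q, "")))
                   for q, d in self._digests.items())

class Account:
    def __init__(self, current, previous=None):
        self.current = current
        self.previous = previous  # questions in force before the most recent change

def phone_reset_allowed(acct, answers_current, answers_previous, now, log):
    """Approve a phone reset only when every required challenge is passed."""
    if not acct.current.verify(answers_current):
        log.append("deny: current security questions not answered")
        return False
    if acct.previous is not None and now - acct.current.set_at < RECENT_CHANGE_WINDOW:
        if not acct.previous.verify(answers_previous):
            log.append("deny: questions changed recently, old answers required")
            return False
    log.append("approve")
    return True

def demo():
    """Constructed scenario: the questions were replaced two days before the call."""
    now = datetime(2012, 8, 9)
    old = SecurityQuestions({"pet": "Rex"}, now - timedelta(days=400))
    new = SecurityQuestions({"city": "Cupertino"}, now - timedelta(days=2))
    acct, log = Account(new, old), []
    only_new = phone_reset_allowed(acct, {"city": "cupertino"}, {}, now, log)
    both = phone_reset_allowed(acct, {"city": "cupertino"}, {"pet": "rex"}, now, log)
    later = phone_reset_allowed(acct, {"city": "Cupertino"}, {}, now + timedelta(days=60), log)
    wrong = phone_reset_allowed(acct, {"city": "Paris"}, {"pet": "rex"}, now, log)
    return (only_new, both, later, wrong), log
```

The denial reasons appended to `log` are what a support team would want to alert on: a caller who can answer only the freshly changed questions is the pattern this thread is about.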

blahblahbber (Banned)
Join Date: Feb 2005
Aug 9, 2012, 01:27 AM

Originally Posted by hayesk:
    The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.

Let's see how Apple deals with this blow once it resumes.... Maybe, just maybe we'll see a "We F'ed up" page. That would be honorable.

Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 9, 2012, 01:47 AM

Originally Posted by blahblahbber:
    Originally Posted by hayesk:
        The right thing to do is stick to the policy of requiring the user to answer the security questions before resetting the password. And if the security questions have been changed recently, then don't reset the password unless the caller can answer the old questions.

    Let's see how Apple deals with this blow once it resumes.... Maybe, just maybe we'll see a "We F'ed up" page. That would be honorable.

I’m pretty sure they’ve done the honorable thing and been in contact with everybody affected by this violation of internal guidelines…you know, that one guy…the journalist...
All contents of these forums © 1995-2015 MacNN. All rights reserved.