Apple freezes over-the-phone password resets in response to Honan hack
An anonymous Apple employee confirmed to Wired tonight that the company is putting a 24-hour freeze on over-the-phone password verification—a step in Apple ID security that cost Wired reporter Mat Honan an iPhone, iPad, MacBook, several e-mail accounts, and two Twitter accounts worth of information over the weekend.
The hacker took control of Honan's three Apple devices after gaining access to Honan's iCloud and .Me account. Apple tech support changed the account password after the hacker gave the rep Honan's e-mail address, the last four digits of a credit card number, and the associated billing address, which the hacker gleaned from Amazon tech support. Earlier today, Amazon said it would no longer allow customers to call and change account and e-mail settings.
Yesterday, Apple publicly maintained that nothing was wrong with its security policies. "In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer," Apple said in a statement. "In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected."