• Apple Puts 24-Hour Freeze On Over-The-Phone Password Resets

    Apple’s latest non-answer to the password-reset hack made public late last week is a 24-hour freeze on over-the-phone password resets.

    Apple’s “say nothing” approach to the recent password-reset hack that turned tech writer Matt Honan’s iLife upside down hasn’t quieted the public outcry. Sources inside Apple familiar with the matter told Wired today that the over-the-phone password-reset freeze would last at least 24 hours. The employee didn’t know the exact reason behind the stopgap measure, but speculated that it is a temporary measure while Apple determines what changes to make.

    Amazon recently dealt with a similar loophole that allowed people to take control of someone’s account if they knew the account holder’s name, e-mail address, and mailing address. Those lucky enough to have dealt with Sprint’s online account “verification” process over the years may be familiar with account hijacking as well. Sprint’s verification measures used to include (and may still include) generic questions that everyone had to answer, like “what high school did you go to?”, in order to access their account or change their password. Once intruders had access to a user’s account, they could order phones, accessories, and other products and have them charged to the user’s account.

    While Apple is rightfully taking a huge right hook to the chin for this absurd lapse in security, it is not the only company that uses this sort of password-reset protocol. Expect changes to sweep across the online security world, and fast.

    Source: Wired
    This article was originally published in forum thread: Apple Puts 24-Freeze On Over-The-Phone Password Resets, started by Phillip Swanson.
    2 Comments
    1. Micturition -
       This is exactly what should be happening. Only banks and other crucial account-hosting websites should be doing the same.
    2. szr -
       This is why I use custom answers to such security questions that only I would know. For example, a security question for a best friend's name would usually prompt me to use an obscure moniker a friend of mine may have used some 15+ years ago in some obscure system that no longer exists. That sort of thing. Remember, just because security questions ask for certain information doesn't mean you have to use real information; rather, it's better to use something that's only uniquely (and preferably obscurely) meaningful to you.