Apple Suspends Over-the-Phone AppleID Password Resets

130 points, by derpenxyne, almost 13 years ago

8 comments

X-Istence, almost 13 years ago
"After Epic Hack [...]".

Sorry, not that epic. Yes, multiple steps were required, but the biggest issue in security once again was the human element.

Epic would be finding the flaws in SSL/TLS that allow you to generate a valid cert for any domain (Moxie Marlinspike), or a bug in DNS that is such cause for concern that people have to upgrade their infrastructure (Dan Kaminsky), or intercepting GSM calls (Chris Paget) while making the device believe it is on a legitimate network.

This hack came down to social engineering and using flaws in two companies' verification systems. That isn't epic. People have been calling companies and people on the phone for decades and having them hand over information without proper identification/verification. The guy's stuff got remote erased; well damn, the system worked as it was supposed to work ... other than that the right person wasn't at the controls ... remote wipe worked as expected.

Yes, changes have to be made, and yes, security and verification of identity have to be made more secure when there is a lot at stake, but this hack was by no means epic.
Comment #4353404 not loaded
Comment #4353442 not loaded
Comment #4353403 not loaded
Comment #4353326 not loaded
craz, almost 13 years ago
I think having to re-enable remote wipe on each device after a password reset would be a reasonable compromise.
Comment #4354074 not loaded
Comment #4353747 not loaded
nileshtrivedi, almost 13 years ago
Wouldn't it be much better if video calls (or Facetime) became ubiquitous (and mandated for auth)? The mere fact that the attacker needs to show his face for getting the password reset should improve things a lot because it would make detection as well as post-facto investigation much easier.
vm, almost 13 years ago
Wired mentions Apple 46 times in the article (including twice in the title)... and Amazon 3 times. In fact, most of the public and HN outrage about this incident has been directed at Apple.

That's the downside of Apple being so close to perfect. We expect perfection from them at all times. And when they make a mistake, it seems 100x more outrageous than if it were any other company.

Don't get me wrong, they made a terrible mistake in this case, but Amazon has gotten off lightly in comparison.
Comment #4353348 not loaded
Comment #4353352 not loaded
Comment #4353316 not loaded
Comment #4353330 not loaded
Comment #4353584 not loaded
Comment #4353476 not loaded
Comment #4353444 not loaded
jsz0, almost 13 years ago
Does Apple do in-store password resets? I'm thinking with their retail presence this would be a good solution. If you want your password reset come into the store with a photo-ID and the physical credit card on your account. Doesn't get much better than that. I realize not everyone has an Apple Store nearby but many do.
Comment #4353419 not loaded
Comment #4355064 not loaded
Comment #4354910 not loaded
willfulwizard, almost 13 years ago
> In an earlier attempt on Tuesday to change an AppleID password (which is the same password used to log into iCloud and iTunes), Apple customer service offered up a different response, saying that passwords could only be changed over the phone if we were able to supply a serial number for a device linked to the AppleID in question — for example, an iPhone, iPad or MacBook computer.

Adding (or worse, substituting) a serial number helps, but seems insecure in the event of a lost/stolen phone. A device serial number, plus all the already mentioned info (name, address, last 4 characters of a credit card), are all reasonably easy to extract from a stolen phone. It would be nice if some piece of info not usually stored on a phone were required. I suppose that a lost phone is already a security breach, but any containment would be an improvement.
Comment #4353788 not loaded
yalogin, almost 13 years ago
Interestingly, Google will not get into this situation because they do not offer over-the-phone support. That is the advantage of being a free service, I guess! People do not expect customer service beyond a point.

Of course, they offer two-factor authentication.
Comment #4355943 not loaded
aufreak3, almost 13 years ago
I see no reason not to use a password manager (ex: keychain on macOS) to keep different usernames and passwords for each account. It is very little overhead (at least with keychain).

And yes, I mean different user names even if it is required to be a valid email id. If you use gmail, you can use "yourid+RandomNumberOrAnything@gmail.com" as the email address. This is additional protection against remote hackers, since guessing the account name of one account doesn't get you the names of accounts on other services.

And yes, ABSOLUTELY NO reason to not have 2 factor auth for your google account.
Comment #4353712 not loaded
Comment #4355348 not loaded
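The plus-addressing scheme in the comment above, worked through as an added example (this is not code from the thread or from any commenter). It assumes Gmail's documented delivery rules: the local part is case-insensitive, dots in it are ignored, and anything after a "+" is dropped before delivery. The base mailbox and the service names are constructed sample values. The example generates a random per-service alias, as the comment suggests, and also shows the caveat a defender should keep in mind: canonicalizing any alias recovers the underlying mailbox, so the alias hides the login name from guessing but is not a separate identity.

```python
"""Per-service e-mail aliases via Gmail plus-addressing.

Added example, not code from the original thread. Assumes Gmail's
documented delivery rules (case-insensitive local part, dots ignored,
'+tag' suffix dropped). BASE_MAILBOX and the service names are
constructed sample values.
"""
import re
import secrets

# Constructed sample mailbox; any real account would differ.
BASE_MAILBOX = "yourid@gmail.com"

_LOCAL_PART_OK = re.compile(r"^[a-z0-9]+$")


def make_alias(base: str, nbytes: int = 6) -> str:
    """Return `base` with a random '+tag' so each service gets a distinct login name.

    A random tag (rather than '+servicename') means that leaking one alias does
    not let anyone derive the alias used at another service; the tag has to be
    stored in the password manager alongside the password for that service.
    """
    local, domain = base.split("@", 1)
    tag = secrets.token_hex(nbytes)
    return f"{local}+{tag}@{domain}"


def canonicalize_gmail(address: str) -> str:
    """Reduce a Gmail address to the mailbox it actually delivers to.

    Gmail ignores dots in the local part, drops a '+tag' suffix and treats the
    local part case-insensitively, so every alias from make_alias() collapses
    to the same canonical mailbox. This is why plus-addressing only hides the
    login name from guessing; it does not create a separate account.
    """
    local, domain = address.strip().lower().split("@", 1)
    if domain not in ("gmail.com", "googlemail.com"):
        raise ValueError(f"not a Gmail address: {address}")
    local = local.split("+", 1)[0].replace(".", "")
    if not _LOCAL_PART_OK.match(local):
        raise ValueError(f"invalid local part in {address}")
    return f"{local}@gmail.com"


def issue_aliases(base: str, services) -> dict:
    """Build a {service: alias} table, as a password manager entry would store it."""
    table = {}
    for svc in services:
        alias = make_alias(base)
        # Guard against the (astronomically unlikely) collision so aliases stay distinct.
        while alias in table.values():
            alias = make_alias(base)
        table[svc] = alias
    return table


def all_deliver_to(table: dict, base: str) -> bool:
    """True if every alias still routes to `base` once canonicalized."""
    target = canonicalize_gmail(base)
    return all(canonicalize_gmail(a) == target for a in table.values())


if __name__ == "__main__":
    aliases = issue_aliases(BASE_MAILBOX, ["shop-example", "forum-example", "bank-example"])
    for svc, alias in aliases.items():
        print(f"{svc:14s} {alias}")
    print("all route to", canonicalize_gmail(BASE_MAILBOX), "->", all_deliver_to(aliases, BASE_MAILBOX))
```

The random tag is what gives the scheme its value: a predictable tag such as "+twitter" is as guessable as the base address, whereas a tag stored only in the password manager is not. The canonicalization step is the flip side, and shows why this is a defence against account-name guessing only, not a substitute for two-factor authentication on the underlying mailbox.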