Apple and Amazon reset phone password resets
Following reports that the resetting of passwords over the phone by customer service representatives allowed hackers to use iCloud to remotely wipe author Mat Honan's MacBook, iPhone and iPad, both Amazon and Apple have changed their policies, according to reports from Wired. The magazine appears to have continued testing the techniques used by the hackers who staged the attack on Honan and found that both companies have now put in place measures to stop the social engineering exploit.
In the case of Amazon, the company's customer service representatives say that they will no longer add credit cards to accounts over the phone. This move should stop social engineers from adding bogus cards to accounts and then using the bogus card number to authenticate adding an email address with a new password to the account.
Apple have taken more temporary action with a reported freeze on resetting AppleID passwords over the phone while the company considers what changes to make to security policies. The freeze is expected to last at least 24 hours and users who wish to change their passwords are being directed to iforgot.apple.com to do an online reset.
Neither company has made official statements about the policy changes; the information was obtained from customer service representatives responding to Wired's repeated testing of password reset systems. It is therefore unclear what the companies' final policies will be.