August 8, 2012
Apple Issues Freeze On Password Changes In Response To Hacking Incident
Michael Harper for redOrbit.com — Your Universe Online
Following Mat Honan's harrowing tale of having his accounts hacked and his digital life wiped clean, Apple has reportedly suspended over-the-phone Apple ID password resets for at least the next 24 hours.
Apple ordered its support staff on Tuesday to stop taking requests for password changes over the phone, according to employees who spoke with Wired.com. Rather than use a brute-force attack to break into Honan's accounts (email, iCloud and Twitter), the hackers simply engaged in some "social engineering," calling the customer-service lines of both Amazon and Apple to have his passwords changed. By calling Amazon, the hackers were able to change Honan's account password, which in turn gave them access to some important information: namely, the last four digits of his credit card.
Armed with the last four digits of his credit card and his billing address, the hackers were then able to call AppleCare, pretend to be Mat Honan, and gain access to his entire digital life. From there, they remotely wiped his iPad, iPhone and MacBook Air. Then they used his .me mail account to break into his Gmail account, and from there they accomplished the only goal they had in mind when they started the intrusion: taking the @mat Twitter handle.
Though Honan had used a secure, albeit slightly old, password on his account, the hackers took advantage of the human element rather than any technical vulnerability. The data AppleCare accepted as proof of identity was not secret at all: the last four digits of a card are printed on receipts and, as it turned out, were visible to anyone who could reset the Amazon account.
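The chain above is really an attack-path problem over account-recovery policies: each service treats certain facts as proof of identity, and each service, once taken over, discloses other facts. The following is an added example, not code from the article or from any of the companies it names, that models the policies as data and searches for a takeover chain from publicly obtainable facts. The Apple hop (billing address plus last four card digits) and the .me-to-Gmail-to-Twitter hops follow the article; what Amazon required over the phone, the attacker's starting facts, and the service and fact names are assumptions chosen for illustration.

```python
# Added example (not from the article): model each service's password-reset
# policy as "facts the caller must present" and "facts gained after takeover",
# then search for a takeover chain starting from publicly obtainable facts.
# The Amazon requirements and the starting facts are assumptions; the Apple
# requirements and the later hops follow the chain the article describes.

PUBLIC_FACTS = {"name", "email", "billing_address"}   # assumed attacker starting point

POLICIES = {
    "amazon":  {"requires": {"name", "email", "billing_address"},  # assumed
                "grants":   {"card_last4"}},                        # visible once inside
    "apple":   {"requires": {"billing_address", "card_last4"},      # AppleCare check per the article
                "grants":   {"me_mailbox"}},                        # control of the .me account
    "gmail":   {"requires": {"me_mailbox"},                         # .me was the recovery address
                "grants":   {"gmail_mailbox"}},
    "twitter": {"requires": {"gmail_mailbox"},                      # Gmail was the recovery address
                "grants":   set()},
}


def find_attack_path(policies, starting_facts, target):
    """Forward-chain over the policies: take over any service whose reset
    requirements are already satisfied, add what it discloses, repeat.
    Returns the ordered list of services compromised up to `target`,
    or None if the target is unreachable from the starting facts."""
    known = set(starting_facts)
    owned = []
    progress = True
    while target not in owned and progress:
        progress = False
        for name, policy in policies.items():
            if name not in owned and policy["requires"] <= known:
                owned.append(name)
                known |= policy["grants"]
                progress = True
                break   # rescan from the top so the path reflects takeover order
    return owned if target in owned else None


def cross_service_factors(policies):
    """Facts that one service accepts as proof of identity while another
    service discloses them to whoever controls the account. Such a fact is an
    authenticator only as strong as the weakest service that reveals it."""
    disclosed_by = {}
    for name, policy in policies.items():
        for fact in policy["grants"]:
            disclosed_by.setdefault(fact, set()).add(name)
    findings = {}
    for name, policy in policies.items():
        for fact in policy["requires"] & set(disclosed_by):
            findings.setdefault(fact, {"required_by": set(), "disclosed_by": set()})
            findings[fact]["required_by"].add(name)
            findings[fact]["disclosed_by"] |= disclosed_by[fact]
    return findings


def harden(policies, service, extra_fact):
    """Return a copy of the policies in which `service` additionally demands
    `extra_fact` (for example a one-time code sent to an already-enrolled
    device), i.e. a fact that no other service can disclose."""
    hardened = {n: {"requires": set(p["requires"]), "grants": set(p["grants"])}
                for n, p in policies.items()}
    hardened[service]["requires"].add(extra_fact)
    return hardened


if __name__ == "__main__":
    print("weak path:", find_attack_path(POLICIES, PUBLIC_FACTS, "twitter"))
    print("shared factors:", cross_service_factors(POLICIES))
    fixed = harden(POLICIES, "apple", "device_otp")   # 'device_otp' is a hypothetical factor name
    print("after hardening AppleCare:", find_attack_path(fixed, PUBLIC_FACTS, "twitter"))
```

Run as a script, it prints the four-hop path amazon, apple, gmail, twitter, flags card_last4 as a factor Apple required but Amazon disclosed, and shows that adding a device-bound factor to the Apple policy makes the Twitter handle unreachable from public facts even though the Amazon account still falls. The point of the model is that an identity check is only as good as the secrecy of its inputs across every service that handles them, which is exactly the assumption that failed here.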
On the Monday after the weekend attacks, Amazon announced it had changed its customer privacy policies to close this gap. Customers can no longer call Amazon's customer service to have account settings changed, including credit cards on file or email addresses.
While Amazon officials weren't available for comment after the changes went into effect, Wired.com reporters who called customer service to confirm them were told the changes were put in place for "your security."
Likewise, Apple has yet to offer an official statement on the new changes, though one Apple employee speaking anonymously told Wired the over-the-phone password-reset freeze would last 24 hours, presumably long enough for Apple to work out exactly what happened during the attack on Honan and what it can do to ensure this sort of misstep doesn't happen again.
Wired again tried to corroborate these claims by calling AppleCare in an attempt to change its own passwords over the phone. A customer service representative told Wired they were unable to change the password because the company was undergoing "system-wide maintenance updates" that prevented password resets over the phone. Wired was then directed to attempt the password change online, via iforgot.apple.com.
“Right now, our system does not allow us to reset passwords,” said the Apple customer service rep.
"I don't know why."
While Apple has yet to announce any changes in response to this security flaw, it did issue a statement on Monday regarding this specific incident, saying, "we found that our own internal policies were not followed completely."
Apple could issue another statement in the coming hours regarding any new policy changes for Apple IDs and password resets.