Apple’s latest non-answer to the password-reset hack made public late last week is a 24-hour freeze on over-the-phone password resets.
Apple’s “say nothing” approach to the recent password-reset hack that turned tech writer Matt Honan’s iLife upside down hasn’t helped the public outcry. Sources inside Apple familiar with the matter told Wired today that the over-the-phone password freeze would last at least 24 hours. The employee didn’t know the exact reason behind the stopgap measure, but speculated that it is a temporary measure while Apple determines what changes to make.
Amazon dealt with a similar loophole recently that allowed people to take control of someone’s account if they knew the account holder’s name, e-mail address, and mailing address. Those lucky enough to have dealt with Sprint’s online account “verification” process over the years could be familiar with account hijacking as well. Sprint’s verification measures used to include (and may still include) generic questions that everyone had to answer, like “what high school did you go to?”, in order to access their account or change their password. Once invaders had access to a user’s account, they could order phones, accessories, and other products and have them charged to the user’s account.
While Apple is rightfully taking a huge right hook to the chin for this absurd lapse in security, it is not the only company that uses this sort of password-reset protocol. Expect changes to sweep across the online security world, and fast.