Apple Inc. is beefing up security for resetting user passwords after a journalist wrote about a hack affecting his personal data, highlighting possible weaknesses in the system protecting more than 400 million user accounts.
The company is temporarily suspending the ability to reset AppleID passwords over the phone while it takes steps to make the procedure more secure, said Natalie Kerris, a spokeswoman for Cupertino, California-based Apple. Mat Honan, a reporter for Wired, wrote this week that hackers gained access to his account, erasing pictures and other data from his iPhone, iPad and MacBook, after resetting his password by phone.
Honan said the incident highlighted potential vulnerabilities in AppleID, the account credential Apple customers use to buy music, movies and applications from iTunes, to download software updates and to reach content stored on Apple’s iCloud Web-storage service. Kerris said Apple customers will need to use the company’s iForgot online system to reset their passwords while the phone process is suspended.
“This system can reset a password in one of two ways: either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up,” Kerris said. “When we resume over-the-phone password resets, customers will be required to provide even stronger identity verification to reset their password.”
In the Aug. 6 article, Honan wrote that the hackers were able to use the last four digits of his credit-card number and his home address to get a member of Apple’s tech-support staff to reset his password. He said the hackers got his credit-card information by first gaining access to his account at online retailer Amazon.com Inc.
“The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan said in his article.
Ty Rogers, a spokesman for Seattle-based Amazon, said the company has investigated the reported exploit and closed it off. He declined to elaborate.
In addition to the Apple and Amazon accounts, the hackers also gained access to Honan’s Gmail account, which they used to reset the password for his Twitter Inc. profile. Once they had control of the Twitter account, the hackers posted racist and homophobic messages on the microblogging site, Honan said.
Honan’s experience underscores a vulnerability for people who have several accounts linked back to an e-mail address, said Derek Halliday, lead security product manager at Lookout Inc., a maker of security software. Once the hackers had access to his e-mail account, they could reset passwords for other websites.
People should identify what online accounts they operate that could, if compromised, lead to exposure of other data, Halliday said. He recommends creating complex passwords, with at least eight characters, using upper- and lower-case letters, as well as numbers and special characters. He also suggests keeping work and personal accounts separate, so that if one is hacked the others won’t be compromised.
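The exercise Halliday describes, working out which accounts fall if one is compromised, can be done mechanically by treating password-recovery paths as a directed graph. The following is an added example written for this page, not code from Apple, Amazon, Wired or Lookout. It takes a list of (compromised account, account reachable from it, mechanism) edges and computes, for each account, which others an attacker can reach from it and which accounts sit in a reset loop, where each is only as strong as the weakest member. The sample edges are constructed: the Amazon-to-Apple and Gmail-to-Twitter links follow the chain in the article, while the iCloud-to-Gmail and Gmail-to-Amazon links are assumptions made for illustration and are marked as such in the code.

```python
"""Model account-recovery dependencies as a directed graph and compute the
blast radius of each account compromise.

Added example for this page; not code from Apple, Amazon, Wired or Lookout.
The sample edges below are constructed for illustration.
"""
from collections import deque

# Constructed sample. Each edge: taking over `src` lets an attacker take
# over `dst` by the described mechanism.  The icloud -> gmail and
# gmail -> amazon links are assumptions; the article states only that the
# attackers also got into Gmail and used it to reset Twitter.
SAMPLE_EDGES = [
    ("amazon", "apple",
     "last four card digits shown in the Amazon account satisfy Apple's phone reset"),
    ("apple", "icloud",
     "the AppleID credential also controls iCloud (stored content, remote wipe)"),
    ("icloud", "gmail",
     "ASSUMED: the iCloud address is the Gmail recovery e-mail"),
    ("gmail", "twitter",
     "Twitter password-reset e-mail is delivered to Gmail"),
    ("gmail", "amazon",
     "ASSUMED: Amazon password-reset e-mail is delivered to Gmail"),
]


def build_graph(edges):
    """Adjacency map: account -> list of (reachable account, mechanism)."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
        graph.setdefault(dst, [])  # make sure sinks appear as nodes too
    return graph


def blast_radius(graph, start):
    """Return {account: path} for every account transitively reachable from
    `start`, excluding `start` itself.  `path` lists the accounts taken over
    in order, so it doubles as the attacker's playbook for that target."""
    reached = {}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for nxt, _how in graph.get(node, []):
            if nxt == start or nxt in reached:
                continue
            reached[nxt] = path + [nxt]
            queue.append((nxt, reached[nxt]))
    return reached


def rank_accounts(graph):
    """Accounts ordered by how many others fall when they are compromised.
    The top entries are the ones that most need strong, independent
    verification (and an independent recovery channel)."""
    return sorted(((acct, len(blast_radius(graph, acct))) for acct in graph),
                  key=lambda item: (-item[1], item[0]))


def reset_loops(graph):
    """Accounts from which a chain of resets leads back to themselves.
    Every account in such a loop is only as strong as the weakest one in it,
    because compromising any member eventually yields all of them."""
    return sorted(acct for acct in graph
                  if any(dst == acct
                         for node in blast_radius(graph, acct)
                         for dst, _how in graph.get(node, [])))


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    for acct, count in rank_accounts(g):
        print(f"{acct:8s} compromise exposes {count} other account(s)")
    print("reset loop:", ", ".join(reset_loops(g)))
    for target, path in blast_radius(g, "amazon").items():
        print(f"amazon -> {target}: {' -> '.join(path)}")
```

Run against the constructed sample, the graph shows that Twitter is a pure sink (nothing else depends on it) while every other account sits in one loop, so the four-digit check at Apple and the recovery e-mail at Gmail are the links worth hardening first. Replacing the sample edges with your own recovery settings gives the list Halliday recommends drawing up.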