After being on the receiving end of a truly awful hacking attack, Wired writer Mat Honan explained how it happened in detail. He was very clear in identifying two of the parties responsible for leaving major loopholes that let hackers into his digital life: Amazon’s and Apple’s security policies, in tandem, were used against him. Not surprisingly, both Amazon and Apple have quickly and quietly moved to close those loopholes. Amazon no longer lets users change or update account info over the phone. Apple has temporarily instructed customer-service representatives to stop helping customers reset passwords via the phone.
The New York Times reported on Wednesday: “‘We’ve temporarily suspended the ability to reset AppleID passwords over the phone,’ said Natalie Kerris, an Apple spokeswoman, in a statement. ‘We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways—either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identity verification to reset their password.’”
That’s great—for now. But Honan’s experience has rightfully freaked out a lot of people, especially Apple users. Apple is going to have to make long-term changes, both practical and symbolic, that communicate to users that they can trust iCloud and Apple’s security measures. What those will be isn’t clear. It’s not even clear Apple knows yet.
What’s most dismaying for users about this situation is the lack of agreement among companies on what kind of information is to be considered private and secure. Amazon, as Wired pointed out, doesn’t (or didn’t) think the last four digits of a credit card were sensitive information. But Apple deemed them secure enough to use as a key to unlock the door to your AppleID via a password reset, together with your name and billing address.
Apple’s iCloud is now the very center of the company’s vision and strategy. It makes phones, tablets, computers, and set-top boxes that all hook into one another in different ways, via iCloud. It’s very convenient for users to open up Safari on a MacBook and see the website they were reading or the document they were working on on the iPhone earlier today, just as it’s helpful that they can access iPhone photos on their MacBook or iPad without having to do any manual transferring of files.
Such convenience comes with a price. As my colleague Derrick Harris wrote earlier, the most important thing for consumers who have bought into the cloud is to remember that “if we want to be part of it, we just have to keep on trusting our providers to keep us safe.”
That’s why Apple has its work cut out for it. The company needs a more secure procedure for Apple ID account access than one that relies on information accessible to any retailer you happen to do business with. The statement from Apple on Wednesday shows it understands the severity of the problem. It will need to communicate the eventual fix clearly to future and current customers so users feel safe using its cloud.