Hacked, Updates wired.com

After Mat Honan was hacked (hard), Amazon fixed the errors that they were responsible for:

On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.

That’s some good news, but as Marco Arment explains, Amazon’s changes are small beans next to what Apple needs to do:

Amazon’s system is partially at fault, but the weakest link by far is Apple. It’s appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.

I was alarmed that Apple (or any company) would ever allow this. The last four digits of your credit card number are effectively public knowledge, as far as security measures are concerned. Apparently, Apple didn’t get this memo:

My source at Apple confirmed issuing password reset based on name, last 4 of CC, address, and AppleID was “absolutely” Apple policy.

Mat Honan and Nathan Olivarez-Giles now have confirmation that Apple has temporarily stopped over-the-phone password resets:

An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.

Unfortunately, it’s only a temporary measure. It needs to be as difficult as possible for passwords to be reset if the user is unable to confirm their identity. The fact that it was this simple to reset a password over the phone with publicly accessible information is appalling.
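To make the point concrete, here is an added Python model (not code from this post, from Apple or from Amazon) that contrasts the knowledge-based check the post describes, where name, address and the last four card digits are enough, with a reset flow that only succeeds after the caller proves control of a registered recovery channel. The field names, the verifier classification and the challenge format are assumptions made for this illustration.

```python
"""Account-recovery policy model: public knowledge vs. proof of possession (added example)."""
from dataclasses import dataclass, field
from enum import Enum
import hmac
import secrets


class Verifier(Enum):
    """How much a piece of evidence proves about the caller (assumed taxonomy)."""
    PUBLIC = 0       # anyone can learn it: name, address, card last four
    POSSESSION = 1   # proves control of a channel the account holder registered


# Classification of what a support agent might be offered on a reset call.
# Constructed for this example; the keys are placeholders, not a real product's fields.
VERIFIER_CLASS = {
    "name": Verifier.PUBLIC,
    "billing_address": Verifier.PUBLIC,
    "account_email": Verifier.PUBLIC,
    "card_last4": Verifier.PUBLIC,          # 10**4 possibilities, printed on receipts
    "recovery_email_code": Verifier.POSSESSION,
    "trusted_device_prompt": Verifier.POSSESSION,
}


def weak_policy(presented):
    """The policy the post describes: name + address + card last four suffices."""
    required = {"name", "billing_address", "card_last4"}
    return required <= set(presented)


def strong_policy(presented):
    """Reset only if at least one possession-based verifier was confirmed.

    Public-knowledge fields may locate the account but never authorise the reset.
    """
    return any(VERIFIER_CLASS.get(v) is Verifier.POSSESSION for v in presented)


@dataclass
class RecoveryChallenge:
    """One-time code sent out of band to a registered recovery address.

    Single use, attempt-limited, and compared in constant time so the agent
    cannot be talked into "just reading it back" or into unlimited guessing.
    """
    code: str = field(default_factory=lambda: f"{secrets.randbelow(10**8):08d}")
    attempts_left: int = 3
    used: bool = False

    def verify(self, submitted):
        if self.used or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        ok = hmac.compare_digest(self.code, submitted)
        if ok:
            self.used = True
        return ok


def reset_via_challenge(presented, challenge, submitted_code):
    """Full flow: public fields route the call, the challenge decides it."""
    confirmed = set(presented)
    if challenge.verify(submitted_code):
        confirmed.add("recovery_email_code")
    return strong_policy(confirmed)


# Constructed sample: everything an outsider could assemble from public sources.
PUBLIC_ONLY = {"name": "Example Customer",
               "billing_address": "1 Placeholder St",
               "card_last4": "1234"}

if __name__ == "__main__":
    print("weak policy grants reset:", weak_policy(PUBLIC_ONLY))      # True
    print("strong policy grants reset:", strong_policy(PUBLIC_ONLY))  # False
    ch = RecoveryChallenge()
    print("wrong code accepted:", reset_via_challenge(PUBLIC_ONLY, ch, "00000000"))
    print("real code accepted:", reset_via_challenge(PUBLIC_ONLY, ch, ch.code))
```

The design point is that `strong_policy` never consults the public fields at all when deciding; they are only ever used to find which account the caller is talking about, so knowing them buys an attacker nothing beyond what a phone book would.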