If you forget your Apple iCloud password, don’t expect to hop on the phone to change it. Apple announced today that for the time being, it will no longer change passwords over the phone, according to The New York Times.
The move comes after a hacker tricked an Apple customer service representative into handing a hacker the keys to Wired reporter Mat Honan’s digital kingdom.
Over the weekend, the hacker, aka Phobia, gamed Amazon customer service, who gave him access to Honan’s account. The information Phobia found there provided him enough information to trick Apple and get into Honan’s iCloud account. From there, Phobia deleted Honan’s Gmail account, wiped his iPhone, iPad, Mac, and spammed his and Gizmodo’s Twitter accounts (Honan had linked the two accounts previously).
Apple spokesperson Natalie Kerris said this in a statement:
“We’ve temporarily suspended the capability to reset AppleID passwords over the phone. We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways – either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.”
At the time, all you needed to retrieve an Apple password was the person’s e-mail address, billing address, and the last four digits of a credit card on file. These pieces of information are easily uncovered with a little digging. Phobia snagged the last four digits of Honan’s credit card after breaking into his Amazon account, which was fairly easy as well.
Phobia accessed Honan’s Amazon account by providing an account holder’s name, e-mail address, and billing address (that last of which Phobia found after doing a “WhoIs” lookup on one of Honan’s websites) to a customer service representative. Once approved, Phobia added a new credit card number to the account, which was later used as “identifying information” to trick a second Amazon representative into letting Phobia into the account. The four-digit credit card number used to trick Apple was listed inside the account.
Yesterday, Amazon quietly told customer service that it was no longer allowed to change account information, such as adding a credit card number or e-mail address, over the phone.