9 Comments

Summary:

Both Apple and Amazon have quickly moved to close security loopholes. But Wired writer Mat Honan’s experience has rightfully freaked people out. Apple has to make long-term security-policy changes, both practical and symbolic, that communicate to users that they can and should trust iCloud security.

After being on the receiving end of a truly awful hacking attack, Wired writer Mat Honan explained how it happened in detail. And he was very clear about two of the parties responsible for leaving major loopholes that let hackers into his digital life: Amazon’s and Apple’s security policies, in tandem, were used against him. Now, unsurprisingly, both Amazon and Apple have quickly and quietly moved to close those loopholes. For Amazon, it means no longer letting users change or update account info over the phone. For Apple, it means it has temporarily instructed customer-service representatives to stop helping customers reset passwords via the phone.

Reports the New York Times on Wednesday:

“We’ve temporarily suspended the ability to reset AppleID passwords over the phone,” said Natalie Kerris, an Apple spokeswoman, in a statement. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways — either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.”

That’s great — for now. But Honan’s experience has rightfully freaked out a lot of people, especially Apple users. Apple is going to have to make long-term changes, both practical and symbolic, that communicate to users that they can trust iCloud and Apple’s security measures. But what those will be isn’t clear. And it’s not even clear Apple knows yet.

What’s most dismaying for users about this situation is the lack of agreement among companies on what kind of information is to be considered private and secure. Amazon, as Wired pointed out, doesn’t (or didn’t) think the last four digits of a credit card were sensitive information. But Apple deemed them secure enough to use as a key to unlock the door to your AppleID via a password reset, together with your name and billing address.

Apple’s iCloud is the very center of the company’s vision and strategy now. It makes phones, tablets, computers and set-top boxes that all hook into one another in different ways via iCloud. It’s very convenient for users to open up Safari on a MacBook and see the website they were reading or the document they were working on on the iPhone earlier today, just as it’s helpful that they can access their iPhone photos on their MacBook or iPad without having to do any manual transferring of files.

But that convenience comes with a price. As my colleague Derrick Harris wrote earlier, the most important thing for consumers who have bought into the cloud is to remember that “if we want to be part of it, we just have to keep on trusting our providers to keep us safe.”

That’s why Apple has its work cut out for it now. Obviously it needs a more secure procedure for Apple ID account access than information any retailer you happen to do business with would have. The statement from Apple on Wednesday shows that it understands the severity of the problem. But it will need to communicate the eventual fix clearly to future and current customers so users feel safe using its cloud.

  1. Yes, Apple and Amazon each have a hole to plug, but an even bigger lesson from this is DON’T LINK YOUR ACCOUNT LOGINS and BACK UP YOUR STUFF.

  2. “Apple will need to communicate the eventual fix clearly to future and current customers so users feel safe using its cloud.”

    If I were Tim Cook I’d be on this.

  3. As long as people scatter their info all over the cloud, cross referencing will be the challenge. While it might look innocent to have a little data here and over there, putting it together is always more powerful.
    In the apsense of any understanding of cross referencing by providers as well of users, Google’s two factor approach per provider and application is one possible solution. Just be prepared for an incredible mess over time, multiple generations of gadgets from different providers.
    Context also would help, how can a machine let itself be wiped if it is at a location where it should be and the user/owner could be asked for confirmation?

    1. Ronald, you make an incredible point. Why not incorporate some kind of GPS / location into security? All of the pieces are there…heck, I even have ‘home’ in my car, and on my phone…why not add it to security? You maybe on to something…

  4. You have to treat the web as you would a bathroom wall – nothing is secure. No different than handing your credit card and drivers license to a waiter at a bar or restaraunt. Ironically for this individual, if he would have been using the ‘cloud’ and been swimming in the Apple pool, as they want you to, none of his data would have been lost. When you remote wipe your machine, it doesn’t delete the information in the cloud….granted it would have taken time to reinstall all of the programs one at a time, but it’s still do-able. Even better would have been a simple back up to Time Machine – then restoring would have only been one click away, on all of his Apple devices…

  5. I am glad apple is doing what it can to look into this. Information in the cloud must be secure.

  6. Cloud is a cute name for somebody else’s hard drives that pretend to be your own, and you have no idea where in the world they really are.

    Woz is right, it’s going to be a mess implementing cloud computing.

    Kids growing up will use cloud computing as their primary system, though, and that will change the perception.

    In the meantime, I back up everything. Maybe I’ll use the cloud to store Dilbert comic steps.

  7. While Apple clearly needs to do some work, the major problem with this particular case lies with Amazon. Yet almost every article I read seems to focus on Apple. I don’t understand it.

    1. As Mat Honan notes, your local pizza delivery guy also has the last 4 digits of your credit card number. Apple gives you a temporary password to iCloud with name, email, billing address and the last 4 credit card numbers. If Apple isn’t going to enforce the correct answers to security questions, well, why have the questions at all?

Comments have been disabled for this post