After being on the receiving end of a truly awful hacking attack, Wired writer Mat Honan explained how it happened in detail. And he was very clear about two of the parties responsible for leaving major loopholes that let hackers into his digital life: Amazon’s and Apple’s security policies, in tandem, were used against him. Now, unsurprisingly, both Amazon and Apple have quickly and quietly moved to close those loopholes. For Amazon, it means no longer letting users change or update account info over the phone. For Apple, it means it has temporarily instructed customer-service representatives to stop helping customers reset passwords via the phone.
Reports the New York Times on Wednesday:
“We’ve temporarily suspended the ability to reset AppleID passwords over the phone,” said Natalie Kerris, an Apple spokeswoman, in a statement. “We’re asking customers who need to reset their password to continue to use our online iForgot system (iforgot.apple.com). This system can reset a password in one of two ways — either have a password reset sent to an alternate e-mail address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password.”
That’s great — for now. But Honan’s experience has rightfully freaked out a lot of people, especially Apple users. Apple is going to have to make long-term changes, both practical and symbolic, that communicate to users that they can trust iCloud and Apple’s security measures. But what those will be isn’t clear. And it’s not even clear Apple knows yet.
What’s most dismaying for users about this situation is the lack of agreement among companies on what kind of information is to be considered private and secure. Amazon, as Wired pointed out, doesn’t (or didn’t) think the last four digits of a credit card were sensitive information. But Apple deemed them secure enough to use as a key to unlock the door to your AppleID via a password reset, together with your name and billing address.
Apple’s iCloud is the very center of the company’s vision and strategy now. It makes phones, tablets, computers and set-top boxes that all hook into one another in different ways via iCloud. It’s very convenient for users to open up Safari on a MacBook and see the website they were reading or the document they were working on on the iPhone earlier today, just as it’s helpful that they can access their iPhone photos on their MacBook or iPad without having to do any manual transferring of files.
But that convenience comes with a price. As my colleague Derrick Harris wrote earlier, the most important thing for consumers who have bought into the cloud is to remember that “if we want to be part of it, we just have to keep on trusting our providers to keep us safe.”
That’s why Apple has its work cut out for it now. Obviously it needs a more secure procedure for Apple ID account access than information any retailer you happen to do business with would have. The statement from Apple on Wednesday shows that it understands the severity of the problem. But it will need to communicate the eventual fix clearly to future and current customers so users feel safe using its cloud.