Apple and Amazon respond to account security concerns

This weekend, Wired's Mat Honan had his internet accounts hacked and iPhone, iPad, and Mac erased, thanks to his own linking of accounts, lack of two-factor authentication, and lack of backups -- but also because of severe problems with both Apple's and Amazon's online security policies and procedures. Basically, with an internet connection and a social engineering attack, anyone could get at least partially into anyone else's stuff.

Amazon was the first to respond, according to Wired's Nathan Olivarez-Giles:

On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts. Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”

And Apple followed up, again according to Wired:

Apple on Tuesday ordered its support staff to immediately stop processing AppleID password changes requested over the phone, following the identity hacking of Wired reporter Mat Honan over the weekend, according to Apple employees. An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours.

Both of these reactions sound like triage -- getting some pressure on the exploit to stop the bleeding so they have time to do a proper follow up and, hopefully, change their policies to something a lot more secure.

It sucks that this happened to Honan, but it's good that both Amazon and Apple are taking action. The attention needs to stay on them until a better solution is in place and they embrace the idea of continually appraising and updating their policies going forward.

And while Apple and Amazon are in the hot seat this time, Google, Microsoft, Facebook, and every other player large and small would do well to take this as a cautionary tale and examine and re-examine their own policies so they're never next.

You've all gone and set up two-factor Google verification, realistic backup strategies, and good, strong passwords for all your other accounts, right?

Source: Wired + Wired

Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


Reader comments

Actually, I was just going to more fully implement my 1Password app and have it generate strong passwords for me instead of just remembering the ones I made up when.....

Safari started crashing like crazy yesterday and this morning. I googled around and it seems 1Password and Mountain Lion don't play well together. Great.

Is this happening to you, Rene? I remember you recommended 1Password etc.

I'm pleased to announce that I actually did need a little kick in the butt on my passwords and locks. While all my data was safely backed up, I felt my passwords should be stronger.

- Enabled two-factor
- Put simple PINs on my iDevices (with 10-try wipe enabled)
- Used a naming convention to effectively randomize (and NOT write down) my passwords for the top thirty or so sites and services I use
- Set my password to 12345, just like my luggage (just kidding on that last one!)

Thanks for dropping an ax kick on my complacency guys!

Heh, yep, I actually do something very similar. I was just trying to be a bit vague in my description so somebody didn't learn my ways and hack me! But that XKCD piece is an excellent visualization of methods I've been taught over the years.

Another thing I have always done because of my medical IT background: I always lock my computer as I get up. A quick Windows+L on a PC or hot corner on a Mac. :)

It is nice to see these companies at least attempting to address the issue but it is sad that there are so many others online that have almost no security. I was looking for a new bank the other day and found one that required passwords to be between 5 and 10 characters. Really? You're going to let me create a password consisting of 5 characters?

There should be some standard developed for security best practices. I'm sure that something exists, yet I have not seen it promoted by any online business. We have the Better Business Bureau and Energy; where is a standard for online security?

Password minimums should be 10 characters. It is frustrating to see even password vault apps that max out at 16 chars. There should be standards defining which bits of personal information you expose to employees and customers, both over the phone and through email. The US educational system has FERPA and healthcare has HIPAA. But what good are any of the other standards if the account can be easily hacked?

At least if they raised the bar and made it optional then people would know if the site meets the basics in security. As this exploit shows, you have to think not only of the information you display, but the effect of information that may be gathered from multiple sources.