AppleCare freezes over-the-phone password resets in wake of hacking incident


The ripples from Mat Honan's weekend security incursion keep pushing outward. Earlier today Amazon changed its policy so that account details can no longer be altered over the phone, closing the avenue the attackers used to obtain the personal information that then unlocked Honan's iCloud account. Now, according to Wired, the other shoe has dropped: Apple's phone support team is under a 24-hour freeze on account resets by phone.

This change, which Wired confirmed with an Apple source and then tested directly by calling AppleCare and asking for a password reset, may be a temporary holding action until Apple settles on a more permanent change to its security policies. As Honan's story unfolded late Friday night it wasn't immediately clear how the attackers got into his iCloud account, but it turned out that with just an email address, a mailing address and the last four digits of the credit card on the account, AppleCare would hand out a temporary password over the phone. None of those three items is a secret: the addresses are easy to look up, and the card digits were among the details the attackers had pulled out of Amazon. A recovery check built on data that other companies also hold is only as strong as the weakest of those companies.

Apple could adopt a two-factor authentication scheme like Google's, but that is confusing to set up on mobile devices and in clients that can't present a separate challenge step (calendar and mail apps, for instance). Apple could also call back the phone number on the account, though if the phone is what was stolen that helps little. Even a multiple-choice "which of these songs did you purchase on this date" account detail check would raise the bar somewhat, but a perfect system hasn't been invented yet. Google's Tim Bray is working on the future of authentication, and he comments that one way to be safer online is to not be "the softest touch on the block": if you're a slightly harder nut to crack, security-wise, casual hackers will generally leave you alone in favor of easier targets.

As risk guru Bruce Schneier points out (in the context of a far more tragic incident), "Novelty plus dread plus a good story equals overreaction." Human beings aren't particularly good at accurately assessing risk, and we focus on solving the last problem rather than the next one. Hopefully Apple will take this wake-up call on account security as an opportunity for a clear-eyed evaluation of some of the ongoing, high-incidence security issues it faces rather than focusing exclusively on the headline problem.

[hat tip to MacRumors]
