Apple, Amazon, close password door after horse bolts

Apple and Amazon have, in the wake of the grievous p0wnage inflicted on WiReD writer Mat Honan, changed their security procedures and no longer allow password changes to be made over the phone. Much is being made of how sloppy it was for both companies to allow this to happen. I've got worse news: this stuff has been going on …

COMMENTS

This topic is closed for new posts.
  1. Phil Kingston

    With such companies usually requesting far more information about their customers than is necessary for the purpose of providing their service, it is astounding that they haven't then been using that information to ensure they avoid such enormous cock-ups. Like you say, if a bank insists on holding a mobile number for its customers so they can ring them at stupid o'clock and offer them a mortgage, they should also be able to use it to ensure they don't allow someone else unauthorised account access.

    A timely wake up call for them I think.

    1. Annihilator

      "<sob> my phone's been stolen" is quite a common place to start...

      1. ~mico

        Re: my phone's been stolen

        We are sorry, sir/miss, but you will first have to get a new phone and block the old one at your phone company's office.

    2. jonathanb Silver badge

      There are quite a few banks that text you a code to type in to the website when you make a payment.

      1. Anonymous Coward

        Shirley?

        Shirley you mean 'purchase' rather than 'payment'? I'd gladly allow others to make payments. I merely object to attempts to ring up charges to my accounts.

    3. Anonymous Coward

      Customer support is a cost, thereby it has to be cheap, SMS and calls cost...

      Marketing campaigns are thought of as a "money making business" and thereby they get money for calls, SMS and whatever could annoy the recipient most. Customer support is thought of as a "money losing business", thereby it has to be as cheap as it can get, so cut everything to the bone. SMS? They have a cost (unless you can charge the recipient as some "premium SMS" do). Telephone calls? Even more costs!

      1. Stuart Castle Silver badge

        Re: Customer support is a cost, thereby it has to be cheap, SMS and calls cost...

        Now weigh the cost of that text or phone call (which will be a couple of pence at most) against the cost of the loss of the customer's business, the bad publicity and/or costs of any legal action.

        Also, SMSes may be considerably cheaper than you think. After all, those operating scams can afford to send out millions and be in profit if just one person falls for the scam.

        1. Wize

          Re: Customer support is a cost, thereby it has to be cheap, SMS and calls cost...

          And if you work on the rigs in the North Sea, you can't get a text message for up to 3 weeks.

          Not very handy to send out a new password.

          1. Andy Fletcher

            Re: Customer support is a cost, thereby it has to be cheap, SMS and calls cost...

            Guess they hadn't considered oil rig staff. Better put the old system back on then eh? Just get the call centre staff to pre-qualify the caller by asking "are you calling from an oil rig?"

            1. Jean-Luc

              Re: Customer support is a cost, thereby it has to be cheap, SMS and calls cost...

              My name is Paris Hilton and I am a very important person and I need my password reset. Sorry, but you can't send me one of the text whatchamacalits, because I am on an oil rig for 3 weeks.

              My pet's name? Tinkerbell.

  2. Eugene Crosser

    Depends on where's the wealth

    It's the consequence of proliferation of the "cloud".

    Ten years ago money in the bank was as real as a thousand years ago. It was worth the effort to go and try to lift it from a bank. The banks had to learn to deal with that.

    There was not enough value in what was hosted with the tech companies to justify the effort of stealing it, so the techs could afford laxer security practices than banks.

    In recent years, more and more of the stuff that matters is going to the "cloud", which makes it a more attractive target for the evildoers, so only now does the shift to stricter security practices become justified.

    1. Destroy All Monsters Silver badge

      Re: Depends on where's the wealth

      Hah!

      You will find that money in the bank has been as real as your favorite politician's most heartfelt promise to be Good To Every Single Voter since the idea of fractional reserve banking emerged from the mind of a crooked banker like a turd emerges from a bear with diarrhea. Additional uncoupling of paper money by the same politician's decision from any physical good like gold (to pay for the wars, natch) was the last straw.

      1. Eugene Crosser

        Re: Depends on where's the wealth

        All right, all right, not as real as a thousand years ago. I concede.

        The point still stands.

  3. This post has been deleted by its author

  4. LinkOfHyrule

    This is how it actually happened!

    Ring ring

    "Hello banking customer services, how may I help you?"

    "Hi, it's Kylie here, you know, Kylie Minogue!"

    "Can I have your account number and password please..."

    "Urm I can't actually remember my password as I am just so busy being Australia's best loved female solo artist - can I sing I Should be so Lucky to you instead to prove I am who I say I am?"

    *Presses play on CD player*

  5. Arctic fox

    I am actually fairly amazed that two such major companies have/had systems that.........

    ..........could be so easily gamed by bog standard social engineering techniques (if I have understood what was done in this instance). Particularly so since both companies derive major income selling services and content in a fashion that is very dependent on a relationship of trust with their customers. Yes, I know the journalist concerned has admitted that it was partly his fault but that is the point. A significant proportion of these companies' customers are not the sharpest knives in the drawer when it comes to making their side of such systems secure, which means that the reality is that these companies' systems have to (to some extent) protect their customers from those customers' own failings. That is the price you have to pay as a company if you are in that type of business. There really is no excuse for their systems being so readily penetrated by techniques that are, in terms of the history of the "Age of Tech", as old as the hills.

    1. Anonymous Coward

      Re: I am actually fairly amazed that two such major companies have/had systems that.........

      Even in my secondary school in the mid-nineties, we were taught that one of the most successful 'hackers' (in terms of making money, not shits and giggles) was female, and didn't use much specialist IT knowledge.

      She would go (flounce?) into an office "Oh, it's my first day, but I haven't been given my login, please help, I feel so silly" before moving up to the second floor "I've been given my login, this one look, but it doesn't seem to be the right one..." That was if she didn't see a Post-It note on a monitor, of course.

      But yeah, this was taught to 15 year olds more than a decade and a half ago.

      1. Stuart Castle Silver badge

        Re: I am actually fairly amazed that two such major companies have/had systems that.........

        Yep, heard about her...

        I also heard about the bloke in the early 70s who used social engineering techniques (in this case, flirting a lot with the women of the company) to scam about $1,000,000 worth of equipment out of a telco in America.

        All without touching a keyboard.

        This lapse of security by both Amazon and Apple (who are both supposed to be experienced service providers) is worrying. It's worrying because we (with their encouragement) are entrusting increasing slices of our lives to their storage. In the case of Amazon, we are also increasingly trusting potentially sensitive procedures and data from various companies to them, in the guise of their "Cloud" services. Data that can seemingly be accessed by someone phoning up and asking (essentially).

        That's not to let Apple off. No. While Apple don't let you run your own procedures on iCloud, they are still storing potentially sensitive data for various individuals and probably organisations. Data that, as above, can seemingly be accessed by someone phoning up and asking.

        Both companies need to up their security. Hell, even Facebook offers two factor authentication.

  6. TeeCee Gold badge

    Really?

    "....two-factor authentication is now easier than ever to deliver, thanks to SMS...."

    That would assume that I would cheerfully hand over my mobile phone number to organisations known for their swiss-cheese security and close relationship with advertisers.

    Now why would you think that? Have you seen Satan out shopping for thermal underwear?

    1. Term

      Re: Really?

      If you're already handing over the ability of a cloud service to remotely wipe your smart phone, tablet and laptop, surely your mobile phone number is the least of your security concerns!

      1. Anonymous Coward

        Re: Really?

        Anyone daft enough to allow anyone/anything to allow remote data destruction on THEIR hardware is mad.

        Have we not had simple, cheap back-up systems for donkey's years? Have we not also had decent encryption for quite some time as well? Use them.

        The idea of backing up ALL your data with the same folk who can remote wipe data is just plain stupid, and really shows how stupid and lazy folk really are.

        1. Charles 9

          Re: Really?

          You've never had your phone stolen, have you? Remote wipe is usually the last resort to prevent identity theft by someone stealing the phone. It also blocks the phone's account, rendering the phone or SIM useless in terms of using it for nefarious purposes.

          1. Tom 35

            Re: Really?

            If they are taking your phone for the data the first thing they are going to do is remove the SIM. Same if the cops take your phone.

            I lost my last phone some place on the subway (no remote wipe unless someone found it and took it outside, still powered on) and I just called the phone company when I got to work and reported it lost to block the account.

          2. Anonymous Coward

            Re: Really?

            Er, I have had people try. I did not say remote wipe is a bad idea; I said having one useless bunch of jerks in charge of ALL yer data AND remote wipe is a bad idea.

  7. petur

    My bank...

    My bank requests that I drop by in person and show them some ID.

    Works for me.

    And my data is on my own private cloud (Beefy QNAP NAS).

    Works for me too.

    1. Anonymous Coward

      Re: My bank...

      Wow, every fileserver in the world is a cloud now - who knew?

      1. petur

        Re: My bank...

        Don't know about every fileserver, but mine handles my files (duh), backups, streams my music, has my mails, and calendar, can be connected to via VPN, can run a VM if needed,... from a user point of view, it is like using a cloud service.

  8. Peter 39

    easy vs. hard

    Given the state of mind of most people after a theft or loss, it ought to be (relatively) easy to lock an account against being exploited. Maybe even just for 24 hours.

    But it should be quite hard to reset the password so a new one can be established.

  9. Anonymous Coward

    Password reset

    I've been in a situation where I was in a meeting with a financial institution a few years ago who were insisting on FIPS compliant hardware security modules to manage some of the data encryption, but then have capacity for customer service people to READ the password back to the customer if they forgot it. To which we pointed out that a password reset procedure should be used instead and no-one should be able to read the password. They looked surprised and then agreed that our suggestion was better.

    The fact that holes in the Amazon and Apple services exist should come as no surprise when people who came up with that requirement are still in the gene pool.
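    A worked example of the two points made in this post and in Peter 39's "easy vs. hard" post above, added for this thread and not code from any commenter, Apple or Amazon: passwords are kept only as salted hashes so support staff cannot read them back, locking an account is cheap, and a reset needs a single-use, time-limited token delivered to a contact channel registered beforehand. The `Account` class, the 15-minute token lifetime and the sample values are assumptions.

```python
import hashlib, hmac, os, secrets, time

def hash_password(password, salt=None):
    # Salted PBKDF2: nobody, support staff included, can recover the password.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

class Account:
    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed value)

    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.locked = False
        self._reset_token = None  # (token, expiry) while a reset is pending

    def verify(self, password):
        if self.locked:
            return False
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def support_view(self):
        # Everything a support agent may see: no password, no hash.
        return {"username": self.username, "locked": self.locked}

    def lock(self):
        # Easy path: stopping the account needs no proof of identity.
        self.locked = True

    def begin_reset(self, now=None):
        # Hard path: a one-time token for the contact channel the account holder
        # registered earlier; returned here only so the caller can deliver it.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._reset_token = (token, now + self.TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        if self._reset_token is None:
            return False
        expected, expiry = self._reset_token
        self._reset_token = None  # single use, whether or not it matches
        if now > expiry or not hmac.compare_digest(token, expected):
            return False
        self.salt, self.digest = hash_password(new_password)
        self.locked = False
        return True
```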

  10. Tom 35

    Banks

    My Bank (TD) used to phone me to sell me crap then ask me to prove who I was by giving them personal info.

    I would reply with "you called me, prove you are the bank by telling me my mother's maiden name" (and I don't even give them the real one since it can be found in public records).

    I sent them a letter telling them just how stupid they were, training their customers to be marks for phone scams. It took a few months for them to stop doing that and switch to just asking for a postal code to make sure they were not calling the wrong number.

  11. OffBeatMammal

    Apple, not Amazon

    just to be clear...

    Amazon only listed four digits of a credit card number (a common practice elsewhere today)

    Apple gave away the keys to the kingdom by not refusing to divulge the information when the scammer couldn't remember any of the other detail

    Two factor auth - by a phone app, SMS or little dongle you can lose - is a pain in the bum but sadly (for the moment at least) seems to be the way to go... and much as it pains me to say Google with their alternatives (I use the phone app) seems to be the best solution (thanks to my bank and need for RAS access to work I have three token generating devices I have to lug around!)

    1. Kevin (Just Kevin)

      Re: Apple, not Amazon

      > just to be clear...

      > Amazon only listed four digits of a credit card number (a common practice elsewhere today)

      No, they did one more thing than that: They allowed the scammer to add a fake credit card number to the account over the phone. Then they allowed him to use that credit card number, online, to gain access to the account and reveal the last 4 digits of the real credit card number. So they're not innocent.

      BUT The story claims they allowed a password change over the phone. My understanding is that they never did that. They allowed the addition of a credit card to the account. The password change was done online.

    2. Charles 9

      Re: Apple, not Amazon

      Nice idea, but there's a Catch-22. What if the second factor needed to perform such a feat is the very thing you're trying to recover? I don't see how you can perform an out-of-band authentication when you have no second band.

  12. Maryland, USA

    Recently I had to call my credit union to have my password reset. I was asked the most basic of questions, then told, "OK, it's reset." I replied, "Are you kidding me? I don't WANT it to be that easy!" Every site should include challenge questions whose answers not even your twin would know. Paul

    1. Charles 9

      The trouble with that approach is that you inevitably end up with challenge questions even YOU can't answer. And if you have REAL account trouble and are out of the country (and therefore unable to reach a B&M branch--if such a thing exists for your bank/credit union), you're SOL--and it may not even be your fault, even.

  13. MobiusStrip

    They haven't fixed the problem.

    Both Apple and Amazon are still perpetrating the same idiotic security blunder: forcing customers to use an E-mail address as their user ID: http://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html
