Apple and Amazon have both temporarily stopped resetting customer passwords over the phone, while a better security system is worked out after a technology journalist was hacked using social engineering.


The two companies will now assess their security procedures after Wired journalist Mat Honan had his Apple, Amazon and Gmail accounts compromised, followed by the remote wiping of his iPhone, iPad and MacBook Air.

Amazon told CNET: "We have investigated the reported exploit, and can confirm that the exploit has been closed as of yesterday afternoon."

This was followed by an unnamed Apple employee telling Wired that there was a freeze on resetting account passwords by phone until the company could come up with a more secure solution. "Right now, our system does not allow us to reset passwords," the employee said.

She added: ""This system can reset a password in one of two ways - either have a password reset sent to an alternate email address already on record or challenge the customer to answer security questions they had previously set up. When we resume over the phone password resets, customers will be required to provide even stronger identify verification to reset their password."

Hackers gained access to Honan's accounts by first adding a new credit card to his Amazon account - needing just his name, email address and billing address - before calling back to request a new password, which was given after providing the newly-added card details.

The hackers then proceeded to call Apple's Applecare service and, pretending to be Honan, gained access to his Apple account and finally his iCloud account - this access led them to use the Find My iPhone and Find My Mac services to remotely wipe his devices and lock them with a new four-digit PIN.

Honan explained, in a lengthy piece on the Wired website after one of the hackers, Phobia, contacted him via Twitter: "What happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's.

"Apple tech support gave hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information."

Honan concludes: "In short, the very four digits that Amazon considers to be unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

Data in the cloud will be 'horrendous'

Just days before Honan published his account of the hacking on Wired, Apple co-founder Steve Wozniak voiced his concern about the safety of relying on the cloud during a question and answer session.

"I really worry about everything going to the cloud," Woz told the audience after a performance of The Agony and Ecstasy of Steve Jobs, a new one-man show about the Apple co-founder performed by Mike Daisey.

Woz added that taking more of our computing into the cloud is "going to be horrendous," with a lot of "horrible problems in the next five years."

"With the cloud, you don't own anything. You already signed it away. I want to feel that I own things. A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it."