Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
The scariest part of his hacking was that it didn’t rely on a single password being guessed, brute-forced, phished, or stolen. It wouldn’t have mattered whether his password was “password” or “XEyOI^5FyC6gE!1BokW;uPpv2ick+lBo”.
This has been going around for the past few days after the Apple and Amazon accounts of Mat Honan were both easily hacked by calling tech support of the companies with basic information and getting the passwords changed.
Marco also mentions a few ideas that the companies should adopt, such as sending a verification message to the customer's mobile phone before a password is changed.
Either way, it’s a good time to start thinking of better ways to handle password change requests, especially when customers call over the phone.
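To make the "send a message to the mobile phone" idea concrete, here is an added example (not code from the original post, nor from Apple or Amazon) of how a support-desk password reset can be verified out of band instead of by reciting details a caller may have obtained elsewhere. The account store, the SMS sender hook, the phone number and the e-mail address are all constructed assumptions; the point is that the last four card digits never enter the flow, a one-time code goes only to the number already on file, and the code is short-lived, hashed at rest, single-use and attempt-limited.

```python
"""Out-of-band verification for phone-initiated password resets (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a reset code is valid for five minutes
MAX_ATTEMPTS = 3         # after this many wrong guesses the code is discarded


@dataclass
class Account:
    email: str
    phone_on_file: str       # registered BEFORE the reset, never supplied by the caller
    pw_salt: bytes
    pw_hash: bytes
    # Note: no "last four card digits" field. They are displayed elsewhere and are not a secret.


@dataclass
class PendingReset:
    code_hash: str           # only the hash of the one-time code is stored
    salt: str
    issued_at: float
    attempts: int = 0


def _hash_code(code: str, salt: str) -> str:
    return hashlib.sha256((salt + code).encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordResetService:
    """send_sms(phone, message) is an assumed hook; clock() is injectable for testing."""

    def __init__(self, send_sms, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingReset] = {}
        self.send_sms = send_sms
        self.clock = clock

    def add_account(self, email: str, phone: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, phone, salt, _hash_password(password, salt))

    def verify_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(
            _hash_password(password, acct.pw_salt), acct.pw_hash)

    def request_reset(self, email: str) -> bool:
        """Step 1: the caller asks for a reset. Nothing about the account is read back;
        a fresh code is sent to the phone number that was already on file."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_hex(8)
        self.pending[email] = PendingReset(_hash_code(code, salt), salt, self.clock())
        self.send_sms(acct.phone_on_file, f"Your password reset code is {code}")
        return True

    def complete_reset(self, email: str, code: str, new_password: str) -> bool:
        """Step 2: the password changes only if the code from the phone is presented in time."""
        pr = self.pending.get(email)
        if pr is None:
            return False
        if self.clock() - pr.issued_at > CODE_TTL_SECONDS:
            del self.pending[email]                 # expired: require a new request
            return False
        pr.attempts += 1
        if pr.attempts > MAX_ATTEMPTS:
            del self.pending[email]                 # too many guesses: discard the code
            return False
        if not hmac.compare_digest(_hash_code(code, pr.salt), pr.code_hash):
            return False
        del self.pending[email]                     # single use
        acct = self.accounts[email]
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new_password, acct.pw_salt)
        return True


def demo() -> dict:
    """Walk the flow with a capturing SMS sender and a controllable clock (constructed data)."""
    sent, now = [], [1_000_000.0]
    svc = PasswordResetService(send_sms=lambda phone, msg: sent.append((phone, msg)),
                               clock=lambda: now[0])
    svc.add_account("customer@example.com", "+1-555-0100", "old-password")
    r = {"unknown": svc.request_reset("nobody@example.com"),
         "requested": svc.request_reset("customer@example.com")}
    code = sent[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    r["wrong_code"] = svc.complete_reset("customer@example.com", wrong, "new-password")
    r["right_code"] = svc.complete_reset("customer@example.com", code, "new-password")
    r["replay"] = svc.complete_reset("customer@example.com", code, "new-password")
    r["new_pw_works"] = svc.verify_password("customer@example.com", "new-password")
    svc.request_reset("customer@example.com")
    code = sent[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1                  # let the second code expire
    r["expired"] = svc.complete_reset("customer@example.com", code, "other")
    r["sms_went_to_file_number"] = all(phone == "+1-555-0100" for phone, _ in sent)
    return r


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the support agent never sees or types the code and never asks for card digits or a billing address: the only proof accepted is control of the phone number that was registered before the call, so knowledge leaked by another company's account page buys the caller nothing.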
Update: Amazon is claiming they’ve already changed their policies and plugged this security hole on their side after the incident.
Update 2: Apple has also posted a change in policies regarding Over-the-Phone AppleID Password Resets