The Security Flaws in Apple’s iCloud Account Reset Policies

Marco Arment:

Amazon’s system is partially at fault, but the weakest link by far is Apple. It’s appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts.

At the bare minimum, for this level of recovery that bypasses security questions, they should require confirmation of the entire credit-card number and verification code, no matter what they need to do to remain PCI-compliant and pull that off.

Apple needs to address this, and quickly. I can only wonder how many nogoodniks have been trying this scam in the last day now that it’s been widely publicized.

Update: I should point out that I disagree with Marco, though, about Apple requiring more credit card digits. This whole strategy of verification is fundamentally flawed. I wouldn’t write my iCloud password on a piece of paper in my wallet, but my wallet contains my home address and credit cards. Someone who finds my wallet should not be able to take over my iCloud account with nothing more than my driver’s license and credit card.

Tuesday, 7 August 2012