On Tuesday, TheBlaze reported on a security flaw that used a few relatively easy-to-find bits of personal information -- the last four digits of a credit card number and an email and billing address -- and led to what Mat Honan described as the destruction of his digital life.
Using the last four digits of Honan's credit card number stored by and found through Amazon.com, hackers were able to get Apple customer service to reset the password to his Apple ID, access to which eventually let them take over his email and social media accounts and remotely wipe his Apple devices of information.
On Monday -- when Honan first described the Friday incident for Wired's GadgetLab -- the method by which he was hacked was still functional (Wired tried it out). Now, though, both Apple and Amazon are taking steps to help close these vulnerabilities.
Wired reports that Amazon is changing its policies in what seems to be a direct result of Honan's experience, which he noted has happened to other victims as well:
Previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.
On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
Wired says the company made the policy change "quietly"; Wired only noticed the change after it tried to replicate the hack again on Tuesday and wasn't able to do so. Representatives were not available for comment.
Apple has also temporarily frozen its policy that allows customer service representatives to change Apple ID passwords over the phone, which was how hackers were able to take over Honan's ID in the first place. Honan's supposed identity was authenticated over the phone using the four digits of his credit card.
Our Apple source’s information was corroborated by an Apple customer service representative, who told us Apple was halting all AppleID password resets by phone. The AppleCare representative shared that detail while Wired was attempting to replicate Honan’s hackers’ exploitation of Apple’s system for the second day. The attempt failed, and the representative said that the company was going through system-wide “maintenance updates” that prevented anyone from resetting any passwords over the phone. The rep said we should try calling back after about 24 hours, and directed us to iforgot.apple.com to change AppleID passwords ourselves on the web instead.
“Right now, our system does not allow us to reset passwords,” the Apple rep told Wired. “I don’t know why.”
While it’s clear that Apple is reacting to the privacy vulnerability that surfaced with the hacking of Honan’s digital identity, it’s unclear what final policy change will emerge. Apple officials declined to comment on whether permanent changes to the company’s security measures were planned.
When Honan initially reported his devastating hack, an Apple representative said that some of the company's own procedures were not followed on the phone call that led to his password change.
Read more about Honan's experience, as well as details that could help protect yourself from a similar hack here.