Just a reminder to tighten up the policies and procedures for customer service.
IT security is not just firewalls and ID systems; social engineering is the most overlooked aspect of security. You can pretty much walk up to a receptionist and ask for a temporary badge to get into an office, or walk up to the IT helpdesk and get ‘your’ password reset.
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
The change follows similar security tightening at Amazon, which on Tuesday closed a hole in its customer service systems that gave people the ability to gain control of a customer’s Amazon account as long as the hacker knew the name, e-mail address and mailing address of the victim. (Wired)
I am sorry for Mat Honan, but the attack was precise. Once you take over someone’s email, you can start claiming other accounts one after another: a lot of services require you to verify or connect with more than one account, including email accounts.
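The chain described above is a transitive one: every account that can be reset through the compromised mailbox falls, and every account that can be reset through those falls next. The following is an added example (not code from the post or from any of the companies named) that models password-reset relationships as a graph and computes the blast radius of losing a single account. The account names and their recovery links are constructed for illustration.

```python
from collections import deque

# Constructed example: for each account, the accounts that can reset its
# password (any one of them suffices). Names are hypothetical.
RECOVERY_LINKS = {
    "phone": [],                               # root of trust: nothing resets it
    "primary_email": ["phone"],                # reset via SMS code
    "backup_email": ["primary_email"],         # reset via link to primary mailbox
    "bank": ["primary_email", "phone"],        # reset via either channel
    "social": ["primary_email"],
    "cloud_storage": ["backup_email"],
}


def compromised_from(seed, links):
    """Return the set of accounts reachable from `seed` by following
    password-reset relationships transitively (breadth-first)."""
    owned = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for account, recoverers in links.items():
            if account not in owned and current in recoverers:
                owned.add(account)
                queue.append(account)
    return owned


def blast_radius(links):
    """Map each account to how many accounts (itself included) an attacker
    gains by compromising it alone. Large values mark single points of
    failure that deserve the strongest reset controls."""
    return {account: len(compromised_from(account, links)) for account in links}


if __name__ == "__main__":
    for account, size in sorted(blast_radius(RECOVERY_LINKS).items(),
                                key=lambda kv: -kv[1]):
        print(f"{account:15s} exposes {size} account(s)")
```

Running it against the constructed graph shows that the phone number and the primary mailbox each expose almost everything, while a leaf account such as `social` exposes only itself; that ranking is where reset-procedure tightening (the point of the post) pays off most.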