In a high-profile case last month, a hacker was able to gain access to Wired reporter Mat Honan's iCloud, Gmail, Twitter, and Amazon accounts, taking control of much of Honan's digital life and remote wiping his iPhone, iPad, and MacBook Air. Honan later detailed how the hack was accomplished through social engineering by entering the system through weaknesses in Amazon's account security and then using credit card information stored there to gain access to Honan's iCloud account.
Following the incident, Apple temporarily halted over-the-phone iCloud password resets, which had required only the user's billing address and the last four digits of the credit card on file with the account. Apple has since rolled out new authentication for password resets, including a requirement that users provide two correct responses to a small group of challenges that includes user-set security questions, more detailed credit card information, and device confirmations via either serial number or pushed Find My iPhone verification codes.
We've heard from several Apple support employees who have noted that their abilities to help customers have been severely restricted as part of the effort to tighten up security, with staff only able to send password resets to email addresses on file with the account. Employees are no longer permitted to send password resets to arbitrary email addresses and can no longer set temporary passwords on accounts to enter troubleshooting mode during support calls.
One employee we spoke with has detailed a tremendous influx in support calls with the release of iPhone 5, as customers looking to restore iCloud backups of their old phones onto their new phones are in some cases having difficulty remembering their passwords. Support calls are said to be up on the order of tenfold over the past week or so surrounding the iOS 6 and iPhone 5 launches.
I know what you are thinking. The rightful person that owns the Apple ID should have no problem doing enough of that to be able to verify their ID and be able to then reset their password or security questions or unlock their account. And you would be wrong in thinking that.
This employee has emphasized that if users can not confirm their identities within the new framework of authentication challenges, there is nothing Apple support staff can do to help them and they will be frozen out of their iCloud accounts. For this reason, the employee notes that users are strongly encouraged to know the exact answers to their security questions, make sure a proper credit card is associated with the account, and set up Find My iPhone/iPad/iPod, maximizing their chances of being able to regain access to their accounts should their passwords be lost.
Finally, this employee has cautioned users about both changing their password and resetting their security questions at the same time, particularly if they do not have a credit card on file with the account. In that instance, if the user is unable to get into their account with the reset password, the deleted security questions and the lack of a credit card will essentially make it impossible for Apple support to verify their identity and regain access to the account.
