Marco on Apple and Amazon Security Flaws
Tuesday August 7th, 2012
And ideally, before resetting a password by phone, they’d send a forced “Find My”-style push alert to all registered devices on the account saying something like, “Apple Customer Service has received a request to reset your iCloud password. Please call 1-800-WHATEVER within 24 hours if this is unauthorized.”
Another phone call? That is not going to work for the hearing impaired, or for anyone who cannot stand using the phone. If this situation happened to me, I would have to use TextRelay (a UK service – Wikipedia to the rescue!), where the intermediary who relays my text to speech would see my confidential details. This is a huge risk for me. The service says it is all confidential, and yet that is difficult to trust in a situation like this.
How can we improve this system without the need for a phone call? A random hash URL with 4-digit PIN access? Writing a randomly generated essay to gain access? Perhaps Google’s 2-step verification idea is the best solution for today.
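To make the "random URL plus short PIN" idea concrete, here is an added illustration (my own sketch, not Apple's, Amazon's or Marco's code) of a reset request that any registered device can confirm or cancel from a link, with the 24-hour window from the quoted alert and a cap on PIN guesses, since a 4-digit PIN has only 10,000 possible values. The host name, window and attempt limit are assumptions.

```python
"""Phone-free password-reset confirmation: unguessable URL token, short PIN,
24-hour expiry and a guess limit. Illustrative code, not a vendor's API."""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 24 * 3600   # "within 24 hours", as in the quoted alert text
MAX_PIN_TRIES = 5            # assumption: a 4-digit PIN must not be brute-forceable


class ResetRequest:
    def __init__(self, account, now=None):
        self.account = account
        self.created = now if now is not None else time.time()
        self.token = secrets.token_urlsafe(32)          # unguessable URL component
        self.pin = f"{secrets.randbelow(10_000):04d}"   # shown to the user out of band
        self._pin_hash = hashlib.sha256(self.pin.encode()).digest()  # never store the PIN
        self.tries = 0
        self.state = "pending"   # pending / confirmed / cancelled / expired

    def url(self):
        return f"https://example.invalid/reset/{self.token}"  # placeholder host

    def cancel(self, token):
        # Any registered device can say "this was not me"; no PIN needed to refuse.
        if self.state == "pending" and hmac.compare_digest(token, self.token):
            self.state = "cancelled"
        return self.state

    def confirm(self, token, pin, now=None):
        now = now if now is not None else time.time()
        if self.state != "pending":
            return self.state                # already decided, do not reopen
        if now - self.created > WINDOW_SECONDS:
            self.state = "expired"
            return self.state
        if not hmac.compare_digest(token, self.token):
            return self.state                # wrong link: does not consume a PIN try
        self.tries += 1
        if self.tries > MAX_PIN_TRIES:
            self.state = "cancelled"         # too many guesses: treat as hostile
            return self.state
        digest = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(digest, self._pin_hash):
            self.state = "confirmed"
        return self.state
```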
We keep reusing and building on top of existing security models, and it is time for a new way to improve security. We need to start stretching our imagination and playing with new ideas.
After all… Who will guard the guards themselves?