Apple ID compromised by simply asking


Can you believe that Apple just handed out an Apple ID password in response to a one-line request? From Marko Karppinen:

I tried to log in to Apple Developer Connection this morning to find out that my password had been changed and the email associated with my account was now a yahoo.com address that wasn't mine. Luckily, my "security question" was still the same, so I was able to reset the password and email address back.
Based on the emails that have appeared in my .Mac mailbox, this was accomplished by sending this classy one-liner to Apple:
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
To which Apple reacted by doing the only reasonable thing - saying Sir, Yes Sir! and handing my account over. [From Apple just gave out my Apple ID password because someone asked - MK&C]

You have to believe that Apple actually does have procedures in place (based on the "security question") that were ignored in this case. This is just evidence that no matter how strict security policies are, there is always going to be a McEmployee who will ignore them; even technical constraints that enforce policy can usually be overridden by somebody who is too busy to ask a couple of extra questions.

What's the better solution, to pour money into building more sophisticated safeguards or to outsource the risk?
