Incredible. Someone should probably get fired for this - not the poor sod who changed the account details, but probably the person in charge of customer service processes for .mac. That's just... appalling.
I also look forward to seeing Apple's response (or to hearing comments from any Appleistas on this site?).
Mac: PC, what's going on? We're just doing a commercial.
PC: You can't be too safe these days, with viruses and hackers all around the internet.
Mac: Well, yes, actually. You CAN be too safe.
PC: What do you mean?
Mac: Well, with our new MobileMe (.mac) service, you don't need passwords. It's all part of our new "Mac Experience" program.
PC: Really? That doesn't sound very secure.
Mac: Actually, it's very secure. You see, in order to log in to your MobileMe service, all you need to do is contact customer service. By giving out passwords through customer service, we add an extra level of security through a human interface. That makes it nearly impossible to make a mistake.
PC: Sounds good. (As he steps around the "firewall") I thought this whole password-security thing sounded silly.
Absolutely unacceptable. If anything, the reset password instructions should have been sent, and nothing else.
On the other hand, Apple now has an incredible PR/customer relations opportunity. Could you imagine if Apple cam back to him with free products, free .mac (mobileme) subscription, and a team of people to help re-secure his information? If that happened to me I would feel that they did their part in restoring my confidence. I doubt this is an exploitable loophole in account security as much as it is simply a fluke or blunder on behalf of one man in a customer support center.
am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com
My response, even if I were a paid customer service rep, would have been: "What?"
Seriously, "did" instead of "could"? No capital letters? No space between the comma and "did"? Etc. etc. etc. The mail just doesn't make any sense. Reading it makes me want to cry.
Well, it's not an excuse, but believe it or not, there are many non-native English speakers that use .mac. Some of them may even have a name that looks very similar to Marko Karppinen.
It's pretty clear that our 'personal' information just isn't so personal anymore, so I think that it's a good idea for companies that use verification questions to be very careful to determine that the verification questions that they use for password reset or identification purposes contain truly 'private' information. It's scary when I call up a bank and I can get full access to my account by just giving my account number and my mother's maiden name. Isn't that information in a database somewhere? If I'm on facebook and my mom is on facebook, how hard is it to figure that out? Genealogy websites would probably also be a great help to dig up this info.
My other favorite verification questions are "Where were you born?" and "What's your birthday?". Hm... these are also Facebook profile questions, and they're also not so hard to dig up.
I thought that my social security number was private at least, but last week (no joke) I got a letter in the mail from UPenn saying that a university researcher's laptop containing my social security number had gone missing. fun fun.
My recommendation for web developers would be to rely on users having control of their email accounts and to not allow for "security questions." And if there is a problem with someone's email account being hacked, speak with the customer and use your common sense to resolve the situation. You can always just suspend the account pending the outcome of your 'investigation'. But please please don't outsource this 'investigation' task to people who lack communication skills and/or common sense. (e.g. PayPal, eTrade, Citibank & Dell)
Hmm, and I thought I was clever when I put that my "mother's maiden name" (or whatever asinine question they ask) was a GUID. Apparently there's an easy workaround to my security..
29 comments
[ 6.0 ms ] story [ 102 ms ] threadIf the very well funded Apple can screw up this badly, just think what most places could manage.
I also look forward to seeing Apple's response (or to hearing comments from any Appleistas on this site?).
That's ridiculous.
But still, their security process has a hole big enough to drive a truck through.
The poor guy probably will probably need to spend weeks undoing their mess... Can't wait for Apple's response.
"Did it not occur to you at all that someone at "marko.[redacted]@yahoo.com" was not actually me? For example, because the names didn't match?"
Anyone got good suggestions?
PC hackers don't need passwords.
PS: I can almost feel my karma burn.
PC: (Standing behind windows firewall pictured here: http://obligement.free.fr/images/windows_firewall.jpg) Welcome, commercial viewer #3113452. Please enter your password.
Mac: PC, what's going on? We're just doing a commercial.
PC: You can't be too safe these days, with viruses and hackers all around the internet.
Mac: Well, yes, actually. You CAN be too safe.
PC: What do you mean?
Mac: Well, with our new MobileMe (.mac) service, you don't need passwords. It's all part of our new "Mac Experience" program.
PC: Really? That doesn't sound very secure.
Mac: Actually, it's very secure. You see, in order to log in to your MobileMe service, all you need to do is contact customer service. By giving out passwords through customer service, we add an extra level of security through a human interface. That makes it nearly impossible to make a mistake.
PC: Sounds good. (As he steps around the "firewall") I thought this whole password-security thing sounded silly.
On screen: MobileMe, you could be anyone.
End
On the other hand, Apple now has an incredible PR/customer relations opportunity. Could you imagine if Apple cam back to him with free products, free .mac (mobileme) subscription, and a team of people to help re-secure his information? If that happened to me I would feel that they did their part in restoring my confidence. I doubt this is an exploitable loophole in account security as much as it is simply a fluke or blunder on behalf of one man in a customer support center.
The password reset options I see just give you a way to change the password, not retrieve your existing password.
My response, even if I were a paid customer service rep, would have been: "What?"
Seriously, "did" instead of "could"? No capital letters? No space between the comma and "did"? Etc. etc. etc. The mail just doesn't make any sense. Reading it makes me want to cry.
The reply was probably: "Yes I did. Apple thanks you for your business"
My other favorite verification questions are "Where were you born?" and "What's your birthday?". Hm... these are also Facebook profile questions, and they're also not so hard to dig up.
I thought that my social security number was private at least, but last week (no joke) I got a letter in the mail from UPenn saying that a university researcher's laptop containing my social security number had gone missing. fun fun.
My recommendation for web developers would be to rely on users having control of their email accounts and to not allow for "security questions." And if there is a problem with someone's email account being hacked, speak with the customer and use your common sense to resolve the situation. You can always just suspend the account pending the outcome of your 'investigation'. But please please don't outsource this 'investigation' task to people who lack communication skills and/or common sense. (e.g. PayPal, eTrade, Citibank & Dell)