By now everyone has probably read Mat Honan’s story of how several of his accounts were hijacked. Account takeovers like that happen every day; the big issue here is that this one was done using only publicly available information. The lesson is that the security of an Amazon or Apple account is, as it stands, close to nil. There are a number of points that could be handled much better.
- No security by obscurity - we all know this makes no sense for security software, and it makes no sense for a security process either. If there is a manual process to recover your account, it needs to be documented, step by step. With that information users can protect themselves much better, and a process so weak that publishing it breaks it has nothing to do with security anyway.
- Show all relevant information on file - if you visit your Apple ID account page, there is no mention of billing information. Yet it exists, and it can be used to gain access to the account. Why is that? There needs to be one place to view all information associated with the account and one place to remove or edit it.
- No password reset with public information - billing addresses, credit card numbers or birthdays provide zero security; they are a small step beyond asking someone for their name. Authentication needs either a shared secret or a unique, unguessable token. A proper way would be sending something to the billing address or requiring a photo ID. There is still potential for fraud, but it becomes much more difficult.
- Untangle remote wipe and device search - “Find my iPhone” makes sense for almost anybody, but most people don’t need to wipe the photos of their kids from a stolen device. Weak passwords are broken daily, and wiping the target’s devices will now be part of the show. Break those two functions apart and require additional authentication for wiping a device, or Honan’s story will become a daily tale.
- Provide two-factor authentication - our Apple IDs give access to our data, purchases and money. For Apple developers they can even be the key to their business, and still they are protected by nothing more than the secrecy of a handful of characters. There are better ways, and they need to be implemented fast.
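To make the reset, wipe and two-factor points above concrete, here is an added example (my own illustration, not Apple’s or Amazon’s code, and not part of the original post). It puts the weak pattern, a reset that accepts on-file billing data, next to a token-based reset whose token is random, stored only as a hash, time-limited and single-use, and it gates the destructive remote-wipe action behind a fresh TOTP code (RFC 6238) that a plain session does not carry. The `Account` class, `TOKEN_TTL`, the sample address and the TOTP secret are all constructed for the example.

```python
"""Added example: unguessable recovery tokens plus step-up 2FA for destructive actions.
Not Apple's or Amazon's code; the Account class and sample data are constructed."""
import hashlib
import hmac
import secrets
import struct

TOKEN_TTL = 15 * 60  # seconds a recovery token stays valid (assumed policy)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed sample account: what an attacker can know versus what they cannot."""

    def __init__(self, billing_address: str, totp_secret: bytes) -> None:
        self.billing_address = billing_address   # public-ish: mail, leaks, people-search sites
        self._totp_secret = totp_secret          # shared secret known only to the user's device
        self._reset = None                       # (sha256 of token, expiry) or None

    def weak_reset_check(self, supplied_address: str) -> bool:
        """The pattern the post argues against: 'proving' identity with on-file public data.
        Anyone who can find the address passes."""
        return supplied_address == self.billing_address

    def issue_reset_token(self, now: int) -> str:
        """Generate an unguessable token and keep only its hash, so a database leak
        cannot be replayed. The return value is what gets delivered out of band
        (for example by post to the billing address), never shown to a caller."""
        token = secrets.token_urlsafe(32)        # 256 bits of entropy
        self._reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token

    def redeem_reset_token(self, token: str, now: int) -> bool:
        """Accept the token once, within its lifetime, using a constant-time compare."""
        if self._reset is None:
            return False
        digest, expiry = self._reset
        if now > expiry:
            self._reset = None                   # expired tokens are discarded, not kept around
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(supplied, digest):
            return False
        self._reset = None                       # single use: a redeemed token is dead
        return True

    def remote_wipe(self, totp_code: str, now: int) -> bool:
        """Step-up authentication: the destructive action needs a fresh second factor,
        regardless of the session that was good enough to locate the device."""
        expected = totp(self._totp_secret, now)
        if not hmac.compare_digest(totp_code, expected):
            return False
        # the actual wipe command would be issued here
        return True
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082` for six digits), so it can be checked against any authenticator app. A production deployment would additionally tolerate one step of clock skew and remember already-used codes to stop replay within the window; both are left out here to keep the step-up check readable.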
These five points are only a start, and they are not alternatives to one another. Every single one of them needs to happen, or we will all be able to relate to Mat Honan sooner rather than later.