Marko Karppinen

I make digital magazines profitable at Richie.

Apple continues to err on the side of insecurity

News about Mat Honan’s hacked Apple ID spread all over the web this weekend, but something about the story didn’t seem right to me. Mat was guessing that the hacker had found his password with a brute force search, but that sounded impractical: Apple is pretty aggressive about locking down accounts that get too many failed login attempts.

Now we know the real reason: Apple tech support gave the attacker access to the account. That may sound astonishing, but I have no trouble believing it. And that’s because the same thing happened to me in 2008.

The fact that the same attack vector works in 2012 proves that Apple still doesn’t take Apple ID account security seriously. Simply put, the front line tech support reps should never be able to perform a password reset like this. The fact that they still can means that Apple continues to err on the side of insecurity. What was crazy in 2008 is completely, utterly insane in 2012. Between then and now, here are some things that have happened:

If Apple’s ecosystem is to succeed, Apple IDs can only grow in importance. The impact of an Apple ID breach is now much greater than it was in 2008. I can’t even imagine what it could be four years from now.