Web Account Security

For those who don’t already know, Marko Karpinnen just had someone steal his Apple ID by sending a message to Apple implying that he’d changed e-mail address and forgotten his password.

Shocking as this may be, it highlights a serious problem with current methods of identifying people, both offline and online.

Marko is understandably unhappy about this, and suggests that Apple should have checked that it was him “by comparing the information in their personal profile”. Yet most information about most of us, particularly prominent developers like Marko, is publicly available (for instance via WHOIS or via a variety of other means). I’m quite sure that, even if Apple had done those kinds of checks, they could be readily defeated by someone with the gall to try this kind of thing in the first place.

The fact is that we need an identity system that is not based on people’s personal details, or this kind of thing is going to happen all the time.