> First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.
> Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.
At least to get into the Apple account, you need the credit card on file. For Amazon, you can send a fabricated credit card number and get complete access (because you can add a new email account, to which you then send a password reset).
Apple just seems like the worse player because Mat Honan put so much power into the hands of iCloud. If Honan was in charge of administering enterprise services using Amazon's EC2 services, and hackers used his account to wipe out everything (or compromise corporate security), everyone would be calling out Amazon.
Edit: I haven't seen this fact mentioned much, but Honan's billing address was compromised through a WHOIS lookup on his domain. This is a huge reason to use registry protection services. It's true someone could look you up using things like Pipl and Spokeo, but that's only if you have something in public records, such as a mortgage (or, in some cases, leases).
Honan is in an especially tough situation because of the uniqueness of his real name.
Amazon on the other hand doesn't (potentially) have the power to wipe your machines and cause havoc. If someone compromises your Amazon account, then worst case they can order goods in your name to be sent to you & Amazon will be out the cost of shipping and re-selling those goods, plus the cost of any chargebacks if they mess you about refunding your credit card. In other words, the risk here lies with Amazon, not the end-user, so they are rightly free to set the level of security applied to Amazon accounts to whatever they feel meets their goals.
It's not Amazon's fault that the 4 digits that the credit card companies decided it was ok to leave on your receipts are precisely the four digits that Apple accepts as evidence that you own the card in question.
The fault lies with Apple for accepting data that you leave behind every time you make a purchase with your credit card (it's printed on every credit card receipt you leave behind at the local pizza joint IIRC) as being suitable evidence to permit an anonymous caller access to an Apple account.
Now, if Amazon applies the same level of security to accounts with personal data or other costs to the end-user (cloud drive, Amazon S3 or EC2 accounts and so on) then you'd be right to lay into them. Does anyone know if that's the case?
AFAIK, though, I use the same credentials to get into my Amazon consumer account as I do my Amazon EC2 and S3 account and my affiliate account (and Kindle, etc.). Does the security level elevate as soon as I've been flagged as a developer-user who isn't just buying books/CDs? If it does, I've seen no sign of it.
You could have a stale login from months ago and still access some parts of your account, but you need to enter your password before you purchase or access some sensitive information.
And obviously most people share their address with various online retailers and friends/family, etc. This is not something I expect to have to keep secret to securely use amazon.com.
(ps. I'm not an iCloud user. But I am a frequent amazon.com user, so I've sent them an e-mail voicing my concerns -- I hope they fix their policies).
From Honan's post:
"In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover."
Sounds like Apple support needs some lessons on social engineering prevention.
Sure, if I was a facebook db admin I'd be semantically satiated with the data, but that doesn't mean it isn't important.
There used to be books that they put on everyone's doorsteps that had everyone's name, address and phone number in them. Society managed. Addresses should not be considered private information, nor should birthdays, mother's maiden name, etc.
'Tell us your account number, as well the amount of a recent transaction on the account'.
Oh, so you gave me a personal check? Great, let me go deposit it, so that's a transaction that I know about. And I already have your account number (and routing information) from the check itself.
This isn't just to be able to drain all funds from the checking account (for which the numbers on the check alone are sufficient) but to reset the passwords on the account, which usually gives you access to any linked accounts as well.
* Full name?
* How long have you been with the bank?
* How many accounts do you have?
* Do you have a business account?
* How many business accounts?
* What's the name of the business?
* Have you set up auto-debit?
* Have you set up electronic-debit?
* To what companies?
* What was your last charge on your credit card?
* Do you have any monthly transfers set up?
* For what amounts?
* Do you have any loans?
* Do you own any investment funds?
* Have you reset the password before?
* <My security question>?
* How many two-factor auth thingies do you have?
* Serial number on your two-factor auth thingy?
* Model of the above?
Are the questions I recall. So at least not every bank is careless enough to only require you to name a recent transaction.
The banks seem to have worked out that they have access to a reasonable amount of information and that they can use it in this way.
The answers weren't easily guessable and there was a threshold so you didn't need to get everything right which allows them to make the questions a little trickier.
The system wasn't perfect - if you broke into my house and got my papers you could probably get past it - but it was a million times better than asking where I went to school.
Including business accounts and brokerage accounts (which are often handled separately with different security processes), I've had numerous accounts with many different providers, and never had anything close to that level of security.
(private browsing, throwaway email, tor, check cashing place, etc.)
This, on the other hand, was simply following procedure. No social "engineering" here.
Seeming clueless when doing malicious things is unquestionably a form of social engineering.
Say I'm a naive person and say I go for dinner and pay via credit card. Since there's not much information on there, I throw the receipt away. On the receipt (at least those I get here) is my last name, as well as the 4 last digits of my CC number. Now assume my last name was sufficiently rare in the area for a potential attacker to make sure that this was actually my receipt. Also assume that I'm an Apple nerd with an iCloud account (which I'm not).
Some potential hacker finds my receipt, puts 1 and 1 together and calls Apple and gains complete access using nothing but a receipt with 4 digits and a name on it.
Is the restaurant to be held responsible for it because they printed those 4 digits on the receipt? Hell no! Is Apple responsible for giving access to my account to a complete stranger possessing nothing but a CC receipt? Yes.
In this case, Apple is after all responsible for the data loss and their security measures are clearly questionable. One should never use a security key which is obtainable by everybody and his grandma. The last 4 digits of your CC number are not private because the card companies decided that it's secure enough to show them.
Don't get me wrong, 95% of the fault rests with Apple, but Amazon should review their processes. There is simply no reason for them to be handing these details out, particularly without valid confirmation of the person's identity - if they need to confirm the card details the customer can give the four digits and the customer service representative can confirm them.
One of the basic rules of security: don't do anything that's not necessary, and this is entirely unnecessary.
Or a driver's license, or a voter registration form....
Excuse me while I delete all of my files from Amazon's Cloud Drive...
In this case it's a bit of a red herring given that his private address is right there on his personal website -- the whois is just an extra, completely unnecessary, step. Hide behind a whois protection service, but anyone motivated can get your address easily.
A personal address is not a secret bit of information. Pretending that it is brings nothing but an illusion of security. The same goes for many other laughably easy to acquire bits of information about someone -- what primary school you went to, one's mother's maiden name, etc: These are things that we've never treated as secret, and it's only the laziest of hackers that it discourages.
Private registrations allow you to anonymously register a domain. That's still a useful service for a lot of people.
Or am I missing something? Is there value added in this process? Or do these concerns end up reaching a much wider audience?
Put another, less inflammatory way, Hacker News tends very highly towards the ephemeral. I would argue certainly more highly than reddit and possibly even more highly than something like 4chan.
This creates a detrimental effect because the discussion around these news stories is more long-lived than HN (the discussion vector) would let us believe.
This creates something I'd call the Hacker News Timeshift - blogspam based on yesterday's news purely on the off chance that the generated blog post will act as a vector for spurring the truncated discussion, thus generating plenty of ancillary or almost coincidental traffic to the blogspam.
Anyone who visits the new stories page once a day will see this effect in action for roughly 50% of the stories that were on the news page yesterday.
Regardless, it's finally dawning on me that the never-ending stream of Apple punditry is a fucking bore, including the "high quality" sources in the echo-chamber such as DF and 5by5.
Similar to the way Daring Fireball blogs about Apple stories, except he doesn't make HN as much.
If you run a system on the scale of iCloud, and you don't crack it yourself, you can bet someone else will save you the trouble.
iCloud was NOT hacked. There was simply a mistake made by a customer service rep as acknowledged by Apple.
If I can't figure out how to turn on my shiny, new Mac, there is zero need for any verification. If I'm asking for a password reset, they should know for sure who I am by the end.
I had to remove an authentication from my Blizzard account once. They required me to do all the normal verification stuff (secret questions, password, etc), send an ID and confirm the process via a contact point I already had on the account. It took 24 hours. And they did it right.
For the record, "Munich" == "Which" in iPad-ese.
In the US, at least, regulated banks have some security requirements that might prevent this (though I'm not sure). But outside of that my guess is that it's routine for a customer service agent to be able to make any modification to an account they want, without an extra authentication factor or supervision.
So yes: blame Apple. But be wary, they can't possibly be the only ones.
This type of thing is going to happen more and more and the fact that remote wipe of all the devices happened totally negates any advantages of using cloud services. I mean, what's the point of having everything backed up remotely if
a) the backup is not current
b) the same remote servers can wipe your devices at any time
In addition, it's possible the remote backups could be removed as well (although not sure about that for iCloud) and in that case, you might as well not back anything up and have a hard drive die (at least that could be recovered I suppose).
Apple needs to jump out in front of this asap and announce a policy change in regards to security in order to put people at ease. I'm glad this is making waves and I think there needs to be more noise about it in order to get them to change.
Also, don't ever expect Apple to do anything ASAP. Even if the whole world shouts at them, they won't say anything. They take their time to (hopefully) think this through.
For this specific thing, no. But this was a fairly blatant act by the hacker. What if they silently read your iCloud mail, or used the Find my iPhone functionality to stalk you?
In case of cookie sniffing, Google shines. They show you the IP addresses of people who have used your account recently. If you (or they) spot a stalker, you can reset the password. I don't know how effective that could be with 3G, but at least
That said, it's no secret that Apple's password system is absolute garbage. I had to reset it 5 times last month because someone was trying to get to my iCloud account (probably brute-force). Apple would de-activate my account and would require me to re-enter security questions and choose a "new" password that I haven't used in the past year. And every time I had to spend an hour typing the new password in my various devices. AND I WOULDN'T RECEIVE MAILS IN THE MEANTIME. Just ridiculous.
Many sites use things which are public information (mother's maiden name) but even questions like "Where were you on this important date?" or "what was your first car?" start to look pretty silly in the age of Facebook. Worse, a dropbox-loving facebooker who's checking his gmail account from his iPhone probably has enough information in many of those places to compromise the other accounts.
Bank: I'll just need you to confirm your mother's maiden...um...um
Me: Yes, it's a long string of random characters, want me to read it?
Bank: No, that's ok, thanks.
like, put the first name in "Mother's maiden name", or the middle name, or swap their position
And you are right to treat it as a password
Frustrating? Yes. But good security can't be transparent to the user.
Now I had completely blanked on what that was.. was it my username? Was it my full name? Was it the beginning part of my email? gah, I'm on break outside a cafe and thought I could get this settled quick..
So the person on the phone, in quite a polite and understandable way, gave me a number to call back directly when I could remember it as I had passed all other verification steps. Had a moment of clarity and called back 2 seconds later and got on with it. They overnighted me a brand new phone.
I rate that interaction a 10/10. 9/10 if we can imagine a world of omniscient amazon that knows when I've received broken items..
Nearly always security is the opposite of convenience. Once people realise that you can be "more secure" or "more convenient" we'll all be better off. This implies to be "more secure" you must be "less convenient". It's always a trade off.
The EU has data protection law, which means companies that store personal data are legally required to ensure it's safe. I wonder if Apple are in breach of the law here?
In my blinkered world, Google and Facebook seem to be the companies to beat in the area of security for consumer services. 2-factor auth, proactive account security such as geographic checks etc.
I can see how Apple's corporate mindset would find it painful to sacrifice user experience for security. Google, not so much.
As an aside, it's about time Microsoft offered 2-factor auth for their accounts.
What's needed right away is a "badge of security approval" from an independent third party, which verifies not just the technological side, but the customer-service side too. Including things like:
- password policies (e.g. not limiting to 16 characters)
- hashing and salting passwords
- standards for security questions (these are usually so horribly written)
- standards for identity verification if you've forgotten password AND security question answers (most sites will not be big enough to bother with this, so you just lose your account, but Facebook/Apple/Google/etc. need to have a common model, so inconsistencies between companies can't be exploited)
- policies for sending out password-reset emails, adding/changing e-mail addresses, with appropriate user notification
- waiting periods between changing emails and passwords, so you can't just go and change everything about an account all at once
- special unique privileges to initiate operations that can delete large amounts of data (like a special second password, or extra security questions, for deleting your account, remote wipe, etc.)
These are just vague ideas off the top of my head, not an actual proposal. But we really need a set of "best practices", and a way of identifying that companies are actually following those best practices.
A secure "lock" icon in the browser bar is no longer enough.
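Three items from the checklist above (notification when a contact is added, a waiting period before a newly added e-mail can be used for a reset, and a separate secret for destructive operations) can be turned into an enforceable policy. The following is an added illustration, not code from any of the companies discussed; the account model, the 24-hour cooldown and the addresses are constructed for the example, and it replays the e-mail-swap-then-reset sequence from the story against the policy to show where it gets blocked.

```python
"""Hypothetical account-recovery policy engine (constructed example).

Models three checklist items:
  * adding a contact e-mail notifies every contact already on file;
  * a newly added e-mail cannot receive a password-reset link until a
    cooldown has elapsed, so swapping the e-mail does not immediately
    yield a password reset through it;
  * remote wipe needs its own passphrase, not just a logged-in session.
All names here are made up; nothing is Apple's or Amazon's code.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CONTACT_COOLDOWN = timedelta(hours=24)  # constructed policy value


@dataclass
class Contact:
    address: str
    added_at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Slow hash so a leaked database does not reveal the wipe passphrase.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


@dataclass
class Account:
    contacts: list[Contact]
    notifications: list[tuple[str, str]] = field(default_factory=list)
    wipe_salt: bytes = field(default_factory=lambda: os.urandom(16))
    wipe_hash: bytes | None = None

    def add_email(self, address: str, now: datetime) -> None:
        """Add a contact and tell every pre-existing contact about it."""
        for c in self.contacts:
            self.notifications.append((c.address, f"new e-mail {address} added"))
        self.contacts.append(Contact(address, now))

    def request_password_reset(self, target: str, now: datetime) -> Decision:
        """Only send reset links to contacts older than the cooldown."""
        for c in self.contacts:
            if c.address == target:
                age = now - c.added_at
                if age < CONTACT_COOLDOWN:
                    return Decision(False, f"contact too new; {CONTACT_COOLDOWN - age} remaining")
                return Decision(True, "reset link sent")
        return Decision(False, "unknown contact")

    def set_wipe_passphrase(self, passphrase: str) -> None:
        self.wipe_hash = _slow_hash(passphrase, self.wipe_salt)

    def remote_wipe(self, passphrase: str | None) -> Decision:
        """Remote wipe requires the dedicated passphrase every time."""
        if self.wipe_hash is None:
            return Decision(False, "remote wipe not enabled")
        if passphrase is None:
            return Decision(False, "wipe passphrase required")
        if not hmac.compare_digest(_slow_hash(passphrase, self.wipe_salt), self.wipe_hash):
            return Decision(False, "wipe passphrase incorrect")
        return Decision(True, "wipe authorized")


def replay_email_swap_scenario() -> dict:
    """Run the add-e-mail-then-reset sequence against the policy (constructed data)."""
    t0 = datetime(2012, 8, 6, 12, 0)
    acct = Account(contacts=[Contact("owner@example.com", t0 - timedelta(days=400))])
    acct.set_wipe_passphrase("correct horse battery staple")
    acct.add_email("intruder@example.net", t0)
    immediate = acct.request_password_reset("intruder@example.net", t0 + timedelta(minutes=5))
    later = acct.request_password_reset("intruder@example.net", t0 + CONTACT_COOLDOWN)
    owner = acct.request_password_reset("owner@example.com", t0)
    return {
        "owner_notified": ("owner@example.com", "new e-mail intruder@example.net added") in acct.notifications,
        "immediate_reset": immediate.allowed,          # blocked by the cooldown
        "reset_after_cooldown": later.allowed,         # allowed once the window has passed
        "owner_reset": owner.allowed,                  # long-standing contact is unaffected
        "wipe_without_passphrase": acct.remote_wipe(None).allowed,
        "wipe_with_passphrase": acct.remote_wipe("correct horse battery staple").allowed,
    }


if __name__ == "__main__":
    for key, value in replay_email_swap_scenario().items():
        print(f"{key}: {value}")
```

The cooldown alone does not stop a patient attacker, which is why the notification to the pre-existing contact matters: it gives the real owner the 24-hour window to react.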
Bank Of America is horrible in this. First off, if someone else tries to log in using your username 3 times, it locks you out of your account. You need access to your email to get back in.
But it demands you re-create three security questions after that. I chose a simple username so other people stumble across it a lot. So I have to go through this process frequently, and there is nothing I can do to stop it.
How securely are they storing this PII? Probably not at all. I try to give the exact same questions and answers every time to limit what BoA knows about me, but someone compromising my BoA account might be able to learn that information and use it to cascade attacks into other services. (They display my secret questions and their answers to me in plaintext.)
This is what all or virtually all Swedish banks do.
Only websites where the users need instant access or you have a low profit per user cannot afford security tokens. Banks are obviously not included here.
They also use two-factor auth on logins from new computers (or when you've cleared your cookies).
The comedian Lucy Porter does a nice sketch about setting your own security question, claiming that one of hers was "Are you really going out dressed like that?" to which the answer was "You're not my real dad, you can't tell me what to wear."
Both apple and amazon are in violation of V2.9: "Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism."
Clearly the secondary authentication controls are weaker than the primary authentication controls.
It would be so awesome if all the common web app providers published ASVS compliance reports. Never gonna happen though.
That sounds so good, and the appeal of this kind of problematic scheme is what makes security such a hard problem, one that we likely won't see easily solved.
Aside from the usefulness or not of the stuff on your checklist, any "badge of security approval" is basically outsourced security. And that won't work because any wholesale security provider must provide one-size-fits-all security, and one-size-fits-all fails because it must either be so secure no one could break it and so be far too unwieldy for most uses, or it must be fairly flimsy and so fail exactly when the use case becomes critical (and of course trusting any third party expands your perimeter of trust in a fashion that you might not be aware of).
The physical locks and strong boxes we have are scaled according to what we're facing and still need real human beings to keep an idea of whether they are really secure. I live in a good neighborhood. I've lived in bad neighborhoods. It's part of becoming an adult. The lock on my gate is flimsy but it's enough. But I watch to see if the neighborhood is going down hill, if there's some factor which would make me a target. It's a paltry measure but it actually has worked pretty well. My security level can't be carte blanche guaranteed by anyone. Even if I hire a security service, I'm not ultimately leaving everything to them.
Outsourced security won't work in the sense of entirely outsourced security. The information age can't really get away from the "rings of trust" situation where the most highly trusted entities cannot really, and should not, be trusted to give away their trustedness on a wholesale basis. Some people can and should rely on outsourced security but the biggest targets should not and cannot.
And it is all a matter of levels. Average consumers can trust the browser bar (more than a lot of things) because they aren't special targets. That's OK.
Dropbox doesn't send an email notification, or anything of the sort, when adding a computer to your Dropbox account.
I discovered this, when one day I realized some of my files in Dropbox were deleted. Specifically my 1Password file.
I logged in to check things out, and discovered that there was a weird computer added to my account. I promptly changed my password to dropbox, did a recover of my 1password file, changed the master password of that, then went through and changed passwords of my most important information stored in 1password.
The fault lay with me, in that my dropbox account was still using my temp 'testing this service out' password I'd used when I first signed up. Stupid me. My 1password master password was already very strong so I wasn't highly concerned.
What ticked me off, was that there was absolutely no notification or verification process when adding a computer to your Dropbox account! I wrote Dropbox, and their only response, after MANY days, was 'make sure your password is strong'.
On your account page you can enable RSS feeds. The home page then has a link to the feed, which I have in Google Reader. It includes all file changes, as well as machine additions and removals.
I had perhaps a dozen or so old entries on there. Now, I don't know if there are actually any serious security implications here, especially since most of those instances are genuinely defunct. However there's no sense in leaving them around if I'm not using them anymore. Maybe it's worth checking out and pruning? I don't know.
Email accounts get hijacked, phones lose data, and impersonation happens on Twitter. A blog post about one of these or all in combination may make the front page of HN, but unless the writing is compelling (and in this story none of it is), it will not persist there.
This story is a story because the Macbook was wiped remotely. That's what's scary. Losing data on a phone or iPad will never potentially entail the loss of years of work. They are second and third devices, and intended primarily for consumption not creation.
It's our computers which hold our work (and as this story shows, moving it to "the cloud" may not offer significantly greater protection). An architect doesn't store her design on her iPhone, nor a developer her code, nor an entrepreneur his company's books. Our computers tend to hold important parts of our lives. They are the tools we use to create and retain our work.
Apple forgetting that for the sake of a consistent sales sheet across product lines is really the heart of this story's traction.
Remote wiping at the flick of a switch is a bug, not a feature in the consumer world.
The only reason I discovered this is because they didn't have my real email address and BillMeLater called me to tell me they needed me to update my email address. So, we also know that they don't even require email address authentication. Now all of my credit reports are locked. I recommend everyone do the same.
sorry to hijack the discussion, but wanted to provide another "4 digits suck" example.
Many of our financial systems rely on trust alone. For example, anyone you give a personal check to can drain your checking account. All they need is your account # and routing #, that are on the check.
Not trying to defend anyone. But has this been reproduced enough to confidently say they'll give control to "anyone"? Or was it just an employee mistake not following the policies in place? It would be a mistake on their part either way, but I'm just trying to understand what the mistake was.
On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s e-mail address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.
The employee should not be given the ability to not follow the policy.
Don't get me wrong, remote wipes are useful. But they should be protected by some kind of a "Remote Wipe Authorization Passphrase" that the user must set up. Otherwise we are all simply at the mercy of the next access control vulnerability in iCloud.
Don't use remote wipe unless you have a backup solution. I mean seriously, the very concept of remote wiping, whether intended or not, should make you buy an external hard drive and activate Time Machine. Because a remote wipe could happen in a database-server glitch on Apple's part, which would presumably bypass a passphrase mechanism. So why leave your data to chance?
But the other reason to not have a passphrase...what is the purpose of having a remote wipe? Because you are paranoid that not only someone will steal your laptop, but that they'll steal the data. Depending on your work situation, time could be the main factor here. What happens if you forget your passphrase...because really, how often are you going to be using that passphrase? Then you've given your robber minutes/hours to access your data.
Just to be clear, the verification process is still incredibly flawed on Apple's part, and the remote-wipe problem should not have happened in the first place. But enabling any kind of remote-wipe-power without thinking through the backup process is Honan's fault, as he admits in his article.
And in the same way that users don't accept that hitting a delete button deletes their content - there are tons of complaints on such issues - they won't accept that remote wipe effectively rids them of all their cat pictures.
I see where you're going and every tech person should definitely keep a backup. Then again every tech person should be aware of how the cloud can fail and how putting your life into the cloud can fail you. However, the above is sadly true for Mr. John User, who has no idea what the cloud actually is; he just wants his things synchronized between his devices. The act of paying for a service raises expectations, and data integrity as well as permanency is probably part of those expectations.
Yes, you should backup but for way more important reasons than enabling remote wiping.
Your work should never be dependent on a single device staying functional.
In the interest of full disclosure... I can barely muster trust enough for gmail. Actually, I don't trust gmail, which is why I don't use it for anything important or personal. I certainly would not put my child's photos onto a cloud service and expect them to be safe. And from what I understand, these people put, not only their data on iCloud, but their ACTUAL DEVICES are administrable from iCloud. That seems insane to me. It seems that this is the inevitable result of any such system.
I guess I am just a bit surprised at the surprise being expressed here. USB drives are not THAT horrible are they? They seem, to me, far more reliable backup methods.
I choose to just double up on cloud services as a "backup"
EDITED to add link: https://tahoe-lafs.org/trac/tahoe-lafs
... That's about it.
I use gmail, but I don't trust it, and have been looking for an excuse to get away from it for a while.
I'm not very comfortable with other cloud services.
For me, it's a balancing act. I find it hard to manage backups. I don't want to run a RAID setup at home. I really like the convenience of Dropbox and S3.
I mean, yeah, obviously the primary concern would be "oh my god my house burnt down." But if you can minimize the repercussions by putting digital stuff which is important to you offsite, maybe that's something to be relieved about.
But yes, I mean it literally. Insurance may pay to replace your house. But a portfolio of a few years of work, the text of your half-finished novel, photographs of your children growing up, the final e-mails you exchanged with your uncle who died of cancer? No insurance money will ever replace those.
As far as password recovery, I would like to see something more "physical", if you will. For example, Apple charges a small random amount to the CC on file and you have to come back and give them the amount.
A fingerprint scanner on every iPhone could be interesting.
I think the reality is that nearly all but the most safety conscious/paranoid hackers reuse easy-to-remember passwords across a multiplicity of sites. Some might have two or three passwords to fence-off, say, financially related logins from non-financial stuff. Still, the vast majority of Internet users are probably in the first group with a simple password across every single login they have. That's the problem. And, with such tools as Facebook logins you also have a situation where discovering one login gets you in to all manner of sites.
How do you protect Mom, Dad and Uncle Fester from this? You are not going to turn them into computer scientists or security experts. No, they are not going to create and remember fifteen different thirty-two character passwords with a mixture of alphanumerics and symbols. That's just not going to happen.
Not sure what the solution might be at this point. The Internet, due to the nature of its organic evolution does not have an underlying security construct that is, for lack of a better word, bulletproof.
Just a few years ago I looked at my receipt from a local Dairy Queen and it had all but the last four digits printed on it. I complained to the guy behind the counter, who didn't see the problem.
I assume most new POS systems nowadays don't even have the option to print anything but the last four, but there are still some out there in the wild which do. Which is why I still shred all my receipts.
I'm not saying that obfuscating the first 12 digits on a receipt solves the problem; just that it's a very minor adjustment that makes things more difficult for the attacker. But some organizations are still failing at even these most rudimentary steps.
But someone got the bright idea to attach other things to your credit card information, like your entire MacBook.
We need to burn down the entire concept of "security questions" and start over from scratch.
The UK may have a better protocol, but that doesn't change the fact that for a significant population, the number on the card is really anything but private. Certainly Apple should know this, being based in the US...
This is usually ok since credit card companies have the whole fraud thing figured out for the most part. It only becomes "not ok" when companies like Apple make them into something that absolutely needs to be secret.
That's still a fail because your wallet probably contains credit cards, which have your name and credit card number, obviously. And driver's licenses in the US, as far as I know, include an address. So it's all there. You're screwed.
What is necessary is 2-factor authentication, which is what a lot of us have been saying for a long time (I wrote this blog post in 2009, after another Twitter-related hacking: "Why The Twitter Breach Is Bullish for Two-Factor Authentication": http://chrisco.wordpress.com/2009/07/16/why-the-twitter-brea...). If not 2-factor, at least don't make recovery possible with things so easily obtained, such as information from items typically contained in a person's wallet.
But ultimately, if the attacker has the ability to remote wipe/encrypt your device he/she is probably in control of any keys required to undo it.
What proportion of share price is affected by security, as that is all a company really cares about.
Now maybe the whole credit card system that we have is at fault - one number to rule them all to pay for things. Maybe if we had a system where we could give each transaction a unique number that was unique to each vendor you used. Then if that number is leaked it would be clear where it leaked from and only affect the people who leaked it. Until then there are disposable credit cards.
If Apple only accepted Apple credit cards and if Amazon only accepted Amazon credit cards, then this would not have happened. Can see what the outcome of this will be and people will still complain.
You are basically assigned an access phrase and access image. They ask you to look at these two things and know what they are. Then, when you visit the site you enter ONLY your username. Once you click submit you're shown your access phrase and access image. If this were a phishing site, there is a high chance that your access phrase and image wouldn't match so you'd know to GTFO.
This is followed with a 2 factor authentication. Pretty solid IMHO :)
But iirc certain banks in India have an alphabet board behind the card with letter-number pairs, right? Something like A-14 B-65 and so on. Then they just ask you to enter 3 random boxes.
The idea that "one non-diligent AppleCare employee" did this is reality-averse. Wired managed to duplicate what happened to Mat after-the-fact using other people's details. Even if you were correct, "one non-diligent AppleCare employee" should not be able to do what this employee did (apparently in accordance with policy, FWIW). A company that cared about security would not allow it.
So you can put down that water you're carrying (boy, does it look heavy!) any time you'd like.
I do like his second idea though.
Remember time beats all security.