Account Hack, User Speaks Out: Lessons To Learn


incrediBILL - 6:09 pm on Aug 7, 2012 (gmt 0)


Use two-factor authentication where you can.


I think you missed the larger point that it doesn't matter what you use for security when some iDiots at Apple let just anyone reset your passwords to your email account. Their methodologies and procedures for validating the owner of the account were 100% flawed.

The email account is the critical lynchpin to this whole story because once it's breached the whole security system, two-factor authentication or not, crumbles like a house of cards because you can simply reset it all from scratch.

One way to keep hackers out of your account, assuming they haven't also stolen your phone, is to see if the caller ID being used matches what's on file for the account. If the caller ID doesn't match, support should go: "Sir, we'll call you back on the phone # currently on file with your account to verify a password reset." They could even have sent an SMS to the phone that requires a response before resetting the password. That simple act of validating the caller ID or calling back to the owner's last known valid phone number of record would've stopped this hacker dead in their tracks.

It doesn't take much to thwart fraud except common sense and due diligence.

SIDE NOTE: If credit card companies simply used SMS verification for all MAJOR purchases for anyone with a cell phone registered to their account, then credit card fraud for SMS-enabled cell phone owners would cease immediately. Implementing it has ZERO impact on any existing CC transaction system or website and only requires implementation at the credit card processing centers. Simple solution to a billion-dollar problem, but we'll never see it happen in our lifetime because it's too easy.
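
The out-of-band check the post describes, both the callback/SMS gate on a support-driven password reset and the SMS approval for a major card purchase, as an added Python example that is not code from the WebmasterWorld thread or from any vendor mentioned in it. It assumes a hypothetical `send_sms(phone, message)` gateway, an `Account` record whose `phone_on_file` was registered by the owner earlier, and made-up thresholds (a five-minute code lifetime and three wrong guesses). The key design point matches the post: the code is always delivered to the number already on file, never to a number the caller supplies, and the caller ID is only used as a signal, not as proof.

```python
# Added example (not from the WebmasterWorld post): an out-of-band
# verification gate for sensitive account actions such as a support-desk
# password reset or a large card purchase. Names, thresholds and the fake
# SMS sender are assumptions made for this illustration.
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # a code is only good for five minutes (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses allowed before the challenge is voided


@dataclass
class Account:
    username: str
    phone_on_file: str  # number the owner registered earlier, not the caller's


@dataclass
class Challenge:
    action: str
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    satisfied: bool = False


class OutOfBandVerifier:
    """Sends a one-time code to the number on file and checks the reply."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone, message); real gateway in prod
        self._clock = clock
        self._challenges = {}

    @staticmethod
    def caller_id_matches(account, caller_id):
        # A mismatch is a reason to slow down and call back, never a reason
        # to trust the caller; caller ID is not proof of ownership.
        return caller_id is not None and caller_id == account.phone_on_file

    def start_challenge(self, account, action):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded 6 digits
        challenge = Challenge(action, code, self._clock() + OTP_TTL_SECONDS)
        self._challenges[(account.username, action)] = challenge
        # Deliver to the number on file only; the caller never picks the target
        self._send_sms(account.phone_on_file, f"Reply {code} to approve {action}")
        return True

    def verify(self, account, action, submitted_code):
        key = (account.username, action)
        challenge = self._challenges.get(key)
        if challenge is None or challenge.satisfied:
            return False
        if self._clock() > challenge.expires_at:
            del self._challenges[key]  # a stale code can never be reused
            return False
        challenge.attempts_left -= 1
        # Constant-time comparison on bytes so odd input cannot raise
        if hmac.compare_digest(challenge.code.encode(), submitted_code.encode()):
            challenge.satisfied = True
            return True
        if challenge.attempts_left <= 0:
            del self._challenges[key]  # lock out further guessing
        return False

    def consume(self, account, action):
        """Return True once, and only if the owner approved from the phone on file."""
        key = (account.username, action)
        challenge = self._challenges.get(key)
        if challenge is None or not challenge.satisfied:
            return False
        del self._challenges[key]  # single use: approval cannot be replayed
        return True


def reset_password(verifier, account):
    """Support-desk reset path: refuses unless the owner's phone approved it."""
    if not verifier.consume(account, "password_reset"):
        return "refused: owner has not approved the reset from the phone on file"
    return "password reset allowed"


if __name__ == "__main__":
    sent = []  # constructed stand-in for an SMS gateway: records outgoing texts
    verifier = OutOfBandVerifier(lambda phone, msg: sent.append((phone, msg)))
    owner = Account("alice", "+15550100")  # constructed sample account
    print(verifier.caller_id_matches(owner, "+15550199"))  # caller ID mismatch
    verifier.start_challenge(owner, "password_reset")
    print(sent[-1])  # code went to the number on file, not the caller
    print(reset_password(verifier, owner))  # refused until the code comes back
    verifier.verify(owner, "password_reset", sent[-1][1].split()[1])
    print(reset_password(verifier, owner))  # allowed exactly once
```

The same verifier gates the purchase case from the side note: the card processor calls `start_challenge(account, "major_purchase")` and only settles the transaction after `consume` returns True, so a stolen card number alone is not enough.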


Thread source: http://www.webmasterworld.com/foo/4482591.htm