I'm not saying that a call back should replace a security question. It improves security.
Well, again, yes and no. Security questions are inherently more secure as long as the individual keeps the information private. Likewise, callback is more secure if the information is compromised but not the primary callback number. Of course, the primary callback number can more easily be compromised by people who have access to the household.
Each has its flaws, its own advantages and its own weaknesses, though I'd say it's much easier for an individual to keep his information private than to make sure his callback number is not accessible to others (cell phones are worse than home numbers, since a cellphone can be stolen, a SIM card cloned, etc.).
Using a combination of both does improve security (after asking the questions, proceed to callback), though it is rather less convenient (the balance between security and convenience is important too) in that each time you need to modify your account, you must be close to your primary callback number.
Same for e-mail confirmation: it assumes that the primary e-mail account is unshared and not compromised (either through an auto-configured password on a stolen cellphone/PDA or through the hacker simply knowing the password/having access to the e-mail through other means). It also requires that you have access to it at the moment you call.
We don't even need to talk about snail mail now, do we?
That's why I refuse to say any type of callback/e-mail/snail mail is "superior" to personally identifiable information. I don't really think it is. Combining authentication methods is inherently more secure, I'll grant you that, though it comes at the cost of convenience to the account holder.
In the end, iCloud is a consumer service for pictures, music and a few tidbits. The security and authentication procedures are made convenient enough for this type of service while ensuring the security is "good enough" for this type of data. You can't expect bank/government level hassle in recovering a lost password and thus the security that comes with it.
----------
I'm amazed social engineering still works these days.
How is it surprising? Social engineering will always work. There is simply no protection against it. Fast talkers are fast talkers. They will get the info they need and use it appropriately when needed. You can't firewall, ID card or biometrics around it.
I'm also amazed Apple confirmed that's how it happened. Well, that Apple representative is out of a job.
Apple has not confirmed anything, Matt hasn't even claimed so. They have only told him that someone called in for a password reset. He claims they used "clever social engineering" which could be simply asking the rep to use another authorised authentication method than security questions.
There is no information provided that lets us believe the Apple rep did not do his job properly. Why do people keep ignoring this?
I use so many passwords that I often forget them. Which is in a way a nice security feature, as I have to reset them a few times a year.
Relying on other people having access to reset your passwords is how these situations are created in the first place. If no one forgot their passwords, tech support people wouldn't need access to reset them in the first place.