Looks like folks are starting to think this through. No doubt there has been a rash of copycat attempts:
http://www.pcmag.com/article2/0,2817,2408206,00.asp
-----
The devastating hack of Wired writer Mat Honan has prompted Apple to change its password reset policy - at least for now.
According to Wired, AppleCare representatives are currently not allowed to help customers change their passwords over the phone. The move comes after a hacker used this method to gain access to Honan's account.
The change is in place for at least 24 hours, an AppleCare rep told Wired.
An Apple spokeswoman confirmed that the company has temporarily suspended the ability to reset Apple ID passwords over the phone. AppleCare reps will instead direct callers to iforgot.apple.com, which will let customers select one of two options: have a password reset email sent to their alternate email address, or answer a previously supplied security question.
When over-the-phone password resets are restored, Apple said it will require customers to provide "even stronger" identity verification, but the spokeswoman did not have details on what that might entail.
Yesterday, Amazon confirmed that it will no longer allow Amazon customers to change account settings like email and credit card data over the phone.
At issue is a hack that allowed an individual who identified himself as Phobia to gain access to Honan's accounts via an unsecured Gmail account and Amazon and Apple password reset loopholes that resulted in customer service representatives basically handing over access to Honan's accounts. Phobia, who apparently just wanted Honan's simple, three-letter Twitter account (@mat), managed to delete years' worth of documents, photos, and more.
In a lengthy piece about the ordeal, Honan blamed himself for the hack, arguing that had he set up Google's two-factor authentication, the whole mess could've been avoided.