Don't most companies use this very same "insecure" system? 99% of the population won't have this problem because not even some of your closest friends know what street you grew up on or your mother's maiden name. If you are going to use this information as part of your personal security, don't go telling people. Because, duh, you might as well tell them your password.
I forget the term for it, but it's exactly like Terms and Conditions. Always expect the user to solve any puzzle put to them using the least amount of energy/effort. It's quite honestly not worth it to anyone to go through the work of securing their information/data/whatever until it's actually genuinely at risk or they have lost something in the past. Until then it's an impedance and an annoyance that makes them very unhappy.
Once something like this happens it's impressive how much cognitive dissonance there is behind the excuses those very same people make or their claims that not enough was done to protect them. Don't get me wrong, these individuals were horribly victimized and it's not ok, but we can't allow ourselves to be satisfied by just blaming the company, especially if they otherwise provided the tools that would have kept the account secure. We can only realistically expect the companies we entrust our data to be responsible for making it possible for us to secure our data and not leaking it through other systemic failures. If we choose to shortcut it then it's our responsibility to learn from that and do better next time. We can't blame anyone involved here for doing what they should otherwise be motivated/expected to do. Apple provided the tools to protect the accounts, and as far as we know didn't allow them to be otherwise compromised. The victims set up their accounts in a way that they could easily access/recover them in the future (honestly, it's now required to remember around 20+ account passwords to manage our lives and it's only getting worse) regardless if they knew the risks or not. Security education is out there and it's as loud as we could hope to get it, people just won't internalize it until the risk is tangible. We can demand that companies like Apple, but it won't actually improve anything if people can't be bothered to use them or more importantly find it WAY more inconvenient and seek ways to bypass them in whatever way possible just to get them out of the way.
It's a shame that this is blowing up for Apple as if it's all Apple's fault, but maybe some good can come from it.
My favorite are banks that require you to use their security questions which are along the lines of "What city were you born in?"
The average user probably trusts their bank, and assumes that their bank is doing everything to protect them, and unknowingly compromise themselves by putting in correct answers to trivial questions.
"99% of the population won't have this problem because"
they don't use facebook or photo sharing sites or ... oh wait I guess they do. That might be a problem.
I don't think this is rocket science here. Find my FB account, find my mom, what is her brother/uncle/fathers last name, or just look at her "friends" list and try the most common last names. Or heck just try them all, there won't be more than a couple hundred to try and thats easier than bruteforcing the entire phone book. Heck just use my friends list, I know enough men on my moms side of the family. Done. Next.
Find my FB account and get a general idea where I grew up (just to make sure, although my name is weird enough for this not to matter). Go to genealogy website, search old phone books for my mom's name or just my last name, street name was Greenfield. Maybe you'll find my house and my aunts house, so two names to try. Done. Next.
Find my FB account, look thru old pix, here's me and my girlfriend in front of this 80s subcompact POS that being my first car which was a falling apart POS when I got it, but whatever. Ask an "old" guy to id the car. Its either a Dodge Omni or a Plymouth Horizon. And its red, if thats the question. Done. Next.
Its very unusual to have a "personal security question" that isn't answered by facebook, twitter, linkedin, any of the photo sites, classmates.com, etc.
>99% of the population won't have this problem because not even some of your closest friends know what street you grew up on or your mother's maiden name.
Those are the same hand-wavey thought processes used by people who are paid to know better that get them hacked.
If I knew your name and where you live, I could find out your mother's maiden name and the street you grew up on in not much more time than it took me to type this comment - especially if it were something I did all the time. Fact-based additional confirmation questions are stupid, and non-fact based ones are impossible to remember.
seriously: http://www.peekyou.com/ or any of these services will work, and many of them allow you to buy prepaid packages.