by willfulwizard 5064 days ago
> In an earlier attempt on Tuesday to change an AppleID password (which is the same password used to log into iCloud and iTunes), Apple customer service offered up a different response, saying that passwords could only be changed over the phone if we were able to supply a serial number for a device linked to the AppleID in question — for example, an iPhone, iPad or MacBook computer.

Adding (or worse, substituting) a serial number helps, but seems insecure in the event of a lost/stolen phone. A device serial number, plus all the already mentioned info: name, address, last 4 characters of a credit card, are all reasonably easy to extract from a stolen phone. Would be nice if some piece of info not usually stored on a phone were required. I suppose that a lost phone is already a security breach, but any containment would be an improvement.

1 comments

On many Apple devices, the only way to access the serial is to actually log into the device and open Settings or About this Mac. If the attacker's able to do that then – in the majority of cases – they likely already have access to your mail and probably many other accounts as well. At that point, it's pretty much game over for you; containment's impossible.

(Two big loopholes on the Mac side are guest accounts and the recovery partition. Both of those offer ways to get your machine's serial number which do not require the attacker to log into your account.)

The serial is engraved/printed on the case of my MacBook Pro and iPhone 4.

Ah, you're correct on the MacBook case. I didn't have any laptops nearby to confirm.

I can't find anywhere on my phone where the serial number's printed, though. The numbers on the back are not the phone's serial number.