Amazon hack highlights customer service security weakness

By Taylor Armerding, CSO
December 26, 2012 06:35 PM ET

CSO - Amazon, the nation's largest online retailer, apparently still has some rather porous security protocols.

A flaw discovered last week by Chris Cardinal, managing partner at the Web development company Synapse Studios, is apparently doing more harm to the e-commerce giant than to its customers -- at least so far.

That makes it less of a public relations nightmare than the flaw that last summer resulted in a hacker securing the digital identity of Wired reporter Mat Honan and then erasing his cloud accounts and taking control of his Twitter feed.

Amazon's media relations had not responded by the end of Monday to either emails or calls seeking comment.

But Cardinal, who reported on it in HTMList, said his recent experience is proof that the company needs to lift its security game. "Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it's hurting them directly," he said.

This time, Cardinal wrote, the problem was with customer service, not weaknesses in the Web services. He said scammers used his name, address and order history to defraud the company into sending "replacement" products to a different address than Cardinal's even though he had already received those products.

Cardinal wrote that one morning in mid-December he started receiving emails from Amazon Customer Service representatives about problems with an order for a camera and filter he had already received.

Within hours, customer service had sent him emails apologizing for the problem, saying a replacement order had been created and a refund requested on his credit card for the first order, which supposedly had not shipped or had been stolen in transit.

The email said the order would be shipping to his name, but at an address in Portland, Oregon.

"Hm. I've heard great things about Oregon, but I've never been myself," he wrote. "More to the point, my camera is sitting here with me right now. Definitely don't need a replacement. Amazon is shipping a phantom replacement to a phantom Chris Cardinal at a phantom address in the Pacific Northwest."

As he tried to cancel the replacement orders and tell Amazon Customer Service about the fraudulent activity, Cardinal said he was caught in a "revolving door of CSRs [customer service representatives], all of whom appear completely incapable of checking chat history or picking up on a potential fraudulent stream of activity."

With a bit more sleuthing, Cardinal said he found a social engineering forum where users were offering to buy Amazon order numbers. "Why? Because as it turns out, once you have the order number, everything else is apparently simple," he wrote.

He said while Amazon "is essentially very secure as a web property," requiring a password to do just about anything online, including changing an address or adding a credit card, "the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying."

Cardinal found that the "mysterious Portland address" is "owned by a company called ReShip.com: a company that allows you to have a 'virtual' mailing address which will forward packages and mail out of the US. Clearly, the camera was on its way overseas."
