
Amazon orders subject to replacement fraud (still) - georgemcbay
http://www.gmcbay.com/post?postId=ef970926-b3d4-4390-b384-4c49c00359b3
======
disillusioned
George, do you have any domains with your whois/registrar information matching
your Amazon account information? I guessed that was the vector they used to
attack me. I had several domains with my home address as my address, along
with my email and name. Voila. The entire triangle of data the CSRs need.

I was able to get a CSR to show me some of the logs of the chats with the
scammer, which was particularly enlightening:

[http://www.htmlist.com/rants/two-for-one-amazon-coms-socially-engineered-replacement-order-scam/](http://www.htmlist.com/rants/two-for-one-amazon-coms-socially-engineered-replacement-order-scam/)
(Thanks also for linking to my post in your article. It's insane this is still
going on.)

~~~
georgemcbay
I do, yes. The domain this linked post is on is registered to my current
mailing address which is the same as the one I have on my Amazon file as my
shipping and my billing address.

I've changed my Amazon email address as you suggested in your helpful email
and hopefully that will be enough since I don't think it would be practical to
try to put my mailing address back in the bottle at this point.

~~~
bkeroack
Change your registered domain address! There's basically no upside to having
your "real" address listed.

~~~
eli
What should I put instead? Isn't a bogus address grounds for ICANN to take
your domain name away?

~~~
Washuu
Check if your domain registrar offers an anonymous registration service. Mine
provides it for free, but some charge a small yearly fee. It is still fine per
ICANN standards since it simply goes to a forwarding service.

~~~
33W
From ICANN's perspective though, doesn't that mean that the owner of the
domain is the registrar?

While most registrars would be perfectly fine, I worry about the one that is
willing to take the domain for themselves (for a domain not worth going to
court over).

While not exactly what happened, I remember the case of the @N twitter account
being stolen ([https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd)),
and wonder if having your actual information on the registration would help or
hurt a situation like that.

------
sdrinf
Here's a working hypothesis:

| Why is Amazon's security for replacement orders so lax?

Amazon values customer satisfaction above their fraud write-off.

| Why would they send a replacement to an address that has never been
associated with me, and is in a wholly different state than the one the
original item was sent to?

Because the time between ordering an item and its defect can be sufficiently
large to cover moves: people shift around all the time. It's entirely
conceivable you'd like to exercise replacement rights from Texas, even though
you've ordered it from NY.

| How did the scammer know about my order in the first place to social
engineer the replacement request?

Via: either buying order requests, using third-party honeypots to capture your
info, using the domain registrar, or a combination of any of these.

| Why haven't Amazon black-listed the 13820 NE Airport Way; Portland, Oregon
address as a destination for replacements? This package drop address shows up
again and again when you Google around for people who have been hit by Amazon
scams.

I suspect this might be [http://reship.com/](http://reship.com/) (Alexa rank:
166K). This is entirely legit: if you're a UK customer who'd like to buy stuff
that is exclusively US-only, reshippers are the cheapest way to do so. Based
on their Alexa rank, I suspect Amazon makes quite a bit of money on these customer
segments. Blacklisting them also wouldn't help this case: reshipping companies
can easily buy up a handful of different addresses in a range of cities,
making this a game of whack-a-mole.

| Can I really trust this company to hold multiple credit card numbers of mine
in their database, one click away from someone potentially ordering thousands
of dollars of merchandise that they can apparently easily redirect to an
address that should have been black-listed years ago, if there were any kind
of sane security policy in place?

Note that no credit card or password database has been compromised in
executing this attack. This is social engineering corporate goodwill at its
vilest.

I suspect the root cause of this issue to be the friction-less execution of
this engineering. A proper solution for this problem might be as simple as
sending out an email with clickthrough-link-confirmation before replacement
shipping; this would raise the bar from "knowing about an order" to "knowing
about an order, and having an active compromise on the mark's inbox".

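The click-through confirmation sdrinf proposes, as an added example (not code from the thread or from Amazon): a token that is HMAC-signed with a server-held key, bound to the order number and to the destination address the agent entered, time-limited and single-use. The link is e-mailed to the address on the account, so someone who only knows about the order cannot complete the change without also reading that inbox; a token presented for a different address, an expired one, a reused one, or one minted under another key is refused. All names and sample values (`ConfirmationService`, the claim keys, `ORD-1`, the addresses) are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class ConfirmationService:
    """Issue and redeem confirmation tokens for a replacement shipment.

    Constructed example. A real deployment would keep the key in a secrets
    manager and the redeemed-nonce set in a shared store, not in memory.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._redeemed = set()  # nonces already used: tokens are single-use

    def issue(self, order_id: str, ship_to: str, now: int, ttl: int = 86400) -> str:
        """Mint the token carried by the confirmation link e-mailed to the
        account holder. The claims name the order and the exact destination,
        so the mail itself tells the owner where the replacement would go."""
        claims = {
            "order": order_id,
            "ship_to": ship_to,
            "exp": now + ttl,
            "nonce": secrets.token_hex(8),
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")

    def redeem(self, token: str, order_id: str, ship_to: str, now: int):
        """Called when the link is clicked. Returns (ok, reason); the shipment
        is released only on ok. Each refusal is a distinct reason worth logging."""
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (binascii.Error, ValueError):
            return False, "malformed"
        if len(raw) <= TAG_LEN:
            return False, "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "bad signature"
        claims = json.loads(body)  # authenticated above, so safe to parse
        if now > claims["exp"]:
            return False, "expired"
        # The token only authorises the order and destination it was minted for.
        if claims["order"] != order_id or claims["ship_to"] != ship_to:
            return False, "order/address mismatch"
        if claims["nonce"] in self._redeemed:
            return False, "already used"
        self._redeemed.add(claims["nonce"])
        return True, "confirmed"


if __name__ == "__main__":
    svc = ConfirmationService(secrets.token_bytes(32))
    token = svc.issue("ORD-1", "1 Example St, Hometown", now=1_700_000_000)
    # The account holder clicks the e-mailed link for the address the agent entered.
    print(svc.redeem(token, "ORD-1", "1 Example St, Hometown", now=1_700_000_100))
    # The same link cannot release a shipment to any other destination.
    print(svc.redeem(token, "ORD-1", "Suite 12, 100 Forwarder Rd", now=1_700_000_100))
```

The binding to `ship_to` is the part that matters for the scenario in the post: an agent who is talked into entering a new address still cannot ship there until the account holder sees that address in the mail and clicks, and the reason string tells the fraud team which check failed when nobody does.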
~~~
opendais
> Amazon values customer satisfaction above their fraud write-off.

I doubt this is the case. I've had to place chargebacks against Amazon to get
my money back for purchases that were not delivered due to Amazon screwing up
and telling the vendor that the software key(s) were not purchased.

For anything software related, they offer no refunds _even when they and/or
their vendor screw up to the point the product is unusable_.

~~~
jdminhbg
> I doubt this is the case. I've had to place chargebacks against Amazon to
> get my money back for purchases that were not delivered due to Amazon
> screwing up and telling the vendor that the software key(s) were not
> purchased.

There may be a difference between how they treat physical and digital
purchases then, because my experience (and the experience of vast numbers of
internet commenters) is that Amazon will refund or replace a physical order
with basically zero investigation.

~~~
opendais
Yes, they have different policies depending on what you purchase and whom you
purchase it from.

Frequently with physical products Amazon is able to place the majority cost
[they only lose out on their commission] of the refund onto the supplier.
[e.g. If Amazon's fraud check fails to catch a fraudulent order, they push the
cost of the chargeback onto the supplier if it is a FBA or MFN item. They also
do this if their system screws up and merges multiple products onto the same
ASIN even tho they are different colors or whatever.]

My guess is the vendor in this instance was large enough Amazon had to make a
different deal where Amazon was the one eating the refunds if it was Amazon's
error. The vendor blamed Amazon. Amazon couldn't even figure out I issued a
chargeback and successfully disputed it for my money back.

------
rtpg
The way this is played up makes it sound like a security issue, but it's a
social issue above all else.

A story I've been meaning to write up for a while, which aligns well with this: I
bought a Kindle a while back, with the (kinda expensive) case because I knew I
would break the screen if I didn't.

I broke the screen anyway (some badly aligned books in my bag I think). I
sent a kinda annoyed email to Amazon about how their case didn't seem to help
me much.

The next morning somebody from Amazon called me, trying to help me out with
seeing if they could fix the screen (reboot style things). I was fairly
confident I destroyed the screen, but they offered to replace it for me for
free if I sent them back the old one at their cost.

The issue was that I was heading off to Japan the day after (from France), and
so it would be a bit complicated for me to go to the post office on a Sunday
night to send it off. Instead, they offered to just send me the replacement to
my address in Japan, no questions asked.

At no point did I prove anything about my story, I could have walked away with
2 Kindles (granted, one is probably blacklisted now, if I put it online). They
did know I had bought one recently (which let them get my phone number through
my account), but still.

Amazon has some pretty great customer service, and honestly requiring "proof",
although it would seem normal to a rational human being, would have caused me
great grief and I would just think about my 300g brick that I used for all of
1 week.

Anyways, I like Amazon a lot more than I probably should and take any
opportunity to tell this story. Fraud is the small cost to pay compared to the
goodwill you end up with by trusting (or at least pretending to trust) your
customers.

The wifi on the replacement Kindle stopped working though... been too lazy to
figure out why though.

~~~
jrochkind1
Oddly, someone else in this comments section mentions an, according to them
well-known, issue with this:
[https://news.ycombinator.com/item?id=7882436](https://news.ycombinator.com/item?id=7882436)

~~~
gambiting
Yup, it's me. The issue is mentioned many many times on Amazon forums, and
everyone reports the same thing. Sometimes it's enough to change the name of
your wifi network, sometimes it won't help. I also found a post somewhere
talking about how the Wi-Fi kernel driver of the Paperwhite actually crashes
in presence of certain networks, and nothing helps except for a reboot - and
obviously if that network is still there it will crash again.

It seems to be mostly triggered by BT/Virgin Media routers here in the UK:

To give you an example:
[http://www.amazon.co.uk/forum/kindle?_encoding=UTF8&cdForum=Fx3IRFCNF3E5K2W&cdThread=Tx2Q9SIWX3B7U91](http://www.amazon.co.uk/forum/kindle?_encoding=UTF8&cdForum=Fx3IRFCNF3E5K2W&cdThread=Tx2Q9SIWX3B7U91)

------
quackerhacker
Amazing that the scammer is even able to have the fraudulent replacement item
sent to a different address than where the order was originally sent not once,
but twice and an address not associated with the account nor
confirmed/verified and could possibly be linked to multiple accounts.

Seems like a blatant oversight in loss prevention and fraudulent data sifting.
Not only does it admit that an account has been compromised in some shape
(socially most likely), but it disappointingly shows incompetence in Amazon
CSRs.

~~~
jwdunne
If I recall, to deliver to a new address, Amazon requires you to verify by
entering the card details you are using for the purchase, to prevent fraud.
They should be doing the same here.

~~~
justincormack
Maybe that fails for zero cost items like this as there is no card being used?

~~~
jwdunne
But if it's a return, surely they can pair it with the original purchase, inc.
the address and card used?

~~~
justincormack
The card might have expired and be destroyed, so you could have a valid reason
for not being able to produce the number.

~~~
jwdunne
In which case, you would simply get in touch with support and prove your
identity and purchase some other way, as my thinking is that this would be a rare
occurrence, since receiving a faulty purchase paid for using a card that has
expired and you no longer hold whilst living at a completely different address
is a freak event. Plus, couldn't you still use the expired card as
verification even if it expired?

------
lilt12345
Yodel (an especially poor UK courier) lost an expensive item once. Once I got
through to a human at Amazon, they took me at my word and the replacement item
was on its way that day. A few weeks later the original turned up, looking
very battered.

The amount of goodwill I have towards Amazon because of that experience is
tremendous. I took out Prime, and I look there first for everything now. I can
absolutely see that being worth the shrinkage.

------
aestra
My experience with Amazon customer service hasn't given me any faith in their
competence.

Years and years ago I ordered a few items, mostly DVDs. I got the items.
Months later I get an email from Amazon customer service saying I owe them
money from that order because I never paid for it. I said "huh?" I call
customer service and I found out it was because there was a chargeback. I
didn't do a chargeback so I was confused.

Eventually I figure it out because the CC number shows up on the invoice with
the last 4 digits. I accidentally transposed the last 2 digits of my CC
number. I combed through my CC statements and found out that I indeed wasn't
ever charged for the original items. Apparently the card was valid and was
charged even though it was someone else's card. That means they didn't even do
the least bit of checking to see if the billing address was the same or even
name.

I called up and told them what happened. They were just dumbfounded and confused
about the whole situation and didn't know how to handle it. They just kept
insisting I return the items and they'd give me a refund. I think she was
confused as to what I was even trying to tell her since I received the items.
I said I didn't want to return them and even if I did they were now used
items. They said "what's the problem then?" I told them that THEY sent ME an
email saying how I owe money. I wanted to take care of it. Well, finally the
customer service rep just took down my right CC number and presumably wrote it
in as a note in the logs or something.

I was never charged for the order.

---

Even more years ago my college boyfriend told me that when he was like 17 he
and his friends played some kinda "prank" where they ordered some expensive
cameras shipped to the school and put in some fake name and credit card.
_Apparently_, according to him, the cameras shipped. The kids freaked out that
they would get in trouble and told a science teacher. The science teacher took
care of it and called Amazon before the cameras arrived to say that it was just
some kids messing around.

~~~
adrr
You can't transpose two numbers in a credit card; the card number will fail
Luhn validation, which means it's not a valid credit card.

~~~
aestra
Well it happened. _I didn't make the story up_. It was the last two numbers.
I am totally serious that happened.

Perhaps Amazon didn't validate at all. Who the hell knows?

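On adrr's Luhn point and aestra's reply, an added example that is not code from the thread: it implements the standard Luhn check digit over constructed digit strings (not real card numbers) and tries every adjacent transposition to show which ones the check catches. Luhn detects every adjacent swap of two different digits except a 0 next to a 9, so one specific transposed pair does slip through; and a number that passes Luhn is merely well-formed, which says nothing about whose card it is or whether the billing name and address match the buyer. Those checks have to happen elsewhere.

```python
"""Luhn check: what a card-number checksum catches and what it does not.

Added example. The digit strings used here are constructed and are not
real card numbers; the algorithm is the standard Luhn mod-10 check digit.
"""


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check.
    Non-digit characters such as spaces are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the right: the check digit is not doubled, the digit to its
    # left is, and so on alternately. Doubled values above 9 are reduced by 9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(payload: str) -> str:
    """Append the single check digit that makes payload pass the Luhn check."""
    for check in range(10):
        candidate = payload + str(check)
        if luhn_valid(candidate):
            return candidate
    raise ValueError("payload must be a non-empty digit string")


def undetected_adjacent_swaps(number: str) -> list:
    """Swap every adjacent pair of differing digits and return the
    (index, left, right) pairs whose transposed number still passes Luhn.
    For a valid number this is only ever a 0 standing next to a 9: Luhn
    weights 0 and 9 identically, so exchanging them leaves the sum unchanged."""
    misses = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue  # swapping identical digits changes nothing
        swapped = number[:i] + b + a + number[i + 2:]
        if luhn_valid(swapped):
            misses.append((i, a, b))
    return misses


if __name__ == "__main__":
    # Constructed 15-digit payload plus its computed check digit.
    card = luhn_complete("400000000000009")
    print(card, luhn_valid(card))
    print("adjacent swaps Luhn does not catch:", undetected_adjacent_swaps(card))
    # Luhn is a typo check, not a proof of ownership: any well-formed number
    # passes, which is why billing-name and address matching exist separately.
```

Run it and the constructed number `4000000000000093` comes back valid, swapping its last two digits (`...39`) fails the check, but swapping the `0` and `9` in `...093` to `...903` still passes.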
------
jastorific
I used to be an Amazon customer service rep. I know for a fact that
replacements can only be sent to the original address. However, you can change
the address _after_ the order's been made. Calling into customer service to
change this address is going to be risky, so doing it self-serve online is
probably what's being done here. These hackers had access to your account I
suspect.

~~~
georgemcbay
Thanks for the insider info. One question I have though is if they did have
access to my account and are able to change addresses after an order is made
online, why not go for the gusto and make really expensive orders using my on-
file credit card numbers instead of just doing replacement items?

In any case, I've changed both my password and my email address on Amazon, so
if they did have access to the account that should solve that issue for now.
The whole situation has made me paranoid enough that I'm considering creating
a locked-down custom VM used solely for Amazon shopping.

~~~
AustinDizzy
It's because they didn't want to alert you of the charge. Coming from a
previous blackhat, the last thing a blackhat would want to do is alert you
that something is happening. How often do you check your bank account?
Probably once a day, maybe more. How often do you check your Amazon? Maybe
only when you're going to buy things. I have my accounts set to text/notify me
with every transaction detail.

Another reason why it'd be a replacement is because you don't get charged
anything directly. They're betting you see the $0.00 charge, no bank activity,
and you'll just brush it off like it was just a glitch. Not only this, but
half the people who do this aren't even 18 and they're just reading tutorials
on forums for how to get free stuff by social engineering or "hacking."

------
brador
Just a note that Amazon have been known to ban accounts if you action too many
returns. The bans are very rare, but they are for life and across all Amazon
properties. Hit up Google for more.

~~~
georgemcbay
This is my primary lingering worry about the whole situation, that it may
impact my ability to get replacement items sent out if I actually need them in
the future.

Hopefully they take your Amazon history into account when figuring this sort
of thing out because I've been a customer for a very long time and have spent
an amount of money that would likely seem obscene (if I totalled it up) over
the years.

~~~
big_maybe
>> Hopefully they take your Amazon history into account

But of course they won't. Your experience with them clearly demonstrates that
reality. No leg of that octopus knows what any of the other legs are doing.

------
heffer
I found it also pretty odd that I could use my Prime account to order things
for a friend using my address for shipping and billing and his bank details
for direct debit (which is the most common means of payment here on Amazon.de,
I guess).

The other way around (his address, my bank details) also works without any
further verification.

So I could basically just enter someone's bank details and hope the order
ships to my anonymous forwarding address before they notice. The victim will
then order her bank to refund the fraudulent direct debit transaction (thanks
to SEPA she now has 13 months to file the request). Amazon will probably
suspend the account but the perpetrator will obviously not care.

Even if it's less convenient (because not instantaneous) Amazon should be
doing something similar to what PayPal does: transferring a few cents together
with a verification code to the account for verification.

This scenario would hopefully only work if the account itself was compromised.
But when looking at how overcredulous customer support seems to be it might
well be possible to pull this off without actual access to the account.

~~~
hga
I do this frequently, the use case is ordering things for my father, who's
certainly capable of doing this on his own, but since I buy so much stuff from
Amazon, starting a year after they opened, it's the most convenient way.

Only difference is I'm in the US and charging it to a credit card of his. And
a Prime account is not required (we recently split the difference on getting
one). And if they're looking for fraud, that we have the same last name, and
his billing address is about a mile away, could reassure them.

------
jmnicolas
It happened to me in a brick and mortar shop: I went to the shop to have my
laptop repaired and they told me it was impossible since I had been reimbursed
when I gave them the laptop back 6 months ago (the same laptop I had in my
hands).

They never told me what happened but I suspect someone in this shop took the
money and declared the laptop returned.

------
enscr
> Amazon is out quite a bit of product and a _lot_ of trust from me.

The product is still a drop in the bucket for Amazon. Hopefully some of your
actions will trigger their fraud protection dept. to blacklist the address or
maybe they think it's not worthwhile blacklisting a whole address with
multiple suites for a tiny amount. Anyway, I don't think it's reason enough to
lose trust in Amazon. As long as they got the honest customer covered, it's OK
to lose some when you are running a business of Amazon's scale.

As @sdrinf mentioned, it's social engineering at play. Maybe they can raise
the bar to placing phone orders/replacements. Or maybe they think, they'll
lose more business by adding a teeny hurdle than gain on fraud recovery.

_A times B times C equals X. If X is less than... we don't care_ kind of
thing (Fight Club recall reference)

~~~
darrenmc
Amazon might not even lose money from this at all. It is common for retailers
to charge these costs back to the supplier.

~~~
enscr
This is a logistics issue: shipping to an unverified address before receiving
back the original product. Amazon should be solely responsible for it.

------
patcheudor
"Also, our secure server software (SSL) is the industry standard and among the
best software available today for secure commerce transactions."

Hey! What the heck? I'm in the security industry and had no idea about this
new "secure server software" and why is the TLA SSL? What the heck? I've been
on vacation for the last week, when did it hit?

On a serious note, I understand that some security teams hire non-technical
types into the team but it's always the responsibility of senior staff to make
sure they are at least understanding the basics, especially when communicating
with customers. Say it with me: Secure Sockets Layer (SSL). There's a
credibility problem here somewhere.

~~~
MichaelGG
First, they'll be negotiating TLS in nearly all cases.

Second, they were not defining the acronym. They're just stating they have
software to help secure things, and as an aside it's called SSL. They mention
SSL because some users may have heard of this and it signals that Amazon's
doing the right thing.

------
jacobgreenleaf
I would think that if Amazon is failing to rectify the problem, then they at
least have a very clear and obvious incentive to do so.

~~~
disillusioned
It's extremely straightforward: they value customer satisfaction considerably
above their own fraud write-offs. That's literally it. It's a bit silly,
because there are a number of measures the CSRs could take to prevent someone
with JUST your email, address, and name from accessing your account (Netflix
asks for a "call in code" visible when you're logged into the site, for
instance), but they don't.

The CSRs are in India and basically told to satisfy any "did-not-arrive
shipments". The fact that they are also willing to ship to an alternate
address is completely insane. But my scammer told them they were "on vacation"
and appealed to that side of the customer satisfaction coin.

~~~
gambiting
Yup. I had the same thing with Logitech - my mouse broke while I was visiting
my parents in an entirely different country, and they sent me a replacement
there, without having to send the old one back. I just explained I was on
vacation and it was fine, they just asked me to give them the new address.

------
habosa
Another angle: this is why I shop at Amazon, and make a point to buy items
fulfilled by them directly.

Any time I have had a problem with an Amazon item, they have made it insanely
easy, and cheap, for me to get a new one.

With the Kindle 2 (first one with the directional nub) the screen was VERY
fragile. I used the official case but just putting it in my bag caused the
screen to crack 3x in a year. When this would happen, I'd call Amazon and
they'd have a new one on my doorstep the next morning. Then I'd use that box
to send the old one back, no questions asked. Sure I could have been a
fraudster and probably could have somehow kept 2 Kindles, but I appreciated
the customer service.

[Aside: no I'm not just an idiot, the Kindle 2 really was that fragile. I've
had a Kindle of every generation and never broken any other screen, but broke
that one 3x].

------
gellpak
Is it really that hard to craft a title that uses normal English? For example:

"Amazon orders are still subject to replacement fraud"

There, I won't have to sit there and swap emphasis in my head until it makes
sense with that one.

~~~
teach
Newspaper headlines very often omit linking verbs (am, is, are, etc) when they
can be inferred from context to make room for more important words.

They probably don't have much use on a web page except to _sound_ like a
newspaper headline.

------
jebus989
Presumably there's some Durden-esque equation for costing this, wherein
increased earnings from customer retention and goodwill more than offset
estimated losses through fraud.

------
deltron
I bet there's a thread on socialengineered dot net about this. I'd do a google
search for "site:socialengineered(dot)net amazon replacement"

Obviously I'm not going to link to a scam site, but you can get in through and
read the articles through Google so you don't have to register with them. I
saw this site with another Amazon scam where people were requesting refunds
saying not shipped, etc.

------
danielweber
UI complaint:

If I click on a picture to view a larger version of it, I should not have to
hunt around the page for a blue button to stop viewing the large image.

~~~
georgemcbay
Thanks for the feedback, you're right!

My site (which is woefully unfinished even for its originally intended
purpose) is primarily used as a photo-blog showing photo albums to remote
friends and family. This rant was the first text-heavy traditional blog-post
I've made to it. I need to put some work into making the UI make sense for
posts made in that context.

------
abc123xyz
Amazon themselves have actively recommended this reship.com when I asked about
delivery before for certain product.

------
ars
If you happen to notice this before the item is delivered you can call UPS and
have the package returned to sender.

If you really want you can have someone stake out the home and see who comes,
but that's really something for Amazon + the Police to do.

~~~
disillusioned
Not just returned to sender. I've had people tell me they were able to have
Amazon reroute the package to them, and then be told to keep it. It's like a
free Xbox (or camera or whatever) without having to do the dirty work of
perpetrating the scam yourself!

------
bencollier49
Are Amazon actually making money on these? Do they charge costs and shipping
back to the supplier above trade price?

------
lvs
Are you somehow on the hook to return a defective item because of these
replacement requests?

~~~
disillusioned
No, the scammers claim it never arrived, so Amazon merely sends it again.

------
jrockway
Could this just be a database querying problem, and maybe no items were
actually shipped as a result?

~~~
psykovsky
Nah... It's only a case of not reading the article...

