
Amazon's customer service backdoor - grapehut
https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.lqxcfockn
======
danneu
Whois is great for social engineering attackers. You get a name, email,
address, and the first service to attack.

Meanwhile, the ICANN is working around the clock to make it illegal for us to
protect our personal information, and whois protection is becoming an
increasingly niche service for registrars.

For example, gandi.net (and thus Amazon) doesn't hide your name when you have
it turned on. By the time you find this out, it might occur to you to just
type in a different name, but now you're violating ICANN policy. And it's
already been scraped by any of those whois history websites.

~~~
TheOtherHobbes
A related word of warning: Namecheap updated their registration page last
year.

Now, when you register a domain it tells you free Whoisguard is included, but
it doesn't make it clear that _it's disabled by default_.

Previously it just worked. Now you have to check another box to turn it on.

This change makes no sense to me. (If you want free Whoisguard, why would you
not want it turned on?)

I was _white-hot furious_ when I discovered that a handful of new domain regs
had leaked my contact details, and I began getting the inevitable spam calls
and texts.

~~~
scoot
Worse, they'll happily sell you Whoisguard for domains that don't support it.
When you discover it's not usable, they'll give you a refund, then include it
again in the next billing cycle.

I switched to Namecheap based on recommendations here, and their previous
stance on certain privacy issues, but I'm running out of alternatives.

~~~
lpsz
A happy NameCheap user for years, I have started switching away. Their horrid
"modern" 40px padding everywhere bubbly redesign makes GoDaddy look good in
comparison. A major pain to manage more than a couple of domains, and numerous
user feedback seems to fall on deaf ears, e.g. [1][2][3][4]

Example weird feature: all domains are shown, even ones that you've let
expire/sold years ago, and there is no way to hide them.

[1]
[https://community.namecheap.com/forums/viewtopic.php?f=10&t=...](https://community.namecheap.com/forums/viewtopic.php?f=10&t=7949)

[2]
[https://community.namecheap.com/forums/viewtopic.php?f=10&t=...](https://community.namecheap.com/forums/viewtopic.php?f=10&t=66644)

[3]
[https://community.namecheap.com/forums/viewtopic.php?f=10&t=...](https://community.namecheap.com/forums/viewtopic.php?f=10&t=65871)

[4]
[https://community.namecheap.com/forums/viewtopic.php?f=10&t=...](https://community.namecheap.com/forums/viewtopic.php?f=10&t=43083)

~~~
chrisper
Do you mind sharing where you switched to?

~~~
seanp2k2
Name.com has been legit for me for about 10 years. Use code PRIVACYPLEASE for
free whois privacy (this code has worked for the past ~5 years). I've also
used IWantMyName for some TLDs that name.com didn't have and I liked that they
had 2FA, but overall it was much less polished.

------
grapehut
Worth checking out: someone reproduces using a fake address to get a real
address.

[https://medium.com/@amaz/thank-you-for-sharing-this-but-i-co...](https://medium.com/@amaz/thank-you-for-sharing-this-but-i-couldn-t-just-accept-this-so-i-went-ahead-and-did-it-to-my-own-afb19d990056#.3l83bgwjp)

(contains pretty great screencaptures)

~~~
tempestn
Wow, that second rep was really struggling to find the line in his script that
fit the situation (without much success).

------
mrb
How to stop this:

1. Get a friend's permission to "hack" into his Amazon account (or "hack your
own account").

2. Contact Amazon's customer service, try the same social engineering
techniques that the OP documented.

3. Once you obtain some sensitive information from the account, scare the CS
rep by saying: "Haha! I am actually not the customer. I am a
journalist/hacker/whatever and wanted to see how easy it was to social
engineer information out of your customer service department, and you failed.
I would like to talk to your manager please."

Hopefully if enough people do this, it will get some internal attention at
Amazon.

~~~
fnbr
Please don't do this. You're much more likely to get your friend in trouble
with Amazon and have the police called on you.

~~~
0xffff2
Have the police called on you for what, exactly?

~~~
zymhan
Stealing free shipping. You monster.

------
_Codemonkeyism
Amazon does not care. A fraudster used our startup bank account to pay at
Amazon. We told them, they did not blacklist the user to use our account or
take any actions beside removing the bank account (ours) from his Amazon
account.

The fraudster did this at least 3 times with increasing amounts of money.
Amazon did not care. Only when we went to the police did this stop.

Amazon sold me a phone, the box arrived empty (I wonder why they do not check
the weight when it leaves their warehouse, DHL printed a weight on the box
that was less than the phone alone). It took Amazon support months to solve
this, especially they could or would not cancel the attached mobile phone
contract for months.

~~~
kuschku
I had a situation where Amazon couldn't bill my bank account, so they blocked
logging in.

I verified with just name and address to a customer service rep and asked for
the steps I'd have to do to unlock it again, and they told me that (a) the
transaction failed, (b) they told me my IBAN. In plaintext. The full IBAN. (c)
and then they told me the steps to fix it (wire them the money that I was
owing them, plus 6 EUR. Standard procedure in Germany).

In the end, everything worked again, but, the fact that they gave out my IBAN
— enough info for anyone to go and pull money from my account — is making me
so angry.

~~~
SimpleMinds
Could you tell how knowing IBAN enables someone to take money from your
account? As far as I understand, the only thing that can happen with IBAN is
to receive money.

Maybe you're thinking of credit card number? The CC's I had had different CC
number and IBAN account.

~~~
pfg
SEPA direct debit allows you to pull money via IBAN (+ BIC, depending on the
countries involved in the transaction).

Specifics vary from country to country. Some require active approval from the
customer (IIRC France, probably more), others "just work".

Fraud is not as common, since bank accounts that are allowed to debit money
this way are generally only available to companies who have to sign paperwork
ensuring that they have written permission from each debitor. Additionally,
although this might be country-specific as well, chargebacks can be initiated
without providing any reason for at least 8 weeks, and in case of a fraudulent
transaction, up to 13 months.

~~~
SimpleMinds
Thanks, didn't know about that. Sounds like it's a very specific version of
account and most default accounts with IBAN don't have this possibility.

~~~
kuschku
No, anyone’s account can be debited from, but only specific accounts can be
debited to.

I can’t pull money from your account, even if you tell me your IBAN.

But I can use your IBAN to order from amazon, and then amazon can just pull
however much they want from your account.

Luckily chargeback with direct debit works just as fast as with credit cards.

~~~
SimpleMinds
Thanks! That's something new that I didn't hear before. For interested parties
seems [0] has some information. I need to check with my bank then to see how
it works in my country.

[0]
[https://gocardless.com/guides/sepa/introduction/](https://gocardless.com/guides/sepa/introduction/)

------
nmjohn
> services should allow me to easily create lots of aliases. Right now the
> best defense against social engineering seems to be my fastmail account
> which allows me to create 1 email address alias per service

What you may want is a catch-all email - which lets you do *@domain.com ->
nmjohn@domain.com (where * is everything besides already defined addresses) -
that way you can make up emails on the fly without having to set up the alias
beforehand.

I've had that setup for 5 or 6 years now, and it works extremely well. A handy
side-effect of this is it makes it easy to see which companies sell your email
address to spammers when you include the name of the original company in the
email you register with.

~~~
mdavidn
Fastmail and Gmail support a local suffix of the form
yourname+amazon@gmail.com. That's a plus character between the local name and
local suffix. If you use a password manager, you can replace a predictable
suffix like "amazon" with random hex value.

Unfortunately, many sites borked their e-mail address validation and do not
accept the plus character. (Amazon permits it.) Also, you'll occasionally find
a customer service ticketing system that expects replies to come "From" your
account's e-mail address. (Many mail clients can alter that header, but it's a
pain.)

~~~
jedberg
Also a lot of systems strip anything after the + now, especially spam systems.

~~~
sbarre
I've even started seeing registration systems that tell me that I've entered
an invalid address if I do the [email]+[something]@gmail.com trick.

Twice now I was only able to register after removing the +[something] part of
the email.

Is + actually an invalid email character (according to RFCs etc?). I couldn't
find any reference to that when I looked.

~~~
jedberg
I'll try to avoid ranting here, but _anything_ is a legal email address per
the RFC (even an @ sign in a username, or an email address without any @
sign).

RFC 821 is the original and 2821 summarizes it plus the few that came after to
add and clarify.

The only true "RFC email validity check" is to send an email to whatever
address they provide.
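The alias schemes discussed in this subthread (a catch-all local part per service, and Gmail/Fastmail plus-suffixes with either the service name or a random hex tag), together with the question of whether `+` is a legal address character, as an added Python example that is not code from any commenter: the local-part check is the RFC 5322 dot-atom grammar, under which `+` is an ordinary atext character, and the leak report flags aliases that received mail from anyone other than the service they were issued to. Every domain, address and the `ALIAS_OWNER` mapping below is constructed for the demo.

```python
from __future__ import annotations

import re
import secrets
from email.utils import parseaddr

# RFC 5322 atext: the characters allowed unquoted in a local part. '+' is one of
# them, so "name+tag" is a well-formed local part; a validator that rejects it
# is what is broken, not the address.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM_RE = re.compile(rf"^{ATEXT}+(?:\.{ATEXT}+)*$")


def local_part_is_dot_atom(local: str) -> bool:
    """True if `local` is an RFC 5322 dot-atom of at most 64 octets (covers 'name+tag')."""
    return len(local) <= 64 and DOT_ATOM_RE.match(local) is not None


def make_plus_alias(base_local: str, domain: str, service: str, random_tag: bool = False) -> str:
    """Plus-addressing alias, e.g. mdavidn+amazon@gmail.com.

    With random_tag=True the suffix is 8 random hex characters instead of the
    service name, so it cannot be guessed; keep the tag->service mapping in a
    password manager (ALIAS_OWNER below plays that role).
    """
    tag = secrets.token_hex(4) if random_tag else service.lower()
    return f"{base_local}+{tag}@{domain}"


def make_catchall_alias(service: str, domain: str) -> str:
    """Catch-all alias: the service name itself is the local part (amazon@example.com)."""
    return f"{service.lower()}@{domain}"


def classify_recipient(addr: str, my_domains: set, base_local: str) -> dict:
    """Work out which alias scheme a recipient address used and which service it was issued to."""
    _, bare = parseaddr(addr)
    local, _, domain = bare.rpartition("@")
    domain = domain.lower()
    if domain not in my_domains:
        return {"scheme": "foreign", "service": None}
    if local.lower() == base_local.lower():
        return {"scheme": "primary", "service": None}
    name, plus, tag = local.partition("+")
    if plus and name.lower() == base_local.lower():
        return {"scheme": "plus", "service": tag.lower()}
    return {"scheme": "catchall", "service": local.lower()}


def find_alias_leaks(messages, alias_owner: dict, my_domains: set, base_local: str) -> list:
    """Flag aliases that received mail from anyone other than the service they were given to.

    messages: iterable of (sender_address, recipient_address) pairs.
    alias_owner: {tag_or_local: sender domain the alias was registered with}.
    Returns (recipient, sender_domain, reason) triples.
    """
    leaks = []
    for sender, recipient in messages:
        info = classify_recipient(recipient, my_domains, base_local)
        if info["scheme"] not in ("plus", "catchall"):
            continue
        sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
        expected = alias_owner.get(info["service"])
        if expected is None:
            leaks.append((recipient, sender_domain, "alias never registered"))
        elif sender_domain != expected:
            leaks.append((recipient, sender_domain, f"expected {expected}"))
    return leaks


# Constructed sample data: every address and domain below is made up.
MY_DOMAINS = {"example.com"}
BASE_LOCAL = "nmjohn"
ALIAS_OWNER = {"amazon": "amazon.example", "fastmail": "fastmail.example"}
SAMPLE_MESSAGES = [
    ("orders@amazon.example", "nmjohn+amazon@example.com"),    # expected sender
    ("deals@bulkmail.example", "nmjohn+amazon@example.com"),   # alias reached a stranger
    ("noreply@fastmail.example", "fastmail@example.com"),      # catch-all alias, expected sender
    ("promo@bulkmail.example", "unknownshop@example.com"),     # catch-all alias nobody registered
    ("friend@elsewhere.example", "nmjohn@example.com"),        # primary address, not an alias
]


def demo() -> list:
    return find_alias_leaks(SAMPLE_MESSAGES, ALIAS_OWNER, MY_DOMAINS, BASE_LOCAL)


if __name__ == "__main__":
    for recipient, sender_domain, reason in demo():
        print(f"{recipient} got mail from {sender_domain}: {reason}")
```

Run against a real mailbox, `messages` would come from the envelope recipient and `From` of each delivered message. The catch-all scheme needs no pre-registration, which is why `find_alias_leaks` reports an unregistered alias separately: either you forgot to record where you gave it out, or someone is probing local parts on your domain.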

------
incarnate
This is exactly the same thing that let someone delete Mat Honan's (Wired
author) accounts back in 2012:

 _Apple tech support gave the hackers access to my iCloud account. Amazon tech
support gave them the ability to see a piece of information — a partial credit
card number — that Apple used to release information._

[http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/](http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/)

~~~
ec109685
No, customer service did not disclose the cc number in this instance -- they
did disclose his address though, which stinks.

------
paulcole
"The problem is, 9999 times out of 10000 support requests are legitimate,
agents get trained to assume they’re legitimate. But in the 1 case they’re
not, you can completely fuck someone over."

That's why nothing will change if these estimates are even in the right
universe. Nobody wants to inconvenience the vast majority of customers to
prevent a minuscule number of issues.

~~~
bigiain
Until/unless we can find and implement a workable way to make this a problem
Amazon is financially on-the-hook for, instead of Amazon (et al) customers.

I wonder what the PCI implications are if it's true that Amazon gave away his
last four cc digits over the phone?

I wonder if there are applicable PII laws in his jurisdiction that'd have
Amazon able to be held liable for disclosing his address? (I think there are
here in Australia(1), but that doesn't mean regular Amazon customers have any
chance of prevailing in court against Amazon's in-house legal team...)

(1) 6.67 of this says your address is "individually identifying data":
[http://www.alrc.gov.au/publications/6.%20The%20Privacy%20Act...](http://www.alrc.gov.au/publications/6.%20The%20Privacy%20Act%3A%20Some%20Important%20Definitions/what-not-%E2%80%98personal-information%E2%80%99)

~~~
superuser2
In the US, the relation Legal Name ~ Home Phone Number ~ Address is
emphatically _not_ private. It's in the phone book, it's in directories
published by local school districts, it's on public property ownership
records, in some cases voter registrations are subject to FOIA, it's on
corporate registrations, amateur radio licenses, FAA pilot licensing
(including small drones), all kinds of professional certifications and
business licensing which is published on the internet, etc.

So no, very unlikely.

------
AndrewUnmuted
I worked for Amazon for four years. For nearly the entire time I worked there,
I, as an engineer, had access to every customer's purchase history, contact
information, email addresses, etc. The reason? On occasion, I'd need to get a
user's email address to reach out to them if they reported bugs. The one
service that offers employees this access is all or nothing. Either you get to
see a customer's email, credit card number, and purchase history - or you get
to see nothing at all.

Everyone knew that I had this access, and everyone knew that it was against
Amazon's own policy to give me access. But to them, that was easier than
fixing the service so that it was more useful.

Perhaps I'm just clueless, but something tells me that any relevant competitor
to Amazon - say, I don't know, Google - would choose to fix the service
instead.
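The "all or nothing" access service described above is the textbook case for a per-role, per-field policy. Added example, not Amazon's code; the roles, the masking modes and the customer record are assumptions made up for the demo: each role is mapped to the fields it may see and how (plain, last four, or a digest that supports compare-but-not-read), every view produces an audit event naming the purpose, and a lint function checks that no role at all sees the full card number.

```python
from __future__ import annotations

import hashlib

# Constructed customer record; every value is made up.
CUSTOMER = {
    "customer_id": "C-0001",
    "email": "jane@example.com",
    "card_number": "4111111111111111",
    "shipping_address": "1 Example Street, Springfield",
    "purchase_history": ["order-1001", "order-1002"],
}

# Per-role field policy (assumed roles, not any company's). A field absent from
# a role's map is denied outright. Modes: "plain" returns the value, "last4"
# masks all but the last four characters, "digest" returns a truncated SHA-256
# so the field can be compared against what a caller recites but not read out.
FIELD_POLICY = {
    # Enough to reply to a bug reporter, nothing more.
    "bug_triage_engineer": {"customer_id": "plain", "email": "plain"},
    # Front-line support: verify, don't reveal.
    "cs_rep": {
        "customer_id": "plain",
        "email": "digest",
        "card_number": "last4",
        "shipping_address": "digest",
    },
    # Escalation tier with a documented need for history and address.
    "fraud_investigator": {
        "customer_id": "plain",
        "email": "plain",
        "card_number": "last4",
        "shipping_address": "plain",
        "purchase_history": "plain",
    },
}


def _apply_mode(value, mode: str):
    if mode == "plain":
        return value
    if mode == "last4":
        text = str(value)
        return "*" * max(len(text) - 4, 0) + text[-4:]
    if mode == "digest":
        return hashlib.sha256(str(value).strip().lower().encode()).hexdigest()[:16]
    raise ValueError(f"unknown mode {mode!r}")


def view_customer(record: dict, role: str, purpose: str) -> tuple:
    """Return (filtered_view, audit_event) for a role. Roles without a policy get nothing."""
    policy = FIELD_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"role {role!r} has no access policy")
    view = {f: _apply_mode(record[f], mode) for f, mode in policy.items() if f in record}
    audit = {
        "role": role,
        "purpose": purpose,
        "customer_id": record["customer_id"],
        "fields_returned": sorted(view),
    }
    return view, audit


def roles_with_plain_access(field: str) -> set:
    """Policy lint: which roles see `field` unmasked? Keep this empty for card numbers."""
    return {role for role, policy in FIELD_POLICY.items() if policy.get(field) == "plain"}


if __name__ == "__main__":
    view, audit = view_customer(CUSTOMER, "bug_triage_engineer", "reply to a bug report")
    print(view)
    print(audit)
    print("roles that see full card numbers:", roles_with_plain_access("card_number"))
```

The point of returning the audit event alongside the view is that the "why" travels with every lookup; the complaint in the comment above is precisely that the lookups happened with no purpose recorded and no way to grant less than everything. Ship `roles_with_plain_access("card_number") == set()` as a unit test on the policy file so a future role cannot quietly widen it.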

~~~
0xffff2
>Perhaps I'm just clueless, but something tells me that any relevant
competitor to Amazon - say, I don't know, Google - would choose to fix the
service instead.

Why? The attitude you describe (do what's easy, not what's right) is endemic
to any organization over a certain size in my experience.

------
Camillo
Yes, Amazon is doing it wrong. But the much bigger problem is that your bank
lets fraudsters impersonate you using easily obtained information such as your
name and address. It is completely backwards that you need an impenetrable
wall and moat around the place where you buy books and groceries, because,
once you get past it, then the place where you store all your money and get
your mortgage is as easy to penetrate as a piece of tissue paper. The root
cause of all identity theft are the incredibly lax security policies of the
financial system.

------
turar
If you own a home in the U.S., anybody already can get your address legally
and easily from your county or district property appraiser's/assessor's
website. Along with how much you paid for it, and when you bought it. So
calling Amazon CS rep is a hard way to go about it. :)

~~~
rhblake
Ah... if you're a resident of Sweden, anybody can get your full name, address,
date of birth, civil status, list of company engagements (e.g., board member,
owner of a firm, etc.) and the make and year of any cars registered by going
to one of several websites - [http://www.ratsit.se/](http://www.ratsit.se/)
being one of the most popular ones. No login needed. This information is
public data straight from the government. (Exceptions: people < 16-18 years
old (afaik), and people with protected identity (about 15K out of 9.8M)).

Call or visit the Swedish Tax Agency if you want further info, such as
personal identity number ("personnummer" - think Social Security Number but
used for absolutely everything), taxed income, identity and full info of
parents (including mother's maiden name - so much for that), etc. You don't
have to tell them who you are or why you want this information.

Enter a street address on a site like ratsit.se and you'll find all the people
registered on that particular address. I could go on. When I talk about this
with friends in countries like Germany and France they're often flabbergasted;
in Sweden we're so used to it that we think it's natural. We're basically
doxxed by our own government by default. A stalker or identity thief's
paradise. It's messed up.

~~~
jdmichal
Though, I would wager that very few Swedish companies consider any of that
information as a "password", as seen in the article...

~~~
breakingcups
Overseas companies would though.

------
adarsh_thampy
As someone who has trained customer support agents, I can attest to the fact
that most agents have to be taught every scenario. If it slightly deviates
from the one they have been trained on, they are clueless.

Not saying all customer support people are like this. However, majority of
people are. They rely on pre-written scripts. When a question is asked, they
search for the template question with the answer.

~~~
representative
You're absolutely right about the majority. If someone is capable enough to
understand customer needs and resolve issues outside of predefined scripts
they are capable enough to be working beyond customer support. Customer
support representatives are largely people who exist as an interface between a
customer who doesn't understand a system and a system that doesn't understand
the customer needs.

Most companies would do well to invest in "Customer Support Engineer" type
roles, putting people who _understand_ systems and are informed problem
solvers on the front lines, people who can identify technical solutions to
customer problems. Customer Support Representatives problem solving seems to
begin and end with what they've learned from the latest ZenDesk Webinar. Most
companies seem to believe that fast and friendly messages are what customers
want, through twitter and Facebook, when the reality is they want their
problem solved and the business most benefits when the _cause_ is identified
and solved for all customers, not the symptoms for one customer.

Most companies could slice their customer support costs in half and increase
their customer satisfaction substantially if they invested in building out
roles for problem solvers instead of ticket solvers. 1 ticket solved is 1
ticket solved. A problem solved can be hundreds or thousands of future tickets
prevented and an improved customer experience.

(This comment isn't a slight against customer service representatives, they
serve an important purpose at many companies and often provide great value.
This comment is a slight against the companies that choose to hire a dozen
more customer support representatives instead of addressing the core issues
that are driving people to their support.)

~~~
richardwhiuk
I think you substantially over-estimate the number of tickets which can
actually be 'solved' like this, and dramatically under-estimate the cost it
would take to solve the problem. I'd have a hard time believing that the large
number of companies who all operate this model are getting the cost-benefit
analysis wrong by such a large margin as you seem to suggest.

------
dannysu
Reading through this thread, I've now taken action to use a unique email for
important accounts. I was already using [name of service]@[some other domain I
only use for email].com. However, I just changed now to [random # and
chars]@domain.com.

An additional thing I'm doing is reviewing what accounts have my credit card.
One of the things I like about my Bank of America credit card is that I can
use their ShopSafe feature to generate a card number for specific accounts.

So if I'm buying transit pass on a website probably made by incompetent
people, I generate a new credit card number and use it one time. Same thing
with doctors that want me to write my credit card info on a piece of paper and
mail it back to them.

------
okigan
Any recommendation what one (as a customer of Amazon) can do today?

2FA does not help here as someone goes through the support channel, which
looks like it bypasses 2FA.

Also concerned if the same trick can be applied to Amazon Cloud services, as
there one can also run up a big bill pretty quickly.

~~~
bigiain
If I were the OP or someone equally sure I was likely to be targeted via my
Amazon account, I'd consider:

Using a unique email address.

Using a unique physical address (both for my account details and for my
delivery addresses).

Use a unique credit card (I'd probably get a refillable prepaid gift card, and
set up some auto topup to ensure it's got my expected monthly Amazon bill
available as "credit", but not much more).

I'd probably move any AWS billing to a different Amazon account.

If I were more paranoid (or being actively targeted), I'd probably also try to
go unique on _everything_ I tell Amazon; phone numbers, different
city/state/zipcode (as well as street address), company name, website url,
alternate contacts - then I'd set up "Security questions" with unguessable
questions/answers (perhaps diceware/xkcd style "correct horse battery staple"
type ones, that a CS rep could easily read out and verify - rather than a
base64 GUID...).

Not that I trust the "security questions", but if Amazon lets you use freeform
questions as well as answers, it might help to make your first security
question "Have you noticed this account has two factor authentication turned
on?" with an answer like "Yes, so Amazon Customer Service will take additional
care when being asked to reveal account information, right?"

~~~
Your_Creator
It seems to me that ANYONE who buys ANYTHING is equally likely to be targeted
via their Amazon account -

Think about how many people actually use Amazon services

Through sheer competition, Amazon is forcing Walmart to close over 100 stores.
We only know that because Walmart is big enough to get noticed.

Remember when Walmart was the company putting local mom and pop shops out of
business?

Cycle of life I suppose...

------
leeleelee
I think the best solution, for now, is to just regularly check your full
credit report for anything you don't recognize and watch your credit card,
debit card statements for any purchases you don't recognize.

I've had credit cards get compromised in the past, and it was actually quite
painless to have my bank (Chase) shut the card down and issue a new one.

Your information can be stolen from SO MANY sources and not just Amazon
customer service. It's impossible to guarantee who sees any of your personal
information once you share it with ANYONE on the internet (Amazon, Google,
some random retailer, domain registrar, etc.).

The server at your local Applebees could steal your CC info.

Be sensible with where you share personal information, but don't be
unreasonable. It's safe to use Amazon.

Just watch your credit report (regardless of whether you feel you're at high
risk) and bank statements.

If/when a problem arises, then deal with it.

------
pfarnsworth
The problem is Amazon has thousands of poorly trained first-level support
staff with far too much power and information.

What we need is a global security standard for support staff, with a template
as to what information is accessible by staff and what isn't. And what is
available to better trained 2nd-level support, etc.

And then each company can say they are certified for this particular security
standard, and then you can't get social engineering attacks where you attack
one large corporation, get partial information, and then feed that into
another large organization to get other information. This was done previously
using Amazon, again, to get enough information to take someone's Twitter
account, if I remember correctly.

~~~
Merad
Not Amazon. Essentially every company. Your typical first tier support rep is
paid perhaps $9-10 an hour, utterly hates their job, and has access to scary
amounts of account information. It doesn't help that call center turnover
rates are often so high that it isn't unusual for the median experience of
reps to be 6 months, or less.

The bottom line really is that _so far_ these kinds of social engineering
attacks haven't been enough of a problem for companies to have the slightest
economic incentive to improve the situation.

------
xenadu02
The vast majority of services use email address to identify you so
diversifying your email addresses helps a lot. I've known about every
hack/info leak ahead of everyone else for that reason - I use a unique email
for every service.

I also use different cards for the major online retailers / tech giants so
knowing the last four digits from my Amazon account is useless to validate
anything else (though this does require having several credit cards or debit
cards).

Whois privacy is absolutely required.

Unfortunately if someone is determined enough, almost all ISPs, cell
companies, retailers, etc will happily give them control of your entire
digital life. You can only minimize the risk somewhat.

------
tommoor
Damn, lucky they send out emails after a customer service interaction or you'd
have never had any idea this even took place.

~~~
grapehut
It makes me wonder, if the person is unsuccessful at authenticating, does the
real owner get a follow up email? For instance, maybe he had to try 5 times to
contact support before he found an agent who authenticated me using a fake
address.

------
bobby_9x
It's interesting how easy it is to do something like this, yet legitimate
third-party sellers can't even talk to a live customer support rep when their
account is suspended.

------
rplnt
> migrating as much to Google services which seem significantly more robust at
> stopping these attacks.

Because they don't have customer support?

~~~
vgt
Because 2FA

------
vjvj
Wow. I had a similar experience with Skype too. They couldn't care less that
someone had got access to my account and made calls. The attacker even added
his own mobile number (in a different country) but Skype wouldn't bother
investigating or escalating...

------
rogeryu
We had our AWS account hijacked three years ago. Someone had taken over our
admin email by hijacking the DNS. They had hacked into our DNS account (with
another provider) and changed the MX for our domain. Then they contacted
customer support and convinced them to disable two factor authentication. Then
they started to play with our account, starting and stopping servers.

Taking back the DNS took time. Meanwhile the hijackers were logged in, and
could not be logged out by Amazon. This took more than a day. It took us two
full days to get all back to normal.

The good thing is that they could not login to our servers. What they wanted
is still not clear, and who did this - we saw some suspicious traffic from
Russia, but that's all.

------
ikeboy
>Email services should allow me to easily create lots of aliases

I use blur from Abine.com, gives me a new email that forwards to my main, as
many as I want, integrated with a browser plugin that barely adds time to
signup.

------
free2rhyme214
Someone hacked my Amazon account once. I'm surprised they don't have 2-step
verification.

~~~
danneu
On the other hand, 2FA opens up the "I lost my phone" customer support channel
which might be just as weak.

For example, you can turn on 2FA for sending money via Bank of America's
webpanel. As in, you log in with username/password and need 2FA for some
restricted actions.

Well, phone up customer support and they'll remove your 2FA if you can provide
them some secret details... all of which are displayed on the webpanel to
anyone that was already able to log in.

It's a joke.

~~~
jimrandomh
If they were following a script and the script were careful, saying "I lost my
phone" would cause them to try to contact your phone, and when you answered
and said you still had it, would put a fraud alert on the account and stop all
further attempts to social engineer customer service.

But most companies aren't anywhere near that careful.

~~~
mcintyre1994
Wouldn't that allow somebody who stole your phone to lock you out of your bank
if they answered the call? Seems like that'd make a stressful situation
potentially worse if thieves knew they could do that. Especially if they
called from a number that's linked to the bank anywhere and something like
Google's dialer surfaces who it is - your bank calling seems like a potential
"maybe I can get more" for a thief so they might be inclined to answer and
impersonate.

~~~
jimrandomh
I would prefer that my bank, if it detects fraudsters trying to pull some sort
of trick involving my account, to freeze things until I show up and present
ID. That's inconvenient, but clearly better than the alternative.

~~~
zyxley
So... what about banks with no actual physical branches?

~~~
jimrandomh
In an ideal world, the bank would direct you to a notary public who would
check your identity and public key fingerprint. (Sadly, the present state of
things is probably too dysfunctional to manage that.)

------
Animats
This is Amazon's problem for using street address (!) as a password. If
there's an authentication issue, they should at least email or call or SMS
you.

------
fredwu
It is rather unfortunate yet at the same time unsurprising. :(

Two years ago I found out that Amazon allows multiple accounts to be set up
using the same email address with different passwords (!!!) - which means that
the potential attack vector is larger for no good reason.

I don't recall how this happened but I can only assume at the time I signed up
to AWS and I might have reset/changed the password somehow that resulted in
the system creating another copy of my account.

So all the information (credit cards, addresses, etc) of the "old" account
still existed until I deleted them. But let's say if someone who has no idea
that they have more than one account with Amazon, they could easily leave
their information intact in their "old" accounts, which if they have weak
passwords can easily be compromised.

Unfortunately Amazon did not take this report seriously, and to this very day
this issue still persists.

~~~
sleepychu
My email address also maps to two unique accounts. One of them has never had
any information on it anyway but I agree it's very concerning.

------
dannysu
There's also no way to separate AWS account from Amazon account it seems:
[https://forums.aws.amazon.com/thread.jspa?threadID=85882](https://forums.aws.amazon.com/thread.jspa?threadID=85882)

This is really bad. The security implications are different between the two.

~~~
ugh123
Sure there is. Sign up with a different email account. I hear they're free
these days...

~~~
dannysu
I meant that there isn't a supported way by Amazon. What about purchase
history? Kindle books? Coupon credits? You're gonna manually migrate all AWS
services you use one by one? What about AWS credits you might have gotten?

While you can certainly register two accounts and start all over, it's clear I
meant an intentional support by the system to allow one to separate the two.

------
jasonkostempski
Couldn't customer service just treat all sensitive information like they
treated the last 4 digits of the CC in this scenario? Verify only, reveal
nothing. I'm sure almost all legit customers don't have even 5 possible
addresses they may have shipped to, make them say what they think it is.

~~~
hobs
That would be the basic standard to which all CSRs are trained, and
deviating from that is 100% deviating from protocol in almost any case; they
do it for individual reasons (speed, a good customer survey, whatever).

When I trained Apple techs the clear communication was that people use
pretexting for not just mundane things like credit card theft, but to commit
violence against other people (especially in the case of domestic violence
where they have some personal details and can try to get more).

Anything but the strategy of verify only is putting people's lives in danger.
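The verify-only rule hobs describes, as an added Python example that is not any company's support tooling (the lock threshold, the key and the addresses are constructed for the demo): the support tool holds keyed fingerprints of the addresses on file rather than the addresses themselves, answers only yes or no to what the caller recites, counts failures, and notifies the account owner on every one. That last part also answers grapehut's question earlier in the thread about whether unsuccessful attempts ever become visible to the real owner.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

MAX_FAILED_VERIFICATIONS = 3  # assumed policy value for the demo, not Amazon's


def normalize_address(text: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    '1 Example Street, Springfield' and '1 example street springfield.' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def address_fingerprint(key: bytes, address: str) -> bytes:
    """Keyed hash of the normalised address. The support tool stores and compares
    these, so it never holds (or can display) the address itself."""
    return hmac.new(key, normalize_address(address).encode(), hashlib.sha256).digest()


@dataclass
class SupportAccount:
    account_id: str
    address_fingerprints: list = field(default_factory=list)
    failed_attempts: int = 0
    verification_locked: bool = False
    owner_notifications: list = field(default_factory=list)


class VerifyOnlyDesk:
    """Support-side checks that answer yes/no and never reveal stored values."""

    def __init__(self, key: bytes):
        self._key = key

    def enroll(self, account_id: str, addresses: list) -> SupportAccount:
        fps = [address_fingerprint(self._key, a) for a in addresses]
        return SupportAccount(account_id=account_id, address_fingerprints=fps)

    def verify_address(self, account: SupportAccount, claimed: str) -> bool:
        """The caller states an address; we confirm or deny. Every failure is
        counted and the account owner is told, so an impersonator cycling
        through agents cannot do so silently."""
        if account.verification_locked:
            account.owner_notifications.append("support verification attempted while locked")
            return False
        claimed_fp = address_fingerprint(self._key, claimed)
        matched = any(hmac.compare_digest(claimed_fp, fp) for fp in account.address_fingerprints)
        if matched:
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        account.owner_notifications.append(
            f"failed support verification attempt {account.failed_attempts} of {MAX_FAILED_VERIFICATIONS}"
        )
        if account.failed_attempts >= MAX_FAILED_VERIFICATIONS:
            account.verification_locked = True
            account.owner_notifications.append(
                "phone/chat verification locked; unlock requires the signed-in account"
            )
        return False


def demo() -> SupportAccount:
    # Constructed data: key, account id and addresses are all made up.
    desk = VerifyOnlyDesk(key=b"constructed-demo-key-not-for-production")
    acct = desk.enroll("acct-demo", ["1 Example Street, Springfield"])
    desk.verify_address(acct, "1 example street springfield.")  # legitimate caller
    for _ in range(3):
        desk.verify_address(acct, "99 Wrong Road")  # impersonator guessing
    return acct


if __name__ == "__main__":
    acct = demo()
    print("locked:", acct.verification_locked)
    for note in acct.owner_notifications:
        print("notify owner:", note)
```

Two caveats a practitioner would want. The normalisation handles case and punctuation but not abbreviations ("Street" versus "St"), so enroll the variants a customer is likely to recite, or run both sides through an address-standardisation step before fingerprinting. And because the desk stores only keyed fingerprints, a leak of the support database yields no addresses at all, which is the property a read-only view of plaintext addresses can never give you.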

------
anindyabd
The OP says he is "a security conscious user who follows the best practices
like: using unique passwords, 2FA, only using a secure computer and being able
to spot phishing attacks from a mile away..." yet I do _not_ think he enabled
2FA on Amazon.com. If he did customer service would not have helped the hacker
pretending to be him. As their help page says, "If you need help from Customer
Service after enabling Two-Step Verification, you'll need provide a security
code similar to when trying to sign in to your account."
[https://www.amazon.com/gp/help/customer/display.html?nodeId=...](https://www.amazon.com/gp/help/customer/display.html?nodeId=201596330)

~~~
putlake
I was excited about Amazon enabling 2FA. I started using it right away but it
doesn't work with their extended applications. e.g. signing in on Roku, Amazon
photos uploader app for Mac, Amazon video on Android/iOS.

~~~
micro-ram
Amazon should simply treat users with active 2FA accounts as high security
accounts. High security accounts must go through a much more rigorous
validation when speaking with support.

------
Nemant
Somebody should try getting Jeff Bezos' address. I tried a couple of times and
failed.

------
krampian
I'm concerned that names and addresses alone seem to be enough for these guys
to do meaningful ID theft with. The phone book is full of names and addresses
anyone can get their hands on easily. Even these guys in India - there's
whitepages.com. Not sure why they're going to all the trouble of trying to
game Amazon's customer support.

On that note, I order a lot from Amazon and throw out their boxes in the trash
outside all the time. Sometimes I notice that neighbors (presumably) take
those boxes for their own use before trash pickup comes along. All of them
have my name and mailing address on them...

------
ommunist
Same sh#t happens with Apple Support all the time, for a few years in a row.
Someone was after my last 4 digits, requesting password resets to Apple ID,
like 14 times a day, and then impersonating me, talking to support.

~~~
virusduck
Did you activate 2FA?

~~~
ommunist
After that I did. And I was so surprised: Apple delays 2FA activation for
a week! 'to be sure that you are you'

------
nicksuperb
I've been using my local USPS PO box for domain registration for the past few
years. It pays for itself when you figure in the cost of add-on services from
registrars. I also use it as an address for similar in-person sign-up forms.
Aliasing services like Fastmail are also a solid part of the equation.
Use it as much and in as many places as possible. You could also try an IRL
alias-type hack by giving out a slightly different name (middle name, title,
etc.) when filling out your address.

------
ninjakeyboard
People will forever be the weakest link in a system's security.

------
EGreg
This article has taught me a valuable lesson: I should be using the
email+suffix@gmail.com feature in each service I'm signed up for. Seems like
an easy enough change.

Ideally, the suffix would be some non-obvious function of the service name,
which I can remember easily. Like taking the second letter of the service name
and relating it to an object I encounter a lot in my life.

------
joncp
Working in the same neighborhood as Amazon's new headquarters, I've become
convinced that not all is well with their security. All those blue badges with
their employees' full names dangling from their belts while they're in line at
the local food trucks is a social engineer's dream come true. Expect to see
some high-profile breaches.

------
yomly
Someone's life in Amazon is about to become a world of pain. This is not going
to be a fun Jeff B escalation...

------
facepalm
I find it a bit weird that address and even credit card number are
confidential information. Credit card numbers are not really secret, you hand
them out to random waiters in random restaurants. Maybe part of the fault lies
with the other companies who accept that information as ID?

------
BaNzounet
A possible solution to avoid people finding out the email you're using for a
given service is to dump random word/phrase in your email address.

e.g. email+ifidontknowthisthisisnotme@youremail.com

Not sure how an agent would react to someone having part of the correct email
though.
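
One way to get the "non-obvious function of the service name" EGreg asks for, and the
per-service tag BaNzounet suggests, without keeping a lookup table: derive the plus-suffix
tag from an HMAC over the service name with a personal secret. The same secret then lets you
check, in constant time, which service an address that shows up in a phishing mail or a
support call was originally given to. This is an added example, not code from the thread or
from any mail provider; the secret, the `user@example.com` mailbox and the service names are
constructed placeholders.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed placeholders for the demo (assumptions, not real values).
SECRET = b"correct horse battery staple"  # hypothetical per-user secret, kept offline
BASE_LOCAL = "user"                       # the real local part of the mailbox
DOMAIN = "example.com"                    # the mailbox domain
TAG_LEN = 8                               # hex characters kept from the HMAC


def service_tag(service: str, secret: bytes = SECRET, length: int = TAG_LEN) -> str:
    """Derive a short, non-guessable tag for a service name.

    The tag is a truncated HMAC-SHA256 of the normalized service name, so it is
    stable for the same service, differs across services, and cannot be inverted
    or predicted by someone who does not hold the secret.
    """
    norm = service.strip().lower()
    return hmac.new(secret, norm.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def alias_for(service: str) -> str:
    """Plus-suffix address to hand out when signing up for `service`."""
    return f"{BASE_LOCAL}+{service_tag(service)}@{DOMAIN}"


def identify_service(address: str, known_services: Iterable[str]) -> Optional[str]:
    """Report which service an incoming address was issued to, or None.

    Use this on the To: header of a suspicious mail, or on an address quoted back
    by a caller, to learn where the address leaked from. Tags are compared with
    hmac.compare_digest so the lookup does not leak timing information.
    """
    local, at, domain = address.strip().lower().partition("@")
    if not at or domain != DOMAIN:
        return None
    base, plus, tag = local.partition("+")
    if base != BASE_LOCAL or not plus or not tag:
        return None
    for service in known_services:
        if hmac.compare_digest(tag, service_tag(service)):
            return service.strip().lower()
    return None


if __name__ == "__main__":
    services = ["amazon", "registrar", "bank"]
    for s in services:
        print(f"{s:10s} -> {alias_for(s)}")
    # Constructed example: an address seen on a phishing mail
    seen = alias_for("Amazon")
    print("address", seen, "belongs to", identify_service(seen, services))
```

The tag length is a trade-off: eight hex characters (32 bits) is plenty to stop an attacker
guessing a valid suffix, and short enough to read out over the phone, which matters when a
support agent asks you to confirm the address on file.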

------
RainManDetroit
Simply create an LLC and have it manager-managed, as opposed to member-
managed. As long as you either do no business or legitimate business, the
owner (member) info is protected, and it will list your registered agent and
their office address as the site owner.

~~~
djrogers
So I need to pay the state of California $800/yr to stop Amazon from giving
away my personal info? No.

------
ubersync
If anyone wants to start a fund to sue Amazon for this, I am ready to pitch in
a $100.

~~~
PhantomGremlin
That's probably wishful thinking. I haven't checked Amazon's terms of service,
but nowadays you can count on both of these being true:

- you agreed to arbitration

- you agreed to disallow class action lawsuits

I.e. thanks to the Supremes[1]:

    As a result, businesses that include arbitration
    agreements with class action waivers can require
    consumers to bring claims only in individual
    arbitrations, rather than in court as part of a
    class action.

[1]
[https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...](https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepcion)

~~~
arianvanp
I'm pretty sure those kinds of terms, at least in The Netherlands and most of
Europe, are illegal. So let's class-action them in Europe instead? I'll pitch
in 100 euros.

~~~
SEMW
Any lawsuit, class action or otherwise, requires the claimants to have
suffered whatever harm they're suing over. You can't sue a company because
they injured someone else.

(IANAL and I'm only familiar with English law, but I'd be very surprised if
there was anywhere where that isn't true, it's pretty fundamental)

------
gravypod
I am VERY interested in what you mentioned about fastmail. That seems like an
amazing idea. I have never thought about it.

I think I need to make a script that can do that for me. A simple mail server
to forward emails both ways.

------
aaronbrethorst
"A chain is only as strong as its weakest link."

------
purpled_haze
And now that this is public, we're all at more risk.

------
ronyeh
On your Amazon home page, go to:

Your Account › Change Account Settings › Advanced Security Settings

Turn on 2-step Verification.

It won't completely solve social engineering, but it can't hurt.

~~~
UnoriginalGuy
If you had read the article you would know that they already had 2FA turned on
before the first intrusion and throughout the subsequent intrusions.

~~~
asymptotic
I might be being pedantic, but the only mention of 2FA in the OP is:

"As a security conscious user who follows the best practices like: using
unique passwords, 2FA, only using a secure computer and being able to spot
phishing attacks from a mile away, I would have thought my accounts and
details would be pretty safe? Wrong."

Are you sure the author enabled 2FA on his Amazon retail account, or was it
only enabled on his AWS account? The two systems do not share the same 2FA.

FYI I enabled 2FA on my Amazon retail account and when I called customer
support they verified it. Once the verification failed and they refused to
give me support.

Anyone else confirm a similar story with 2FA and support? Anyone willing to
explicitly test this out?

~~~
hayd
There's no reason to assume he wasn't using 2FA. The title says "backdoor" and
that's the point: they didn't verify identity... they asked for name, email
and a _nearby_ address.

~~~
edderly
> Actually, I do have 2FA enabled on my account. But I don't think I had it
> enabled at the time for the very first attack.

[https://news.ycombinator.com/item?id=10965111](https://news.ycombinator.com/item?id=10965111)

------
hagmonk
Why didn't the OP turn on two step verification? Amazon does support this.

~~~
sleepymountain
His Amazon account wasn't even logged into, the CS rep gave up his information
without the attacker being authenticated, and the attacker used that to login
to other non-Amazon systems.

------
muppetman
I read this as a guy who has serious amnesia.

------
swehner
Customer support is what Amazon adds to the otherwise simple service of
operating an online catalogue, stocking products and sending them out when
ordered.

As you can see here, they are not doing a good job even in that department.
Taking huge profits for basically failing.

I have called this a lose-lose in the past.

So -- be good and stop using Amazon!