
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam - disillusioned
http://www.htmlist.com/rants/two-for-one-amazon-coms-socially-engineered-replacement-order-scam/
======
temphn
The title of this link is very misleading. Amazon is actually going out of its
way to provide excellent customer service, and is being exploited by a
scammer. It is therefore not "Amazon's Scam", but a scam perpetrated against
Amazon.

As to whether or not something should be done, this is a
sensitivity/specificity tradeoff. Too far in the other direction of
distrusting customers and Amazon ends up like Paypal.

~~~
Shenglong
Paypal's customer service isn't bad because they don't trust the customer in
terms of authentication - it's bad because they have horrible policies in
place, and their reps are unintelligent, untrained, and unhelpful.

In any case, some authentication aside from "Full Name" would be nice. When I
was with Liquid Web, I had a pass phrase set up, which I could pass off as
regular conversation even in a crowded room without anyone suspecting it was
my authentication. That works best. Even a birth date and city of birth would
be better than a name.

~~~
conradfr
As a former PayPal CSR I don't think I was unintelligent, untrained and
unhelpful, oh well :)

~~~
mseebach
As such, perhaps you have some interesting insights into what might be
causing PayPal's uniquely poor (it seems) CS record? It seems that the majority
of PayPal's public CS failures could have been avoided with a minimum of, well,
intelligence, training and helpfulness.

~~~
conradfr
I guess being the middle man in a sale / money dispute usually makes at least
one person unsatisfied with you?

------
citricsquid
I suspect this is a result of their attitude towards re-orders due to delivery
issues. It would make sense that if CSRs are told "if a user wants a re-order,
just do it", they'd not really consider the implications of allowing them with
a new address, because their attitude is do whatever to keep the customer
happy.

I had a delivery of a game go missing (~$60 cost) so I opened a live chat and
explained, then they shipped me a brand new order (which arrived!) without any
hassle or confirmation that my prior delivery had _really_ been stolen. This
seems like a trivial thing to abuse (and I'm sure many do). After my free re-
order was placed I thought "that was cool, I'll order from Amazon in the
future just in case...".

~~~
city41
I'm sure that is what they are counting on and once it happens to people they
probably become very loyal customers. At a previous place I lived my neighbors
stole two Amazon packages from my doorstep. Amazon had no problem not only
sending out replacements, but sending them to my work address instead. It made
me very much want to order from Amazon from then on.

~~~
hysan
This customer service model, where the CSRs go above and beyond to help the
customer with as little hassle as possible, is what built the initial customer
base for Newegg. Those customers have largely remained loyal even though other
online retailers have caught up in price. This is also what made Zappos very
popular (eventually bought out by Amazon). So the strategy clearly works. I
assume Amazon has calculated that the number of frauds is greatly outweighed
by whatever business is generated from returning customers and great PR.

~~~
dalke
Your model should be made more dynamic, to include that Amazon can adjust to
new fraudulent methods. Once a method is discovered for making fraudulent
purchases, it will be reused and broadened. Like the story of the Dutch boy
and the dike, it will get larger and larger until it collapses. Amazon no
doubt figures that they can plug the hole early enough, and reports like this
are part of that detection system.

------
edanm
This thread reads like a giant love-letter to Amazon. As well it should.

Amazon is one of the _best companies in the world_. I've been buying physical
books from them for the last 8 years. I've recently started buying audiobooks
at Audible, and have even more recently purchased the new Kindle Paperwhite,
and have been burning through many, many ebooks. The _one_ time I had a
problem with a physical shipment, they resent the book, no-questions-asked.
From the looks of this thread, their customer service has stayed amazing.

My favorite Bezos quote, showing an approach that, over the long term, is
amazingly profitable: "There are two types of companies: those that work hard
to charge customers more, and those that work hard to charge customers less.
Both approaches can work. We are firmly in the second camp."

By the way, I agree with the OP, asking a simple question to verify the credit
card number would not hurt the customer service process, and would probably
prevent some fraud.

~~~
martincmartin
Richard Stallman vehemently disagrees with you.

<http://stallman.org/amazon.html>

He cites DRM, remote wiping of Kindles, sweatshop conditions in some shipping
facilities, cutting off service to Wikileaks, squeezing small publishers, not
paying enough UK taxes, and being a member of a right-wing lobbying group.

~~~
edanm
Most of what he talks about, I don't care about. I used to care a lot about
DRM; in fact I swore I'd never do business with Audible because of DRM. Turns
out, I care less about the DRM than about getting good content at a good
price. It's also part of moving everything to the cloud - I'm more used to the
idea of not having a "physical" bookshelf full of books, but rather a
bookshelf kept by Amazon. It actually makes things easier for me as a
consumer. Remote wipe I assume was a one-off.

About the other stuff, it doesn't really impact me as an Amazon user. The only
thing I'm interested in is them squeezing small publishers, because I do want
to make sure I keep having good content... but so does Amazon, so I trust them
to work it out. I don't mind if Amazon becomes a large publisher themselves,
it'll probably work in my favor.

In general, almost everything Stallman cares about is uninteresting to me, and
the few things I think he's "right" about I think he takes to extremes that
are, frankly, crazy.

~~~
Semaphor
> Turns out, I care less about the DRM than about getting good content at a
> good price.

As long as it's convenient. Not all DRM is equal. Even though I back up my
Amazon books DRM-free, I only do it because it happens automatically when I
connect my Kindle to my PC. But compare that to the DRM in many PC games or
the Audio CD DRM we had a few years ago. I'd rather skip a game than get one
that requires me to be online to play it in single player.

------
ghshephard
90% of these attempts at scamming the CSRs could be prevented if Amazon
allowed me to provide an SMS address that they could send a message to for
confirmation.

Every time I log in to Gmail over the web from anywhere but my personal
computer, I take an (at most) 5 second pause while Google SMSes my cellphone
and has me enter the 6 digit code. Failing that, in my wallet, I have a list
of 12 backup "Nuclear Codes" should I for some reason lose my iPhone and need
to log in to email in the intervening period while I get it replaced.

Trivial to implement, very secure.

~~~
ProblemFactory
GMail has a nice 2-factor scheme. While the SMS might need external services,
the app-based verification keys are based on open standards and open-source
code, and can be added to any web application with about 10 lines of code:
<http://code.google.com/p/google-authenticator/>

There is even a Unix login module for adding it to SSH.

~~~
bigiain
Amazon use the same two factor auth too. I've got my AWS account secured with
the Google Authenticator app using TOTP codes as well as passwords.

It worries me that "consumer friendly" customer service leaks information like
this, that could potentially lead to my AWS account getting suspended while
fraud is investigated.

~~~
mbreese
It's probably a good idea not to use the same Amazon account for AWS and
personal shopping, just for this reason.

~~~
bigiain
Yeah, I know that _now_…

I've got real live client sites which I haven't (yet) migrated important
S3/Route53/EC2/CloudFront services out of the "I'll just try this out on my
account to see if it'll work" setup.

------
jdietrich
Sears built the reputation of Craftsman tools based on their unconditional
lifetime guarantee; they also created a cottage industry of people searching
yard sales, thrift stores and scrapyards for rusted old tools. A British
clothing retailer (Marks & Spencer) was famous for an extremely liberal refund
policy, which also made them a magnet for shoplifters and petty fraudsters.

I'm sure Amazon know how much this sort of fraud is costing them. I'm sure
they've calculated that it's worth the cost, at least for now. Shrinkage is
just another cost of doing business.

~~~
devcpp
Worth the cost of asking for more information for the replacement of expensive
items? It just takes a few more seconds for each rep and is surely shorter than
all the new orders being placed for scammers.

~~~
kamjam
Exactly. And what happens when a user needs a legitimate refund/exchange and
Amazon then refuses because their account has had so much fraudulent activity
go unnoticed? Not very good customer service at this point...

------
forgingahead
It's a scam, certainly, but it's actually great customer service policy. If
the only risk is the loss of value of a product to Amazon, and there is no
personal data loss for a customer directly, then it's actually an acceptable
loss policy to Amazon.

They (and most good businesses) would prefer the majority of their customer
base be able to get refunds and deal with order issues swiftly than have to
jump through hoops to prove who they are. Certainly an SMS PIN or other
authentication method would make it more secure, but there is no further
customer benefit. The monetary loss to Amazon is basically a rounding error so
why make things more complicated?

~~~
joshj19
This exactly. The net benefit to Amazon from improved customer service is
likely worth the potential for a few lost products. Sure, I may be wrong, but to
them it may just be a cost of doing business. It's not unlike many department
stores' policy of not targeting a shoplifter-in-action in a mall, especially
once they've left the store (mostly for liability reasons).

~~~
ghshephard
"many department stores' policy of not targeting a shoplifter-in-action in a
mall"

Citation? I've never heard of such a policy. Every mall I've had knowledge of
had a _very_ extensive security organization that was pretty effective at
targeting shoplifters-in-action.

~~~
mscarborough
Apart from personal experience working in grocery stores, where nobody really
cares, there is this: [http://marga.voxpublica.org/2012/08/shoplifting-and-magnetic...](http://marga.voxpublica.org/2012/08/shoplifting-and-magnetic-anti-theft-devices/)

Depends on where you go and which mall. Strip malls are a lot less effective
with countering shoplifters than the 'real' malls.

------
vinhboy
I don't get it. What does the dot-email have to do with them social
engineering their way to your order numbers?

Is the fact that they used a dot-email the weak link here, and what thankfully
allowed you to catch on to the problem early?

If that is the case, why would an attacker use a dot-email, when they could
just use any email?

~~~
vegardx
I think they used the dot-notation to legitimize it, basically just a brick in
the social engineering scheme pulled on the support rep.

~~~
disillusioned
That's my thinking. I assume they figured that because the account they were
"chatting as" was so close, it might help. Or they thought it had a dot
initially and found out they were wrong when the rep said there were no
orders.

Amazon lets you chat without signing in and you can claim to have any email
address you want at that point, so it's tricky to say if this was intentional
(hoping the reps were "dot blind") or if it was just a mistake/bad initial
guess.

------
shalmanese
It could also be that Amazon waives its same-address policy only around
Christmas as it knows that a) people are travelling and b) a missed Christmas
present is a bigger deal than a normal missed package.

It might have figured that this would be an acceptable loss given that it can
only be exploited once a year.

------
damian2000
It's amazing that this scam seems like it's being pulled off from outside the
US, via a re-shipping service in Oregon. Anyone know how vulnerable
international Amazon customers are to this same scam? I'm thinking that the
scammers require some sort of re-shipping service, which are generally not as
widely available as they are within the US.

~~~
dminor
I work at a small online retailer and almost all of our fraudulent orders are
from outside the US. Use of a mail forwarding service is also typical.

~~~
hannibalhorn
When these fraudsters use mail forwarding services, do they have the address
registered with the credit card company, and do you guys check that?

I ask because I live overseas and use a forwarding service quite a bit, but
several smaller shops do flat refuse to ship to me, meaning I have to ship to
my dad's and have him send it to my forwarding service, which ups the price a
bit. And it's kinda frustrating, as I do have the address registered with my
banks.

At least reading a story like this one explains to me a bit why things are the
way they are.

~~~
line
They usually don't since they may not have the bank login information or be
able to pass the bank's verification checks in order to change the registered
info. Even if they do, merchants many times won't check because it's very time
consuming to call up the bank to verify shipping address.

That's unfortunate that it causes you the hassle. But from the merchant's
perspective, especially if they have been burned before, ship forwarding
services are high risk.

Look at it this way. When you place your order, to the merchant, your IP will
be from overseas, the credit card will be based in the US, and you are
shipping to a ship forwarding facility. This is very typical of what fraud
looks like with stolen US cards. The problem is that merchants bear the
responsibility and chargebacks are a big problem, so they may not want to take
the risk.

------
whyleyc
Couldn't this be fixed by Amazon just requiring you to be logged in when you
start a chat with them?

Tiny bit of extra hassle for the user but is made up for by the fact that
Amazon wouldn't need to bother asking any security questions to verify
identity.

~~~
UnoriginalGuy
In this case the fraudster was logged in to an Amazon account. They created a
new account using the alternative e-mail address and set the address
differently to the original account.

They then claimed that the original account was lost due to the e-mail address
being "hacked" and that they needed the order numbers. They then used the
order numbers to request a replacement using their new account.

~~~
pbhjpbhj
> _They created a new account using the alternative e-mail address and set the
> address differently to the original account._ //

You lost me.

So customer Andy Blogger has account ablogger@gmail.com.

Fraudster Bandy Logger creates account at Amazon using email address
ab.logger@gmail.com and the verification email is sent to Andy's account (as
gmail is dot blind in email addresses).

How does fraudster Bandy confirm ownership of the Amazon account so he can log
in and change the accounts email address? Doesn't he have to create the
account with the re-shippers postal address, then confirm the account with an
email address they control, then change the email address to the one for the
Gmail account ... doesn't that look pretty damn suspicious.

How about recording a short video on account creation, speaking/signing name
or something similar. Then reps could confirm ownership via video chat. Sure
it would still be possible to abuse but would be a lot harder.

------
KaoruAoiShiho
Wow Amazon customer service is amazing.

~~~
disillusioned
I just wish they would add some challenge that wasn't publicly available
information. The rep admitted to me on the phone that "that's all we need, and
we can do a lot with just that." They can't place new orders or add billing
methods, and she claimed they don't have access to even see your billing
information anymore (perhaps since the Mat Honan debacle?) but yeah, eager to
please, clearly.

~~~
vegardx
Actually, all the reps would need to do is look at your history. Like "You
recently returned a book, can you tell me what book?", and it would be pretty
hard to social engineer it from some other source.

~~~
philip1209
I like this idea. When I call my online brokerage, they ask, "For security,
can you please name a stock that you currently own?"

~~~
mseebach
AAPL. Now, I'd like to buy _a lot_ of penny stocks.

~~~
philip1209
Long on AAPL? Hopefully not since September!

~~~
mseebach
Sure, why not? They're still up 100% y/y. Either you're long on Apple, in
which case it's just a little bumpy right now or you were long on Jobs, in
which case you closed your position out when he passed away.

~~~
philip1209
I was definitely long on Google during their Baidu incident. That was painful
to weather!

------
nchlswu
I had a strange issue with my Amazon account a while back where I couldn't log
in and when I finally could, all my account history was lost. I can't recall
if it was my mistake (I've used dot-emails before), but this definitely
reminds me of it.

As a Canadian shopper, the abuse of these shipping depots is a bit concerning
to me, as I've used one of the depots mentioned in the post. These are such
high volume shipping locations (to so many different addressees), I'm sure
Amazon has shipped tonnes of orders to these locations and I'm wondering if
they've investigated them before? These centers are very easy targets for
abuse and I know Nike keeps a database of these addresses and blacklists them.

I'm not sure if they do it to prevent grey market exports or fraud, but (from
a consumer perspective), I hope Amazon doesn't go this route.

------
munger
Thanks to Chris Cardinal for taking the time to write this up! I think it's
important to be aware of current fraud like this since a lot of HN readers are
probably also amazon customers (as I am myself).

Also interesting to know about gmail "dot blindness" - kind of like "plus
addressing" you could use it to track who adds you to spam lists, by giving
out different versions of your gmail address to different vendors (not that
most people have time for that - I've never done this).

Plus addressing looks like this: myusername+whatever@gmail.com sends to
myusername@gmail.com, but some sites' email regex checks do not allow this, so
dot addressing could be used instead.
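The dot-blindness pbhjpbhj walks through above (ab.logger@gmail.com landing in ablogger@gmail.com's inbox) and the plus addressing described here are the same problem from a support tool's point of view: two spellings, one mailbox. Added example, not code from the post or from Amazon: a canonicaliser that a CSR console could use to flag a chat claimant whose address is merely a dot or plus variant of the account on file, plus a scan for registered accounts that collide on one mailbox. Treating googlemail.com as an alias of gmail.com and stripping `+tags` on every domain are assumptions made in this example.

```python
from collections import defaultdict
from typing import Dict, List

# Providers known to ignore dots in the local part. Assumption of this example:
# googlemail.com is treated as an alias of gmail.com.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Reduce an address to the mailbox it actually delivers to.

    - local part and domain compared case-insensitively
    - '+tag' suffixes dropped (plus addressing); done for every domain here,
      a deliberate over-approximation because this feeds a *flagging* tool
    - dots in the local part dropped only for dot-blind providers, since
      example.com may legitimately host both a.b@ and ab@ as separate users
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local = local.split("+", 1)[0]
    if domain in DOT_BLIND_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_variant_of(claimed: str, existing: str) -> bool:
    """True when two *different* spellings reach the same mailbox, e.g. the
    address a chat claimant types versus the one on file for the account."""
    if claimed.strip().lower() == existing.strip().lower():
        return False
    return canonical_email(claimed) == canonical_email(existing)


def find_collisions(accounts: List[str]) -> Dict[str, List[str]]:
    """Group registered addresses by mailbox. Any group larger than one is a
    set of accounts reachable by a single Gmail user, or by someone
    impersonating that user with a dotted spelling."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for addr in accounts:
        groups[canonical_email(addr)].append(addr)
    return {mailbox: spellings
            for mailbox, spellings in groups.items() if len(spellings) > 1}


if __name__ == "__main__":
    # Constructed sample modelled on the thread's Andy Blogger / Bandy Logger case.
    on_file = ["ablogger@gmail.com", "ab.logger@gmail.com", "ab.logger@example.com"]
    print(find_collisions(on_file))
    print(is_variant_of("ab.logger@gmail.com", "ablogger@gmail.com"))  # True
```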

------
disillusioned
I will say this, since it's somewhat amusing, but it's the first time I've
been scammed for negative $43 dollars. I wonder if the scammer figured that he
could get me some hush money and hoped I'd let the rest slide?

------
brechin
Amazon actually distinguishes between accounts with the SAME email address but
different passwords. I don't know of any other site that uses email as an
account identifier and lets multiple people use the same one.

~~~
xxpor
They don't allow you to do this anymore. Back when Amazon started, lots of
families only had one email address from their ISP. They allowed you to make
multiple accounts with different passwords for this reason.

If you try to set it up today, it won't work.

------
mjt0229
As I recall, Apple was _the_ weak link in that identity theft, although Amazon
was not blameless.

~~~
IheartApplesDix
Everywhere I've ever shopped and every ATM I've used shows you the last 4
digits of your CC#, why Apple decided to use the first 4 is beyond me. Maybe
they just wanted to _think different_?

------
robododo
I, unwittingly, nearly pulled the same scam with Dell about 10 years ago.

I had a new notebook shipped to my house. It cost about $1600 new. The
tracking information said it was delivered, so I hurried home to get it as I
didn't want it on my doorstep. I get there, and no box. I checked the deck out
back (where the UPS guy would sometimes leave things), and nothing. Crap.

So I call Dell, and after working with them for 20 minutes, I have a new
replacement on the way. I basically had to "super pinky promise" that the
notebook never really made it to me.

10 minutes later, my neighbor comes by and says "Hey, got a package for you!".
Holy moly... I just social engineered the poor Indian lady at Dell. After a
quick call back, the replacement is canceled.

To this day, I'm both shocked and very happy that Dell made it so easy. I like
that they trusted me (a return customer) and tried to do the right thing.
However, that trust is so easy to exploit.

I'm not sure what the answer is here. In this case, I can't blame amzn. I
mean, they are trying to be helpful. How do you set up a system that's truly
helpful w/o leaving wide gaps for scammers? Things like 2-factor auth, SMS
codes, etc will annoy most non techies (IMO).

------
Shank
I'll vouch for the ease at which Amazon sends replacements for broken
products. I've ordered obscure replacement phone parts (namely touch screens
and lcd panels), but had issues with a couple. Amazon gladly refunded the
defective ones on the spot, which allowed me to buy others right off the bat.

I really hope this gets stopped - I'd rather not have Amazon's generosity
thrown down the drain because of a few scammers.

------
zobzu
I'd like to point out that this is almost ALWAYS the problem. People ALWAYS
get hacked, not because they use "love123" as their passwords, not because
their pc/mac wasn't up to date.

Nope. They get hacked because the security question asks for a pet name, or a
school name, or a friend name. Freaking easy. They get hacked because support
gives information without authenticating people. And so on.

Dear companies, stop doing that. Thanks.

~~~
damian2000
You can add in there passwords not being secured properly by application
developers too ... probably the biggest source of being hacked.

------
rckrd
I'm surprised Amazon was not suspicious that a service request had come from a
location where the account has never been logged in from before.

------
michaelhoffman
I reported this to a friend of mine who works in fraud detection at Amazon.

------
jneal
I accidentally did something similar. I ordered an item, and paid for
overnight shipping on a Thursday morning. The item didn't arrive as promised
on Friday; in fact it didn't arrive until Wednesday the next week. That
weekend, I called in complaining that I hadn't received my item. The label was
printed Thursday, but UPS never picked up the package. They assumed it was
lost and re-shipped my package. Lo and behold, I received both packages and
ended up with a 2 for 1. I kept the extra still in the box for a month,
figuring I'd get a call from Amazon eventually asking for it back - when I
never heard from them I decided to sell it.

~~~
mseebach
So you're guilty of theft and fencing - and of abusing the trust Amazon
extends to its customers.

------
city41
I wonder if I am being the target of this scam now too?

I just got an email from Amazon customer service asking if my recent customer
service inquiry was handled satisfactorily. I've not contacted Amazon or ordered
from them in quite some time. So I wrote them and told them that (I also
linked to this blog post on htmlist). Their reply:

> Thanks for bringing this to our attention.
>
> It looks like one of our customers mistyped his or her e-mail address when
> placing an order with us. You have _not_ been charged for anything as you
> didn't order.

Mistyped their email address? This seems unlikely to me, as my gmail address
is pretty unique and not likely "near" other people's addresses. I dunno,
feels suspicious to me.

------
npsimons
I find it interesting that people are _still_ blaming Amazon for the Mat Honan
iCloud hack, when it was Apple who was so lax in letting someone reset a
password with as little as the last four digits of a credit card number.

------
disillusioned
Annnnnnnnnnnnnnnnnnnd Amazon terminated my account. Great. (And that of the
other woman this happened to.) EDIT: Being told that it was just on hold
despite the customer service email and my account being locked out. Oy.

------
bcoates
What's the deal with these reshippers? It seems like the weak point in the
scam, Amazon should either blacklist their addresses or coordinate with them
to authenticate where the package is actually going.

~~~
line
While they are higher risk, you can't really just blacklist them all since
there are a lot of legit orders that get sent to reshippers. For example,
customers buying from overseas when the merchant may not offer international
shipping. So you have to look at other data points as well.

In this case, having an established order and delivery history and then to
have it shipped to a reshipper is odd and should've raised a flag.

I'm sure Amazon's fraud system knows about that address. But maybe that flag
is not exposed or given to the CSRs. That particular one in Oregon is used
fairly frequently by fraudsters. We've seen it a number of times among our
merchants.

------
prlin
Witty how he flips the Amazon "smile from a to z" upside down into a frown.

------
ars
"And up until early this afternoon, the whois information for my domain"

Whois information is archived basically permanently by many online databases.
Changing it doesn't help anything - the old values are easy to find.

~~~
disillusioned
Yep. Aware of that, mostly hoping to remove some of the low-hanging fruit. My
fault for stupidly posting my real information in my domain records.

~~~
nraynaud
That's not stupid, that's what is asked and for a long time it was not a
problem. Times have changed, that's it.

------
javajosh
Hey, I have an idea: how about stop using Amazon and start buying and selling
from your local community, small businesses, like with actual people who can
get to know you and who aren't susceptible to this kind of nonsense?

The cool thing about dealing locally is that you no longer have to wade
through bureaucracy to get customer service - you can walk up to a flesh-and-
blood person and talk to them face to face! And, unless they have masks from
"Mission: Impossible" you'll be very, very difficult to spoof!

~~~
runaway
Because I personally don't value seeing a flesh-and-blood person very much. In
my experience, Amazon has them beat in price, convenience, and customer
service (they replace items and take my returns without an attitude, always).
They also carry items my local stores wouldn't dream of carrying.

The only time I buy from local stores is when I absolutely must have it that
day. And it looks like Amazon might even be doing that soon.

~~~
javajosh
Perhaps I'm spoiled but there are two very good camera shops nearby. They are
more expensive than Amazon, but they are also the hubs of the local
photographer community, and the people that run them are neighbors. They also
have consignment, used gear, etc. and for those times when I shoot film they do
a great job of developing.

The inconvenience of going there is far outweighed by the benefits. Perhaps
that's why they have survived in the era of Amazon and Best Buy! But I really
really encourage people to actively search for local independent photog places
(I mean, not Scammy's, er I mean Sammy's) if you take photography seriously at
all, the premium is worth it.

~~~
disillusioned
I actually use the local lab/photog shop for prints and camera work and lens
rentals, but they want $1,150 for the T4i with 18-135 STM. Amazon sold it to
me for $799. (It's back up to $865 now, but still.)

I looked, but I couldn't justify the extra $350 at this time.

~~~
javajosh
Hmm. Normally the price discrepancies aren't that large, so I can't blame you
there. Next time try talking to them - camera shops know what's up and will
often work with you on the price. Negotiation is also one of the nice parts of
dealing with actual real-life people.

~~~
fest
That's one of the reasons I don't like shopping offline - I hate the act of
negotiation about the price of something. I also don't like to negotiate on price
when I'm selling something myself. If I were willing to sell it cheaper, I'd
put a cheaper price tag on it.

Reminds me of classifieds like "will sell for $100. Serious buyer will get $30
discount".

~~~
javajosh
I hear ya. In this case, there's not much of a negotiation - it's more of a
"Well, I want to support local business, but Amazon has this product for $350
cheaper. Can I work with you on price?" Then, if they don't come down in
price, you buy it from Amazon.

Local stores are not all the same, of course. Some, perhaps many, local stores
don't deserve to survive. They are poorly run and perfectly willing to scam
people who don't know the market price of stuff. But still I'm eager to at
least try to work with them to avoid living in a world of nothing but
enormous, monolithic corporations. Granted _retail_ isn't exactly my favorite
industry - I'd much rather support small makers of things - but I still try.

------
prostoalex
How did this Chris Cardinal guy find out about the original camera order, if
he didn't have access to htmlist@gmail.com?

~~~
disillusioned
Further down in the article I mention that a possible vector was that I
tweeted from my personal Twitter that I was considering buying a T4i and that
someone searching for that might consider me a target and try.

It's definitely an interesting question, but it's clear he was just hunting
and pecking, which is why he wanted all the order numbers from November and
December... not sure if he initiated a few other chat sessions to figure out
what was in each order and found a high-ticket item to pursue, or what, but
it's a good question... I don't know what made me an initial target at all.

Interestingly enough, Amazon offers a "Tweet this purchase" option which I did
NOT avail myself of, but which would definitely exacerbate this problem.

(Also, my name is Chris Cardinal. I don't know the scammer's name, but of
course he couldn't request Amazon to change the shipping address AND the name
for the replacement order. That would be a bridge too far.)

~~~
prostoalex
Ah, didn't realize he used the same name. So potentially

1) first chat session with Amazon support to claim that he lost access to his
email and needs order #s (which is what you've tested out, and it works)

2) subsequent sessions from different accounts with various dot placements to
inquire about the status of specific order #s

3) when a high-value item is found, sticking to the original dotted address,
and asking for replacement

Is your mailing address available from public sources?

~~~
disillusioned
Yep, it was on the whois for several of my domains. I've since privatized
them, but the caches will remain. Oh, how they'll remain.

------
Evbn
In passing, not fair to blame Amazon because Apple uses effectively public
information (last 4 of CC, which is known to every restaurant waiter and shop
clerk in America), as a secret key.

