
Ask HN: AWS refuses to stop billing me for a compromised account - unknownsavage
About a year ago, my AWS account was fully taken over by a successful social-engineering attack. Prior to the full takeover, the screw-ups by their customer support were bad enough that, in response to a viral blog post ( https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4 ), they upgraded me to "executive support" for free.

Regardless, it was all for nothing when they gave my account to someone else. Besides compromising sensitive information, the attacker was able to change the account information and email address to the point that I am unable to authenticate.

At this point, I do not care about recovering my account, as I have fully switched to Google Cloud and have been extremely impressed by Google's Advanced Protection Program. However, my credit card keeps getting billed by Amazon. Whenever I phone Amazon, I can't get through to a reasonable human being, as despite having the credit card in my hands, I cannot authenticate against the account with changed details. Nor will Amazon simply remove the credit card number that I can provide them.

I've even requested a new credit card from the bank; however, the bank continues to forward AWS charges to me. So I have been going through a Kafkaesque ritual of disputing the Amazon charge with my bank, only to win and have Amazon bill me for the next month.

However, on the last dispute I've made, the bank (of America) has now ruled in Amazon's favor and rebilled my account. My bank has replied: "We've thoroughly reviewed the details of your dispute(s), and based on the information we received, we're unable to pursue your dispute(s) future."

At this point, I'm stonewalled between my bank siding with Amazon and Amazon not speaking to me. I feel like I'm out of options. What are my options now?

If any human at Amazon sees this, my account number is: 326156978341 and dispute case number is: 92919033.
Please for the love of God, stop billing me.
======
jolmg
I'm trying to think of how to avoid something like this ever happening to me,
and I think the lesson I can learn from this is to use a debit card instead of
a credit card? That way, the account can go to 0. That debit card would only
be for services with automated billing like this, and would have limited
funds.

I mean, I imagine the main problem here is that you can't close your credit
card because the bank now says you owe them that money, right? If it were a
debit card, that would never be a problem.

EDIT:

> I've even requested a new credit card from the bank, however the bank
> continues to forward AWS charges to me.

They forwarded from one card to another? AWS charged a closed card and the
bank forwarded it? Sounds like you need to close the client account (your
whole client relationship with the bank), not the card.

EDIT 3: Or do you mean that you requested a new card without closing the old
one? If they're both open, it's not that charges are being forwarded, but
rather that the old card is still valid and both are linked to the same credit
account. Maybe you can ask them to close it?

EDIT 2:

> Nor will Amazon simply remove the credit card number that I can provide
> them.

By the way, if you can't authenticate with Amazon as the rightful owner of
that account, it sounds unreasonable for them to comply with a stranger asking
them to simply remove a credit card number from some account.

~~~
unknownsavage
> They forwarded from one card to another? AWS charged a closed card and the
> bank forwarded it?

Yup.

> By the way, if you can't authenticate with Amazon as the rightful owner of
> that account, it sounds unreasonable for them to comply to a stranger asking
> them to simply remove a credit card number of some account.

I disagree. If I can provide a full credit card number, they should be able to
remove it from all accounts. Either the card is compromised, or I'm telling
the truth.

~~~
detaro
So anyone you ever bought something from with that credit card should be able
to kill your AWS account with a simple phone call?

~~~
Nextgrid
They could send an email to the owner of the account asking to reauthenticate
the card (re-enter the numbers & CVV, go through 3D-Secure or provide a
picture of the card or bank statement).

This would mitigate incidents like this - as far as I’m aware the attacker
doesn’t actually have the card number, so giving them 24 hours to confirm it
(or the card gets removed after that) would be a good solution while remaining
only a minor inconvenience for legitimate usage (realistically speaking, how
many online stores who might have your card number are malicious enough to
call companies and try to get your accounts shut down, with no benefit to
themselves?)

------
detaro
Filed a police report and provided bank and Amazon with copies of it? (Any
written communication with either? Paper trail of provided evidence is kind of
important for such things)

That said, it's quite bad handling that bank and Amazon haven't managed to at
least shut down future charges / tell you what they need to do so.

------
chrisked
File a police report for the social engineering. Report that to your bank and
Amazon in a written, semi-official letter. If that does not work, lawyer up.

------
cmurf
These are fraudulent charges, occurring after you've closed the AWS account.
Cancel the credit card account, on the basis that they have violated their
fiduciary duty to the customer. Tell them you're filing a lawsuit.

File a small-claims lawsuit for the improper charges within 10 business days if
the bank hasn't made this right.

You have proof of cancellation of the AWS account? That's how you will win.

------
serpi
They've been sending me a bill for three years now on an account they closed.
I could not get the assholes to kill the account so I changed credit cards.
The support was helpful but gave me phone numbers to call that did not exist
and just kept saying they can't do anything else.

I threatened with lawyers and I have full correspondence on my behalf kept
safe so they can just fuck off with their bills.

------
kull
I would report the CC being stolen and get a new one. Technically, it was
stolen, together with the AWS account.

------
dyeje
Did you report the card stolen? I have never heard of charge forwarding. The
number should not work. You need a new bank.

~~~
londons_explore
It's a new thing. The aim is that companies like Netflix don't lose subscribers
when the subscriber loses their card and requests a new one.

The implementation is very shoddy - a mapping of old to new cards is
distributed to any big provider who has charged the old card.

~~~
m11a
I believe the forwarding is only done if the card was marked as a replacement
due to damage or expiry. If reported as stolen the forwarding shouldn't
happen. Not sure what happens in the case of lost.

OP said they didn't report it as stolen so that might be the reason why the
charges are being forwarded.

------
theandrewbailey
It might be lawyer time. IANAL, but might it be possible to sue AWS? You
technically aren't their customer (by their own doing), so any arbitration
clause might not apply anymore.

------
atian
The only issue here I see is that you haven't bothered Amazon enough that the
account was made inaccessible. Everything else is working as intended.

------
Blackstone4
Have you considered cancelling your credit card?

