
Amazon just told me to log into someone else's account – and delete it - Roedou
http://www.ousbey.com/blog/amazon-just-told-me-to-log-into-someone-elses-account
======
macros
The I have too much time on my hands approach is to self-publish a short story
to this person on how to get in touch with you and buy it from their amazon
account.

~~~
PeterWhittaker
Oh, I so much I could upvote multiple times. Brilliant.

~~~
PeterWhittaker
Wow, that got downvoted? Yikes.

Some folks have itchy trigger fingers....

(Oh, I know. I forgot to phrase it as "This" followed by a personal anecdote
supporting the assertion in question. Ah, humbled again.)

(Yup, expecting karma loss on this. Fun and games, no eyes at risk.)

~~~
PeterWhittaker
In a perverse way, I am enjoying this game. It's sort of fun seeing the
occasional karma drop and imagining the motivations and rationalizations....

Ah well....

------
r00fus
So Amazon's Kindle account creation process doesn't ask the user to verify
their email prior to associating it with an account?

Sounds very sloppy. Could it be a regression, or was it always this way? I
wonder if this could be used to spearphish or scam someone somehow?

~~~
wl
I have a first initial last name gmail account and I see a lot of this kind of
thing. Tons of companies don't verify email addresses and many make it
impossible to do anything about it. Cell phone companies, banks, insurance
companies, PayPal, eBay, Apple... it's getting rather ridiculous at this
point.

~~~
Doctor_Fegg
Tangentially related and amusing anecdote:
[http://dotat.at/tmp/railtrack.pdf](http://dotat.at/tmp/railtrack.pdf)

(summary: troublemaker registers 'Railtrack Ltd' as UK limited company after
dissolution of the previous Railtrack, which owned the country's rail network;
long succession of solicitors, land agents etc. fail to do basic research and
send legal demands to this new Railtrack Ltd; merriment ensues)

------
yoctonaut
I managed to get (first name)@(popular).com, and man, it's a core sample into
what a bunch of people all over the world are doing. Signing up for cable or
satellite tv, buying iPads/iPhones, sending each other family photos, ordering
dinner, taking cabs, buying bus tickets, getting divorced, offending their
condo association, signing up for dating/hookup sites, opening stock-trading
accounts, applying for jobs, posting jobs for people to apply to, and more.
And none of them know their own email address.

~~~
steanne
given that my name can be seen as an abbreviation for sainte anne, i tend to
get french churches that don't know their own email address.

------
aroberge
The practice of checking the validity of email addresses seems to be lost on
many (most?) businesses. I've found in my mailbox, from at least 4 other "A
Roberge" located in either the U.S. or Canada the following:

Health insurance form and other information for a child

School report for a child

Mortgage information

Book library late notice

Nail product order confirmation

Multiple confirmations of job applications

PS4 account information

Various invitations to family gatherings

etc.

Whenever I could find the relevant information, I contacted the various people
that send me the original email to correct the information. Most did not
respond (including the father of a child with the above mentioned information
who was copied on one email).

Sometimes the emails contained an unsubscribe button (yay) but, upon trying to
use it, it asked for a password (which I obviously did not have). So, off to
the spam folder...

So, I completely agree that Amazon's registration process is very flawed ...
but there seems to be a lot of clueless people and businesses out there as
well.

~~~
fencepost
I get these regularly, and for purchase notifications on sites where I expect
the person will come back, I make an effort to track them down and notify
them.

The only one where I actually put in quite a bit of effort was when I was
getting the email notifications for downloading someone's CME (Continuing
Medical Education) certificates as they completed courses. It turned out to be
a real pain - I could find the person, but couldn't get hold of them.
Approaching retirement age, rural, etc. - I think I finally ended up leaving
voicemail on their son's # and with their church, though it probably would've
been easier at that point to just sit down and actually write and mail a
letter.

And the only one that really annoys me is the gun nut. I get more crap from
whacked out black helicopter EEEEBOOOOOLLLAAAAA idiots now...... And he
actually gave them money, so they just don't go away.

~~~
aroberge
Have you tried emailing them and telling them that every time they contact
you, you are going to donate some money to 1) Obama and 2) some organization
that lobby for more gun control?

~~~
fencepost
If I actually felt like engaging, I'd probably just buy the original donator a
gift subscription to The Nation or something like that. I regard the actual
organization as being much like Glen Beck - either a completely cynical
huckster who doesn't actually believe any of the crap he spews, or someone so
dissociated from reality that discussions are pointless. Either way, I'm not
going to convince them of anything, and after an initial unsubscribe I just
mark anything further as spam and be done with it.

------
pwarner
I had a very similar problem with ebay. Account made with my email, not me.
Again, no email verification. To make it worse I couldn't log in and delete
the account since ebay required security questions to do a password reset. I
ended up trying to track down and call the person, it was a while ago but I
think I even sent them snail mail. (there was enough info in the emails to
track them down, maybe a shipping address when they won an auction?)

Eventually they stopped, but no thanks to ebay.

Why is email address verification not more standard?

~~~
russell_h
Thats funny, a month or so ago I tried to sign up for an eBay account and
never managed to make it through the buggy email verification. Last I checked
I still can't use the account, or create another with the same email address.

------
anonbanker
If we can use trust law as our starting point (trust = shared title to
property), then we see that an Amazon/Kindle account is just a trust between
you, amazon, and this other party. The only one investing money in the trust
is this third party.

If you delete the account, you have two of the three parties' agreements
documented. You need all three, in order to be able to claim that nobody's
rights are being infringed. This can be done by making a good faith effort to
notice the third party via multiple forms of communication. Even if they don't
get to the party, you need to at least make the attempt. Send a first notice,
wait ten days, if no response, send a second notice. If no response, consider
that your acquiescence, and delete the account.

~~~
jellicle
It's not possible to contact the third party without logging into "their"
account, which is a crime under the Computer Fraud and Abuse Act. The act of
getting that contact info from someone else's account is precisely what the
CFAA exists to illegalize.

~~~
anonbanker
by using your email address, they have entered you into this trust with them.
As such, you have a claim to ownership of the account. The Computer Fraud and
Abuse Act only covers accounts that do not belong to you, and being this one
partially does, you are within your rights to use the account to contact the
other owners.

~~~
jellicle
That's a pretty novel legal argument, that you acquire ownership of someone
else's computer account - that you have entered into a legal contract with
someone who isn't aware you exist - merely because they typoed their email
address.

It is so novel, in fact, that it doesn't exist.

Don't make up bullshit and write it in legal threads. You might deceive
someone into thinking your bullshit is accurate.

~~~
anonbanker
I look forward to your evidence that interest in a contract does not connote
informal equity.

------
skamoen
This guy doesn't seem to be willing to actually help you. I'd consider trying
a new chat session with, hopefully, a new guy who's capable of doing his job.

~~~
exelius
Sounds more like he doesn't have the tools to help because Amazon had locked
him out.

As a side note, this is how customer service becomes terrible. Security audits
turn up processes that allow social engineering attacks, so they lock down the
customer service tools. Agents get confused, so they implement rigid
procedures (i.e. you can be fired for going off-script). These rigid
procedures can be executed by a trained monkey at minimum wage, so agent
quality declines. Rinse and repeat for a few decades and you get Comcast
customer service.

~~~
toong
Wow, the idea that he really doesn't have the tools to help out didn't even
enter my mind. I was just assuming ignorance/incompetence ?

Still .. Hanlon's razor is in my head :-)

Edit: if the customer-support-tools really are locked down, shouldn't they
have a procedure to escalate ? Telling a user to break the law to help himself
out should not be standard practice after all.

~~~
exelius
He may not have the tools as a security precaution: when you're a huge company
like Amazon, you're going to hire a few bad apples. So you don't want to give
all of your support reps access to every account (though maybe you have a few
managers who do), which is why the security questions exist.

Furthermore, I don't even know what Amazon is _supposed_ to do in this
instance. They would normally e-mail the user, but that's obviously not going
to work in this case. I guess they could send a snail mail letter, but even
then this is probably enough of an edge case there's no policy around it, and
as such no automated form letter to send or system to send it from. If their
support reps are taught to never deviate from policy, he may have gotten
confused and given up (this happens any time you hire anyone under ~$15/hr:
you have to pay them enough to care).

I would guess he could have gotten a better response by jumping on LinkedIn
and finding a VP of customer support and e-mailing them directly. At a company
with the velocity Amazon has, they still see one-in-a-million errors a few
dozen times a year, so it's not a bad idea to address them as they come up.

------
pessimizer
It's just bad customer service workflow (that you weren't escalated, but
locked into the script) and bad interface design (that addresses aren't
verified.)

It's some ratio of lack of imagination:care.

I called paypal last week to remove an expired card from my account. At some
point, Paypal has started doing background checks to come up with security
questions after the fact, _all three of which_ have to be answered correctly
in order to have a discussion about your account.

One of the questions was my father's wife's (who he married when I was in my
late teens and both lived in a different state) birthday month. Another was a
friend's street address that I used to get an Oregon ID, and slept on her
floor for about 3 months _20 years_ ago.

The operator was sympathetic, but what could she do? She had no way to
escalate, and there was no contingency for if a question was asked that the
customer may _never_ have had the answer to. It's just sloppy.

~~~
zem
> At some point, Paypal has started doing background checks to come up with
> security questions after the fact

wtf? paypal keeps pestering me to link it to my bank account, with the
incentive that i won't have to pay fees to transfer money to friends. i've
held off out of a vague feeling that they'll find some way or the other to
screw me over once i do; stories like this make me happier that i've listened
to that instinct.

------
neomech
Reading the chat log it doesn't seem like the replies are from an actual
person. Are Amazon outsourcing their customer support to a collection of AI
constructs. :-)

~~~
adamio
If AI needs only be better than these responses, this could be a huge
opportunity

------
robododo
This is the burden of having firstlast@popular.com email address.

Once, my wife had someone setup some sort of financial account with her email
(CC, IIRC). They didn't verify the address!

My wife called and tried to do the right thing, but the people on the phone
just didn't understand the concept that the email address was wrong. It simply
wouldn't compute for them. Since my wife had the email address, she /must/
have been the account holder. Right?

~~~
AjithAntony
Me too. I'm particularly noticing in my case, since I get lots of people in
India using my eponymous gmail address, that Indian banks, mobile carriers,
and ISPs are terrible at every facet of this experience. Lots of spam, no
unsubscribe opportunities, sending passwords in plain text in email, all mails
are embedded images only with no text.

------
colinbartlett
"Low level customer service rep at Amazon just told me to log into someone
else's account - and delete it."

Clearly, someone made a mistake. This is not some official policy sanctioned
by Bezos and handed down from above, despite what the clickbait headline
reads.

------
robbrown451
Here's how you can send the original owner a message so that you don't have to
delete the account.

Log into their account, and order, to be delivered to their address, something
that gives them the first letter of your message. For instance
[http://www.amazon.com/Sterling-Silver-Initial-Pendant-
Neckla...](http://www.amazon.com/Sterling-Silver-Initial-Pendant-
Necklace/dp/B00CIOBWHQ/ref=sr_1_3?ie=UTF8&qid=1414518915&sr=8-3&keywords=initial)

Then do it over and over to send them a message that their email address is
wrong. You'll have to space them out by a few days, so they arrive in order.

~~~
malexw
If he has access to the account, why wouldn't he just write up an explanation
of the problem and push it to the Kindle?

------
Justin_K
I had the same issue with my Adobe account. Someone created an account in
another country, with my email address. I took the liberty of doing a password
reset own my to reclaim the address. Luckily, the user had purchased nothing.

I had to then go through Adobe support to reset the country, as I couldn't do
it on my own.

I too was surprised that there was no process to verify the email address.
What a joke!

------
robbrown451
I would place a bet that now that this is on HN, someone at Amazon will tell
you no, don't do that, we'll fix the issue.

~~~
Roedou
It's as if that was the plan all along... ;)

~~~
robbrown451
Ha. Good luck... :)

------
whiddershins
Madness. My friend is getting emails from 3 different dating sites, all to a
person who has a very similar name and managed to sign up for all these sites
using the wrong email address.

Somehow none of them bothered with email authentication.

It seems as if, technically, these sites (including Amazon in this scenario)
are engaging in illegal spam practices. But who knows.

~~~
bryanrasmussen
whoa, that explains what's been happening to me. I've been getting some mail
from some match.com and I've never signed up.

------
cddotdotslash
Shouldn't Amazon be verifying the email address before they just start
treating it as valid?

------
rogerallen
It is such negligence that so many companies do not validate email addresses.

It is especially frustrating that nearly every time this happens it comes from
a "do not reply" address within the company so you can't do anything about it.

------
jmsduran
I recently bought a Kindle Paperwhite, and also noticed how easy it was to tie
the Kindle to an email account upon purchase, all without verification. This
seems like something Amazon definitely needs to fix.

------
ck2
It's gmail, sheesh just create a filter to delete the emails.

If you delete their account you may be committing a crime somehow, just
logging in may be committing a crime, not worth it.

~~~
chris_mahan
Just forward them all to privacy@amazon.com?

~~~
adamio
Email the whole blog post to jeff@amazon.com for higher level support

------
jpetersonmn
Why not just create a filter to send those emails to the trash? I certainly
wouldn't log into the account, that's likely illegal.

------
jonnynezbo
I applaud you taking the time to do the right thing. I probably would have
just created an email filter, and called it a day.

------
gwbas1c
Actually, the best thing to do is to make this very, very, very painful for
Amazon.

First, it needs to become very obvious that Amazon goofed in not verifying
that the kindle owner owns the email address.

Second, the person with access to the account needs to rack up so many charges
that they max out the credit card.

By making "not verifying email addresses" an expensive product mistake, this
problem can be solved quite quickly.

------
adenner
having the email address my last name @ gmail.com I have gotten a lot of this
sort of thing. The best one was 3 years worth of income tax returns from some
accountant in New Zealand.

------
Pinckney
Why not just set up a filter to delete them?

