Slashdot Mirror
Amazon's Customer Service Backdoor (medium.com)
An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
Well it's more like Google does not have Customer Service...
While amazon screwed up here and enabled a social engineering attack:
Google services which seem significantly more robust at stopping these attacks
What is the evidence that he has to support this assertion? In his time at amazon, it seemed one party after some period of time started harassing amazon. Does he know that Google is more robust, or just that no one has gotten around to harassing him?
Assuming google is more robust, is it because they are 'just plain better' or because Amazon is so retail-heavy that it's much more difficult for them to block such attacks without royally pissing off their bread and butter retail customers?
It does surprise me that the support without logging in can do *anything* except help them reset their password. Resetting the password is more intrusive, though even this got notification sent to the legitimate account holder, so it wasn't a stealthy attack to begin with.
XML is like violence. If it doesn't solve the problem, use more.
Banking websites require 1 capital, 1 symbol, and 1 number in the password, doesn't allow you to use the back button and logs you out after 5 minutes but then allows you to reset your password by knowing your pet's name, your birthday, or some other ridiculously easy to find information. Yes, the password is usually sent to an email address but that email address doesn't have any of the same security, a person is always logged in, and usually has similar easy to crack password resets. Oh, and let's not forget that they won't actually allow you to opt out of the password reset or set it to something reasonable (like maybe most recent deposit combined with text message combined with a letter they mail out combined with credit card number)
In the USA they recently rolled out "Chip and Pin" technology for credit cards but decided that "Chip and Pin" was too inconvenient so instead just made it "Chip" so that when/if they ever implement "Chip and Pin" they will have to retrain everyone a second time (aka won't happen anytime soon) It's not like people weren't already familiar with pins with debit cards. It would have been trivial to just add the pins on in one go.
As long as we continue to operate on the premise that convenience is more important than security we are going to continue to have security problems.
After much back & forth with [Google's] Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.
You obviously aren't pleased by this, but this is actually evidence that Google's customer service is significantly more careful with your account than Amazon's customer service (per the article).
Wrong: They're super-duper violating information if you're playing a victim card or an SJW.
Seriously though, even SSNs aren't so hardcore anymore. Wake me up when you have a web site that stores plaintext passwords and lets CS read them - which surely exist even today, so give them a low-level password. Y'all ARE avoiding reuse by maintaining tiers, right?
How do you know ?
No really, how do you know ?
What the OP and I do see is that they ask for stuff that could be easily used to do exactly that what its supposed to be warding off: identity spoofing.
In other words: that "helpdesk" (the higher management) is either as dumb as anything, or its actually an outfit to gain private information (or even a mix between the two).
Lets put it differently: Would you give some random joe a copy of the key to your house as proof that you're the actual resident ? Why not ?
the summary is confusing. unless he only has an amazon account for Amazon's cloud computing platform, what would be the point of migrating to Google? And google is only 'more robust' because they make it EXTREMELY hard to actually contact a live person.
Sleep your way to a whiter smile...date a dentist!