Slashdot Mirror

← Back to Stories (view on slashdot.org)

Amazon's Customer Service Backdoor (medium.com)

Posted by Soulskill on from the be-less-helpful-please dept.

An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.

But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.

3 of 131 comments (clear)

  1. Google... by JasterBobaMereel · · Score: 4, Interesting

    He thinks Google is more secure ... ?

    --
    Puteulanus fenestra mortis
    1. Re:Google... by Anonymous Coward · · Score: 5, Interesting

      Well it's more like Google does not have Customer Service...

      Well, they do, sort of.

      A while back I ordered a nexus android phone direct from google for testing. I received the phone, my credit card was charged, I paid my credit card bill, and all was good.

      About 4 months later, I decided to buy another nexus android phone direct from google. I logged in to my account and bought another phone.

      A day later I get a rejection message that my account was suspended and to contact google. I call them, speak to someone (in the USA, judging by their accent). They explain that my account was suspended for security reasons, and they are transferring the call to their "security team".

      Their "security team" is based in the Philippines, and they told me my account was suspended for suspicious activity, and to reactivate the account I needed to upload scans of my driver's license and passport, otherwise they won't reactivate my account.

      Why does google flag this as a suspicious? I have no idea. If the initial order was fraudulent, I probably would have disputed the charge on my credit card instead of paying it months ago.

      After much back & forth with their Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.

      I told them to fuck off.

  2. Does not surprise me.... by Lumpy · · Score: 5, Interesting

    Back when Amazon.com had been in business for a few years I called their tech support to recover my password.

    They read the password to me over the phone. That means passwords at that time were not stored as a hash but as clear text in their database.

    --
    Do not look at laser with remaining good eye.