Amazon's Customer Service Backdoor

An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.

But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.

Re:Does not surprise me....

I know it doesn't always hold true, but you can often tell how safe a site is to use by how nice it looks, how consistent the UI is, etc.

Amazon has always looked and felt like something an intern threw together in an afternoon and was then hastily built on top of over the next couple decades.