Amazon's Customer Service Backdoor (medium.com)
An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
He thinks Google is more secure ... ?
Puteulanus fenestra mortis
Never do customer support unless the user can log in to their account.
Well, there's your problem. Most of the time I don't want to log in to an account, because:
And if I want to abuse the system on purpose, I can always pretend to be a computer-illiterate old granny.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
While Amazon screwed up here and enabled a social engineering attack:
Google services which seem significantly more robust at stopping these attacks
What is the evidence that he has to support this assertion? In his time at Amazon, it seemed one party after some period of time started harassing Amazon. Does he know that Google is more robust, or just that no one has gotten around to harassing him?
Assuming Google is more robust, is it because they are 'just plain better' or because Amazon is so retail-heavy that it's much more difficult for them to block such attacks without royally pissing off their bread-and-butter retail customers?
It does surprise me that the support without logging in can do *anything* except help them reset their password. Resetting the password is more intrusive, though even this got a notification sent to the legitimate account holder, so it wasn't a stealthy attack to begin with.
XML is like violence. If it doesn't solve the problem, use more.
Banking websites require 1 capital, 1 symbol, and 1 number in the password, don't allow you to use the back button and log you out after 5 minutes, but then allow you to reset your password by knowing your pet's name, your birthday, or some other ridiculously easy-to-find information. Yes, the password is usually sent to an email address, but that email address doesn't have any of the same security, a person is always logged in, and it usually has similar easy-to-crack password resets. Oh, and let's not forget that they won't actually allow you to opt out of the password reset or set it to something reasonable (like maybe most recent deposit combined with text message combined with a letter they mail out combined with credit card number).
In the USA they recently rolled out "Chip and PIN" technology for credit cards but decided that "Chip and PIN" was too inconvenient, so instead just made it "Chip", so that when/if they ever implement "Chip and PIN" they will have to retrain everyone a second time (aka won't happen anytime soon). It's not like people weren't already familiar with PINs with debit cards. It would have been trivial to just add the PINs on in one go.
As long as we continue to operate on the premise that convenience is more important than security we are going to continue to have security problems.
Back when Amazon.com had been in business for a few years I called their tech support to recover my password.
They read the password to me over the phone. That means passwords at that time were not stored as a hash but as clear text in their database.
Do not look at laser with remaining good eye.
There is a person in the UK who occasionally types in my email address for their Amazon UK account. Although they shouldn't do that, Amazon UK doesn't verify the email address by requesting a reply. As a result, Amazon UK reroutes all of the customer's communication to me.
In addition, it is almost impossible to contact Amazon UK without logging into the misdirected account (easy to do, since there is absolutely no check on a password reset request other than clicking the link in the email, and since the email is wrong there is no barrier).
Once you do talk to Amazon UK, they seem to be completely clueless and try to assure me that I am the owner of the account. The last time it happened, after about 10 tries to get them to change the email address back to the rightful owner, I just gave up and reported them as spam.
I have no idea whether the person ever got their account back. It is pretty bad when someone who is trying very hard not to hack an account is forced to do it by Amazon and then can't get it undone.
Wait what?
Public information, stuff that shows up in phone directories ("white pages" as we used to call 'em) was enough to commit fraud with some online services?
Amazon may have a problem here -- there are many reasons that company should be burned down and the ground salted -- but thinking that your address or phone number are ever private information that can be used to authenticate you is a much deeper problem.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number.
Shatner must be stopped.
systemd is Roko's Basilisk.
Wrong: They're super-duper violating information if you're playing a victim card or an SJW.
Seriously though, even SSNs aren't so hardcore anymore. Wake me up when you have a web site that stores plaintext passwords and lets CS read them - which surely exist even today, so give them a low-level password. Y'all ARE avoiding reuse by maintaining tiers, right?
It is a tough decision. On one hand, too loose, and you get the issue with TFA. Too tight, and you will get people locked out, and walking off to other sources because they can't log in.
Some sites think they are smart, and use some oddball info from LexisNexis where they give you vague multiple-choice questions with "none of the above". Miss one, and you get royally locked out.
My personal take is that I like how Network Solutions did things. They asked for a fax or photo of one's license to verify an account if all else fails, which allowed recovery fairly reliably, as they could cross-check the license with other info.
Long term, what I would love to have (and yes, I'm mentioning IoT here... so please put down the torches and pitchforks for a brief moment...) would be a ZTIC-like device that worked over 3G, used a USB port just for power, and whose sole job would be to recover accounts.
The user would pull out the device, go to the website that they are locked out of, plug the device into a USB port, receive a confirmation on the device's e-Ink [1] screen, hit "yes", and they would get a recovery passcode. The device is made to be brain-dead simple. No battery, just plug in to any USB port, confirm on the device that the user of the device wants to have a recovery made, then the device shows a recovery code. Since the communication is via 3G and various security stacks, it is as secure as any other way, and someone making bogus recovery requests can't go far because the user has to interact with the device before a password is generated for recovery.
Of course, if the device is lost, that is an issue... but there are always means to get a new device. Perhaps as mentioned above, fax/E-mail a copy of a license to get another device, and have it properly coded as a recovery tool.
This isn't a perfect scheme, but it would save a lot of hassle, and the end user just has to ensure that ZTIC-like device is stashed somewhere securely.
[1]: To save power, e-Ink is the best thing here.
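The recovery-device flow proposed in the comment above, as an added example that is not the commenter's design or any vendor's code. It assumes a hypothetical device that shares a per-device secret with the service and a hypothetical `AccountService` on the server side; the cellular link is simulated by a direct method call. The point it demonstrates is the property the comment relies on: a recovery request from anyone only produces a usable code if the owner physically presses "yes" on the device, and each challenge is redeemed at most once.

```python
import hmac
import hashlib
import secrets

# Hypothetical model of the recovery device described in the comment (not a
# real product): the service pushes a challenge to the owner's device, a
# recovery code exists only if the owner physically confirms on the device,
# and each challenge is single-use.
CODE_LEN = 8  # digits of the recovery code shown on the device's screen


def derive_code(device_key: bytes, challenge: bytes) -> str:
    """Recovery code = HMAC-SHA256(device_key, challenge), truncated to CODE_LEN decimal digits."""
    mac = hmac.new(device_key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** CODE_LEN).zfill(CODE_LEN)


class RecoveryDevice:
    """The USB-powered, cellular-connected token; holds its key and waits for the owner."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = None  # challenge currently shown on the screen, if any

    def receive_challenge(self, challenge: bytes) -> None:
        self._pending = challenge  # arrives over the (simulated) cellular link

    def confirm(self, owner_pressed_yes: bool):
        """Only a physical 'yes' turns the pending challenge into a code."""
        if self._pending is None or not owner_pressed_yes:
            self._pending = None
            return None
        code = derive_code(self._key, self._pending)
        self._pending = None
        return code


class AccountService:
    """Server side: enrolls devices, issues challenges, redeems each code once."""

    def __init__(self):
        self._device_keys = {}  # account -> enrolled device key
        self._challenges = {}   # account -> outstanding challenge

    def enroll(self, account: str) -> RecoveryDevice:
        key = secrets.token_bytes(32)
        self._device_keys[account] = key
        return RecoveryDevice(key)

    def request_recovery(self, account: str) -> bytes:
        """Anyone can ask; the challenge goes to the enrolled device, not to the requester."""
        challenge = secrets.token_bytes(16)
        self._challenges[account] = challenge
        return challenge

    def redeem(self, account: str, code) -> bool:
        challenge = self._challenges.pop(account, None)  # single use: popped whether or not it matches
        if challenge is None or code is None:
            return False
        expected = derive_code(self._device_keys[account], challenge)
        return hmac.compare_digest(expected, code)


def simulate(owner_pressed_yes: bool) -> bool:
    """Run one recovery attempt end to end; returns whether the account was recovered."""
    service = AccountService()
    device = service.enroll("alice")
    challenge = service.request_recovery("alice")  # an attacker or the owner asks for recovery
    device.receive_challenge(challenge)
    code = device.confirm(owner_pressed_yes)        # the owner must press 'yes' on the device
    return service.redeem("alice", code)


def simulate_replay() -> bool:
    """A code redeemed once must not work again, even if it later leaks."""
    service = AccountService()
    device = service.enroll("alice")
    challenge = service.request_recovery("alice")
    device.receive_challenge(challenge)
    code = device.confirm(True)
    first = service.redeem("alice", code)
    second = service.redeem("alice", code)
    return first and not second


if __name__ == "__main__":
    print("owner confirmed:", simulate(True))
    print("owner ignored:", simulate(False))
    print("replay rejected:", simulate_replay())
```

The lost-device case the comment raises is outside this model: re-enrolling a replacement device is exactly the identity-proofing problem (fax a license, and so on) that the device was meant to avoid, so that path needs the strict manual process the comment describes.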
...because Google is intentionally near-impossible to contact as a user of their services? Do you have the phone number of Gmail Customer Support?
Why would an IT professional use the same credentials for his AWS account as he does for his Amazon retail account? Just use a different email address for the AWS account (and not the email address that you've published on your business card, WHOIS, LinkedIn, etc.). Either use a second email account just for AWS (they are free, you know?), or use an alias (i.e. a Gmail username+somespecialalias@gmail.com address).
He likely uses his Amazon credentials in several different browsers, the Amazon app, Kindle app, perhaps an Amazon Instant Video viewer on his TV, an Amazon Kindle device, etc. He's trusting a lot of different consumer apps and devices to keep a secret that could affect his livelihood. Not to mention the problem he's complaining about: customer service for a retail company that wants to make sure he gets his packages.
Amazon has this amazing review site where you can post reviews of all the products and services. Just log in and post a scathing 1 star review.
Can you point me to the AWS review site? I'd like to read their reviews.
Really? I have never felt scared in a Wal-mart parking lot. I don't even hear about much crime there either, they have cameras everywhere in their lots.
Be afraid. Be very afraid.
Faster! Faster! Faster would be better!
...real address and phone number. That was enough to commit fraud with a couple of unrelated online services
This is the problem... when the fuck does it make sense to regard that information as sensitive. In a sane world the companies that allow anonymous customers to set up an account with so little info and verification would be responsible for the fraud.
Christmas before last I was the lovely new recipient of a brand new Amazon account that I didn't sign up for. The problem starts with Amazon not validating email ownership and ends with Amazon not understanding how account ownership works. Some child with my same name was given a brand spanking new Fire HD for Christmas and a pile of Amazon gift certificates which they loaded up in short order; the mistake was made when they maybe typoed their email address, or they themselves didn't understand that you don't inherently own yourname@emailprovider.com.
I tried to contact Amazon support and have them fix this problem without ruining this kid's Christmas. Amazon's response? No problem here with their processes; however, I should give him my email address, as far as they are concerned he owns my Gmail account I've had since the closed Gmail beta... After much arguing Amazon wasn't budging. I had already explained that Gmail ignores dots in your address, among other things, so u.ser@gmail.com, u.s.e.r@gmail.com, us.er@gmail.com, user@gmail.com etc. are all the same account, but Amazon will register individual accounts for them; my problem is I use a . in mine just for readability and spam identification, and that is how I have *MY* Amazon account registered. Additional fun is that anything after a + sign in your email gets ignored too, so you can use an email like user+is.the.CEO.of@gmail.com and it'll just send any email to that to user@gmail.com; maybe I could have used this and told them that this is not a Gmail problem and they should fix it? This behavior on Google's part is in my opinion fantastic; it's an epic step in account security, meaning someone else can't come along and pretend to be me just by adding or removing a dot from their email address. Blaming Google in this case was a weak attempt at avoiding responsibility.
Long story short, Amazon didn't care that I could reset this kid's password and buy whatever it is I wanted using it; as far as they were concerned this wasn't their problem. Here's Amazon's official response I got before I escalated it to Jeff Bezos and spoke to the executive of customer relations (this is a thing, by the way; anyone can do this):
"Unfortunately, this is an issue that will need to be resolved by Google. We would normally be able to temporarily disable your account in order to sort out the email issues, as these issues can be caused by typos on another person's side. However, as this is not an email typo issue, we will not be able to resolve this issue ourselves. Samantha L"
I would really like to know beyond handing over my account, what they think Google is going to do about it?
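The aliasing behaviour described in the comment above, turned into a registration check, as an added example that is not the commenter's code nor Amazon's or Google's. `canonical_email`, `Registry` and `MailboxCollision` are hypothetical names. It folds the Gmail aliases (dots and `+suffix` in the local part, case, and the googlemail.com domain) onto one mailbox so a second account cannot be created for an address that already reaches an existing customer; for other domains it only normalises the domain, since RFC 5321 allows case-sensitive local parts and `+` subaddressing is a convention rather than a guarantee.

```python
import re

# Hypothetical example (not Amazon's or Google's code). Canonicalises addresses
# so that the aliases Gmail folds onto one mailbox are treated as one account
# holder at registration time. Rules applied:
#   - the domain is case-insensitive everywhere;
#   - on Gmail (gmail.com / googlemail.com) dots in the local part are ignored,
#     everything from the first '+' onward is ignored, and case is ignored;
#   - elsewhere the local part is left untouched: RFC 5321 says it may be
#     case-sensitive, and '+' subaddressing is a convention, not a guarantee.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
_ADDR = re.compile(r"^([^@\s]+)@([^@\s]+\.[^@\s]+)$")


class MailboxCollision(ValueError):
    """Raised when a new address reaches a mailbox that already owns an account."""


def canonical_email(addr: str) -> str:
    """Map an as-typed address to the identity of the mailbox it delivers to."""
    m = _ADDR.match(addr.strip())
    if not m:
        raise ValueError(f"not a plausible address: {addr!r}")
    local, domain = m.group(1), m.group(2).lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


class Registry:
    """Accounts keyed by canonical mailbox; registration refuses a second owner."""

    def __init__(self):
        self._owners = {}  # canonical address -> (as-typed address, username)

    def would_collide(self, typed_addr: str) -> bool:
        return canonical_email(typed_addr) in self._owners

    def register(self, typed_addr: str, username: str) -> str:
        key = canonical_email(typed_addr)
        if key in self._owners:
            existing_typed, existing_user = self._owners[key]
            raise MailboxCollision(
                f"{typed_addr!r} reaches the same mailbox as {existing_typed!r} "
                f"(owner: {existing_user}); verify ownership instead of creating a new account"
            )
        self._owners[key] = (typed_addr, username)
        return key

    def owner_of(self, typed_addr: str):
        """Username owning the mailbox this address reaches, or None."""
        entry = self._owners.get(canonical_email(typed_addr))
        return entry[1] if entry else None


if __name__ == "__main__":
    r = Registry()
    r.register("u.ser@gmail.com", "original_owner")
    print(r.would_collide("user@gmail.com"))        # True: same Gmail mailbox
    print(r.would_collide("user+xmas@googlemail.com"))  # True: plus-suffix and alt domain
    print(r.would_collide("user@example.org"))       # False: different mailbox
```

Canonicalisation only tells you that two sign-ups reach the same inbox; it does not tell you who owns it. The fix the commenter actually wanted, a verification mail with a token that the new registrant must click before the account is live, is what resolves the collision either way.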
The first time, he makes a big deal about the address in question not being really his, but one he did use for WHOIS registration. I know there are people who have legitimate reasons for hiding their personal address when operating a controversial website, but the solution for that isn't to give a totally bogus address. Or maybe the CSA saw that it had been used as a "private" registration (not knowing it had been subsequently revealed) and assumed it was a relevant secret on that basis? And how is it Amazon's fault if the address was used to cause the sending of a replacement credit card? Did the scammer rent a room at said hotel and request that the card be sent there?
The second time, he complains about the disclosure of the last purchased item and the shipping address. I'd say that the majority of the time when there's fraud, if the real customer calls in, he'd like to know where the item is actually going so he can include that in his police report. In spite of the scammer's attempt, the agent really didn't give out any useful information about the credit card.
The third time, we don't have the transcript, so it's possible that the agent read off all the addresses, the AWS username, and all credit-card numbers ever associated with the account. More likely, the agent said, "I'm sorry, I can't give you that information. I can send a copy of your invoice to your e-mail address on file."
Even the last-purchased item is arguably sensitive. What if it's a bulk-pack of condoms, for example? Or (back to Amazon's roots) a book on the list of banned books? I'd encourage Amazon to close that hole, but I'm not sure I have a good solution.
Then how do I get support for severe slowdowns on my Nexus 7 (2012) 8 GB tablet purchased from the Google store, which started after I installed Lollipop?
The 2012 Nexus 7 is out of warranty.
When you are a customer at Amazon.com, you are very unlikely to lose any money, even if someone hijacks your account. Your risk is extremely low.
When you are a customer with Amazon Web Services, *any* breach of security is exceedingly dangerous and can be severely expensive. Your risk is low because security tends to be high. Any sign of a potential security flaw should be taken very seriously.
-- 'The' Lord and Master Bitman On High, Master Of All
I agree with you that the number of printable ASCII strings of a given length that include at least one lowercase letter, at least one uppercase letter, and at least one digit or punctuation character is smaller than the total number of printable ASCII strings of the same length. But it's about increasing the average security of an account, especially if the distribution is currently skewed toward more easily guessed passwords. If you make the least complex password more complex, you increase the expected time to compromise an account. That said, sites I've developed encourage use of passphrases by giving the option to substitute length for complexity: you don't have to include a digit or punctuation if the password is at least 16 characters long (after stripping leading and trailing spaces), and you can turn off password masking if you know nobody else is viewing your screen.
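The two points in the comment above, as an added example that is not the commenter's site code: a policy check that lets length substitute for character-class complexity, and the inclusion-exclusion count behind the first sentence. The thresholds (8 characters for a complex password, 16 for a passphrase) and the function names are assumptions; the alphabet is the 94 printable, non-space ASCII characters split into 26 lowercase, 26 uppercase and 42 digits-or-punctuation.

```python
import string

# Hypothetical implementation of the policy described in the comment, not code
# from any real site: a password of PASSPHRASE_LEN+ characters (after stripping
# leading and trailing spaces) needs no character-class mix; a shorter one must
# be at least MIN_SHORT long and contain lowercase, uppercase and a digit or
# punctuation character. The thresholds are assumptions.
MIN_SHORT = 8
PASSPHRASE_LEN = 16
LOWER = set(string.ascii_lowercase)                # 26
UPPER = set(string.ascii_uppercase)                # 26
OTHER = set(string.digits + string.punctuation)    # 42
ALPHABET = len(LOWER) + len(UPPER) + len(OTHER)    # 94 printable, non-space characters


def check_password(candidate: str):
    """Return None if acceptable, otherwise a short reason the user can act on."""
    pw = candidate.strip()  # the comment's policy strips leading/trailing spaces first
    if len(pw) >= PASSPHRASE_LEN:
        return None  # length substitutes for complexity
    if len(pw) < MIN_SHORT:
        return f"use at least {MIN_SHORT} characters, or {PASSPHRASE_LEN}+ for a passphrase"
    chars = set(pw)
    missing = [name for name, cls in (("lowercase", LOWER),
                                      ("uppercase", UPPER),
                                      ("digit or punctuation", OTHER))
               if not chars & cls]
    if missing:
        return "add " + ", ".join(missing) + f" (or use {PASSPHRASE_LEN}+ characters instead)"
    return None


def complex_count(n: int) -> int:
    """Number of length-n strings over the ALPHABET that contain at least one
    character from each of the three classes, by inclusion-exclusion."""
    if n <= 0:
        return 0
    l, u, o = len(LOWER), len(UPPER), len(OTHER)
    total = ALPHABET ** n
    # strings missing at least one whole class ...
    missing_one = (ALPHABET - l) ** n + (ALPHABET - u) ** n + (ALPHABET - o) ** n
    # ... over-subtracted those missing two classes, add them back ...
    missing_two = (ALPHABET - l - u) ** n + (ALPHABET - l - o) ** n + (ALPHABET - u - o) ** n
    # ... and the term for missing all three is 0**n == 0.
    return total - missing_one + missing_two


def complexity_rule_fraction(n: int) -> float:
    """Share of the full length-n space that survives the three-class rule."""
    return complex_count(n) / ALPHABET ** n


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "ok")
    for n in (8, 12):
        print(n, "chars: complexity rule keeps", f"{complexity_rule_fraction(n):.3f}", "of the space")
```

The fraction is below one for every length, which is the commenter's concession: the rule removes strings. The rule's value is in pushing the floor up, not the ceiling, and a length floor of 16 with no class requirement gives a larger space than any 8-character class mix, which is why the substitution is a reasonable trade.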
I frequently find better bargains at my local brick and mortar stores - and I don't have to pay S&H
Also, even when you can find it cheaper online, a store will likely price match. I'm with you. I am however disappointed because more and more it's the case that retail doesn't even bother to stock the products I would want. They generally have low quality cheap versions, sometimes store branded to mask ability to compare and demand price match.
This bullshit of having to provide payment information - even when you're not going to buy anything - is just stupid.
Apple's requirement to provide payment information in order to activate an iOS device is to make eventually buying something on iTunes Store or App Store more convenient.
Lastly, just delete your payment information and that'll make the account useless.
Unless someone tries to blackmail you with purchase history. I know someone who purchased adult toys on Amazon in the past but doesn't want that to leak to the public.
Online shopping has jumped the shark. The deals are gone - I frequently find better bargains at my local brick and mortar stores
Provided you can even find a particular product locally. More obscure products are easier to find on Amazon, eBay, or a niche site. I never managed to find a Nokia N900 phone, Archos 43 Internet Tablet, or Samsung Galaxy Player in a major electronics chain near me back when those products were in production. Even nowadays I can't find Archos or JXD gaming tablets in stores.
Do you also have groceries delivered? If not, you can shop at brick-and-mortar stores when you make a grocery trip.
You said "diseased creatures". Does this mean you have a compromised immune system? If you do, and you receive disability allowance for it, then yes, Amazon may be a prudent choice.
Unfortunately if you fail to pay in Amazon the first thing they take away is your way to log in. :(
Well, unless you're black and in the toy department picking up a toy gun.
the summary is confusing. unless he only has an amazon account for Amazon's cloud computing platform, what would be the point of migrating to Google? And google is only 'more robust' because they make it EXTREMELY hard to actually contact a live person.
Sleep your way to a whiter smile...date a dentist!
You are correct that this particular device is out of warranty.
But I have another question: Why do warranties on cellular devices tend to expire before the device would be paid off under the most common financing arrangement? Smartphones are often sold on a 24-month contract, yet not all are warranted for 24 months.
The "Amazon [web site] has always looked and felt like something an intern threw together in an afternoon and was then hastily built on top of over the next couple decades."
Amazon managers: Don't mod the parent comment down. Instead, fix the problems!
This advertisement paid for by Google.
Where do you live? Just the State should do. Or, alternatively, look and see if you can find it yourself. I'll show you Maine's example:
http://legislature.maine.gov/l...
Here's a good description from the AG:
http://www.maine.gov/tools/wha...
See, specifically, 4.3 for a bit of a quick run-down. I'll quote it here:
The implied warranty of merchantability is created by Maine law and means that the product will be fit for the ordinary purposes for which such products are used. For example, washing machines must be fit for washing clothes. They must be able to do the job washing machines ordinarily do and to last for as long as washing machines ordinarily last. The same is true for toasters, new automobiles, mobile homes, clothing, furniture and every other item you purchase for family, household or personal use. To prove a breach of the implied warranty of merchantability you must show that the product was defective in design, materials, or workmanship.
(Emphasis added and emphasis mine.)
I have, in fact, used it for a cell phone that they said was no longer covered under warranty. Except, not really. What I did was contact the OEM for a repair. They said that they'd not be repairing it. I sent them a link to the above and asked if they were familiar with Maine's law. They sent me a new phone. I'm not sure if that actually counts as using the law or not?
Maine's one of ten States that has that protection - your State may afford similar consumer protections but you'll need to investigate that on your own or tell me where you live and I can search on your behalf. Unfortunately, such protections are not universal. I don't even actually know if the law would have applied (the screen had died just about a year and a half after purchasing it - this seems to happen a lot with my preferred style of phone, that with a slide-out "full" keyboard) but it worked in that I sent them a link to the law and got a new phone sent to me - they even express shipped it. I wouldn't have been so adamant but I'd already paid for it to be replaced once with the insurance plan.
"So long and thanks for all the fish."
For all of Apple's defiance of DOJ's requests for access to customer accounts, they did the same thing as Amazon a few years ago. I can't find the details right now but it involved a tech writer, he may have written for Wired. The hacker was able to access the guy's account very easily by providing very little real information. Years ago someone at Bell Canada was using my name as a reference for many new accounts. I kept getting calls from collection agencies asking if I knew such and such person. It was only after I put a password on my account that the calls stopped. Maybe this is a simple way of preventing this kind of identity theft.