Slashdot Mirror

← Back to Stories (view on slashdot.org)

Amazon's Customer Service Backdoor (medium.com)

Posted by Soulskill on from the be-less-helpful-please dept.

An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.

But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.

13 of 131 comments (clear)

  1. Google... by JasterBobaMereel · · Score: 4, Interesting

    He thinks Google is more secure ... ?

    --
    Puteulanus fenestra mortis
    1. Re:Google... by ZiakII · · Score: 5, Insightful

      Well it's more like Google does not have Customer Service...

    2. Re:Google... by Anonymous Coward · · Score: 5, Interesting

      Well it's more like Google does not have Customer Service...

      Well, they do, sort of.

      A while back I ordered a nexus android phone direct from google for testing. I received the phone, my credit card was charged, I paid my credit card bill, and all was good.

      About 4 months later, I decided to buy another nexus android phone direct from google. I logged in to my account and bought another phone.

      A day later I get a rejection message that my account was suspended and to contact google. I call them, speak to someone (in the USA, judging by their accent). They explain that my account was suspended for security reasons, and they are transferring the call to their "security team".

      Their "security team" is based in the Philippines, and they told me my account was suspended for suspicious activity, and to reactivate the account I needed to upload scans of my driver's license and passport, otherwise they won't reactivate my account.

      Why does google flag this as a suspicious? I have no idea. If the initial order was fraudulent, I probably would have disputed the charge on my credit card instead of paying it months ago.

      After much back & forth with their Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.

      I told them to fuck off.

    3. Re:Google... by shawn2772 · · Score: 3, Insightful

      After much back & forth with [Google's] Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.

      You obviously aren't pleased by this, but this is actually evidence that Google's customer service is significantly more careful with your account than Amazon's customer service (per the article).

  2. Is he sure? by Junta · · Score: 4, Insightful

    While amazon screwed up here and enabled a social engineering attack:

    Google services which seem significantly more robust at stopping these attacks

    What is the evidence that he has to support this assertion? In his time at amazon, it seemed one party after some period of time started harassing amazon. Does he know that Google is more robust, or just that no one has gotten around to harassing him?

    Assuming google is more robust, is it because they are 'just plain better' or because Amazon is so retail-heavy that it's much more difficult for them to block such attacks without royally pissing off their bread and butter retail customers?

    It does surprise me that the support without logging in can do *anything* except help them reset their password. Resetting the password is more intrusive, though even this got notification sent to the legitimate account holder, so it wasn't a stealthy attack to begin with.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. password resets are a horrible weak link too. by Wycliffe · · Score: 5, Insightful

    Banking websites require 1 capital, 1 symbol, and 1 number in the password, doesn't allow you to use the back button and logs you out after 5 minutes but then allows you to reset your password by knowing your pet's name, your birthday, or some other ridiculously easy to find information. Yes, the password is usually sent to an email address but that email address doesn't have any of the same security, a person is always logged in, and usually has similar easy to crack password resets. Oh, and let's not forget that they won't actually allow you to opt out of the password reset or set it to something reasonable (like maybe most recent deposit combined with text message combined with a letter they mail out combined with credit card number)

    In the USA they recently rolled out "Chip and Pin" technology for credit cards but decided that "Chip and Pin" was too inconvenient so instead just made it "Chip" so that when/if they ever implement "Chip and Pin" they will have to retrain everyone a second time (aka won't happen anytime soon) It's not like people weren't already familiar with pins with debit cards. It would have been trivial to just add the pins on in one go.

    As long as we continue to operate on the premise that convenience is more important than security we are going to continue to have security problems.

  4. Does not surprise me.... by Lumpy · · Score: 5, Interesting

    Back when Amazon.com had been in business for a few years I called their tech support to recover my password.

    They read the password to me over the phone. That means passwords at that time were not stored as a hash but as clear text in their database.

    --
    Do not look at laser with remaining good eye.
    1. Re:Does not surprise me.... by rgbscan · · Score: 3, Interesting

      At the end of the 1990's I worked for one of the phone company "bells" that later became part of Verizon. At the time, customer service could pull up a webpage that had your account password as a field, but in display it was hidden with bullets (HTML input tag, type password IIRC). So all you could do was clear the field, type in a new password for the customer and click update. (The customer was then supposed to use that password to go online and change it to something else). Anyway, some technical support rep on customer service duty picking up an extra shift figured out you could just view that page's source and see the existing password in the clear, since it was the html tag obscuring it and not the database being hashed or anything. Well designed security there :-)

  5. Re:Won't work by dreamchaser · · Score: 4, Informative

    The context of the conversation is customer service for people who already have accounts that can be exploited via the social engineering of said customer service.

  6. Shatner! by wonkey_monkey · · Score: 4, Funny

    In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number.

    Shatner must be stopped.

    --
    systemd is Roko's Basilisk.
  7. Amazon has no idea what security is by SirDrinksAlot · · Score: 3, Interesting

    Christmas before last I was the lovely new recipient of a brand new amazon account, that I didn't signup for. The problem starts with Amazon not validating email ownership and ends with Amazon not understanding how account ownership works. Some child with my same name was given a brand spanking new Fire HD for Christmas and a pile of Amazon gift certificates which they loaded up in short order, the mistake was made they maybe typoed their email address or they them self didn't understand that you don't inherently own yourname@emailprovider.com

    I tried to contact Amazon support and have them fix this problem with out ruining this kids Christmas. Amazon's response? No problem here with their processes, however I should give him my email address as far as they are concerned he owns my gmail account I've had since the closed gmail beta... After much arguing Amazon wasn't budging, I had already explained that gmail ignores dots in your address among other things, so u.ser@gmail.com u.s.e.r@gmail.com us.er@gmail.com, and user@gmail.com etc all are the same account but amazon will register individual accounts for them, my problem is I use a . in mine just for readability and spam identification and is how I have *MY* amazon account registered. Additional fun is anything after a + sign in your email gets ignored too, so you can use an email like user+is.the.CEO.of@gmail.com and it'll just send any email to that to user@gmail.com, maybe I could have used this and told them that this is not a gmail problem and they should fix it? This behavior on google's part is in my opinion: fantastic, it's an epic step on account security meaning someone else can't come along and pretend to be me just by adding or removing a dot from their email address. Blaming Google in this case was a weak attempt at avoiding responsibility.

    Long story short, Amazon didn't care that I could reset this kids password and buy whatever it is I wanted using it, as far as they were concerned this wasn't their problem. Here's amazon's official response I got before I escalated it to Jeff Bezos and spoke to the executive of customer relations (this is a thing by the way, anyone can do this)

    "Unfortunately, this is an issue that will need to be resolved by Google. We would normally be able to temporarily disable your account in order to sort out the email issues, as these issues can be caused by typos on another person's side. However, as this is not an email typo issue, we will not be able to resolve this issue ourselves. Samantha L"

    I would really like to know beyond handing over my account, what they think Google is going to do about it?

    1. Re:Amazon has no idea what security is by SirDrinksAlot · · Score: 4, Informative

      The account in question was taken care of, I tried to follow up but they went silent. You can still register new accounts with out validation. This isn't a Gmail specific issue, it's really a no validation issue. If an account doesn't already exist under an email you can just register and use it right away.

  8. Re:Glory hole? by davester666 · · Score: 3, Insightful

    the summary is confusing. unless he only has an amazon account for Amazon's cloud computing platform, what would be the point of migrating to Google? And google is only 'more robust' because they make it EXTREMELY hard to actually contact a live person.

    --
    Sleep your way to a whiter smile...date a dentist!