Slashdot Mirror
Amazon's Customer Service Backdoor (medium.com)
An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
He thinks Google is more secure ... ?
Puteulanus fenestra mortis
While amazon screwed up here and enabled a social engineering attack:
Google services which seem significantly more robust at stopping these attacks
What is the evidence that he has to support this assertion? In his time at amazon, it seemed one party after some period of time started harassing amazon. Does he know that Google is more robust, or just that no one has gotten around to harassing him?
Assuming google is more robust, is it because they are 'just plain better' or because Amazon is so retail-heavy that it's much more difficult for them to block such attacks without royally pissing off their bread and butter retail customers?
It does surprise me that the support without logging in can do *anything* except help them reset their password. Resetting the password is more intrusive, though even this got notification sent to the legitimate account holder, so it wasn't a stealthy attack to begin with.
XML is like violence. If it doesn't solve the problem, use more.
Banking websites require 1 capital, 1 symbol, and 1 number in the password, doesn't allow you to use the back button and logs you out after 5 minutes but then allows you to reset your password by knowing your pet's name, your birthday, or some other ridiculously easy to find information. Yes, the password is usually sent to an email address but that email address doesn't have any of the same security, a person is always logged in, and usually has similar easy to crack password resets. Oh, and let's not forget that they won't actually allow you to opt out of the password reset or set it to something reasonable (like maybe most recent deposit combined with text message combined with a letter they mail out combined with credit card number)
In the USA they recently rolled out "Chip and Pin" technology for credit cards but decided that "Chip and Pin" was too inconvenient so instead just made it "Chip" so that when/if they ever implement "Chip and Pin" they will have to retrain everyone a second time (aka won't happen anytime soon) It's not like people weren't already familiar with pins with debit cards. It would have been trivial to just add the pins on in one go.
As long as we continue to operate on the premise that convenience is more important than security we are going to continue to have security problems.
Back when Amazon.com had been in business for a few years I called their tech support to recover my password.
They read the password to me over the phone. That means passwords at that time were not stored as a hash but as clear text in their database.
Do not look at laser with remaining good eye.
The context of the conversation is customer service for people who already have accounts that can be exploited via the social engineering of said customer service.
In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number.
Shatner must be stopped.
systemd is Roko's Basilisk.
The account in question was taken care of, I tried to follow up but they went silent. You can still register new accounts with out validation. This isn't a Gmail specific issue, it's really a no validation issue. If an account doesn't already exist under an email you can just register and use it right away.