Amazon Has Another Huge Security Hole

You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadget blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple. (The last four of your credit card, incidentally.) I'm sad to say that Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it's hurting them directly.

Someone has devised a relatively simple way of defrauding Amazon.com and they require very little hard information to pull it off. While this story is still developing, I'm writing this up in an effort to make Amazon aware of the problem and hopefully help them tighten their call center and live chat security.

I woke up this morning to find four tightly spaced emails from Amazon apologizing for the premature termination of our live chat session. They all differed slightly but were along the lines of "I couldn't gather enough information to take action." At first, I figured this was a bizarre phishing scheme, but the post-chat emails were true to Amazon's normal format and linked to valid Amazon post-chat survey links. I did notice that the emails were being sent to my name with a dot bisecting the first and last name: Gmail is "dot-blind". You can literally email h.t.mlist@gmail.com and it would get through to the htmlist@gmail.com account with no issues. But Amazon is NOT dot-blind. html.ist@gmail.com is a distinct Amazon account from htmlist@gmail.com, even though the email account is the same. (Because many providers are NOT dot-blind, this is actually normal practice.)

This was of particular interest to me as I have never given out my email address with a dot in it. Ever. More on that soon.

Finally, the last email indicated that "I did check on your account and found that no orders are present on this account. However if you'll be able to provide us the order numbers, we'll be able to proceed from there." Someone is sniffing out order numbers.

Something wicked this way comes

Two hours later I received yet another post-chat email from Amazon Customer Service. Here it is:

I'm so sorry about the problem you had with your orders. I've created a replacement order for you at no additional charge. Here are the details:

Order Number: 103-4XXXXXX-XXXXXXX
Shipping Speed: One-Day Shipping
Guaranteed Delivery Date: Tuesday, December 18, 2012

I've requested a refund of $42.99 to your card for B+W 67mm Clear UV Haze with Multi-Resistant Coating (010M).

You'll see the refund on your Visa statement in the next 2-3 business days.

Oh boy. This was troubling. I had ordered and received that specific camera filter as part of the purchase of a new Canon camera. I was happy with my purchase and was certainly not requesting a refund. But what's this about a replacement order?

I log into my account to find a one-day-shipping replacement order for the camera and the complimentary bag and memory card that comes with it set in the "shipping soon" status. Seconds later, I receive another email from Amazon:

I'm so sorry about the problem you had with your orders. I've created a replacement order for you at no additional charge. Here are the details:

Order Number: 103-4XXXXXX-XXXXXXX
Shipping Speed: One-Day Shipping
Guaranteed Delivery Date: Tuesday, December 18, 2012

Shipping To:
Mr Chris Cardinal
13820 NE Airport Way
K5981
Portland, Oregon 97230
United States
Primary Phone: 647-234-1819

Hm. I've heard great things about Oregon, but I've never been myself. More to the point, my camera is sitting here with me right now. Definitely don't need a replacement. Amazon is shipping a phantom replacement to a phantom Chris Cardinal at a phantom address in the Pacific Northwest. By now, I'm a little frustrated.

I call Amazon and inform them of this. I had earlier called to seek a partial price-match refund on my still-shipping camera and lucked out with a North American CSR. This time, not so lucky. The call center rep was certain that my account had been compromised but very forgiving and assured me I wouldn't be responsible for any of this. I explained that my account itself was still intact, that I possessed full control over it, and I had already changed my password just in case. My email requires two-factor authentication and showed no unusual activity, so at this point, I'm relatively confident that the vector of attack was completely confined to Amazon's leaky customer service department.

As the order was only still being prepared, I mashed the "request cancellation" button as quickly as possible and was satisfied to find it had been cancelled promptly. The rep wasn't able to help with my wayward, ill-requested refund, but I figured I had squashed the bug.

I was wrong. If at first you don't succeed…

Two hours later, I receive another email, from yet another in the revolving door of CSRs, all of whom appear completely incapable of checking chat history or picking up on a potential fraudulent stream of activity:

This is Giovanni with Amazon.com Customer Service. The one you just conversed with previously.

Replacement Successfully replaced the order. Replacement OrderID: 103-7XXXXXX-XXXXXXX.
Thank you for your inquiry.

Did I solve your problem?

No. You did not solve my problem. Your desire to ship out $900 cameras with wanton, reckless abandon, while well-intentioned, is ruining my day because I don't want my account tagged for fraudulent behavior should I need an actual replacement order in the future.

I call in again and explain that whatever is happening needs to stop. The rep helpfully suggests I change my email address on my account. At the very least, I figure this will stop them from being able to make it over the most simple hurdle with the live chat corps, and comply. I ask to have my call escalated so that I can hopefully get some attention shined on this.

The supervisor is very apologetic and seems very confused that a replacement order could possibly be shipped to any address but the original. And yet, both replacement attempts (now cancelled) have tried to head out to Portland. They also insist that my account has been hacked. I explain that their reps are the weak link in as polite language as possible and ask if they can pull any chat transcripts from earlier today.

She can't find any chats. But I remind her of my "dotted" account. Sure enough, there's a chat from earlier today "but I can only send it to the email address on that chat". Go nuts. It's me anyway. (I've also since requested a password reset and logged into the dotted account to find the user changed his name to have some different last name. He doesn't control the email account, so he can't use the Amazon account.)

Anatomy of a successful social engineering attack

Here's where the getting gets good:

9:22 AM Initial Question: Hi, my old account was hacked, and so was my email. I was wondering if you can help me get my order numbers off that account for warranty issues.

Vishnu (CSA) : Hello Chris, my name is Vishnu. I will be happy to help you.
Vishnu (CSA) : Before I can view your account I'll need to do a quick security check. Please confirm the complete name and billing address on your account.
Vishnu (CSA) : I hope we are still connected.
Chris : I'm sorry! I was doing something. My name is Chris Cardinal, my address is .
Vishnu (CSA) : Thank you for the information.
Vishnu (CSA) : In this case would you like to reset your password.
Chris : I don't have time for that right now, could you just help me get the order numbers from November 1st to now?
Vishnu (CSA) : Sure, please wait for a minute.
Vishnu (CSA) : The orders placed in the month of November are as follows:
Vishnu (CSA) : 104-8XXXXXX-XXXXXXX
Vishnu (CSA) : Wednesday, November 7
Vishnu (CSA) : 107-0XXXXXX-XXXXXXX
Vishnu (CSA) : Monday, November 12, 2012
Vishnu (CSA) : v
Vishnu (CSA) : 109-9XXXXXX-XXXXXXX
Vishnu (CSA) : v
Vishnu (CSA) : Friday, November 23, 2012
Chris : Is that all?
Vishnu (CSA) : Yes, Chris. These orders were placed in the month of November.
Chris : How about December?
Vishnu (CSA) : In this case I'll send you a password reset e-mail and you reset your password.
Vishnu (CSA) : Please wait for a minute, Chris.
Chris : My email is hacked, I'd rather not.
Chris : I just need my order numbers right now, nothing else..
Vishnu (CSA) : Orders in the month of December:
Vishnu (CSA) : 107-9XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 107-6XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 105-6XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 106-8XXXXXX-XXXXXXX
Vishnu (CSA) : Thursday, December 13, 2012
Vishnu (CSA) : 106-2XXXXXX-XXXXXXX
Vishnu (CSA) : Saturday, December 15, 2012
Vishnu (CSA) : 106-6XXXXXX-XXXXXXX
Vishnu (CSA) : Saturday, December 15, 2012
Vishnu (CSA) : 106-2XXXXXX-XXXXXXX
Vishnu (CSA) : Sunday, December 16, 2012
Vishnu (CSA) : That is all, Chris.

Chris has left the conversation.

Pay dirt. As you can see, I've been a busy shopper. It's the holiday season and I'm also buying some accessories for the new camera. A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you've used Amazon.com at all, you'll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

Oh good, another email:

Good day!

Per our conversation a few minutes ago, the replacement was successfully processed under order Id. No.: 103-4xxxxx-xxxxxxx. I gave you this confirmation but the replacement was then cancelled.

Shipped To:

Shipping To:
Mr Chris Cardinal
13820 NE Airport Way
K5981
Portland, Oregon 97230
United States
Primary Phone: 647-234-1819

It seems that we are still currently working on this matter. I am so sorry for the inconvenience.

This guy is persistent!

As you can see in the last line, it now appears that they have put the brakes on issuing new orders, per my insistence that they freeze the account and challenge for something other than billing address.

I've been told the issue has been forwarded to their fraud prevention department and should expect to hear back soon. In the meantime, where did this guy come from and where was my replacement order going?

A few possibilities: I've tweeted about my desire to buy a Canon T4i recently. I didn't mention Amazon or that I did buy it, but someone who is searching for model numbers has a place to start. My Twitter name is my actual name. My actual name's first Google result is usually my cake contest website, Threadcakes. And up until early this afternoon, the whois information for my domain included my name, email address, and mailing address. Means, motive, opportunity, and enough to bypass Amazon's CSR and get pretty much anything he needed.

It's happened before

So what about the mysterious Portland address? It's actually owned by a company called ReShip.com: a company that allows you to have a "virtual" mailing address which will forward packages and mail out of the US. Clearly, the camera was on its way overseas.

Googling the address yielded almost nothing. Except, of course, a wonderful gem: a posting on Amazon's own forums of a user complaining about the exact same behavior occurring on their account, on December 4th, 2012. Even better, they were buying a Canon camera. The post was deleted, but Google's cache still had it. Here's what they had to say:

I recently bought two electronic items over the Black Friday week, a Canon PowerShot S100 12.1 MP Digital Camera with 5x Wide-Angle Optical Image Stabilized Zoom and a Yamaha RX-V671 7.1-Channel Network AV Receiver. I received both items promptly.

But then a few days after receiving my Yamaha I get an Amazon email saying they are sorry my Yamaha receiver didn't arrive and were shipping a replacement order right away. The email was a valid Amazon email with valid link. That shipment went to some unknown address at 1711 Cudaback Ave, Niagara Falls, New York 14303. That turns out to be a shipping and storage facility.

When I called Amazon about this, the friendly customer rep from India said another customer used my email by mistake and that he would take care of this.

A few days later another apologetic email from Amazon arrived, saying that they were sorry my Canon S100 did not arrive and a new shipment will be sent. This shipment is going to another warehouse at 13820 NE Airport Way K5981, Portland, Oregon 97230. Again I emailed Amazon but this time I haven't gotten a response.

Both shipments have my name as recipient but with addresses I've never shipped anything to. Both mysteriously showed up in my Amazon address list, too, before deleting them. One of them has my old landline phone number while another number has 7165554985 listed.

It's clear that there's a scam going on and it's probably going largely unnoticed. It doesn't cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it's also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They're unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.

There's a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That's the sort of thing you're really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked. (It was delivered via FedEx SmartPost, which means it was handed off to the USPS, so perhaps the lack of tracking custody contributes to their willingness to push the replacement.) Why Amazon's reps were willing to assign the replacement shipment to a different address is beyond me. I was told it's policy to only issue them to the original address, but some clever social engineering ("I'm visiting family in Oregon, can you ship it there?", for instance) will get around that.

So what now?

So what can be done? Amazon can challenge with a phone PIN, like GoDaddy uses: a PIN that is separate from your account password and only used for dealing with their customer support telephone service. Amazon can challenge replacement requests with the last four of your payment method. This was never asked of the fraudster. They could also do better to collate chat/support history. This user had at least 4 separate live chat requests nearly simultaneously, like raptors testing a fence for weakness, all asking about the same account email address. That should be a huge red flag to Amazon. Instead, no one rep knew about the other. And when he went to place his replacement order two hours later under a different rep, they never knew there was a history where he was complaining about his "account being hacked."
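Two of the controls suggested above, plus the dot-blind problem from earlier in the post, written out as a defender's correlation check. This is an added example, not code from the article or from Amazon: it collapses Gmail dot-variants onto one mailbox so that chats on html.ist@ and htmlist@ are seen as the same customer, flags a burst of chat sessions on that mailbox inside a time window, and holds any replacement that is not going to the original order's address. The email addresses, timestamps, thresholds and addresses are all constructed.

```python
# Added example (not from the article): two of the controls the post asks for,
# written as a defender's correlation check.  All sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_mailbox(addr: str) -> str:
    """Collapse Gmail dot-variants (and +tags) onto one mailbox: j.doe@ and
    jdoe@gmail.com are one inbox, so fraud checks must key on the canonical form."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def chat_bursts(sessions, window=timedelta(hours=1), threshold=3):
    """Return {mailbox: max sessions seen inside any `window`} for every
    mailbox that reached `threshold`.  sessions: (datetime, email_as_typed)."""
    by_mailbox = defaultdict(list)
    for ts, email in sessions:
        by_mailbox[canonical_mailbox(email)].append(ts)
    flagged = {}
    for mailbox, stamps in by_mailbox.items():
        stamps.sort()
        start = 0                       # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[mailbox] = max(count, flagged.get(mailbox, 0))
    return flagged

def replacement_needs_review(original_ship_to: str, requested_ship_to: str) -> bool:
    """Policy check: a replacement bound anywhere but the original order's
    address is held for review instead of being issued from chat."""
    norm = lambda s: " ".join(s.lower().split())
    return norm(original_ship_to) != norm(requested_ship_to)

# Constructed sample: four chats within an hour on dot-variants of one mailbox.
SAMPLE_SESSIONS = [
    (datetime(2012, 12, 17, 9, 22), "j.doe@gmail.com"),
    (datetime(2012, 12, 17, 9, 31), "jd.oe@gmail.com"),
    (datetime(2012, 12, 17, 9, 40), "jdoe@gmail.com"),
    (datetime(2012, 12, 17, 9, 55), "J.D.Oe@gmail.com"),
    (datetime(2012, 12, 17, 9, 30), "someone.else@example.com"),
]

if __name__ == "__main__":
    print(chat_bursts(SAMPLE_SESSIONS))  # {'jdoe@gmail.com': 4}
```

Keying on the address as typed would have produced four unrelated single-chat customers; keying on the canonical mailbox produces one account with four sessions in 33 minutes, which is the red flag the post describes.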

Amazon could also reach out to the police and request they subpoena ReShip for the account holder's information for their box there, but they're almost certainly out of the country and thus out of anyone's jurisdiction. So the problem comes back on Amazon. I appreciate their willingness to help and to basically operate with a no-questions-asked mentality. But this is too few questions. And even though the fraudster never gained access to my account, it scared me. I didn't know what else he could convince the CSRs to do: they thought they were speaking with me, so perhaps they could change his account email address. At that point, he could repurpose the entire account with my payment methods intact and order as much as possible. Since he's shipping to essentially a dead-drop address anyway, he could make out with a great deal of expensive gear before my credit card sounded the alarm or hit its limit.

I hope that Amazon considers adding something other than basic identifiable information to access and manipulate accounts like this. It's frustrating, worrying, and your name, email, and mailing address are typically easily tracked down. In the meantime, they're going to be paying for an insane amount of fraud, right under their noses, facilitated by their ever-too-cheerful customer service reps.

Image credit: Flickr/amandagroe (Creative Commons)

Chris Cardinal is a former Gizmodo contributor who is currently Managing Partner at Synapse Studios, a Tempe, Arizona web development company (they're hiring!). You can read more of his writing here, and follow him on Twitter.