Over the weekend a story appeared on Medium that will make any Amazon user wince. According to customer Eric Springer, all a hacker needs to unlock your whole damn life is your name, email address, and a mailing address—and the mailing address doesn’t even have to be correct.
Here’s the story: Four months ago Springer received an email from Amazon thanking him for contacting customer service. How polite! The only problem was, Springer hadn’t actually contacted Amazon at all.
Springer was troubled by the auto-reply email response he received, so he reached out to Amazon and managed to get a hold of the transcript. He discovered that a social engineer—a hacker—was pretending to be him in order to gain access to critical account information on Amazon.
The kicker is that the address provided to Amazon’s customer service wasn’t even Springer’s real home. It was a bogus address he used to register websites online. Yet with that confirmation, the hacker was able to get Springer’s real address. With Springer’s real residence, his email address, and his name, the hacker could do a good bit of damage.
Springer informed Amazon of the colossal failure on their part and the company promised to improve security. Eric assumed he was done with the mess—until he received another email from Amazon last week.
Again, he asked for the transcripts. And again, it showed that all a hacker needed to gain access was a name, email address, and mailing address. Eric’s only relief was seeing that the hacker failed to get a credit card number out of the overly helpful customer service representative. That’s an improvement from 2012, when hackers social engineered that information out of a customer service representative and gained access to the online life of Gizmodo-alum Mat Honan.
Curious to reproduce Eric’s story, Redditor bot-vladimir attempted the hack as well. They used the address of a nearby hotel and Amazon quickly handed over the redditor’s real address, much to bot-vladimir’s disappointment.
However in my own trial, I was met with much less success. I have an old address that’s publicly available online thanks to WhoIs, so I gave the hack a go. The Amazon Customer Service Representative seemed to pick up on my scam quickly and turned me down flat when I provided the old address. Then, after giving them my actual address, they refused to give out any more information until we had a chat on the phone.
So it seems success is entirely dependent on the customer service rep you happen to be speaking to. Mind you this is a fairly common target for social engineer hacks. The biggest vulnerability isn’t a password or an email address; it’s the gullibility of the person on the other end of the line.
The best way to protect yourself±besides avoiding the internet altogether—is to use a mailing address you’re okay with broadcasting across the internet. That could be your office, a local FedEx or UPS store, or an Amazon locker. Take the time to set up two-step verification too. That way hackers have at least one more hoop they have to get through before learning where you sleep at night.
We’ve reached out to Amazon for comment on the story and will update accordingly. For now this tale serves as a great reminder that even the best passwords and most carefully plotted online lives aren’t immune to a really savvy and determined social engineer.
Contact the author at firstname.lastname@example.org.