A flaw discovered last week by Chris Cardinal, managing partner at the Web development company Synapse Studios, is apparently doing more harm to the e-commerce giant than its customers — at least so far.
That makes it less of a public relations nightmare than the flaw that last summer resulted in a hacker securing the digital identity of Wired reporter Mat Honan and then erasing his cloud accounts and taking control of his Twitter feed.
Amazon’s media relations team had not responded to emails and calls seeking comment.
But Cardinal, who reported on it in HTMList, said his recent experience is proof that the company needs to lift its security game. “Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it’s hurting them directly,” he said.
This time, Cardinal wrote, the problem was with customer service, not weaknesses in the web services. He said scammers used his name, address and order history to defraud the company into sending “replacement” products to a different address than Cardinal’s even though he had already received those products.
Cardinal wrote that one morning in mid-December he started receiving emails from Amazon Customer Service representatives about problems with an order for a camera and filter he had already received.
Within hours, customer service had sent him emails apologising for the problem, saying a replacement order had been created and a refund requested on his credit card for the first order, which supposedly had not shipped or had been stolen in transit.
The email said the order would be shipping to his name, but at an address in Portland, Oregon.
“Hm. I’ve heard great things about Oregon, but I’ve never been myself,” he wrote. “More to the point, my camera is sitting here with me right now. Definitely don’t need a replacement. Amazon is shipping a phantom replacement to a phantom Chris Cardinal at a phantom address in the Pacific Northwest.”
As he tried to cancel the replacement orders and tell Amazon Customer Service about the fraudulent activity, Cardinal said he was caught in a “revolving door of CSRs (customer service representatives), all of whom appear completely incapable of checking chat history or picking up on a potential fraudulent stream of activity.”
With a bit more sleuthing, Cardinal said he found a social engineering forum where users were offering to buy Amazon order numbers. “Why? Because as it turns out, once you have the order number, everything else is apparently simple,” he wrote.
He said while Amazon “is essentially very secure as a web property,” requiring a password to do just about anything online, including changing an address or adding a credit card, “the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.”
Cardinal found that the “mysterious Portland address” is “owned by a company called ReShip.com: a company that allows you to have a ‘virtual’ mailing address which will forward packages and mail out of the US. Clearly, the camera was on its way overseas.”
And he wrote that a CSR told him that “all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They’re unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.”
That, he noted, would make it “dirt simple for me to get and receive a second camera for free. That’s the sort of thing you’re really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked.”
Matt Johansen, a WhiteHat Security threat research manager, said he hadn’t seen a scam with this exact method, but the technique was old. “This kind of social engineering has been used for quite a while in various forms with other online retailers,” he said.
“The people paid to run these live-chat customer support systems, or even over-the-phone call centers, are trained to get on and off the phone or chat as quickly as possible,” he said. “The ‘hackers,’ in this case, use that to their advantage by describing what a hurry they are in.”
Some commenters on Cardinal’s story agree, contending that happy customers are much more important to Amazon than a bit of fraud. “The customer is happy, and Amazon only takes a small drop out of their ocean of profits … so I predict that they will do nothing about this,” wrote “Brian M.”
Johansen agreed. “The people on the other end of these customer service calls and chats are trained to satisfy the customer as quickly as possible,” he said. “This mentality, especially during holiday season ramp-up, is reiterated to them much more often than any resemblance of security training or fraud spotting and prevention.”
Cardinal argues that Amazon could make it much more difficult for scammers simply by requiring a phone PIN that is separate from an account password and only used for telephone service. He suggested that Amazon also challenge replacement requests by asking for the last four digits of the payment credit card.
But even that, Johansen said, might put legitimate customers off. “A phone PIN would be a terrific solution but is a very invasive one that most companies wouldn’t be willing to take,” he said. “That extra step for customers might be seen as an annoyance that Amazon isn’t willing to put them through due to its impact on the overall service experience.”
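As an added illustration (not code from the article, from Amazon, or from Cardinal), the two-tier support authorization Cardinal proposes: the data points the CSR described (name, email, billing address) unlock only read-only lookups, while refund, replacement and reshipping require a separate support PIN plus the card's last four digits, with a lockout after repeated PIN failures. The customer record, action names and values below are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PIN_ATTEMPTS = 3  # lock the support PIN after this many consecutive failures

# Data points the article says are enough today; here they unlock read-only actions only.
LOW_RISK = {"order_status"}
# Money-moving actions: require the separate support PIN plus the card's last four digits.
HIGH_RISK = {"refund", "replacement", "reship_to_new_address"}


@dataclass
class Customer:  # constructed record; the support PIN is stored only as a salted PBKDF2 hash
    name: str
    email: str
    billing_address: str
    card_last4: str
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def make_customer(name, email, address, last4, pin) -> Customer:
    salt = os.urandom(16)
    return Customer(name, email, address, last4, salt, hash_pin(pin, salt))


def authorize(cust, action, name, email, address, pin=None, last4=None):
    """Return (allowed, reason) for a CSR action given what the caller supplied."""
    # Tier 1: name, email and billing address identify the account but prove little,
    # since they circulate outside the retailer; they gate only low-risk lookups.
    if (name, email, address) != (cust.name, cust.email, cust.billing_address):
        return False, "identity data points do not match"
    if action in LOW_RISK:
        return True, "ok"
    if action not in HIGH_RISK:
        return False, "unknown action"
    # Tier 2: an out-of-band secret distinct from the web password, with a lockout
    # so the PIN cannot be guessed across a "revolving door" of chat sessions.
    if cust.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        return False, "support PIN locked; escalate to fraud team"
    if pin is None or last4 != cust.card_last4:
        return False, "support PIN and card last four required"
    if not hmac.compare_digest(hash_pin(pin, cust.pin_salt), cust.pin_hash):
        cust.failed_pin_attempts += 1
        return False, "support PIN mismatch"
    cust.failed_pin_attempts = 0
    return True, "ok"
```

The lockout state would need to live in a shared store in practice, so that a second CSR session cannot reset the attempt count.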
Read more about malware/cybercrime in CSOonline’s Malware/Cybercrime section.