When our dear friend Mat Honan got hacked earlier this year, it was because of gaping security flaws in Apple and Amazon’s customer service systems. It hasn’t been fixed. Amazon’s customer service has another security flaw, and it’s being exploited to hijack Amazon accounts and snag false replacement orders. And the scammers don’t even need to know your account’s password.
Chris Cardinal, the unlucky guy who had his Amazon account scammed, tells the chilling tale of how he began receiving official emails from Amazon about chat sessions he never made with Amazon. What was the person trying to chat with Amazon customer service reps about? Cardinal’s Amazon order numbers.
Soon after, Cardinal started receiving e-mails about actual replacement orders being shipped to an address that wasn’t his. The scammer got a handle on his Amazon order numbers and got replacements sent to another address. How? It’s scary how easy it is.
9:22 AM Initial Question: Hi, my old account was hacked, and so was my email. I was wondering if you can help me get my order numbers off that account for warranty issues.
Vishnu (CSA) : Hello Chris, my name is Vishnu. I will be happy to help you.
Vishnu (CSA) : Before I can view your account I’ll need to do a quick security check. Please confirm the complete name and billing address on your account.
Vishnu (CSA) : I hope we are still connected.
Chris : I’m sorry! I was doing something. My name is Chris Cardinal, my address is .
Vishnu (CSA) : Thank you for the information.
Vishnu (CSA) : In this case would you like to reset your password.
Chris : I don’t have time for that right now, could you just help me get the order numbers from November 1st to now?
Vishnu (CSA) : Sure, please wait for a minute.
Vishnu (CSA) : The orders placed in the month of November are as follows:
Vishnu (CSA) : 104-8XXXXXX-XXXXXXX
Vishnu (CSA) : Wednesday, November 7
Vishnu (CSA) : 107-0XXXXXX-XXXXXXX
Vishnu (CSA) : Monday, November 12, 2012
Vishnu (CSA) : v
Vishnu (CSA) : 109-9XXXXXX-XXXXXXX
Vishnu (CSA) : v
Vishnu (CSA) : Friday, November 23, 2012
Chris : Is that all?
Vishnu (CSA) : Yes, Chris. These orders were placed in the month of November.
Chris : How about December?
As you can see, the customer service rep gave out the order numbers with little resistance. And once the scammers got their hands on order numbers, they were able to finagle free replacement orders sent to another address with only a little bit of social engineering ("I'm in Oregon right now, can you ship it there?"). As secure as Amazon's systems themselves may be, it's clear that the weak point in its security remains customer service. And as hackers and scammers get savvier with social engineering, they'll continue to exploit the flaw.
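To make the weak point concrete, here is an added Python model of the two support-desk policies at play; it is not code from the post or from Amazon. The weak policy is the check the transcript shows (name plus billing address unlocks order history and a replacement to any address); the hardened policy is an assumed alternative that requires a one-time code sent to the account's own email and only ships replacements to the original order's address. Names, addresses and codes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    name: str
    billing_address: str
    orders: dict               # order id -> address the original order shipped to
    otp_sent_to_email: str     # one-time code delivered out of band to the account email

@dataclass
class SupportRequest:
    claimed_name: str
    claimed_address: str
    replacement_for: Optional[str] = None     # order id the caller wants replaced
    ship_replacement_to: Optional[str] = None
    otp_presented: Optional[str] = None

def weak_policy(acct: Account, req: SupportRequest) -> dict:
    """Verification as in the chat above: name + billing address, both easy to learn."""
    if (req.claimed_name, req.claimed_address) != (acct.name, acct.billing_address):
        return {"verified": False, "order_ids": [], "replacement_shipped_to": None}
    # Once "verified", order ids are read out and a replacement goes wherever the caller asks.
    shipped_to = req.ship_replacement_to if req.replacement_for in acct.orders else None
    return {"verified": True, "order_ids": list(acct.orders), "replacement_shipped_to": shipped_to}

def hardened_policy(acct: Account, req: SupportRequest) -> dict:
    """Assumed proof-of-control check: the caller must echo a code sent to the account's email.
    Knowing the name, billing address or an order id proves nothing on its own."""
    if req.otp_presented is None or req.otp_presented != acct.otp_sent_to_email:
        return {"verified": False, "order_ids": [], "replacement_shipped_to": None}
    shipped_to = None
    if req.replacement_for in acct.orders:
        # A replacement only goes where the original order went; a new address would
        # need its own verified change on the account, not a request in a support chat.
        shipped_to = acct.orders[req.replacement_for]
    return {"verified": True, "order_ids": list(acct.orders), "replacement_shipped_to": shipped_to}

# Constructed sample data: one account, and the kind of request made in the story.
ACCOUNT = Account(name="Jane Example", billing_address="12 Sample St, Phoenix AZ",
                  orders={"104-8XXXXXX-XXXXXXX": "12 Sample St, Phoenix AZ"},
                  otp_sent_to_email="481923")
SCAM_REQUEST = SupportRequest(claimed_name="Jane Example", claimed_address="12 Sample St, Phoenix AZ",
                              replacement_for="104-8XXXXXX-XXXXXXX",
                              ship_replacement_to="PO Box 9, Portland OR")
LEGIT_REQUEST = SupportRequest(claimed_name="Jane Example", claimed_address="12 Sample St, Phoenix AZ",
                               replacement_for="104-8XXXXXX-XXXXXXX",
                               ship_replacement_to="PO Box 9, Portland OR", otp_presented="481923")
```

Run `weak_policy(ACCOUNT, SCAM_REQUEST)` and `hardened_policy(ACCOUNT, SCAM_REQUEST)` side by side: the first hands over the order ids and ships to Oregon, the second refuses both.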
Read more about the chilling tale at Chris Cardinal’s HTMList. It involves a lot of odd emailing, talking to CSRs and reverse engineering. Well worth the read. [HTMList]