The email address on file for an Amazon.com account should never be used anywhere else for anything.

There are multiple reports, spanning years, of attackers abusing the Amazon chat system to scam customer support representatives into divulging your personal information. All the scammers need is a victim's name and email address.

Starting a chat with Amazon - without logging in first

For years now, Amazon has known about this security hole in their procedures and done nothing about it.

The latest victim account, from Eric Springer, is available online both from Ars Technica and Medium.

Springer is no rube. He's a techie that uses unique passwords, two-factor authentication and is well aware of phishing attacks. Heck, he even used to work for Amazon. But, he gave Amazon his regular email address. That was a mistake.

Via text chat, Springer's scammer asked Amazon customer support where his latest order was being shipped. The Amazon rep validated the bad guy's identity by asking for his name, email address and billing address. The scammer provided the first two along with a fake address. Not totally fake: it was the address of a hotel in the city where Springer lives. The important point is that it was not Springer's billing address. Yet the Amazon rep accepted it as proof of identity.

WTF?

Now validated, the scammer asked for the address where his last order was sent. Of course the bad guy does not know what Mr. Springer ordered, but this is not a problem: the Amazon rep politely asked if he was referring to the order of a Wacom tablet. The bad guy confirms this and the Amazon rep gives the scammer Mr. Springer's home address and phone number, as well as the DHL tracking number.

It's not clear what the attacker was after, but the scammer did convince Springer's bank to issue a new copy of his credit card. Way to go, Amazon.

The security here is disgraceful. Even if the scammer had provided Springer's actual billing address, Amazon needs to do more to validate chat users.

Perhaps chat support should only be available after you have logged in to your account. Perhaps they should validate the IP address of the chatterer. Perhaps Amazon should call people back using a phone number on file. Perhaps they should email or text a one-time code. Perhaps they shouldn't use an email address as their user ID. And how about actually validating the billing address? Something. Maybe even two things.

A few months later, Springer was targeted again.

The second attack, also by text chat, started again with the scammer asking Amazon for the status of his last order, one that he does not have the number for. But this time the attacker knows Springer's real address, so he gets by the same security check. As before, the scammer wants the shipping address of the order, which the rep tells him was for a mosquito trap. This time the purpose is clearer: the scammer is after the last four digits of Springer's credit card. He doesn't get it.

A day later, the attacker again contacted Amazon, this time on the phone, so there is no transcript.

After the first two incidents, Amazon said they would "put a note" on Springer's account. That too appears to have been a scam, as were the company's two promises to have a "specialist" get back to him.

What happened to Springer was no fluke.

In response to the story, someone who commented on Medium.com was able to replicate Amazon's security failure. This anonymous person also passed the security check by providing the address of a hotel in the city where he lives rather than his actual billing address.

Screen shots of this person's chat transcript are available (Part 1 and Part 2). Note particularly the comments by Bikash of the Amazon leadership team at the end.

SCAM HISTORY

More proof that this wasn't a fluke comes from a very similar 2013 incident documented by Scott Hanselman (Chasing an active Social Engineering Fraud at Amazon Kindle).

In this case, the scammers got Amazon to issue a replacement for a Kindle that wasn't broken and then tried to get the shipping address for the replacement Kindle changed. Here too, the scam was perpetrated over web chat without the scammer being logged in to an Amazon account. Hanselman writes:

... this is a social engineering hack, not a "password compromised" hack. The person has reported that "Scott's" Kindle is broken and has asked for a replacement, but then later tried to redirect the delivery. The customer rep says they can't redirect it. However, it appears the bad guy tried multiple support folks until they finally got the package redirected.

... none of this required anything more than my address and my email. They were able to get the Amazon Customer Service to accept that they were me without my password or any additional verification.

You might think the bad guys could be found using the new shipping address for the replacement Kindle. But the US-based address was a bit unusual. Hanselman explains:

It's a global shipping logistics company. The weird number at the end of their address is a Virtual Routing number. An address with a number after it allows folks to have a package mailed to them in the US, then the package is transparently forwarded overseas. This number points to an account they have with a post office in a country in Southeast Asia. They receive packages from all over, consolidate them, then ship them en masse. This allows governments and companies (and apparently bad guys) to order stuff from companies inside the US, then pay the international shipping and tariffs as a large shipment when it's sent overseas.

It didn't take much research to find yet another account of this scam, by Chris Cardinal from back in 2012. In this instance, the scammers tricked Amazon into re-sending items that they claimed were never received. As with Hanselman, the scammers directed Cardinal's shipment to a "logistics company" that forwards mail overseas.

Yet again, all that was needed for the scammer to fake out Amazon was the victim's name, billing address and email address.

DEFENDING OURSELVES

Clearly, Amazon has a problem, which means their customers have a problem.

The elephant in the room is Amazon's use of an email address as a user ID. Since email addresses are so public, this does half the work for attackers. The best defense was suggested by Chris Cardinal, the 2012 victim.

I’ve since registered my Amazon account under a purpose-built email address that is only for Amazon.

That is, Amazon customers should provide the company with an email address that is not used anywhere else, for anything.

One way to get a unique email address is an alias.

Springer uses Fastmail, a commercial email provider that many techies recommend. Their cheaper accounts allow for 11 aliases; stepping up gets you 255 aliases. I used to use Earthlink as my email provider and they too offered aliases, but Fastmail aliases have an extra kicker.

Earthlink aliases were limited to the same domain. That is, michael@earthlink.com could be aliased as michaelxyz@earthlink.com or 123michael@earthlink.com or harvey@earthlink.com. Fastmail, however, owns quite a few domains. So an alias for michael@fastmail.com does not have to end with fastmail.com.

Another approach involves forwarding.

You could sign up for a new gmail account and then configure it to automatically forward incoming messages to your existing account.

Yahoo mail does not support forwarding, ISP email probably does. Certainly, anyone who owns their own domain can forward email. Outlook.com seems to support forwarding but when I tried to create a rule, it complained that one recipient was too many. Typical Microsoft.

There are two Gmail tricks to make unique email addresses that I would avoid using with Amazon.

The first involves adding periods. Gmail treats m.i.chael@gmail.com the same as michael@gmail.com, so you could give Amazon your normal Gmail account with an extra embedded period or two. But if Amazon representatives ignore the billing address, they will probably ignore periods in an email address too.

For the same reason I would not bother using a plus sign to create a unique Gmail account. It strikes me as safer to give Amazon something like kmer7newg3kde5@gmail.com rather than michael+amazon@gmail.com.
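The point of the last two paragraphs, as an added example that is not part of the original post: under Gmail's own delivery rules, dotted and plus-tagged variants all collapse to the same mailbox, so a rep who compares addresses loosely sees no difference, while a purpose-built random alias does not collapse to anything the attacker already knows. The normalisation below follows Gmail's documented behaviour (dots in the local part ignored, everything from "+" onward ignored, case-insensitive, googlemail.com equivalent to gmail.com); the sample addresses are constructed.

```python
import secrets
import string

# Domains on which Gmail's local-part rules apply (googlemail.com delivers to gmail.com).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Collapse a Gmail address to the mailbox it actually delivers to.

    Gmail ignores dots in the local part, ignores a '+tag' suffix and is
    case-insensitive, so every variant maps to one canonical mailbox.
    For non-Gmail domains only the domain's case is normalised.
    """
    local, _, domain = address.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses deliver to the same mailbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def random_alias(domain: str = "gmail.com", length: int = 14) -> str:
    """A purpose-built local part with no dots or plus signs to strip,
    in the style of the post's kmer7newg3kde5@gmail.com (constructed example)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)) + "@" + domain


if __name__ == "__main__":
    # Constructed samples: the post's two Gmail tricks versus a random alias.
    known = "michael@gmail.com"
    variants = ("m.i.chael@gmail.com", "michael+amazon@gmail.com",
                "Michael@googlemail.com", random_alias())
    for v in variants:
        print(f"{v:30} -> {canonical_gmail(v):24} same mailbox as {known}: {same_mailbox(known, v)}")
```

Only the random alias fails to match the address an attacker already has; that is why the post prefers it over the dot and plus tricks.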

Extra security when logging on Amazon.com

Ironically, as I was writing this, I went to change my wife's Amazon account over to a brand new, freshly minted email address. After logging in with her current email address and password, Amazon wanted still more identity proof as shown above.

Maybe I should have used web chat.