Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam

UPDATE, 12/18/2012: Amazon emailed me this morning to tell me they’ve terminated my account and let me know that I may have been phished. I was also told by the other woman I reference in this post that her account had been terminated as well. My Amazon Web Services account is in limbo, so I’ll be posting more about this shortly.

UPDATE #2, 12/18/2012 PM: It appears that the termination email was inaccurate. The account was only “frozen” and has since been restored to me, thankfully. (And moved to a different email address.) I’m following up with the other Amazon user to see if she’s had a similar outcome.

Someone has devised a relatively simple way of defrauding Amazon.com and they require very little hard information to pull it off. While this story is still developing, I’m writing this up in an effort to make Amazon aware of the problem and hopefully help them tighten their call center and live chat security.

You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadgets blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple. (The last four of your credit card, incidentally.) I’m sad to say that Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it’s hurting them directly.

I woke up this morning to find four tightly spaced emails from Amazon apologizing for the premature termination of our live chat session. They all differed slightly but were along the lines of “I couldn’t gather enough information to take action.” At first, I figured this was a bizarre phishing scheme, but the post-chat emails were true to Amazon’s normal format and linked to valid Amazon post-chat survey links. I did notice that the emails were being sent to my name with a dot bisecting the first and last name: GMail is “dot-blind”. You can literally email [email protected] and it would get through to the [email protected] account with no issues. But Amazon is NOT dot blind. [email protected] is a distinct Amazon account from [email protected], even though the email account is the same. (Because many providers are NOT dot-blind, this is actually normal practice.)

This was of particular interest to me as I have never given out my email address with a dot in it. Ever. More on that soon.
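The distinction above (Gmail collapses dots and plus-tags in the local part, while a site that keys accounts on the raw string sees each spelling as a separate customer) is something a site can detect on its own side. The following is an added example, not code from the post or from Amazon: it canonicalizes addresses for Gmail-family domains only, leaves other providers untouched because they are not dot-blind, and groups account records that resolve to the same mailbox so a fraud or support team can review them. The sample account list is constructed.

```python
from collections import defaultdict

# Gmail and its googlemail.com alias ignore dots in the local part and
# anything after a '+'. Other providers do NOT, so only these domains are
# collapsed; everyone else is just lowercased.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    Lowercases the whole address (domains are case-insensitive, and Gmail
    local parts are too). For Gmail-family domains it strips dots and
    plus-tags and folds googlemail.com into gmail.com.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def mailbox_collisions(account_emails):
    """Group account identifiers that share one real mailbox.

    Returns {canonical_mailbox: [account_email, ...]} for mailboxes that are
    reachable from more than one registered account. A second account on an
    existing customer's mailbox is exactly what the post describes, and is
    worth a review flag before customer service acts on either account.
    """
    groups = defaultdict(list)
    for email in account_emails:
        groups[canonical_mailbox(email)].append(email)
    return {mbox: accts for mbox, accts in groups.items() if len(accts) > 1}


# Constructed sample: three spellings of one Gmail mailbox, plus two
# addresses at a provider that is not dot-blind (kept distinct).
SAMPLE_ACCOUNTS = [
    "jane.doe@gmail.com",
    "janedoe@gmail.com",
    "Jane.Doe+orders@googlemail.com",
    "jane.doe@example.com",
    "janedoe@example.com",
]

if __name__ == "__main__":
    for mbox, accts in mailbox_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{mbox} is reachable from {len(accts)} accounts: {accts}")
```

The canonical form is for duplicate detection only; the address the customer typed should still be what the site sends mail to, since it is the one they chose to register.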

Finally, the last email indicated that “I did check on your account and found that no orders are present on this account. However if you’ll be able to provide us the order numbers, we’ll be able to proceed from there.” Someone is sniffing out order numbers.

Something wicked this way comes

Two hours later I received yet another post-chat email from Amazon Customer Service. Here it is:


Posted in: Rants

Barnes & Noble Security Question Error Message Mocks You, Your Loved Ones

I finally bought a Barnes & Noble membership today. Despite almost always buying my books on the Amazon, (a site I much prefer referring to with the definite article “the” intact because it sounds cooler), I occasionally will pick one up from B&N if I really want a book that. day. I was buying $55 or so in books, with one being a bestseller which means 40% off, so I was looking at just over $10 off with a membership. $15 for a membership, sure, whatever.

In trying to link my new account from the store with an online account, it prompts for a security question. I select “mother’s middle name” since things like “what’s your favorite restaurant?” are ridiculously inane as I’ll almost *certainly* forget what I entered, which will promptly be followed by feelings of wanting to stab someone. And then I enter ma’s middle name: marie. Never mind that the security answer is CaSe SeNsItIvE, (because, clearly, I should also be forced to remember if I proper-cased my answer) it goes ahead and tells me:

Great. Now Barnes & Noble is calling me a liar AND insulting my mother. Swimming performance there, kids. [Really, the error message reads as follows: Your Security Answer is not formatted properly. A Security Answer must be 6–15 characters long, spaces allowed. Remember that Security Answers are case sensitive (i.e., "Dickens" is not the same as "dickens").]

The moral of the story? Don’t enforce ridiculous limitations on a security question if the user’s correct answer might violate those limitations. And don’t insult your customers’ mothers. (CrunchGear blogged about this too, some two weeks ago.)


Posted in: Design, Rants

GigaOM Talks to Amazon’s Jeff Bezos about Amazon Web Services

GigaOM caught up with Amazon’s Jeff Bezos at the D6 conference this week. A lot of people on Wall Street have been struggling to make the somewhat obvious connection between Amazon as a retailer and Amazon as a web service provider. The background to the concept is really pretty self-evident: Amazon needed to develop amazing tools for their own internal scalability and data management needs and in doing so, determined they could scale those tools, make them available to developers for their own applications and commoditize the marketplace. So they did, as we describe after the jump.


Posted in: Tech News