A fraudster exploited a bizarre weakness in Amazon's handling of customer devices to hijack a netizen's account and go on multiple spending sprees with their bank cards, we're told.
If you have weird fraudulent activity on your Amazon account, this may be why.
In short, it is seemingly possible to add a non-Amazon device to an Amazon customer account so that it won't necessarily show up in the list of gadgets associated with the profile. This device can quietly use the account even if the password is changed, or two-factor authentication is enabled.
Thus if someone can get into your account and add their own gizmo to your profile, they can potentially retain this access persistently and continue ordering stuff using your payment cards, even if you seemingly remove all devices from your account and change your login credentials.
Redditor fidelisoris this week shared their experience of this security hole, and how it appeared to be exploited by a crook to buy gift cards using their account's payment information. The Reg got in touch with the netizen and Amazon to dig into the fraud.
Rewind a few months, and our protagonist discovered unauthorized purchases on their account. They swiftly protected the profile: removed computers and other devices from the account, changed passwords, refreshed the multi-factor login, and so on.
"I immediately did what any professional IT / IS guy does: I began the lockdown. All associated devices get removed from the account," fidelisoris, who asked us to use their internet handle, recounted.
"All active sessions get killed. I wipe browser cache. I do a full security scan of the system. I change my email password. I change my Amazon password. I even swapped my 2FA authenticator service. Then, out of increasing paranoia, I change the password on every associated site and service I can think of, including my banks and credit cards."
Normally, this would be more than enough to stop the fraudulent activity dead. Unfortunately, fidelisoris found the fraud continuing over the next few months, with the mystery thief getting back in each time to make more purchases.
Here is where the hardware comes in. Amazon allows customers to link their Android gadgets and gizmos to accounts, allowing them to make purchases, view content, and so on. So, in this case, it's easy enough to fix, right? Just go into the online account settings, unlink the offending unauthorized device, and stop the fraud.
Unfortunately, our protagonist claimed, it wasn't that easy. It seems that while the website lists Amazon-made connected products, other devices, such as TVs, games consoles, and set-top boxes, may not be visible in the account online settings nor to much of Amazon's tech support staff.
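The control a platform owner would want for the behaviour described above, written as an added example that is not Amazon's code nor anything from the Reddit post: every device token is bound to a credential generation, so a password change revokes all of them at once, and the device listing enumerates third-party hardware (smart TVs, consoles) alongside first-party gear. The account and device model here is a constructed assumption, and the `revoke_devices=False` path exists only to model the weakness the article describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    kind: str            # e.g. "kindle", "android_app", "smart_tv" (constructed kinds)
    cred_version: int    # credential generation the token was issued under

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    cred_version: int = 1
    devices: dict = field(default_factory=dict)   # device token -> Device

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, password_hash=_hash(password, salt))

def register_device(acct: Account, name: str, kind: str) -> str:
    """Issue a long-lived device token tied to the current credential generation."""
    token = secrets.token_urlsafe(32)
    acct.devices[token] = Device(name, kind, acct.cred_version)
    return token

def list_devices(acct: Account) -> list:
    """Show every linked device, first- and third-party alike, with its current validity."""
    return sorted((d.name, d.kind, d.cred_version == acct.cred_version)
                  for d in acct.devices.values())

def token_is_valid(acct: Account, token: str) -> bool:
    d = acct.devices.get(token)
    return d is not None and d.cred_version == acct.cred_version

def change_password(acct: Account, old: str, new: str, revoke_devices: bool = True) -> bool:
    """Rotate the password; with revoke_devices=True every earlier device token stops verifying."""
    if not hmac.compare_digest(_hash(old, acct.salt), acct.password_hash):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = _hash(new, acct.salt)
    if revoke_devices:
        acct.cred_version += 1   # the step whose absence lets a rogue device outlive a reset
    return True
```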
In fact, according to fidelisoris, it took repeated calls to the support desk before they could finally find a staffer, on the Kindle team, who could use some specific internal software that allowed them to spot the mystery device – a rogue smart TV – that was being used to make the bogus purchases.
Here's how the netizen put it on Reddit on Wednesday:
And then the penny dropped:
And the crucial point – more people may be bitten by this security oversight:
It is not clear how the scumbag got into fidelisoris' account in the first place – possibly by stolen credentials, or a bug in an application, or similar. For now, though, we're told Amazon tech support removed the malicious telly from their account. It's hoped that will staunch the fraud, though Amazon can't even confirm the equipment was the conduit for the fraudulent purchases in the first place.
The Register asked the cyber-souk for some clarification on the matter. "We take information security seriously and are investigating these claims," an Amazon spinner said.
fidelisoris told The Register the tech titan provided them with similarly mealy-mouthed answers.
For now, it certainly looks as though there is a glaring shortcoming in Amazon's customer service and its platform security that leaves punters potentially open to sustained fraud without any easy means of stopping it.
Meanwhile, fidelisoris says they have gone from victim to detective in this matter, and are leaving the account open for now in hope of uncovering an even greater issue: that there may be a hole through which crooks can add unauthorized devices to strangers' accounts without the need for any credentials.
"For those who suggested that the account should be abandoned and a new one created, I agree that is certainly the best move for security purposes. But now my inner-sleuth has come out," they said.
"Logic would assume that, now that all devices have been deactivated and no longer have the authority to access or purchase on my account … if another incident occurs, can we then suggest there is a greater possibility that a loophole exploit is still uncaught on one of these 'non-Amazon' device apps' code?"
If you or someone you know has experienced similar frustrations with Amazon or another retailer, please let us know. ®