Howto social-engineer someone's address and other sensitive info from Amazon

Eric Springer is a former Amazon engineer and a heavy AWS user. He's posted a long, terrifying explanation of how identity thieves have been able to repeatedly extract his personal info from Amazon's customer service reps by following a simple script.

Springer was tipped off to the attacks by messages from Amazon thanking him for contacting their customer service by text-chat. He retrieved the chat transcripts from Amazon and discovered that the crooks followed a simple script, almost to the word, to get information out of the Amazon support reps. Worse, Amazon's reps continued to give up his data after he reported the first fraud and asked the company to put a fraud alert on his account.

Let me just stop right there, so I can point out that address isn’t mine. It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my ip address would match up with it.

Amazon’s customer service backdoor [Eric Springer/Medium]

(via Waxy)

Notable Replies

  1. The sad fact is that if your information is on a networked computer, it is vulnerable to hacking; it is just a question of how much your information is worth to an attacker.

    And the corollary to that is the more effort you make to prevent your information from ending up on a networked computer, the more you will be perceived as having criminal intent. For example, the author's own suggestion that if an access is coming from a recognized Tor or VPN exit node, flag it as suspicious.

  2. shenza says:

    Fast forward one year:

    Amazon's Customer Service Atrocious, Gave Me Third-Degree Over $5 Order

  3. Why doesn't Amazon randomly give out wrong information? The customer support person, every once in a while, could ask the customer: "Did you mean the 55-gal drum of personal lubricant?" This might catch some fraudsters.

    Also, Amazon should email the account every time there's an interaction with the customer service reps, no?

  4. The big problem here isn't Amazon at all, from what it says in the article. They did screw up, but as far as I can see from that article, the information they gave away was his street address and his phone number, which are frequently treated as public information by all kinds of sources.

    Back in the old days, you'd just look his name up in the phone book - remember those? The phone company used to pay to print copies of everybody in the city's address and phone number and give them free to everybody. That doesn't work for phone numbers any more since so many people use cell phones, but the information is still usually treated as public. Nowadays there are any number of services, free and paid, which will let you dig up that information for someone.

    The big problem is any service which treats a caller knowing a person's current street address and phone number as proof of their identity, such as his bank which apparently considers it good enough validation to change their address and send out a new credit card. Those are the companies he should really be lambasting here.

    The broader problem still is there is not a cross-institution consensus on what pieces of information are considered secret and proof of true identity, and what information is considered public record and can and should be readily handed out.

  5. The street address the shipment was going to. And what that shipment was, and his gift card balance (and, even, a handy-dandy URL so the impersonator could track the shipment all the way to its destination!). And, on a second event, the new address a shipment was going to, and what the shipment was. And no one knows what information was given over the phone call that there's no transcript or (available) recording of. And all of that given to someone who only had his email address and a completely incorrect mailing address.

    So, yeah, Amazon (or, rather, their (probably outsourced) customer service reps) really screwed up here, and totally deserves to be lambasted as a concrete example of the problem.
