Image Credit: PHILIPPE HUGUEN / Getty Images
An Amazon user has posted evidence online of the retail giant’s customer service department handing over his personal details to a cyber criminal, leading to a new credit card being shipped to the attacker’s address and, eventually, the attacker managing to get a hold of details that would allow him to access the victim’s finances.
Eric Springer, an Australian developer who previously worked for Amazon as a software engineer, outlined his issues with the company’s handling of his private information in a post on Ars Technica. Describing customer support as a “security backdoor” that can be exploited by attackers, Springer details his experience with Amazon, describing them as the “most grievous offender” of willingly handing over their customers’ info.
According to Springer, he was first alerted to the attempts to access his after Amazon sent him an email thanking him for contacting the service, though no such interaction had taken place. Amazon then sent him a chat transcript of one of their customer support representatives holding a conversation with someone who had accessed Springer’s account – which was registered to “a fake address of a hotel that was in the same zip code where I lived,” as he had “used it to register some domains, knowing that whois information all too often becomes public.” However, using this fake address, the attacker easily managed to get the customer service rep to hand over his real address – the one Springer’s items are shipped to – along with his phone number.
A transcript of the attacker repeatedly asking for Springer’s credit card information.
Springer claims that the attacker used this information to “bounce around a few services” and even managed to get Springer’s bank to ship a new credit card to the attacker’s address. After contacting Amazon about this incident, the company informed that they would attach a note to his account in order to prevent it happening again, in order for future customer service reps to be able to see that his account is a target for attackers. However, a couple of months later and Amazon sends Springer an email thanking him for contacting them once again, with the attacker this time having entered into a text chat with an Amazon customer rep in order to get them to pass along his credit card number.
Despite this behavior being notably suspicious, and Amazon having allegedly attached a note to Springer’s account, the customer service rep does not report this incident, though also does not hand over his credit card details. However, after getting in touch with Amazon again to report this incident, the attacker again got in touch with Amazon – this time via phone, with the company refusing to provide Springer with a recording of the call – with the attacker seemingly getting his hands on Springer’s credit card number during this conversation. “Amazon completely betrayed my trust three times,” Springer wrote, adding: “I did absolutely everything in my power to secure my account, but it was hopeless. Today, I am in the process of closing my Amazon account and migrating as much as I can to Google services, which seem significantly more robust at stopping these attacks.”
While Springer concedes that “9999 times out of 10000 support requests are legitimate,” it’s still worrying to know how easy it is for attackers to get a hold of users’ personal information using Amazon’s own customer support team. Hopefully Springer’s story will lead to Amazon reevaluating their policies in this regard, and to be more wary of situations such as these arising again.