Amazon Customer Support Has Gaping Security Hole
Some poor soul became the victim of a hacker’s social engineering scheme, and was livid enough to tell the tale.
Eric Springer, a former Amazon employee who worked as a software developer in the company’s search and discovery segment (as well as a self-described regular Amazon shopper and “heavy” Amazon Web Services customer), shared his experience in a post on Medium. He described—and published transcripts documenting—how imposters were able to trick Amazon (AMZN) customer support representatives into revealing his personal information.
Get Data Sheet, Fortune’s technology newsletter.
Springer became suspicious that something was amiss after receiving an unprompted email from Amazon.com: “Thank you for contacting us.” Weird—must be an error or a delayed message, he reasoned. Unfortunately, that theory proved incorrect.
Springer learned the truth after the company sent him the transcript of a conversation he reportedly had with a service rep. In it, an identity thief masquerading as Springer managed to finagle details about Springer out of an unwitting employee.
Here’s how the attack worked. The hacker was able to confirm “his” (i.e. the victim’s) name, email address, and a fake (albeit plausible) street address obtained through a simple “whois” query—a search for certain limited details about a person listed in an Internet domain name registrar. (Springer had registered a fake street address with the registrar to prevent his true address from leaking.)
For more on Amazon’s security, watch:
The attacker then requested to know where Springer’s latest order was being shipped, which yielded Springer’s true street address.
“Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange,” Springer wrote in his post. “Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.”
Attempts to have Amazon put a note on his account to beware of social engineering trickery didn’t help either. Attackers were later able to extract an updated street address for Springer using the old address they had already stolen. A little while later, the attackers apparently succeeded a third time.
“At this point, Amazon has completely betrayed my trust three times,” Springer wrote. “I have done absolutely everything in my power to secure my account, but it’s hopeless.”
Fortune contacted Springer to learn more. “Truth be told, I kind of singled Amazon out because it made for the most entertaining screenshots, other services have screwed up even worse,” he said. Springer also said he has spoken with several people at Amazon who have promised to prioritize a fix for the issue. (Amazon did not immediately reply to Fortune’s request for comment.)
Social engineering schemes are an all too common, though under-appreciated, attack vector for hackers. They require minimal technical ability, and instead prey on weaknesses that exist in organizations’ security procedures. To improve what Springer deems a presently flawed situation, he provides a few recommendations, including stronger authentication measures on the part of online services.
NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this, would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
Show support agents the ip address of the person connecting. Is it a usual one? Is it a VPN/tor one? etc. Give them a warning to be suspicious.
Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its namecheap whois protection expire
The alarming takeaway here is that it doesn’t matter how security conscious a user might be. Even top intelligence officials as high on the food chain as John Brennan, director of the Central Intelligence Agency, and James Clapper, director of National Intelligence, appear to have targeted with these types of attacks in recent months. A person is only as secure as the company holding their data.