Amazon Customer Support Has Gaping Security Hole

January 25, 2016, 5:46 PM UTC
Operations Inside An Inc. Fulfillment Center On Cyber Monday
Boxes move along a conveyor belt at the Inc. fulfillment center on Cyber Monday in Robbinsville, New Jersey, U.S., on Monday, Nov. 30, 2015. Online sales on Cyber Monday may rise at least 18 percent from a year earlier, slower growth than during the holiday weekend, as consumers start their Internet shopping earlier, according to forecasts by International Business Machines Corp. Photographer: Michael Nagle/Bloomberg via Getty Images
Michael Nagle—Bloomberg Bloomberg via Getty Images

Some poor soul became the victim of a hacker’s social engineering scheme, and was livid enough to tell the tale.

Eric Springer, a former Amazon employee who worked as a software developer in the company’s search and discovery segment (as well as a self-described regular Amazon shopper and “heavy” Amazon Web Services customer), shared his experience in a post on Medium. He described—and published transcripts documenting—how imposters were able to trick Amazon (AMZN) customer support representatives into revealing his personal information.

Get Data Sheet, Fortune’s technology newsletter.

Springer became suspicious that something was amiss after receiving an unprompted email from “Thank you for contacting us.” Weird—must be an error or a delayed message, he reasoned. Unfortunately, that theory proved incorrect.

Springer learned the truth after the company sent him the transcript of a conversation he reportedly had with a service rep. In it, an identity thief masquerading as Springer managed to finagle details about Springer out of an unwitting employee.

Here’s how the attack worked. The hacker was able to confirm “his” (i.e. the victim’s) name, email address, and a fake (albeit plausible) street address obtained through a simple “whois” query—a search for certain limited details about a person listed in an Internet domain name registrar. (Springer had registered a fake street address with the registrar to prevent his true address from leaking.)

For more on Amazon’s security, watch:

The attacker then requested to know where Springer’s latest order was being shipped, which yielded Springer’s true street address.

“Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange,” Springer wrote in his post. “Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.”

Attempts to have Amazon put a note on his account to beware of social engineering trickery didn’t help either. Attackers were later able to extract an updated street address for Springer using the old address they had already stolen. A little while later, the attackers apparently succeeded a third time.

“At this point, Amazon has completely betrayed my trust three times,” Springer wrote. “I have done absolutely everything in my power to secure my account, but it’s hopeless.”

Read more: Hacker Targets National Intelligence Director’s Online Accounts

Fortune contacted Springer to learn more. “Truth be told, I kind of singled Amazon out because it made for the most entertaining screenshots, other services have screwed up even worse,” he said. Springer also said he has spoken with several people at Amazon who have promised to prioritize a fix for the issue. (Amazon did not immediately reply to Fortune’s request for comment.)

Social engineering schemes are an all too common, though under-appreciated, attack vector for hackers. They require minimal technical ability, and instead prey on weaknesses that exist in organizations’ security procedures. To improve what Springer deems a presently flawed situation, he provides a few recommendations, including stronger authentication measures on the part of online services.

NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this, would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.

Show support agents the ip address of the person connecting. Is it a usual one? Is it a VPN/tor one? etc. Give them a warning to be suspicious.

Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.

Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its namecheap whois protection expire

The alarming takeaway here is that it doesn’t matter how security conscious a user might be. Even top intelligence officials as high on the food chain as John Brennan, director of the Central Intelligence Agency, and James Clapper, director of National Intelligence, appear to have targeted with these types of attacks in recent months. A person is only as secure as the company holding their data.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward