
Is there anything we could do to make you (and many more with the same sentiment) more comfortable? We are thinking of writing a blog post about what happens in the background; would that help? Any other ideas?


There is absolutely nothing you could say or do that would make me give you my password. Also, I assume, you need to store it in the clear to use it.

You claim to not have access to credit card information or to be able to order something, but I already have to trust you to believe that claim. Also, Amazon could change their policies at any time -- after all, you have credentials, and Amazon could decide to trust you.


You could definitely verify that claim: 1) Try to extract your credit card from your account 2) Order something to a new address without having to verify your credit card.

You will find that both are not possible.


The second one is possible with nothing other than an Amazon order number and some human social engineering; earlier this summer I got hit with someone who gained access to my Amazon order number for an Xbox One (I assume this happened because I was recycling my physical Amazon pack-in invoices [which included the order number] without shredding them), that person chatted with an Amazon CSR and got them to send a replacement order (saying the first never came) and even convinced them to send the replacement to another address that had never been associated with my account (which was a remailer service in Oregon). Even worse, they did this twice (two replacement orders for the same item sent to the same place staggered over 2 days).

I can imagine it would be much, much easier for such social-engineering replacement fraud to happen if someone actually had access to your account with all of its order number data in the clear.

They would be restricted to just reordering things you've already ordered in the past, but I imagine that it doesn't take too many incidents on your account (especially if they figure out you've given your password away freely to a third party) before Amazon shuts you down, with all of the pain associated with that if you're a prime/kindle/etc user.

This seems like a cool service, but there's no way in hell I'm giving anyone my Amazon password for any purpose.


Thanks for the tip on that attack vector; guess I should be shredding those invoices then.


It gets worse: attackers don't even need the paper invoices - at least in 2012, they were social engineering them directly out of Amazon CSRs [0].

[0] http://www.htmlist.com/rants/two-for-one-amazon-coms-sociall...


> Try to extract your credit card from your account

I am not foolish enough to believe that my attackers are no more clever than myself. So whether I can extract my credit card from my account is not useful.


How about ordering a high-cost item from an attacker who sells on Amazon? How about AWS? How about Amazon Payments to order a service from the attacker's site?

In order to trust you with credentials, it is necessary that you show you have thought everything through. The user needs to know that you will not leak credentials. It's a very high bar. You have simply failed to clear the bar.


Ordering something that I don't want to one of my addresses just for trolling's sake would be annoying too.


Just an off-the-top-of-my-head idea: Could you give people a bookmarklet or an extension that they can run when they are on their order history page that exports all the Amazon product IDs?


I was going to write something similar to this. One issue, though, is that it doesn't necessarily track new purchases.

To do that as well, it needs to be an extension and it should also monitor whenever you buy something. If there is a concern that purchases might happen when on another computer, you could allow the user to enter their password into the extension so that the extension can monitor things for you in the background. While users don't have a guarantee that the extension is using the password securely, at least it is possible for the source code to be inspected.


You can actually download your entire order history as a CSV (which is kind of fun -- on the account page, find "Download Order Reports"), which could then be uploaded into this service to get a report on everything you've purchased. The only sensitive information included in the report is name and address.


Is there any OAuth way of authorizing this?

There is no way I'm giving out my Amazon creds which also house AWS, Amazon Payments, Amazon Sellercentral, etc...

Much more cumbersome for users, but I see a report option where you can generate .csv's of every item you ordered; maybe those could be uploaded to your service. Unfortunately, if I can't use this service without handing over my creds, I'm not going to use it.


I'd try ingesting the order history report one can create at Amazon.

http://www.amazon.com/gp/help/customer/display.html?nodeId=2...
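The CSV-upload route suggested in the two comments above leaves the user holding name, address and order numbers (the handle used in the replacement-fraud story earlier in the thread) in the file they are about to hand over. This added example, not code from the service or from any commenter, strips those columns before upload; the sample report and its column names are constructed assumptions, not Amazon's real export schema.

```python
import csv
import io

# Constructed sample in the shape of an order-history export. The column
# names are assumptions: adjust KEEP_COLUMNS / DROP_PREFIXES to match the
# header row of the report you actually downloaded.
SAMPLE_REPORT = """Order Date,Order ID,Title,ASIN/ISBN,Quantity,Item Total,Shipping Address Name,Shipping Address Street 1,Shipping Address City
2013-08-02,123-4567890-1234567,Xbox One Console,B00EXAMPLE1,1,$499.99,Jane Doe,1 Example St,Portland
2013-09-14,123-4567890-7654321,USB Cable 6ft,B00EXAMPLE2,2,$15.98,Jane Doe,1 Example St,Portland
"""

# The only columns a purchase-analysis service needs to see.
KEEP_COLUMNS = ("Order Date", "Title", "ASIN/ISBN", "Quantity")

# Columns that identify you, or that let someone talk a CSR into a
# replacement shipment (order number). Used to report what was stripped.
DROP_PREFIXES = ("Order ID", "Shipping Address", "Billing Address")


def minimize_order_report(report_text: str) -> list[dict]:
    """Return rows containing only KEEP_COLUMNS.

    Raises ValueError if an expected column is missing, so a schema change
    is noticed instead of silently producing a useless or over-shared file.
    """
    reader = csv.DictReader(io.StringIO(report_text))
    missing = [c for c in KEEP_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report is missing expected columns: {missing}")
    return [{c: row[c] for c in KEEP_COLUMNS} for row in reader]


def sensitive_columns(report_text: str) -> list[str]:
    """List the header columns that minimize_order_report() will drop."""
    header = csv.DictReader(io.StringIO(report_text)).fieldnames or []
    return sorted(c for c in header if c.startswith(DROP_PREFIXES))


def to_csv(rows: list[dict]) -> str:
    """Serialize minimized rows back to CSV for upload."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(KEEP_COLUMNS), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print("dropping:", sensitive_columns(SAMPLE_REPORT))
    print(to_csv(minimize_order_report(SAMPLE_REPORT)))
```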


> Is there anything we could do to make you (and many more with the same sentiment) more comfortable?

No. Asking people to give out their passwords is fucking horrific. You can't do anything with Amazon, but bad_guy could do something with $other_service and you're just encouraging people to be lazy with passwords.

It's hard enough to get people to choose good passwords and not store them in stupid ways.


A giant "Why we are asking for this" would be a great start.


I'm not sure, but Mint.com seems like a good place to look for ideas. They have somehow persuaded me and millions of others to hand over all our banking passwords.

Gaining this trust, though, will probably not be easy. One advantage a site like Mint has is that they have so much content and so many partnerships that it is clear they are not a scam, have enough at stake to not misuse my information, and probably have the resources to keep it safe. A site like yours, however, could easily have been cobbled together in a number of hours by a scammer. (I don't mean this as a criticism -- I actually like your site. It just doesn't have anything on it to suggest that you are the sort of business I can trust with my passwords.)


It helps at this point that Mint itself and its corporate owner Intuit have a long history of reasonably good online security (certainly better than some banks I've used), plus the whole "owned by Intuit" thing gives a solid paper-trail to keep anyone from recourselessly running away in the night with my information.


Mint also at least initially partnered with Yodlee, and didn't actually do any of the storing of your passwords themselves.


Make this a project I can download and run entirely on my local machine.

