Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You could definitely verify that claim: 1) Try to extract your credit card from your account 2) Order something to a new address without having to verify your credit card.

You will find that both are not possible



The second one is possible with nothing other than an Amazon order number and some human social engineering; earlier this summer I got hit with someone who gained access to my Amazon order number for an Xbox One (I assume this happened because I was recycling my physical Amazon pack-in invoices [which included the order number] without shredding them), that person chatted with an Amazon CSR and got them to send a replacement order (saying the first never came) and even convinced them to send the replacement to another address that had never been associated with my account (which was a remailer service in Oregon). Even worse, they did this twice (two replacement orders for the same item sent to the same place staggered over 2 days).

I can imagine it would be much, much easier for such social-engineering replacement fraud to happen if someone actually had access to your account with all of its order number data in the clear.

They would be restricted to just reordering things you've already ordered in the past, but I imagine that it doesn't take too many incidents on your account (especially if they figure out you've given your password away freely to a third party) before Amazon shuts you down, with all of the pain associated with that if you're a prime/kindle/etc user.

This seems like a cool service, but there's no way in hell I'm giving anyone my Amazon password for any purpose.


Thanks for the tip on that attack vector- guess I should be shredding those invoices then.


It gets worse: attackers don't even need the paper invoices - at least in 2012, they were social engineering them directly out of Amazon CSRs [0].

[0] http://www.htmlist.com/rants/two-for-one-amazon-coms-sociall...


Try to extract your credit card from your account

I am not foolish enough to believe that my attackers are no more clever than myself. So whether I can extract my credit card from my account is not useful.


How about ordering a high-cost item from an attacker who sells on Amazon? How about AWS? How about Amazon Payments to order a service from the attacker's site?

In order to trust you with credentials, it is necessary that you show you have thought everything through. The user needs to know that you will not leak credentials. It's a very high bar. You have simply failed to clear the bar.


Order something that I don't want to one of my address just for trolling's sake would be annoying too.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: