It turns out that if you want to break into someone else’s Amazon account, you don’t need to know their password, mother’s maiden name, or what their first pet was called. You just need to keep asking for information. That’s what happened in the case of Eric Springer, who found that Amazon customer support had handed over his personal information after just some gentle prodding.
Although Springer describes himself as a security-conscious individual, using long passwords and two-factor authentication where possible, he recently discovered that his Amazon account had been “hacked” when the retailer emailed him as a follow-up to a support chat. Knowing that no such chat had taken place, he looked into it and was able to recover a chat log between someone claiming to be him and an Amazon employee.
Although that support worker did ask for information about Springer to confirm it was really him, for some reason they accepted an address that was merely near where Springer was located, cribbed from a Whois lookup of his website. The phony customer then pressed the support worker for more information and was quickly told Springer’s real address and phone number, as well as the balance of any gift cards on the account.
“The attacker gave Amazon my fake details from a Whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my credit card,” Springer explained on his blog, after expressing sheer amazement that such a security hole could exist in the Amazon support system.
That wasn’t the end of it either. Despite letting Amazon know that his account was at risk of being socially engineered, Springer found several months later that another incident had taken place, when his personal information was coaxed out of an Amazon support rep. They even tried (albeit unsuccessfully) to discover the last few digits of his credit card.
Perhaps catching on to the fact that Springer was aware of their actions, the individuals going after his account then contacted support by phone and were seemingly able to acquire his credit card details.
As well as providing a number of strongly worded recommendations to Amazon, Springer also encourages everyone to be very careful with any information shared with any service, as you never know how it could be used to compromise other data.