Published on October 31st, 2019 📆 | 8059 Views ⚑

Ack! A stranger’s TV hijacked my Amazon account – and the web giant would do nothing about it for months • DigitalMunition

A fraudster exploited a bizarre weakness in Amazon's handling of customer devices to hijack a netizen's account and go on multiple spending sprees with their bank cards, we're told.

If you have weird fraudulent activity on your Amazon account, this may be why.

In short, it is possible to add a non-Amazon device to an Amazon customer account so that it won't show up in the list of gadgets associated with the profile. This device can quietly use the account even if the password is changed, or two-factor authentication is enabled.

Thus if someone can get into your account, and add their own gizmo to your profile, they can persistently retain this access and continue ordering stuff using your payment cards, even if you seemingly remove all devices from your account, and change your login credentials.
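As an added illustration (not from the article, and not Amazon's code), here is a toy Python model of the two design choices the article describes: a device list that only shows first-party hardware, and device tokens that stay valid across a password change, beside the defensive alternative where every credential change bumps a generation counter that invalidates all previously issued device tokens. All names, vendors and data are constructed.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    name: str
    vendor: str
    token: str
    credential_generation: int  # password generation the token was minted under


@dataclass
class Account:
    password: str
    credential_generation: int = 0
    devices: dict = field(default_factory=dict)  # token -> Device

    def register_device(self, name: str, vendor: str) -> str:
        token = secrets.token_hex(8)
        self.devices[token] = Device(name, vendor, token, self.credential_generation)
        return token

    def change_password(self, new_password: str) -> None:
        self.password = new_password
        self.credential_generation += 1  # hardened path: every older device token dies

    # --- weak behaviour, as the article describes it ---
    def list_devices_weak(self):
        # only first-party hardware is shown; a third-party TV never appears
        return [d.name for d in self.devices.values() if d.vendor == "Amazon"]

    def token_valid_weak(self, token: str) -> bool:
        # a token stays accepted as long as it exists; password changes are ignored
        return token in self.devices

    # --- hardened behaviour ---
    def list_devices(self):
        return [d.name for d in self.devices.values()]  # every vendor is visible

    def token_valid(self, token: str) -> bool:
        d = self.devices.get(token)
        return d is not None and d.credential_generation == self.credential_generation


def demo() -> dict:
    acct = Account("hunter2")  # constructed account
    kindle = acct.register_device("Kindle", "Amazon")
    tv = acct.register_device("Smart TV", "OtherVendor")  # constructed rogue device
    acct.change_password("new-password-after-lockdown")
    return {
        "weak_list": acct.list_devices_weak(),          # TV is invisible
        "weak_tv_still_valid": acct.token_valid_weak(tv),  # still accepted
        "hardened_list": acct.list_devices(),
        "hardened_tv_valid": acct.token_valid(tv),       # revoked by rotation
        "hardened_kindle_valid": acct.token_valid(kindle),
    }
```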

Theft

Redditor fidelisoris this week shared their experience of this security hole, and how it was exploited by a crook to buy gift cards using their account's payment information. The Reg got in touch with the netizen and Amazon to dig into the fraud.

Rewind a few months, and our protagonist discovered unauthorized purchases on their account. They swiftly protected the profile: removed computers and other devices from the account, changed passwords, refreshed the multi-factor login, and so on.

"I immediately did what any professional IT/IS guy does: I began the lockdown. All associated devices get removed from the account," fidelisoris, who asked us to use their internet handle, recounted.

"All active sessions get killed. I wipe browser cache. I do a full security scan of the system. I change my email password. I change my Amazon password. I even swapped my 2FA authenticator service. Then, out of increasing paranoia, I change the password on every associated site and service I can think of, including my banks and credit cards."

Normally, this would be more than enough to stop any sort of fraudulent activity. Unfortunately, fidelisoris found the fraud continuing over the past few months, with the mystery thief getting back in each time to make more purchases.

Here is where the hardware comes in. Amazon allows customers to link their phones and other gadgets to accounts, allowing them to make purchases, view content, and so on. So, in this case, it's easy enough to fix, right? Just unlink the offending unauthorized device from the account and stop the fraud.

Unfortunately, our protagonist found, it wasn't that easy. It seems Amazon only lists connected devices that are made by Amazon, such as Kindle hardware. Other devices, like TVs, games consoles, and set-top boxes can't be seen in the account settings nor by much of Amazon's tech support staff.

In fact, fidelisoris recounts, it took repeated calls to the support desk before they could finally find a staffer, on the Kindle team, who could use a special piece of internal software that allowed them to spot the mystery device – a rogue smart TV – that was being used to make the bogus purchases.

Here's how the netizen put it on Reddit on Wednesday: [embedded Reddit post not reproduced]

And then the penny dropped: [embedded Reddit post not reproduced]

And the crucial point – more people may be bitten by this security oversight: [embedded Reddit post not reproduced]

It is not clear how the scumbag got into fidelisoris' account in the first place – possibly by stolen credentials, or a bug in an application, or similar. For now, though, we're told Amazon tech support removed the malicious telly from their account. It's hoped that will staunch the fraud, though Amazon can't even confirm the equipment was the conduit for the fraudulent purchases in the first place.

DigitalMunition asked the cyber-souk for some clarification on the matter. "We take information security seriously and are investigating these claims," the Amazon spinner said.

fidelisoris told DigitalMunition that Amazon provided them similarly mealy-mouthed answers.

For now, it certainly looks as if there is a glaring loophole in Amazon's customer service and its platform security that is leaving punters potentially open to sustained fraud without any easy means of stopping it.

Meanwhile, fidelisoris says they have gone from victim to detective in this matter, and are leaving the account open for now in hopes of uncovering an even greater issue: that there is a hole through which crooks can add unauthorized devices to strangers' accounts without the need for any credentials.

"For those who suggested that the account should be abandoned and a new one created, I agree that is certainly the best move for security purposes. But now my inner-sleuth has come out," they said.

"Logic would assume that, now that all devices have been deactivated and no longer have the authority to access or purchase on my account... if another incident occurs, can we then suggest there is a greater possibility that a loophole exploit is still uncaught on one of these 'non-Amazon' device apps' code?"

If you or someone you know has experienced similar frustrations with Amazon or another retailer, please let us know. ®
