Schneier on Security's Journal

Friday, December 21st, 2012

    6:20a
    Amazon Replacement-Order Scam

    Clever:

    Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris and supplied his billing address (often easy to find in public phone books, credit reports, or domain registration records). With that, the scammer obtained the order numbers of items Chris had recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and asked for replacements to be sent to a remailer/freight forwarder in Portland.

    The scam hinged on the fact that Gmail addresses are "dot-blind" (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.

    Details here:

    If you've used Amazon.com at all, you'll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

    [...]

    It's clear that there's a scam going on and it's probably going largely unnoticed. It doesn't cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it's also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They're unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.

    There's a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That's the sort of thing you're really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked. (It was delivered Fedex Smartpost, which means handed off to the USPS, so perhaps the lack of tracking custody contributes to their willingness to push the replacement.) Why Amazon's reps were willing to assign the replacement shipment to a different address is beyond me. I was told it's policy to only issue them to the original address, but some clever social engineering ("I'm visiting family in Oregon, can you ship it there?", for instance) will get around that.
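    The dot-blind collision described above is something an identity store should collapse before it looks up or creates a customer record. The following is an added example, not code from Chris's post, from Amazon, or from this blog: it canonicalises an address before matching, using Gmail's documented rules (dots and letter case in the local part are ignored, a "+tag" suffix is ignored, and googlemail.com is the same as gmail.com); the account store and the addresses in it are constructed for the demonstration.

```python
"""Canonicalise e-mail addresses so Gmail "dot-blind" variants map to one
identity before an account is looked up or created. Constructed example."""

# Domains that Google treats as the same mailbox namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the form of `address` used as the account-matching key.

    Gmail: lowercase the local part, drop dots, drop any '+tag' suffix,
    fold googlemail.com onto gmail.com. Other providers: lowercase only
    the domain, because dot and case handling there is provider-specific
    and guessing would create false matches.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class AccountStore:
    """Minimal customer registry keyed by canonical address (constructed)."""

    def __init__(self):
        self._by_canonical = {}

    def register(self, address: str, name: str) -> bool:
        """Create an account; refuse if the canonical address already exists."""
        key = canonical_email(address)
        if key in self._by_canonical:
            return False
        self._by_canonical[key] = {"email": address, "name": name}
        return True

    def lookup(self, address: str):
        """Find the account behind any spelling of the same Gmail mailbox."""
        return self._by_canonical.get(canonical_email(address))


def impostor_signup_allowed() -> bool:
    """The scenario from the post: does a dot variant get its own account?"""
    store = AccountStore()
    store.register("foo@gmail.com", "legitimate customer")
    # With canonicalisation this second sign-up is refused (returns False).
    return store.register("f.oo@gmail.com", "impostor")
```

With the key computed this way, a support-side lookup by e-mail also lands on the existing customer record, so chats and replacement requests made under a dot variant show up in the real account's history.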

    12:12p
    This Week's Overreactions

    Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, post-traumatic stupidity syndrome. (It's not a new phrase -- Google shows hits back to 2001 -- but it's new to me. It reminds me of this.) I think of it as: "Something must be done. This is something. Therefore, we must do it."

    I'm not going to write about the Newtown school massacre. I wrote this earlier this year after the Aurora shooting, which was a rewrite of this about the 2007 Virginia Tech shootings. I feel as if I'm endlessly repeating myself. This essay, also from 2007 on the anti-terrorism "War on the Unexpected," is also relevant. Just remember, we're the safest we've been in 40 years.

    4:58p
    Friday Squid Blogging: Laughing Squid

    The small San Francisco film and video company is celebrating its 17th anniversary.

    As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
