A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months
Crook exploited security hole, hijacked punter's bank cards
A fraudster exploited a bizarre weakness in Amazon's handling of customer devices to hijack a netizen's account and go on multiple spending sprees with their bank cards, we're told.
If you have weird fraudulent activity on your Amazon account, this may be why.
In short, it is possible to add a non-Amazon device to your Amazon customer account and it won't show up in the list of gadgets associated with the profile. This device can quietly use the account even if the password is changed, or two-factor authentication is enabled.
Thus if someone can get into your account, and add their own gizmo to your profile, they can potentially persistently retain this access and continue ordering stuff using your payment cards, even if you seemingly remove all devices from your account, and change your login credentials.
Redditor fidelisoris this week shared their experience of this security hole, and how it appeared to be exploited by a crook to buy gift cards using their account's payment information. The Reg got in touch with the netizen and Amazon to dig into the fraud.
Rewind a few months, and our protagonist discovered unauthorized purchases on their account. They swiftly protected the profile: removed computers and other devices from the account, changed passwords, refreshed the multi-factor login, and so on. They also got the charges on their card reversed.
"I immediately did what any professional IT/IS guy does: I began the lockdown. All associated devices get removed from the account," fidelisoris, who asked us to use their internet handle, recounted.
"All active sessions get killed. I wipe browser cache. I do a full security scan of the system. I change my email password. I change my Amazon password. I even swapped my 2FA authenticator service. Then, out of increasing paranoia, I change the password on every associated site and service I can think of, including my banks and credit cards."
Normally, this would be more than enough to stop the fraudulent activity dead. Unfortunately, fidelisoris found the fraud continuing over the next few months, with the mystery thief getting back in each time to make more purchases.
Here is where the hardware comes in. Amazon allows customers to link their Android gadgets and gizmos to accounts, allowing them to make purchases, view content, and so on. So, in this case, it's an easy enough to fix, right? Just go into the online account settings, and unlink the offending unauthorized device and stop the fraud.
Unfortunately, our protagonist claimed, it wasn't that easy. It seems that while the website lists Amazon-made connected products, other devices, such as TVs, games consoles, and set-top boxes, may not be visible in the account online settings nor to much of Amazon's tech support staff.
In fact, according to fidelisoris, it took repeated calls to the support desk before they could finally find a staffer, on the Kindle team, who could use some specific internal software that allowed them to spot the mystery device – a rogue smart TV – that was being used to make the bogus purchases.
Here's how the netizen put it on Reddit on Wednesday:
I contact Amazon. I get the first representative on the phone, and I try to explain through my frustration what happened, and the history I mentioned. This time was odd; she seemed to hesitate when reviewing the account, placing me on hold to "talk to her resources", and then mumbling about policy and what she can and can't say.
Ultimately, she forwards me over to the "Kindle technical department" (I don't own a Kindle, mind you...) and I speak to another offshore gentleman. After another round of codes and account verification, I tell the tale again. However, this time, this guy pulls out a magic tool and tells me where the purchases were made -- I could jump for joy with some actual evidence being presented -- and he tells me it came from a smart TV called a "Samsung Huawei."
It wasn't my TV. In fact, I've never owned an Android device, or anything made by Huawei.
And then the penny dropped:
And the crucial point – more people may be bitten by this security oversight:
How many people have rogue devices fraudulently attached to their account without their knowledge, waiting to be exploited? How did they get there in the first place? Old exploit? Unknown backdoor in a smart device app? Who's to say? And if they were added before OTP enhanced security made it's way to that particular platform, they can circumvent all 2FA requirements perpetually until removed and re-added. That alone is a serious security problem at Amazon.
It is not clear how the scumbag got into fidelisoris' account in the first place – possibly by stolen credentials, or a bug in an application, or similar. For now, though, we're told Amazon tech support removed the malicious telly from their account. It's hoped that will staunch the fraud, though Amazon can't even confirm the equipment was the conduit for the fraudulent purchases in the first place.
The Register asked the cyber-souk for some clarification on the matter. "We take information security seriously and are investigating these claims," an Amazon spinner said.
fidelisoris told The Register the tech titan provided them similarly mealymouthed answers.
Amazon is saying nothing about the DDoS attack that took down AWS, but others areREAD MORE
For now, it certainly looks as though there is a glaring shortcoming in Amazon's customer service and its platform security that leaves punters potentially open to sustained fraud without any easy means of stopping it.
Meanwhile, fidelisoris says they have gone from victim to detective in this matter, and are leaving the account open for now in hope of uncovering an even greater issue: that there may be a hole through which crooks can add unauthorized devices to strangers' accounts without the need for any credentials.
"For those who suggested that the account should be abandoned and a new one created, I agree that is certainly the best move for security purposes. But now my inner-sleuth has come out," they said.
"Logic would assume that, now that all devices have been deactivated and no longer have the authority to access or purchase on my account... if another incident occurs, can we then suggest there is a greater possibility that a loophole exploit is still uncaught on one of these 'non-Amazon' device apps' code?"
If you or someone you know has experienced similar frustrations with Amazon or another retailer, please let us know. ®
Sponsored: Beyond the Data Frontier