Amazon's customer service backdoor (medium.com/espringe)
1447 points by grapehut on Jan 24, 2016 | hide | past | favorite | 356 comments



Whois is great for social engineering attackers. You get a name, email, address, and the first service to attack.

Meanwhile, ICANN is working around the clock to make it illegal for us to protect our personal information, and whois protection is becoming an increasingly niche service for registrars.

For example, gandi.net (and thus Amazon) doesn't hide your name when you have it turned on. By the time you find this out, it might occur to you to just type in a different name, but now you're violating ICANN policy. And it's already been scraped by any of those whois history websites.


In the UK this and a lot more is public information. As an example of what is available about me online (without paying a penny) just by searching for my name:

- The year I was born

- The district I was born in (not the exact town, although that wouldn't be hard to guess)

- My mother's maiden name (which is what most banks et al ask as a security question...)

- The areas I've lived (based upon the electoral register, which you can opt out of but supposedly this impacts your credit rating)

- That I am a director of a company

This is just what is available for free - you can get the full records this is extracted from by paying a small fee.

If you know the name of my company (which isn't hard to find out), you can also find for free:

- My full name

- My address

- My date of birth

- Roughly how much I make a year

TL;DR: If you rely on this to 'identify' someone, you are doing it wrong.


>TL;DR: If you rely on this to 'identify' someone, you are doing it wrong.

Which is why the system is set up so that if I go to the bank with this information and take money as you, I have stolen your identity and thus you are the victim and are responsible for the losses unless you fight back. Identity theft was created so financial institutions could be lax with their verification process thanks to the blame being shifted.

In reality, identity theft doesn't exist. In my example I stole from the bank, not you, and you shouldn't at all be involved in the process.


...that's not what identity theft is. It doesn't have to involve stealing from banks, it just happens to be a popular use of it.

It definitely wasn't just "created" either. Pretending to be someone else to gain the benefits of their identity/reputation/privilege has always been around.


>In reality, identity theft doesn't exist. In my example I stole from the bank

you wish https://www.youtube.com/watch?v=CS9ptA3Ya9E


Your remark about opting out of the electoral register is not quite correct.

It is a requirement to register if requested, the fine for failing to do so is £80. However, it is always an option to not appear on the open register. The open register is publicly accessible, and being absent from it will not be detrimental to your credit rating.


>being absent from it will not be detrimental to your credit rating.

But it will make identity checks with banks a little more complicated; normally they use the electoral register to confirm your address.


I have always opted out of the open or edited register, and have never had a problem with this.

Seems like your details can still be used for credit checks and fraud prevention (which I imagine covers confirming identities and addresses) even when you opt out[1].

[1] http://www.electoralcommission.org.uk/faq/voting-and-registr...


At least Nominet allows you to opt out of public WHOIS information.

Although they planned to change this if you ran ads on your site:

http://www.theguardian.com/technology/2014/jun/11/nominet-ne...


A related word of warning: Namecheap updated their registration page last year.

Now, when you register a domain it tells you free Whoisguard is included, but it doesn't make it clear that it's disabled by default.

Previously it just worked. Now you have to check another box to turn it on.

This change makes no sense to me. (If you want free Whoisguard, why would you not want it turned on?)

I was white-hot furious* when I discovered that a handful of new domain regs had leaked my contact details, and I began getting the inevitable spam calls and texts.


Worse, they'll happily sell you Whoisguard for domains that don't support it. When you discover it's not usable, they'll give you a refund, then include it again in the next billing cycle.

I switched to Namecheap based on recommendations here, and their previous stance on certain privacy issues, but I'm running out of alternatives.


A happy NameCheap user for years, I have started switching away. Their horrid "modern" 40px padding everywhere bubbly redesign makes GoDaddy look good in comparison. A major pain to manage more than a couple of domains, and much user feedback seems to fall on deaf ears, e.g. [1][2][3][4]

Example weird feature: all domains are shown, even ones that you've let expire/sold years ago, and there is no way to hide them.

[1] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[2] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[3] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...

[4] https://community.namecheap.com/forums/viewtopic.php?f=10&t=...


Another ex-happy Namecheap customer here. Was going through credit card fraud issues back in July. In September out of nowhere get an email from Namecheap support that my July payment for one of the domains did not go through and I owe them $240 for the chargeback. No amount of reasoning got through to them - this is after several years of owning multiple domains with them. Dropped the penalty by $100, but that didn't exactly make it right. As I was considering my options, they locked all of my domains and redirected to parking pages. Had to pay up to get them back. Avoid at all costs.

TL;DR: Credit card was stolen, Namecheap penalized me for that and then blackmailed by locking all domains.


Hey romanhn - did you contact support and try to make it right by reversing the chargeback?

This isn't about blackmail as jewsin writes in the comments, it's about the reputation a business suffers with a chargeback. All you would need to do is reverse the chargeback and the full charge would go away.

Disclosure: I work for Namecheap.


Hi tamar - thanks for reaching out! I was in contact with multiple members of the support team throughout this ordeal. Supposedly they consulted with senior management as well. Business reputation was never mentioned - it was always about paying a fee to the payment processor. At no point was chargeback reversal brought up. To be perfectly honest, I know nothing about chargebacks (this wasn't something I initiated, it was fraud-related) and the idea of a reversal never popped into my head. I may try to bring this up with them again, but I'm not sure how much I can do half a year after the fraud occurrence.

Still, I think my original points stand. I find Namecheap locking out unrelated domains and redirecting traffic unethical and in bad faith of the service provider / customer relationship. Not to mention that the domains continued to point to parking pages even after I paid up.


Hey romanhn - so sorry for this. Can you share your ticket number? I think there was a definite mistake in the process here as that should have been broached and if it requires some updated training for the billing team, I'll put in my recommendation for that.

I'm sorry as well for the parking page situation - my guess is it didn't immediately propagate, but I'd have to investigate further as to why that happened. Usually, it's not about redirecting traffic but just not letting you get into your account. This does not sound like it should have happened at all. I sincerely apologize that this is what you encountered.

p.s. I love how trying to genuinely be helpful has resulted in an onslaught of downvotes. I'm going to assume you helped balance that out with an upvote. So thanks :)


> p.s. I love how trying to genuinely be helpful has resulted in an onslaught of downvotes.

I wish people wouldn't do that. It does appear that Namecheap has behaved very poorly in this case, intentionally or otherwise. Sadly, downvoting a person who works for an organisation has become a proxy for downvoting the organisation itself on HN recently, which doesn't seem constructive, particularly if that person is trying to share relevant information and/or improve the situation.


I did upvote, don't think the downvotes are deserved.

Sent my ticket number via the contact form on the website from your profile. I see that you spearheaded the SOPA membership surge - it's what got me to join in the first place.


Looks like things are working out right now - feel free to keep me posted. You know where to find me now ;)


Wow, I was just about to switch to Namecheap. More people need to hear this. How can a registrar make DNS changes without permission and blackmail?

Please write a blog post about this.


"If you don't pay us, we'll turn it off" isn't blackmail.


But locking all of romanhn's domains, so he can't take his business elsewhere, and transferring all of the traffic intended for his systems to somewhere else, does sound a lot like blackmail, not to mention a blatant violation of how domain registration is supposed to work.

Also, $240 because of one chargeback, and doing the above while the customer is trying to sort out a fraud issue? Neither of those sounds like normal practice for a responsible domain registrar either.

Obviously there are two sides to every story and we're only seeing one here, but that one does look pretty bad for Namecheap.


Please see my comments above - there are ways around this but it appears that that path was never pursued.


Another Namecheap "gotcha" is they auto-renew any domains you have set up for auto-renewal a full month before you're due for expiration. So if you're thinking of moving away, and trying to decide as the expiration date approaches, make sure to disable auto-renew on those domains while you decide.


It was my understanding that the registration time you have with one registrar carries over with the next registrar. In other words, if your domain is automatically renewed for a year and you move to a different registrar and pay for one year, your domain will be registered for two years.

I must say that I have never verified this myself, mostly because I've never needed it that bad. At least something worth looking into if that problem arises.


Yep, that's exactly what happens: https://duckduckgo.com/?q="domain+transfer"+"remaining+time"

(Can actually confirm that from this month's experience, so it's even freshly verified :)


Not really a gotcha. Some TLDs require that early renewal, and one month is how we handle it to avoid any disconnection in service. But yes, if you move away after a domain is renewed (e.g. your domain expires in 2017), most registrars -- but not all -- will add a year so it renews in 2018.

(Full disclosure: I work at Namecheap)


But everyone's using a 10" Surface tablet now! We all need that 40px padding for our sausage fingers while tapping our screen at work.


Do you mind sharing where you switched to?


I recommend Gandi. They support almost all the TLDs, their web UI is very decent, their support is excellent and they live up to their "No bullshit" motto. They are also overall good guys, donate to the EFF, took public stances against SOPA and such...

They're a bit more expensive when it comes to domains but we're talking single dollars a year here.


Name.com has been legit for me for about 10 years. Use code PRIVACYPLEASE for free whois privacy (this code has worked for the past ~5 years). I've also used IWantMyName for some TLDs that name.com didn't have and I liked that they had 2FA, but overall it was much less polished.


I've used joker.com for years. The website isn't pretty, but you can actually do many functions via PGP email.


Ah, just Amazon (which uses Gandi under the hood).

Many pluses: predictable, can be administered using the AWS CLI, consolidated billing with other AWS services. Heck, can even register domains from the CLI.

Only downside as others have pointed out is that Gandi doesn't make it at all easy to hide your name or company contact information.


>Ah, just Amazon

So you are recommending someone switch over privacy concerns from Namecheap to Amazon in a story about how Amazon is leaking private customer data...

Really...


I've been using Moniker for ages. I'm always surprised I don't see it recommended more often. They seem very steady and reliable.


What about Google domains?


lpsz - Tamar from Namecheap here. We're working on the padding. It's not that it's falling on deaf ears; it's just that it's taking time for us to implement and QA.

Also, the issue with all domains being shown is a bug. If you have a ticket number regarding this, please let me know and I'll investigate this further because it should be resolved.


Same here - a satisfied Namecheap customer for years, but forced to move my domains away recently. Ironically, what originally brought me there was exactly the huge level of support for Namecheap in HN ranks (well, and a few instances elsewhere).

But their "redesign" and presumably the backend changes tied to it (or lack of them, whatever the real case is) resulted in the worst experience I've ever had with this kind of service in years, culminating in what was the last straw - one of my domains getting shut down five times in a single month due to bogus "domain contacts verification" procedures, which their support wasn't able to solve from early December to when I finally decided to move away in mid-January (from a short exchange after I moved away I assume it's still broken today, as they were apparently "investigating it" even after I was gone. That after having it in some way or another "fixed" about three times during the previous support exchanges.) Honestly, though, during that time my tickets mostly kept bouncing back and forth through customer reps that insisted on politely suggesting things like "to check my spam folder", even though I specifically explained every time that I was in full control of my mail servers and that it is them who don't deliver any kind of verification emails to those servers, so there was really nothing that could even end up in "a spam folder", and that yes, I actually thoroughly checked that, several times over. Yet my requests for them to check their own mail logs, because I was actually losing access to my domains without being able to do anything about it, were each time politely swept under the rug with generic assurances like "they're working on it and will keep me informed"... then the ticket was quickly closed as fixed.
Every time after the one particular domain went dark (and with another domain randomly flipping into bogus unverified states in the frontend interface, clearly lingering on the edge of the same fate), the domain was reactivated either by me or the customer support, was either set to have its contacts covered by WhoisGuard (which doesn't even use the contacts verification process at all), or at a later point even manually set back to fully verified by their techs (and one time had all my zone data completely wiped without explanation, apparently without whoever caused it having a backup at hand to restore it from) - only to again and again end up suspended as "unverified" several days later, losing me access to its emails, websites, everything...

Now I could still go on and on about how clunky the entire new interface compared to the old one is (yes, the original was lackluster, but not even remotely this level bad and in fact I've never had a single technical issue with it, other than being somewhat hard to navigate) and that ever since the redesign the new frontend frequently displays outdated or plain wrong information, crashes with cryptic errors, sometimes just decides to log you out five times in five minutes for no reason, but I think this is getting too long as it is anyway, so enough.

When I finally grew tired of running through their customer support in a neverending circle (to their credit, they were always very polite and nice, but it felt like that's all that Namecheap support was really trained for. And that clearly doesn't make my domains magically work there), I moved to Gandi just based on their overall popularity and good reputation with a few people. Already within a week I had two great support experiences with them and got my issues resolved each time in literally a single step of exchange. In the first case I received about a page-length of actual technical reply from their support rep that not only bothered to carefully read through several issues that I ran into when trying to run a Python app on their web hosting platform that I ordered for the domains moved there, they even included a how-to custom tailored to my specific use case that was way beyond what I originally asked for and that ended up saving me quite some time discovering it on my own, and also acknowledged that they had a major issue in their documentation system and that they had it quickly fixed in the meantime. Now the second time was less technical, as I accidentally burned a discount code while customizing and re-customizing some orders in what was probably an unexpected way for their interface, which ended in the code never being applied to any order but still ending up as used and lost... I wrote down the problem in a few sentences, customer support quickly verified it and issued me a new replacement code right with the initial reply in what had to be less than an hour. Can't really say I'll be missing Namecheap any time soon.


CSS Stylebot or a similar extension that allows you to create persistent stylesheets could help you! I think your grievance is legitimate.


That sounds like an awesome extension. I will have to look it up.


I've always wondered why I never see pairNIC mentioned on the "everybody knows godaddy is garbage but who should I use to register domains?" threads on HN.

I have used them since they opened (2002) and never used anybody else after that, because I have never been dissatisfied. (I don't remember if the box is checked by default, but they definitely offer whois privacy, along with services like custom/dynamic DNS and some other stuff, at no extra charge).

Their site is kinda barebones and old-school, but there are real humans in the rare case you actually need one, and they've never done me wrong.

So for whatever that's worth: another recommendation on HN.

[1]: https://www.pairnic.com/about.html


I used Pair right after they were accredited as a registrar in the 90's up till the mid 2000's but found they were expensive both for domain registration and for hosting. Great customer service but for a commodity like a domain name it's just not worth it for me.


Last I checked pairNIC was > $15/year for .com etc. That adds up when you have many domains. Therefore I use pairNIC for the domains I really care about, and Namecheap for the rest.


It seems they are down to $9.99/year: https://www.pairnic.com/prices.html


Wow! No excuses now. With pairNIC you can call up and talk to a technical person during business hours in Pittsburgh, PA.


I'm happy with hover.com. They're part of Tucows, who I've been a fan of since the good ol' days.


OpenSRS is also Tucows but only for resellers. Their reseller system works alright. Used to use it when I worked for a hosting co.


Namesilo works well for me, and they have free whois privacy.


I've been a happy user of Google Domains since closed beta. I'll never go anywhere else for domains again.


Still waiting for them to open to the rest of the world; the beta is only for the USA. Frankly, no idea what is taking them so long.


What's wrong with name.com?


Depends on who you're asking and from what timeframe you're asking about. They used to be absolutely horrid in the age of alternate and meta-TLDs when the real rush to nab a domain was on. I can't speak about present times, however.


Plus Whoisguard is only free for the first year. There's Google Domains for $12/yr but the dollar and some savings isn't worth the hassle of switching away from Namecheap.


I'd recommend gandi.net; among many other reasons, they don't charge for whois privacy, though you still have to turn it on.


I have been happy with NameSilo.

They have a very strong privacy stance and take security seriously.


Maybe check out gandi.net? Very happy with them so far.


Hiding your contact information is like security through obscurity. I'm not saying it's not a good extra step to decrease the frequency of attacks (much like changing an SSH port to 3857 or something), but it doesn't add any real security. This is the crux of the problem; our addresses and birthdays are treated like passwords by these companies.


Passwords are also security by obscurity.


Not really -- security by obscurity is a re-statement of the idea that the security mechanism shouldn't need to be secret for the security to have meaning. You're allowed to have secret data, just not secret mechanism.

And relying on what looks like secret data (changing the SSH port) where the number of bits of entropy is low enough that it's plausible to try them all (16) probably still counts as security by obscurity -- it might hide you from many attackers, but it's not enough to make you secure.

Relying on data that's not actually secret, just hard to find, is just insecure.


> but it's not enough to make you secure.

That's not why you change the ssh port at all.

You change the ssh port to filter out false positives: if someone is attacking you on your weirdo ssh port, it's likely an actual attack that you need to pay attention to. You still need to do the rest of the security stuff.


Ssh ports are brute forceable, passwords have a much much larger search space.


A changed SSH port is not a security measure. It's needed to keep your log files clear of random network scanning.

When your SSH port is something like 53148 and you see password brute-force activity in the logs, it almost always means that somebody is intentionally scanning your server.


Just a note: if you do change it, keep it below 1024. Otherwise if ssh dies anyone on the server can create a client listening on that port and steal credentials.


That's a somewhat obsolete belief – people have been scanning arbitrary ports for many, many years and SSH daemons helpfully announce themselves to search engines:

https://www.shodan.io/report/uMZDnWfT

This is a long-running problem and one with various popular solutions: restrict the source networks which you accept traffic for, disable password authentication entirely, and add some sort of rate limiting (e.g. 2004's fail2ban) for failures. Trying to reduce log volume by obscurity is futile - you really need to address the root problem and use tools which allow you to filter and aggregate effectively.
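The rate limiting on failures that the comment above recommends (and the point a few comments up that brute-force attempts in the logs are what actually matter, not the port number) can be seen in miniature with a sliding-window detector over sshd log lines. This is an added example, not fail2ban's code or anything from the thread: the auth.log lines are constructed, use RFC 5737 documentation addresses, and the year, hostname, threshold and window size are assumptions.

```python
"""
Flag source addresses that accumulate too many failed SSH logins inside a
sliding time window. This is the core idea behind fail2ban's sshd jail;
illustrative example only, not fail2ban's implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog-style sshd lines carry no year; the constructed sample below is dated 2016.
LOG_YEAR = 2016

# Matches the "Failed password" line OpenSSH writes for both valid and invalid users.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample auth.log (hostname "bastion" and all addresses are made up).
SAMPLE_AUTH_LOG = """\
Jan 24 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 24 10:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 24 10:00:05 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jan 24 10:00:09 bastion sshd[1207]: Accepted publickey for deploy from 198.51.100.42 port 40112 ssh2: ED25519 SHA256:placeholder
Jan 24 10:00:12 bastion sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Jan 24 10:00:30 bastion sshd[1211]: Failed password for alice from 198.51.100.42 port 40120 ssh2
Jan 24 10:00:40 bastion sshd[1213]: Failed password for alice from 198.51.100.42 port 40121 ssh2
Jan 24 10:01:02 bastion sshd[1215]: Failed password for root from 203.0.113.7 port 51070 ssh2
Jan 24 10:01:15 bastion cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jan 24 11:00:00 bastion sshd[1300]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jan 24 12:00:00 bastion sshd[1301]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Jan 24 13:00:00 bastion sshd[1302]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Jan 24 14:00:00 bastion sshd[1303]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Jan 24 15:00:00 bastion sshd[1304]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""


def parse_failed_logins(log_text):
    """Return (timestamp, user, source_ip) for each failed-password line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"
        )
        events.append((stamp, m["user"], m["ip"]))
    return events


def find_brute_force_sources(log_text, threshold=5, window_seconds=600):
    """
    Sliding-window detector: a source is flagged the first time it reaches
    `threshold` failures within any `window_seconds` span.
    Returns {ip: timestamp at which it was flagged}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for stamp, _user, ip in sorted(parse_failed_logins(log_text)):
        q = recent[ip]
        q.append(stamp)
        while stamp - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = stamp
    return flagged


def usernames_by_source(log_text):
    """Account names each source tried; a spread of generic names (admin, oracle, test) signals scanning."""
    seen = defaultdict(set)
    for _stamp, user, ip in parse_failed_logins(log_text):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    for ip, when in find_brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip} exceeded threshold at {when:%H:%M:%S}; tried {usernames_by_source(SAMPLE_AUTH_LOG)[ip]}")
```

With the defaults (5 failures in 10 minutes) only 203.0.113.7 is flagged; 198.51.100.42 (two failures, then a key login) and 192.0.2.9 (five failures spread one hour apart) stay below threshold unless the window is widened, which is the tuning knob a real deployment has to get right to avoid locking out legitimate users who mistype a password.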


At this point, 16 bits of entropy is more than the entropy of a lot of the passwords that I've seen.


You have 10 bits of entropy at best, unless you put it above 1024, at which point if it dies, any non-privileged user on the box can sniff passwords.


Why are you using passwords for SSH?

Do you actually have untrusted users on the box?

Why would you not secure the custom port to root-only?


If you are serious, you should limit SSH access to a bastion host with no unprivileged users.


Passwords are explicitly keys and not used for any other purpose.


I found last week that Namecheap enabled auto-renew of both the domain and whoisguard by default:

http://imgur.com/hoGfojZ.png

If you click through the checkout with the 'Confirm Order' button at the top right away you can miss that detail - as I have twice.

One of the reasons I switched to Namecheap in the first place is because they were a registrar that didn't rely on bundling tricks. I'm considering moving all of my domains away.


I'm not sure how true this is.

I registered a new domain with Namecheap just last Thursday and it had whoisguard automatically turned on.


I think it is enabled automatically for free for the first year, but does not automatically renew, because it is not free after the first year.


Same here. I've registered a bunch of domain names with Namecheap over the last year and they all had whoisguard turned on.


Please can you tell me how I can verify whether my details have been leaked?

I've recently purchased a domain from namecheap, with whoisguard, and if I recall correctly I didn't have to turn it on. I whois'd myself and found that it didn't leak anything. It didn't occur to me that scrapers can get at the info before you protect it.

Perhaps this has changed since your experience? Please could anybody else verify one way or another?

Cheers


I think the bigger problem is that public information like your name and address is sufficient for proving your identity. If we make whois information private, what about phone books, property records, direct mail databases, etc. etc.


If someone has your public name and address you're already at significant risk if you ever say anything controversial that gets attention. You're liable to being swatted, getting fake pizza orders, having people show up at your house, harassing you and much more. See Zoe Quinn, Brian Krebs, lots of less well known individuals, etc.


Which only proves your comment's parent's point even more.

{SWAT, pizza orders, etc} assume that the phone number that shows up on caller ID is authentication of the identity of the phone line on the other end. They could call back the number on caller ID to verify the original caller matched the person who picked up, but they don't.

Having knowledge of a Social Security number was assumed to be authentication, but it's increasingly obvious that such an authentication scheme is antiquated and was destined to fail from the beginning. When an identity thief can get a mortgage under my name with little more than credit bureau data on me, it costs only a little more than $15 to destroy my credit, my time, and my future because transactions don't have sufficient authentication.

These awfully designed authentication schemes will only magnify the problems as more companies (especially credit bureaus and data marketers) pass around data on me and make it easier for someone to buy it on demand.


>Having knowledge of a Social Security number was assumed to be authentication

No, the people that designed and implemented Social Security knew it was not secure for identification purposes; the first few decades of the program even had "Not to be used for Identification" on the card.

Then the government and financial industry got lazy and said "well, since the majority of people already have these numbers assigned to them, let's just use them for identification as well" and made it a de facto National ID. Something it was never designed for, nor secure enough to be.


Keep in mind too that Caller ID is trivially blockable (and blocked caller id isn't remarkable enough to be super suspicious), and it's also easily within the capability of many of the 4chan/gg griefers to spoof "correct" Caller ID numbers as well.


Caller ID shouldn't be blockable, these days. It's a big ridiculous problem that we've defaulted to "you can intrude with communications anonymously" - and phone calls are definitely intrusive.

I'm pretty much a hair away from blocking all calls without caller ID at my house so I can reliably lock out the remaining spam callers.


By "gg" you mean what? Gamer gate?


I assume so. The "gamergate are women-hating harassers" misconception is still alive and well.


Not that I order pizza more than once every few months, but I would probably switch to the pizza place that would call back to confirm the order each time.


As a counterpoint, see billions of people every day.

This is getting to the point of paranoia at this point. You're already at significant risk if you ever say anything that gets attention by virtue of living in a society. But it comes with benefits, too...


Agree. Your contact info in whois adds little to any number of other public records that will contain your name, address, phone number.

It does make good sense to not use your primary "personal" email address in whois, nor your home address. PO Box rentals are fairly cheap and that's what I use for whois registrations.


Sadly, you can't even use PO boxes for all domains, some registries require a "full" address.


USPS now supports a feature called "street addressing". Basically, instead of writing "PO Box #" as the address, you may write the actual street address of the same facility followed by your box number, something like "123 Main St #456". Private mailbox providers also often accept addresses like "123 Main St Apt 456", where 456 is the number of your mailbox as well.


> USPS now supports a feature called "street addressing".

Keep in mind that street addressing doesn't work at all USPS locations, although it does work at most of them. You have to fill out a form with USPS or any mail addressed to that location will be returned as undeliverable.


I've found private mailbox providers to be preferable in most every way to post-office PO boxes. Private providers are "street addressed" to begin with, virtually always accept from all couriers, usually have longer hours, often can call or email you when you receive a package, etc. In most cities, there are also more of them than post offices, I suspect because it's such an easy business to start. Look around your neighborhood: copy/print shops, shipping stores, and small business supply stores probably also rent mail boxes.

I wish this was an industry with a bit more visibility. When you think about renting a "PO Box", there's a good chance that you'd be better off with a box rental from a private mail service.


"The street finds its own uses for things."

Where I am (Australia) there's a whole bunch of places that'll provide "non Post Office PO boxes" who're perfectly happy for you to address things to "Suite 306" or "Apartment 306" as well as "PO Box 306" at whatever address the box is located. Fools _most_ of the "must be a real address, not a PO Box" restrictions.

(Interestingly, StartSSL failed me on that once when I gave one of those as a personal address - they mailed me saying "that looks like a business address, we need a personal home address for personal identity validation". I dunno if they Google Street-viewed it or if they've got some automated system that flagged it...)


USA is a little different. To get mail using the street address of the PO, boxholders have to sign an additional agreement, BUT:

1) it's free, and

2) they will also accept UPS/FedEx/DHL/etc shipments on your behalf for no charge! (they will sign for packages, but if "Direct" signature (the named recipient) is required, they can't accept those.)

If you just try using "UNIT #" or "APT #" or whatever, or you don't have this additional agreement signed, they can and will return to sender.


"Mailboxes etc." in the UK is a fairly widespread commercial PO box provider. I didn't realise that was their business until I found out about a local spammer using their Cambridge branch for their address :-)


Most likely more than x accounts used the same address.


Yes, but the new piece of information is that you are the one who owns that domain.


It's not just about proving who is who, it can also be about wanting to distance yourself from random people and their nonsense problems.


https://news.ycombinator.com/item?id=7525198

His daughter was also attacked...


> For example, gandi.net (and thus Amazon) doesn't hide your name when you have it turned on.

Well, yeah, I've been with Gandi for years, that's their published policy: https://www.gandi.net/domain/whois/

> By the time you find this out

You realize you should have done your homework and read your registrar's policies beforehand? I understand your overall point, but don't make it sound like Gandi did anything wrong here, just because you don't like it.


I would have left this very comment if you hadn't beaten me to it. :)

Gandi is very up-front about every aspect of their services. I found out that Gandi's whois privacy doesn't hide the name you provide as the registrant long before I entered my credit card details to provide payment information.

Their whois privacy is structured in this way because for many (all?) TLDs ICANN requires that the entity listed as the registrant be the actual owner of the registered domain.


I love Gandi because they live by their motto: No Bullshit.


In Germany you have to publish a full address on your website, so even if you don't own the domain, anybody can get you IRL.

http://www.gesetze-im-internet.de/tmg/__5.html


Ditto for TLDs controlled by the Indian Government.


Only if you have a commercial site.


According to Wikipedia, the word "geschäftsmäßig" includes private-use websites if it is even theoretically possible to get income from them, for example via ads. It quotes the ministry:

"The obligation to identify the provider must be fulfilled by practically everyone who makes an online offering available. An exception applies only to offerings that serve exclusively private or family purposes and have no effect on the market. When in doubt, you should assume that the provider identification obligation applies."

Which roughly translates to: everyone has to do it, unless it's a purely private service. So I guess you don't need it for your web-enabled password protected security cam, but you definitely need it for your blog.

https://de.wikipedia.org/wiki/Impressumspflicht


At one point in the past it was argued that hosting your site with a provider that injects ads was sufficient to consider the page "commercial". I don't know what came of it, or what is now required for a page to be commercial.


They don't hide the name because you cannot hide the name while legally owning the domain yourself.

Services that hide the name actually result in a company (e.g. "Domains by Proxy LLC") purchasing and holding domain ownership for you, which is a very different legal arrangement with different risks.


Treat a domain like money: if you want it held pseudonymously, you put it in the ownership of a shell corporation you control (through power of attorney to the board of directors), but don't own any equity in.


While I would love to do that it just isn't feasible for me and probably most others. ICANN really needs to provide better controls to avoid resorting to such workarounds.


> ICANN really needs to provide better controls to avoid resorting to such workarounds.

Not only ICANN but the whole financial world. Shell corporations provide no real use other than hiding money and ownership.


That's not true at all. Corporations have tons of legitimate uses, including reducing liability.


>Shell corporations provide no real use


They also sell gasoline.


I've thought of checking that... Instead of Domains By Proxy LLC or whatever legally holding your account, set up an offshore shell corporation and use that to register my domains, becoming my own whoisguard in the process. It's going to be more expensive than these services, but the domains stay under your full control and you can keep your personal info private.


Sounds expensive, though.


I actually like Gandi for this reason. Registrars have gone down in the past, and I don't want to have any difficulty proving that I'm the owner if that happens.

Besides, my primary domain is my full name dot com, so anyone who has any interest in the domain already knows my name.


If WHOIS is destroyed, your contact information will still be known by everybody you're in contact with, many you've only met, possibly many you haven't met but want to meet, and millions of employees of companies you've interacted with. There is no meaningful difference between that and public information.

It is Amazon's absurd assumption that your contact information is private that is at fault here. Trying to ameliorate this by contacting fewer people is self-destructive, and cannot achieve complete security unless you're willing to eliminate contact with everybody but those you trust with your accounts. Without a doubt it is Amazon's policy that needs to change.


There is definitely a meaningful difference between contact info being public and informal disclosure through normal contact. There's a reason doxxing is a thing.


For me the solution has been to stick with my national ccTLD registry. If your country has strong private protection laws then your national registry will shield your information for your ccTLD domains from public whois. It's not exactly bulletproof, they still make that information available from their whois database but it's just another step someone has to make to get to your information. That much said, on a ccTLD you should be able to get away with only just a name, surname and a valid email address.

What are the alternatives? Those fishy private protection companies? Technically once you sign up there, they own your domain, simple as that.

OpenNIC? I wish that was the case.


In Denmark (.dk), any citizen can get their address information removed from publicly available records. That means that any private individual or company cannot get access to your address information unless you manually give it to them. (Note: Government agencies still have access to this information.)

.dk-domains are owned by persons, not the registrars, and therefore the whois-information for .dk-domains follows the same procedure as addresses. So if you have 'address protection' as it is called, your personal information is immediately removed from your whois information.


> By the time you find this out, it might occur to you to just type in a different name, but now you're violating ICANN policy.

Why not just "sell"/transfer ownership of your domain to another entity (one that you own)?


What you need is the following (and no more):

a) A valid email address. (A gmail that forwards to your real email will do).

b) A valid postal address. By valid I mean "in the proper form".

As such the following would get flagged:

1 Main St. Anytown USA 10016

(because it doesn't exist..)

545 Jones St. New York NY 10016

(let's say that's a post office..)

is fine.


Yes, it's awful. Fortunately, at least one registrar (Google Domains) has free whois privacy for all registrations and I think they prompt you about it by default, too (to agree to some legal terms).


Hover also has free whois privacy by default.


> For example, gandi.net (and thus Amazon)

Why do you say here and thus Amazon?


I assume it's because AWS uses Gandi as their registrar.[1]

[1]: https://news.ycombinator.com/item?id=8116506


while Amazon itself uses Mark Monitor from CSC.


You can register for domains through AWS Route 53 and it'll automagically register on Gandi with WHOIS protection and link it up inside Route 53. You then don't need to leave the AWS UI, it just seems like it works magically.

(I think this is true...I can't remember now actually).


I have used https://ititch.com/ for over a year now. You can pay with bitcoin, and they don't do much validation of whois input values. I use it for my domain registration and whois protection; they support IPv4 and IPv6, which in my country are not supported by the biggest companies like 1and1. Customer support answers in less than 30 hours.


It's not just whois. Our personal info is out there everywhere. Say, you're a developer who signs his OSS software tool with a certificate that comes with your home address...


OVH did this to me. I registered a .pw domain and I thought it was WHOIS secure, but after registering... I found my full name, address and email were all public, forever. (Domaintools keeps a record of it)

I will never again register a domain with my real info. Sorry ICANN, I don't give a about you or your policy.


Fighting online thieves by putting more innocent people at risk doesn't sound like a way to fight online thieves.


How does one go about having their details removed from whois?


When we start using block chain to replace DNS and usernames to replace domains, and services to replace hosted servers, a lot of things will change. One is that there will be nobody to force us to verify who we are. These kinds of things serve no purpose other than to hand leverage up the chain.


Did I miss an RFC?


Worth checking out: someone reproduces using a fake address to get a real address.

https://medium.com/@amaz/thank-you-for-sharing-this-but-i-co...

(contains pretty great screencaptures)


Wow, that second rep was really struggling to find the line in his script that fit the situation (without much success).


Well, that's just... Really bad.


How to stop this:

1. Get a friend's permission to "hack" into his Amazon account (or "hack your own account").

2. Contact Amazon's customer service, try the same social engineering techniques that the OP documented.

3. Once you obtain some sensitive information from the account, scare the CS rep by saying: "Haha! I am actually not the customer. I am a journalist/hacker/whatever and wanted to see how easy it was to social engineer information out of your customer service department, and you failed. I would like to talk to your manager please."

Hopefully if enough people do this, it will get some internal attention at Amazon.


I think there is already enough here to shame Amazon into action if it gets on a major newspaper. Something like "Hackers break into Amazon account and Amazon will not do anything" Perhaps the Washington Post would be a good newspaper with credibility.


This already happened to Matt Honan back in 2012, where the hacker used social engineering on both Amazon and Apple to take over his twitter handle (oh and also wiping all his devices via iCloud). http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

It looks like both Amazon and Apple have fixed _some_ issues since then - Amazon is no longer leaking last 4 digits, but instead they're still leaking other info. Apple now requires more information to reset accounts and to wipe devices.


Apple set up 2FA for certain actions (changing passwords, adding or removing devices from an account, etc); Amazon has yet to do anything related to 2FA for normal customer accounts.


2FA is now available for Amazon customer accounts: http://betanews.com/2015/11/18/how-to-enable-two-factor-auth...

The option is only (at the moment) available for Amazon.com accounts, but if you enable it there it will also be turned on for other domains, Amazon.co.uk etc.


Not sure if you were being sarcastic or not, but Jeff Bezos bought Washington Post...


oh, whoops...


Please don't do this. You're much more likely to get your friend in trouble with Amazon and have the police called on you.


You think Amazon wants to arrest its customers because they shared account information?


How do they know who did it though?


Have the police called on you for what, exactly?


Stealing free shipping. You monster.


If any journalist is interested in trying, contact me (email in profile) and I will give you permission to use my account.


So, commit criminal fraud to prove a point?

Bad idea.


If there is written, explicit permission to perform this attack, how is it different from a corporate penetration test?


Amazon hasn't given permission. I suspect they'd be quite unhappy. Having said that, I personally think they ought to expect it, and be responsible for whatever failings it discovers.


How is it fraud if you have permission from the account owner to try and access it?


Fraud against Amazon, not the account owner.


Fraud requires personal or financial gain. This doesn't seem to apply.


Well, you may gain increased security on your Amazon account..


> Hopefully if enough people do this, it will get some internal attention at Amazon.

This is very smart, why has no one thought of this before? When people post it on Medium and share it on HN/Reddit it will not get enough internal attention at Amazon for sure. So let's do something totally stupid which could easily get us in trouble with the law enforcement to make a shitty point to Amazon so that they can notice something is wrong on their end.


There is no point in getting a friend involved. Just see how much sensitive data Amazon will give you without giving them any of your login credentials.


4. Get arrested


Given Amazon's history to NEVER involve law enforcement in outrageous cases like https://news.ycombinator.com/item?id=10966164 or even the OP, I doubt you would get arrested.


Amazon does not care. A fraudster used our startup bank account to pay at Amazon. We told them; they did not blacklist the user from using our account or take any action besides removing the bank account (ours) from his Amazon account.

The fraudster did this at least 3 times with increasing amounts of money. Amazon did not care. Only when we went to the police did this stop.

Amazon sold me a phone, and the box arrived empty (I wonder why they do not check the weight when it leaves their warehouse; DHL printed a weight on the box that was less than the phone alone). It took Amazon support months to solve this; in particular, they could or would not cancel the attached mobile phone contract for months.


I had a situation where Amazon couldn't bill my bank account, so they blocked logging in.

I verified with just name and address to a customer service rep and asked for the steps I'd have to do to unlock it again, and they told me that (a) the transaction failed, (b) they told me my IBAN. In plaintext. The full IBAN. (c) and then they told me the steps to fix it (wire them the money that I was owing them, plus 6 EUR. Standard procedure in Germany).

In the end, everything worked again, but the fact that they gave out my IBAN — enough info for anyone to go and pull money from my account — is making me so angry.


Could you tell how knowing an IBAN enables someone to take money from your account? As far as I understand, the only thing that can happen with an IBAN is to receive money.

Maybe you're thinking of the credit card number? The CCs I had had different CC numbers and IBAN accounts.


SEPA direct debit allows you to pull money via IBAN (+ BIC, depending on the countries involved in the transaction).

Specifics vary from country to country. Some require active approval from the customer (IIRC France, probably more), others "just work".

Fraud is not as common, since bank accounts that are allowed to debit money this way are generally only available to companies who have to sign paperwork ensuring that they have written permission from each debitor. Additionally, although this might be country-specific as well, chargebacks can be initiated without providing any reason for at least 8 weeks, and in case of a fraudulent transaction, up to 13 months.


Thanks, didn't know about that. Sounds like it's a very specific type of account, and most default accounts with an IBAN don't have this possibility.


No, anyone’s account can be debited from, but only specific accounts can be debited to.

I can’t pull money from your account, even if you tell me your IBAN.

But I can use your IBAN to order from amazon, and then amazon can just pull however much they want from your account.

Luckily chargeback with direct debit works just as fast as with credit cards.


Thanks! That's something new that I didn't hear before. For interested parties seems [0] has some information. I need to check with my bank then to see how it works in my country.

[0] https://gocardless.com/guides/sepa/introduction/


Germany just works.


If you call a bank or another entity, that has your bank information on record, and claim to be someone specific, can answer basic questions and knows the full IBAN - perhaps they believe you are who you claim to be. This is social engineering, and it works.


I think parent specifically mentioned that just the IBAN is enough, which sounded very improbable to me. Another comment explained that it's possible but only with very specific accounts.


How would you pull money from an account by knowing just the IBAN? That's just the public address of your bank account and can be used to give you money, but you need all kinds of authentication to actually get money out of that account.


SEPA Direct Debit, or "Elektronisches Lastschriftverfahren".

You can go to amazon, give them your IBAN, and buy things, and they’ll use direct debit to get the money from the account specified by the IBAN, no further authentication necessary.

Obviously, you can do chargebacks, but this is still something they shouldn’t publish.


I had a similar experience buying a somewhat expensive watch through them - my wife was surprised to receive a very fancy, and empty, box. However to their credit they sent another one immediately, no questions asked. I really hope for Amazon to fix the issues OP pointed at, as an amazon.de customer I'm extremely happy with them.


> services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service

What you may want is a catch-all email - which lets you do *@domain.com -> nmjohn@domain.com (where * is everything besides already defined addresses) - that way you can make up emails on the fly without having to set up the alias beforehand.

I've had that setup for 5 or 6 years now, and it works extremely well. A handy side-effect of this is it makes it easy to see which companies sell your email address to spammers if you include the name of the original company in the email you register with.


I've done this and once had a phone rep from Geico who was convinced I worked for them because my email was something like geico@example.com. This was probably in the late 90s when email was still new to many people. She was really confused that I wasn't getting the employee discount. "Are you sure? Does a family member work for Geico? No? Are you sure?..." I don't think she ever did really understand what was going on.

Perhaps I could have saved even more than 15% if I'd just gone with it. :D


Fastmail and Gmail support a local suffix of the form yourname+amazon@gmail.com. That's a plus character between the local name and local suffix. If you use a password manager, you can replace a predictable suffix like "amazon" with a random hex value.

Unfortunately, many sites borked their e-mail address validation and do not accept the plus character. (Amazon permits it.) Also, you'll occasionally find a customer service ticketing system that expects replies to come "From" your account's e-mail address. (Many mail clients can alter that header, but it's a pain.)


Panix.com supports this, plus an alternate that works almost everywhere. You can use "whatever@yourname.users.panix.com", and it ends up in your inbox, filterable by the "To:" address. I create a new email address for every company I sign up with.

(Satisfied Panix customer.)


Fastmail also supports something similar, with whatever@yourname.fastmail.com mapping to yourname+whatever@fastmail.com


Gmail also supports you.r.nam.e@gmail.com (add random dots to the local-part). (Almost?) every system considers '.' a valid character. However, you need to keep track of which tagged address goes to what service, much like the case of a tag with random hex digits.


I fear that customer support might still accept emails without the suffix from the "customer". These are people, not robots, so if the address is close or in the vicinity of being correct, they might accept it. Same goes for the dot characters allowed in gmail addresses.


I strongly second this concern. I generate random strings as answers to my recovery questions. When I recently got asked one of the questions the support rep let out a sigh when asking (presumably because he saw the "crazy" answer) and then said "yeah yeah, alright" when I was about half way through the answer. That any company even suggests these insane security questions that anyone can trivially research is completely beyond me.


An idea I just had which is buried in a deep thread lower down...

Not that I trust the "security questions", but if Amazon lets you use freeform questions as well as answers, it might help to make your first security question "Have you noticed this account has two factor authentication turned on?" with an answer like "Yes, so Amazon Customer Service will take additional care when being asked to reveal account information, right?"

Even if you can't do freeform questions, perhaps the answer to "What's your mother's maiden name?" could be something like "Have you noticed this account has two factor authentication turned on? Please take extra care before disclosing account details to anyone, Thanks."


I would recommend strongly against that. You'd be far better off picking something plausible, so if someone does impersonate you it's obvious.

Remember it's a human verifying this. The attacker just needs to answer: "oh, yeah I just spammed the keyboard with some gibberish" and he's in.

The other thing I noticed with the attacker going after me: sometimes he'd call/contact the service multiple times in a row. All he needs to do is find out from one support rep that the reset password is randomly generated. Then tell another support rep that it's "some gibberish" and he's in.


For those sort of "mother's maiden name" type questions, I generally use a fake but plausible name. Probably not as secure as a random string (especially as the name is reused across a few services), but makes it near impossible to research, and avoids a random string not being accepted/treated as an error/truncated like your example etc.


> I generate random strings as answers to my recovery questions.

What's your favourite football team? -> Genghis Khan 2nd XI

What was your first school called? -> Little Horrors School for Hackers

etc. Easier to say, you won't lose the customer service rep's attention either :)


Also a lot of systems strip anything after the + now, especially spam systems.


Fastmail supports a@fastmail.com -> anything@a.fastmail.com, which is even better


I've even started seeing registration systems that tell me that I've entered an invalid address if I do the [email]+[something]@gmail.com trick.

Twice now I was only able to register after removing the +[something] part of the email.

Is + actually an invalid email character (according to RFCs etc?). I couldn't find any reference to that when I looked.


I'll try to avoid ranting here, but anything is a legal email address per the RFC (even an @ sign in a username, or an email address without any @ sign).

RFC 821 is the original and 2821 summarizes it plus the few that came after to add and clarify.

The only true "RFC email validity check" is to send an email to whatever address they provide.


Gmail also allows yourname.amazon@gmail.com


No they don't, since I could register that. Maybe you're confusing the period with a plus?


EDIT: I am stupid, disregard thread


That's radically different to what you presented in your previous example.


oh, yes it is isn't it. I was not SMRT


It certainly does not allow yourname.amazon@gmail.com if you don't own yournameamazon@gmail.com. You can do a suffix with + and random . but not a suffix with .


Note, though, that catch-all emails will also catch a ridiculous amount of spam. Creating each account name individually avoids that problem, at the cost of some extra trouble when registering a new service.

An intermediate step that may work if you don't expect people to target you individually: have one or more required substrings for the email local part, and catch all mail to addresses containing that substring.


I created my catch-all on a subdomain. While it gives a problem with certain websites (don't consider it a valid e-mail address), I barely receive spam on it.


> While it gives a problem with certain websites (don't consider it a valid e-mail address)

Are you saying that there are sites out there which don't accept mailbox@subdomain.example.com as a valid email address? If so, that's beyond broken...


My school's student addresses ended in @u.northwestern.edu. You can imagine this was annoying sometimes when email addresses ending in .edu were used to verify student status.


>My school's student addresses ended in @u.northwestern.edu. You can imagine this was annoying sometimes when email addresses ending in .edu were used to verify student status.

Sorry, could you repeat that? yourname@u.northwestern.edu certainly matches \.edu$.

Unless you're worried about the false-positive for a non-student with a different subdomain?


It doesn't match \w\.edu$


And you can imagine how maddening it is when 90% of students worldwide don't have a .edu, but some do.

Only one university in Germany has a .edu, and their students obviously manage to get far more benefits than those of us with an @informatik.uni-kiel.de email.


99% of the time we need to send proof that we are students; what is interesting is that many companies accept that even if it's not in English. Probably on good faith.

In Brazil, universities can use .edu.br, but we have few universities providing email addresses to students and also, the majority of grad schools in Brazil are not universities but a small college called 'University Center'


One method that I've seen used (heard it described by a guest on one of Leo Laporte's podcasts a looooong time ago) is to iterate account names by year. For example, this year the email address would be pyre2016@example.com, and next year it will be pyre2017@example.com. Not sure how well it works, but the idea is that every year you start over with a fresh address (that takes a while to get onto spam lists).

I'll note that I don't use this method as it seems too high maintenance and the effectiveness is unclear.


I believe the real issue here is it's not uncommon for spam services to try to locate valid email addresses. Generally, an email server won't accept email to an invalid user and will probably start flagging the incoming server/domain as those attempts start to cross a threshold of some sort. OP is talking about *@example.com as a catchall, which means a spammer's script will sit there and email a dictionary of usernames against your domain until it crosses its own threshold. It's not too hard to add an alias for each name as you go along, but it really depends whose list your domain gets on.


I was talking about making those actual accounts vs. aliases to the catchall address. That method makes no sense if each pyre<year>@example.com email address was just an alias to the catchall because pyre<previous_year>@example.com would still be caught by the catch-all, even if you disabled the alias.


Not a big deal if using a password manager and email acts as username.


Using it as your main email for personal/business purposes could run you into trouble though. Most people aren't used to a rotating email address.


> Note, though, that catch-all emails will also catch a ridiculous amount of spam

Hasn't been a problem for me.


> Note, though, that catch-all emails will also catch a ridiculous amount of spam.

I haven't found this to be true, or at least Google's spam filters have gotten sufficiently good to prevent it.

I have a catch-all address @morgante.net and rarely ever see spam—maybe once a week.


I receive all mails @ my domain and I get about 1 spam a day. Fastmail's spam filters are pretty good.


Do you have a good idea of the rate of false positives?


No, I don't check my spam folder. Never had any reason to do so in the last couple of years.


Make sure you keep a list somewhere of which site got which email address.

I used to do this too and it was great, but then when I started trying to recover accounts that were a few years old, I had a heck of a time remembering what email address I had actually given them in the first place!


I just do companyname@mydomain.com. That's how I knew Broderbund sold my email address.


I was doing that but some companies think you are "hacking" if you put the company name in. Like I don't think you can do facebook@mydomain.com on Facebook.


They must have changed that at some point, since I do exactly this and have no issues. I set up my FB account 6 or 7 years ago though.


I would tell you that my FB email address has that format, but maybe I'd be leaking too much information by doing so....


fb@mydomain.com is perfectly usable though.


So I think that was grand-OP's point to a degree. If you can't always do companyname@mydomain.com there is a chance you will forget what you used. Example:

aws vs amazon-web-services vs amazon.web.services

facebook vs fb vs fbook

Or for example I've used Rally the project management tool, but my health insurance uses a (terrible) "rewards" program called "werally" but it's ALWAYS referred to as "rally". It can get unmanageable.

Now I use 1Password to track all of this stuff, which works well, so I think there are solutions, but I do understand the grand-OP's point.


You can approximate this with gmail using the plus sign. Like myaccount+label@gmail.com.

It's ignored for delivery, but gmail's filters can match on it in the to: address.


Every time I've tried to use that feature, the email field in the registration form I'm trying to fill out rejects it because they don't like + in an email address. There are a lot of not-quite-correct email form validation routines out there. Or maybe this is selection bias: the forms where I'm most likely to want to use the + are with the companies that are most likely to want to resell my email address, and they may be intentionally rejecting the +.


Lots of programmers try to write regular expressions to validate e-mail addresses, but it's extremely difficult for them to get it right, because valid e-mail addresses as defined by RFCs 822 and 5322 fall outside the set of formal languages describable by most regular expression libraries. See this fun stackoverflow answer [0].

[0] http://stackoverflow.com/a/201378
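To make the aliasing schemes and the validation complaints in this sub-thread concrete, here is an added example (not from any commenter, and not code from Gmail, Fastmail, Panix or any other provider): a catch-all router that recovers the per-service tag from both `user+tag@domain` and `tag@user.domain`, gates catch-all delivery on a required substring in the local part, and shows the kind of over-strict form regex that rejects both alias styles. The domain, user, secret token and sample addresses are all constructed.

```python
"""
Per-service e-mail aliases on a catch-all domain: routing and validation.

Added example, not code from the thread or from any mail provider. It
demonstrates three points made in the comments above:
  1. recovering the per-service tag from `user+tag@domain` (Gmail/Fastmail
     style) and from `tag@user.domain` (Panix/Fastmail subdomain style),
     so a leaked alias tells you which service leaked it;
  2. the "required substring" catch-all: any local part containing a
     secret token is accepted, everything else is bounced, so a dictionary
     run against the domain never reaches the inbox;
  3. why a sign-up form's over-strict regex rejects these aliases.
Domain names, tokens and sample addresses are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration for the example domain.
BASE_DOMAIN = "example.com"
USER = "nmjohn"            # the real mailbox behind the aliases
SECRET_TOKEN = "k7q2"      # required substring for catch-all delivery
EXPLICIT = {"postmaster": "admin", USER: USER}   # local part -> mailbox

# An over-strict pattern of the kind many registration forms use: no '+'
# in the local part and exactly one dot in the domain.
STRICT_FORM_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}$")


@dataclass(frozen=True)
class Route:
    accepted: bool
    mailbox: str = ""      # where the message is delivered
    service_tag: str = ""  # which service this alias was handed to


def split_address(address: str) -> Optional[Tuple[str, str]]:
    """Split on the LAST '@'. A quoted local part may itself contain '@'
    (RFC 5321), so splitting on the first one is wrong. Returns None when
    the string cannot be a deliverable address at all."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return None
    if len(local) > 64 or len(address) > 254:   # RFC 5321 length limits
        return None
    return local, domain.lower()


def form_rejects(address: str) -> bool:
    """True when the over-strict sign-up regex would refuse the address."""
    return STRICT_FORM_RE.match(address) is None


def route(address: str) -> Route:
    """Decide delivery for one recipient address on BASE_DOMAIN."""
    parts = split_address(address)
    if parts is None:
        return Route(False)
    local, domain = parts
    lowered = local.lower()

    # Style 2: tag@user.example.com -> the subdomain names the mailbox.
    if domain == f"{USER}.{BASE_DOMAIN}":
        return Route(True, mailbox=USER, service_tag=lowered)

    if domain != BASE_DOMAIN:
        return Route(False)               # not our domain: no relaying

    # Style 1: user+tag@example.com -> tag is everything after the '+'.
    name, plus, tag = lowered.partition("+")
    if plus and name in EXPLICIT:
        return Route(True, mailbox=EXPLICIT[name], service_tag=tag)

    # Explicitly defined mailboxes take precedence over the catch-all.
    if lowered in EXPLICIT:
        return Route(True, mailbox=EXPLICIT[lowered])

    # Gated catch-all: deliver only if the secret token is present.
    if SECRET_TOKEN in lowered:
        return Route(True, mailbox=USER, service_tag=lowered)

    return Route(False)                   # dictionary probe: bounce


if __name__ == "__main__":
    # Constructed sample recipients as a mail server would see them.
    for addr in ["nmjohn+amazon@example.com", "amazon@nmjohn.example.com",
                 "broderbund-k7q2@example.com", "john@example.com",
                 "nmjohn@example.com"]:
        print(f"{addr:32} -> {route(addr)}  form_rejects={form_rejects(addr)}")
```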


but then the spammers use BCC and you don't know what email they used?


There's Envelope-to, which is the only thing you should look at. To, From etc. could be forged.


"The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over."

That's why nothing will change if these estimates are even in the right universe. Nobody wants to inconvenience the vast majority of customers to prevent a minuscule number of issues.


Came here to say just that. I did general customer support for a telco for a few months a while back, and most of the general public can't really deal with high security for personal information. If you were as strict with security as you should be, you'd be locking half of your subscribers out of their accounts eventually. This would create a phenomenal amount of follow-up paperwork for your company, meaning higher costs on your end and greater resentment on the customer's end - costs go up for you and customers head elsewhere.

It's why banks still use laughably short and simple PIN codes.


While that's true, and perhaps even needs to be "the default", there really needs to be a way to say "Hey, I'm concerned, and am prepared to take responsibility for my own access credentials. I demand you categorically _do not_ disclose any of my personal information to anyone without a warrant or court order." And for that sort of demand to have appropriate legal teeth to ensure people collecting that data are sufficiently motivated to act properly on it.


Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)

I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell companies "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...


> Startup idea: Whitehat Social Engineering (as a service). You authorise a whitehat team to attempt to social engineer all your discoverable internet presence/accounts to see what personal information their systems and/or customer service will disclose based on existing publicly available data. (I suspect legally that'd at least be on the white-ish side of grey rather than blackhat...)

You'd need to take care to avoid getting people locked out of their accounts, but otherwise that sounds like a useful service for the small fraction of people who have a high enough profile that others may actively target them. I don't know if that represents a large enough target market for a sustainable business, but it might.

> I wonder how long it'll be before (or how long ago it became) sensible to register a shell company as the holder of any public record you're legally required to make public? It's probably much easier to roll your shell companies "registered address" if you discover it's been compromised than it is to move house every time Amazon's customer service goes "above and beyond" on your behalf to your attackers...

Depends on how easily you can register a shell company that doesn't itself have easily traceable public records of ownership. Little point in the indirection if you can then look up the shell company and its official owners and legal contacts.


Whitehat Social Engineering won't be "a unicorn", so don't expect Sandhill Rd to invest, but it's not like whitehat pentesting is a unicorn type idea either, and there's lots of people running successful and profitable <sneer type="SV Startup DoucheBro">lifestyle businesses</sneer> doing that.


There are companies already doing this.


Unfortunately, far more people think they want that than can take full personal responsibility for it.

See also: people who don't understand that full-disk encryption means they lose their data if they forget their passphrase. That doesn't make full-disk encryption in any way bad, but if you train people to think that all accounts have a "forgotten password" option, they might get a nasty surprise.


Sure - it needs to be somewhat difficult to turn on, and turning it on needs to very clearly include an "I accept all responsibility for this" declaration.

Most of "us" already deal with these things though - there's no "forgot password" for my ssh keys or my ssl keys or my TOTP seeds - there's no "forgot password" for my 1Password and KeePass safes. We occasionally get to laugh at our less diligent colleagues and peers who belatedly reveal the time they "lost" the ssl private key or the production webserver ssh key, but it's not like we see critical infrastructure falling apart regularly because of forgotten-but-unretrievable passphrases.

But I suspect you're right, there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..." if Ama-Face-Goo-Yah-stagram allowed this...


very clearly include an "I accept all responsibility for this"

It can't be a simple checkbox, or an Agree button. Make someone type, exactly:

   I accept all responsibility for this
Even then, the majority of the general public (as opposed to computer nerds) would be awfully upset at being locked out.

You're exactly right: there'd probably be a whole lot of "Hold my beer and watch me turn on full personal responsibility here! Oh, hang on - shit. Oooops..."


A while ago I set up FDE on a new drive, put the passphrase in my encrypted password file, put the new copy of the password file on the encrypted drive, and then proceeded to wipe the machine that had the only other copy of that password file (well, at least the up-to-date version with that passphrase). A nasty surprise indeed. Thankfully I only lost a month's worth of files (mostly photos).


Heh. In the spirit of it being my turn to "… belatedly reveal the time …" I mentioned upthread…

One time I had my carefully encrypted secrets thoughtfully spread across my laptop drive, my iPod as backup #1, and an external hard drive as backup #2. All of which I had in my backpack one night - which I proceeded to leave at a restaurant where I'd been sitting outside on the sidewalk tables, and I didn't notice until _way_ after they'd closed for the night. (I used up a _great_ deal of luck that night - we went to that restaurant enough to be "regulars", and the waitstaff found it and knew it was one of ours, and it was waiting for me when they opened the next day...)


Then again, in this case it might be salvageable by having an option of turning up with an ID in person. Could still be faked, but it would be a lot more work at least.


Until/unless we can find and implement a workable way to make this a problem Amazon is financially on-the-hook for, instead of Amazon (et al) customers.

I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?

I wonder if there are applicable PII laws in his jurisdiction that'd have Amazon able to be held liable for disclosing his address? (I think there are here in Australia(1), but that doesn't mean regular Amazon customers have any chance of prevailing in court against Amazon's in-house legal team...)

(1) 6.67 of this says your address is "individually identifying data": http://www.alrc.gov.au/publications/6.%20The%20Privacy%20Act...


In the US, the relation Legal Name ~ Home Phone Number ~ Address is emphatically not private. It's in the phone book, it's in directories published by local school districts, it's on public property ownership records, in some cases voter registrations are subject to FOIA, it's on corporate registrations, amateur radio licenses, FAA pilot licensing (including small drones), all kinds of professional certifications and business licensing which is published on the internet, etc.

So no, very unlikely.


> I wonder what the PCI implications are if it's true that Amazon gave away his last four cc digits over the phone?

Absolutely none, unfortunately. Merchants are specifically allowed to store the first six and last four digits of a credit card number in any form they like.


At least until we hear something like "Donald Trump's personal Amazon account was hacked, and it was because Amazon's weak security."

Then Trump will even use this incident to say "I will force Amazon to become great again, after I'm president."

So a "small issue" could help Donald Trump get that much closer to becoming the most powerful man in the world. So, thanks Amazon?!

Obviously, it's all tongue-in-cheek, but I think you see my point. If it can be done, eventually we'll hear about a celebrity being hacked like this.


Minuscule number of issues that can lead to identity theft. I'm fairly sure that most countries have laws stating companies must prevent this to a reasonable extent, even if it means being inconvenient to 99.99% of users calling. This is after all a simple way for terrorists to get a new identity. At the very least they should be able to flag accounts as high risk, and have special procedures and senior staff handling such cases.

That said, the author has a very good point. If you cannot log into your account, they should not assist you. MS Support/Store does something similar. They send an email with a code to the address they have on record. If you cannot tell them the code they sent, they will not help you. So if you cannot log into your account, they can assist you in password recovery, and take it from there.


I'm probably going against the flow here, but I value convenience over security.

I had my identity stolen once, and it sure was annoying... if also a little fun. A credit was opened in my name, that I had to fight to close, and I was even interrogated by police because false me was associated with shady characters (surprise!) but in the end it wasn't the end of the world.

Security "features" however, are usually so annoying they destroy the will to live. They would be tolerable once, but they're constant, and constantly remind you that you are, in fact, a suspect. They pretend to "protect" you but actually dehumanize you and every interaction you have with other humans (not to mention security theater, where the features don't increase security in any way but are simply there to make you "feel" safe).

Being alive is to be at risk, and at the mercy of bad guys. We should accept it and enjoy life before we all die in the end anyway.


As hesitant or ashamed as I am to admit it, I must agree... convenience is king.

PGP/GPG comes to mind. Yes, technically superior but good god is it arduous.


precisely.

Except if they became liable for the damage caused by the information they released, of course. They would then have a financial incentive to have better security checks.


This is exactly the same thing that let someone delete Mat Honan's (Wired author) accounts back in 2012:

Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information.

http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/


No, customer service did not disclose the cc number in this instance -- they did disclose his address though, which stinks.


I worked for Amazon for four years. For nearly the entire time I worked there, I, as an engineer, had access to every customer's purchase history, contact information, email addresses, etc. The reason? On occasion, I'd need to get a user's email address to reach out to them if they reported bugs. The one service that offers employees this access is all or nothing. Either you get to see a customer's email, credit card number, and purchase history - or you get to see nothing at all.

Everyone knew that I had this access, and everyone knew that it was against Amazon's own policy to give me access. But to them, that was easier than fixing the service so that it was more useful.

Perhaps I'm just clueless, but something tells me that any relevant competitor to Amazon - say, I don't know, Google - would choose to fix the service instead.


>Perhaps I'm just clueless, but something tells me that any relevant competitor to Amazon - say, I don't know, Google - would choose to fix the service instead.

Why? The attitude you describe (do what's easy, not what's right) is endemic to any organization over a certain size in my experience.


Yes, Amazon is doing it wrong. But the much bigger problem is that your bank lets fraudsters impersonate you using easily obtained information such as your name and address. It is completely backwards that you need an impenetrable wall and moat around the place where you buy books and groceries, because, once you get past it, then the place where you store all your money and get your mortgage is as easy to penetrate as a piece of tissue paper. The root cause of all identity theft are the incredibly lax security policies of the financial system.


If you own a home in the U.S., anybody can already get your address legally and easily from your county or district property appraiser's/assessor's website. Along with how much you paid for it, and when you bought it. So calling an Amazon CS rep is a hard way to go about it. :)


Ah... if you're a resident of Sweden, anybody can get your full name, address, date of birth, civil status, list of company engagements (e.g., board member, owner of a firm, etc.) and the make and year of any cars registered by going to one of several websites - http://www.ratsit.se/ being one of the most popular ones. No login needed. This information is public data straight from the government. (Exceptions: people < 16-18 years old (afaik), and people with protected identity (about 15K out of 9.8M)).

Call or visit the Swedish Tax Agency if you want further info, such as personal identity number ("personnummer" - think Social Security Number but used for absolutely everything), taxed income, identity and full info of parents (including mother's maiden name - so much for that), etc. You don't have to tell them who you are or why you want this information.

Enter a street address on a site like ratsit.se and you'll find all the people registered on that particular address. I could go on. When I talk about this with friends in countries like Germany and France they're often flabbergasted; in Sweden we're so used to it that we think it's natural. We're basically doxxed by our own government by default. A stalker or identity thief's paradise. It's messed up.


Though, I would wager that very few Swedish companies consider any of that information as a "password", as seen in the article...


Overseas companies would though


I believe that such openness from the government is actually helping you implement a more sound security procedure. If all of that information is well known to be publicly available, there is much more awareness that it is useless as authorisation.


Having someone's personal identity number (personnummer) is in itself enough to do a lot of damage.

Many Swedish online shops will happily send you goods along with an invoice that you pay later. The invoice option is often only available if you provide your personnummer - which as I mentioned is public information, a phone call away - and have the goods sent to the address tied to that number. If you live in a house with a mailbox outdoors, a thief could order stuff to your address and empty the mailbox before you. "Stuff" could also be things like mobile phone subscriptions and whatnot.

Or, having your personnummer, someone could send a form to the tax agency to have your official address changed! I believe they do send a letter to the old address saying the address has been changed to <new address>. But there's time to do bad stuff in between the time of the change and your discovery of it. (If, indeed, you do discover it. You might be traveling somewhere, a fact that might've been gleaned from your social media activity.)

And, as breakingcups points out above, even if it were the case that sound security procedures were implemented in Sweden, that wouldn't matter much for the numerous non-Swedish services most Swedes use every day.

Anyway -- people being able to do stuff in your name is just one thing. I don't want the whole world to know my address, or marital status, or date of birth, etc - period. It's about privacy.


Although they probably can't get this information if all they know is your domain name.


If you are the officer of a company you own in the U.S., anybody can get your address from the annual corp. report.


It's the same in most countries. Opencorporates.com is the first place to look. Some countries, like New Zealand, have images of corporate documents online for free, which gives you a copy of the signature as well.

Like domain names, privacy when you have a company is hard.


Hawaii county removed the ability to search by name several years ago. You can still get name and mailing address for any property, but you have to search based on the physical address or otherwise query the correct property record. You can't just do a "let's see what John Smith owns" type of search.

You MIGHT still be able to search by name in the old fashioned way, by going into the office, but I am uncertain about that.


Buying the property through a Revocable Living Trust can make this harder (providing the name of your living trust doesn't contain your name, like most do!). Can cost only a couple of dollars to record the living trust, plus it helps with estate planning. Make sure the utilities are in the name of the trust as well, so they don't share your name+address.


The amount of available data varies by state. In TX, for example, sale prices are not disclosed.


But the deed of trust the buyer signed is in the public record (every Texas county of medium-to-large population has scanned land records online) and has the amount of the mortgage issued on its front page so that gets you close. That goes double if the form has an FHA case number at the top because it usually means the deed of trust is within 5% of the purchase price.

No, not all of the time, but very often enough to make it useful for social engineering.


As someone who has trained customer support agents, I can attest to the fact that most agents have to be taught every scenario. If it slightly deviates from the one they have been trained on, they are clueless.

Not saying all customer support people are like this. However, majority of people are. They rely on pre-written scripts. When a question is asked, they search for the template question with the answer.


You're absolutely right about the majority. If someone is capable enough to understand customer needs and resolve issues outside of predefined scripts they are capable enough to be working beyond customer support. Customer support representatives are largely people who exist as an interface between a customer who doesn't understand a system and a system that doesn't understand the customer needs.

Most companies would do well to invest in "Customer Support Engineer" type roles, putting people who understand systems and are informed problem solvers on the front lines, people who can identify technical solutions to customer problems. Customer Support Representatives' problem solving seems to begin and end with what they've learned from the latest ZenDesk webinar. Most companies seem to believe that fast and friendly messages are what customers want, through Twitter and Facebook, when the reality is they want their problem solved, and the business most benefits when the cause is identified and solved for all customers, not the symptoms for one customer.

Most companies could slice their customer support costs in half and increase their customer satisfaction substantially if they invested in building out roles for problem solvers instead of ticket solvers. 1 ticket solved is 1 ticket solved. A problem solved can be hundreds or thousands of future tickets prevented and an improved customer experience.

(This comment isn't a slight against customer service representatives, they serve an important purpose at many companies and often provide great value. This comment is a slight against the companies that choose to hire a dozen more customer support representatives instead of addressing the core issues that are driving people to their support.)


I think you substantially over-estimate the number of tickets which can actually be 'solved' like this, and dramatically under-estimate the cost it would take to solve the problem. I'd have a hard time believing that the large number of companies who all operate this model are getting the cost-benefit analysis wrong by such a large margin as you seem to suggest.


Reading through this thread, I've now taken action to use a unique email for important accounts. I was already using [name of service]@[some other domain I only use for email].com. However, I just changed now to [random # and chars]@domain.com.

An additional thing I'm doing is reviewing what accounts have my credit card. One of the things I like about my Bank of America credit card is that I can use their ShopSafe feature to generate a card number for specific accounts.

So if I'm buying transit pass on a website probably made by incompetent people, I generate a new credit card number and use it one time. Same thing with doctors that want me to write my credit card info on a piece of paper and mail it back to them.


Any recommendation on what one (as a customer of Amazon) can do today?

2FA does not help here, as someone goes through the support channel, which looks like it bypasses 2FA.

Also concerned if the same trick can be applied to Amazon Cloud services, as there one can also run up a big bill pretty quickly.


If I were the OP or someone equally sure I was likely to be targeted via my Amazon account, I'd consider:

Using a unique email address.

Using a unique physical address (both for my account details and for my delivery addresses).

Use a unique credit card (I'd probably get a refillable prepaid gift card, and set up some auto topup to ensure it's got my expected monthly Amazon bill available as "credit", but not much more).

I'd probably move any AWS billing to a different Amazon account.

If I were more paranoid (or being actively targeted), I'd probably also try to go unique on _everything_ I tell Amazon; phone numbers, different city/state/zipcode (as well as street address), company name, website url, alternate contacts - then I'd set up "Security questions" with unguessable questions/answers (perhaps diceware/xkcd style "correct horse battery staple" type ones, that a CS rep could easily read out and verify - rather than a base64 GUID...).

Not that I trust the "security questions", but if Amazon lets you use freeform questions as well as answers, it might help to make your first security question "Have you noticed this account has two factor authentication turned on?" with an answer like "Yes, so Amazon Customer Service will take additional care when being asked to reveal account information, right?"


It seems to me that ANYONE who buys ANYTHING is equally likely to be targeted via their Amazon account -

Think about how many people actually use Amazon services

Through sheer competition, Amazon is forcing Walmart to close over 100 stores. We only know that because Walmart is big enough to get noticed.

Remember when Walmart was the company putting local mom and pop shops out of business?

Cycle of life I suppose...


I honestly have no idea. I think the only protection at the moment seems to be obscurity, use an email address that is not linked to you.


Use a special email address. In India, you can use Netbanking for making payments, where the bank handles the transaction and the merchant doesn't get any of your information like card details, etc.


I think the best solution, for now, is to just regularly check your full credit report for anything you don't recognize and watch your credit card, debit card statements for any purchases you don't recognize.

I've had credit cards get compromised in the past, and it was actually quite painless to have my bank (Chase) shut the card down and issue a new one.

Your information can be stolen from SO MANY sources and not just Amazon customer service. It's impossible to guarantee who sees any of your personal information once you share it with ANYONE on the internet (Amazon, Google, some random retailer, domain registrar, etc.).

The server at your local Applebees could steal your CC info.

Be sensible with where you share personal information, but don't be unreasonable. It's safe to use Amazon.

Just watch your credit report (regardless of whether you feel you're at high risk) and bank statements.

If/when a problem arises, then deal with it.


The problem is Amazon has thousands of poorly trained first-level support staff with far too much power and information.

What we need is a global security standard for support staff, with a template as to what information is accessible by staff and what isn't. And what is available to better trained 2nd-level support, etc.

And then each company can say they are certified for this particular security standard, and then you can't get social engineering attacks where you attack one large corporation, get partial information, and then feed that into another large organization to get other information. This was done previously using Amazon, again, to get enough information to take someone's Twitter account, if I remember correctly.


Not Amazon. Essentially every company. Your typical first tier support rep is paid perhaps $9-10 an hour, utterly hates their job, and has access to scary amounts of account information. It doesn't help that call center turnover rates are often so high that it isn't unusual for the median experience of reps to be 6 months, or less.

The bottom line really is that so far these kinds of social engineering attacks haven't been enough of a problem for companies to have the slightest economic incentive to improve the situation.


The vast majority of services use email address to identify you so diversifying your email addresses helps a lot. I've known about every hack/info leak ahead of everyone else for that reason - I use a unique email for every service.

I also use different cards for the major online retailers / tech giants so knowing the last four digits from my Amazon account is useless to validate anything else (though this does require having several credit cards or debit cards).

Whois privacy is absolutely required.

Unfortunately if someone is determined enough, almost all ISPs, cell companies, retailers, etc will happily give them control of your entire digital life. You can only minimize the risk somewhat.
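As an added example (not from the thread) of the unique-alias practice described in this comment, combined with the upthread point that only the envelope recipient can be trusted: given a raw message, look up which service's alias actually received it, ignoring the sender-controlled To:/Cc: headers. It assumes an MTA that stamps the envelope recipient into a Delivered-To: or X-Original-To: header (as Postfix and Gmail do); the alias registry and messages are constructed.

```python
"""Attribute a suspicious mail to the service whose unique alias received it.

Constructed example: the alias registry and the sample messages below are
made up; the header names are the ones Postfix/Gmail actually write.
"""
from __future__ import annotations

from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# One unique alias per service (constructed). Mail arriving at an alias
# tells you which service had that address, however the To: line reads.
ALIAS_REGISTRY = {
    "kx7v2p@inbox.example.org": "amazon",
    "q9rm4t@inbox.example.org": "registrar",
    "zz0b8n@inbox.example.org": "bank",
}

# Envelope-recipient headers written by the local MTA, in order of trust.
# To:/Cc: are deliberately excluded: the sender controls them.
ENVELOPE_HEADERS = ("Delivered-To", "X-Original-To", "Envelope-To")


def envelope_recipient(msg) -> str | None:
    """Return the first envelope-recipient header the local MTA stamped.

    With forwarding chains there can be several Delivered-To headers; the
    topmost one is the final delivery, which is what msg.get() returns.
    """
    for name in ENVELOPE_HEADERS:
        value = msg.get(name)
        if value:
            addrs = [a.lower() for _, a in getaddresses([str(value)]) if a]
            if addrs:
                return addrs[0]
    return None


def attribute_message(raw: bytes) -> dict:
    """Say which service's alias received this mail and whether To:/Cc: agree."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rcpt = envelope_recipient(msg)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    visible = {a.lower() for _, a in getaddresses(headers) if a}
    return {
        "envelope_rcpt": rcpt,
        "service": ALIAS_REGISTRY.get(rcpt) if rcpt else None,
        # True when you were BCC'd or the To: line was forged.
        "hidden_recipient": rcpt is not None and rcpt not in visible,
        "from": msg.get("From"),
        "subject": msg.get("Subject"),
    }


# Constructed sample messages.
SPAM_BCC = b"""From: "Prize Desk" <promo@spammer.example>
To: undisclosed-recipients:;
Delivered-To: kx7v2p@inbox.example.org
Subject: You have won

Click here.
"""

LEGIT = b"""From: order-update@shop.example
To: kx7v2p@inbox.example.org
Delivered-To: kx7v2p@inbox.example.org
Subject: Your order has shipped

Thanks for your purchase.
"""

FORGED_TO = b"""From: security@bank-lookalike.example
To: q9rm4t@inbox.example.org
X-Original-To: zz0b8n@inbox.example.org
Subject: Verify your account

Please confirm your details.
"""

if __name__ == "__main__":
    for label, raw in [("spam", SPAM_BCC), ("legit", LEGIT), ("forged", FORGED_TO)]:
        r = attribute_message(raw)
        print(f"{label:7} service={r['service']!s:10} hidden={r['hidden_recipient']}")
```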


Damn, lucky they send out emails after a customer service interaction or you'd have never had any idea this even took place.


It makes me wonder, if the person is unsuccessful at authenticating, does the real owner get a follow up email? For instance, maybe he had to try 5 times to contact support before he found an agent who authenticated me using a fake address.


> migrating as much to Google services which seem significantly more robust at stopping these attacks.

Because they don't have customer support?


Because 2FA


Wow. I had a similar experience with Skype too. They couldn't care less that someone had got access to my account and made calls. The attacker even added his own mobile number (in a different country) but Skype wouldn't bother investigating or escalating...


We had our AWS account hijacked three years ago. Someone had taken over our admin email by hijacking the DNS. They had hacked into our DNS account (with another provider) and changed the MX for our domain. Then they contacted customer support and convinced them to disable two factor authentication. Then they started to play with our account, starting and stopping servers.

Taking back the DNS took time. Meanwhile the hijackers were logged in, and could not be logged out by Amazon. This took more than a day. It took us two full days to get all back to normal.

The good thing is that they could not login to our servers. What they wanted is still not clear, and who did this - we saw some suspicious traffic from Russia, but that's all.


>Email services should allow me to easily create lots of aliases

I use blur from Abine.com, gives me a new email that forwards to my main, as many as I want, integrated with a browser plugin that barely adds time to signup.


Someone hacked my Amazon account once. I'm surprised they don't have 2-step verification.


On the other hand, 2FA opens up the "I lost my phone" customer support channel which might be just as weak.

For example, you can turn on 2FA for sending money via Bank of America's webpanel. As in, you log in with username/password and need 2FA for some restricted actions.

Well, phone up customer support and they'll remove your 2FA if you can provide them some secret details... all of which are displayed on the webpanel to anyone that was already able to log in.

It's a joke.


If they were following a script and the script were careful, saying "I lost my phone" would cause them to try to contact your phone, and when you answered and said you still had it, would put a fraud alert on the account and stop all further attempts to social engineer customer service.

But most companies aren't anywhere near that careful.


Wouldn't that allow somebody who stole your phone to lock you out of your bank if they answered the call? Seems like that'd make a stressful situation potentially worse if thieves knew they could do that. Especially if they called from a number that's linked to the bank anywhere and something like Google's dialer surfaces who it is - your bank calling seems like a potential "maybe I can get more" for a thief so they might be inclined to answer and impersonate.


I would prefer that my bank, if it detects fraudsters trying to pull some sort of trick involving my account, to freeze things until I show up and present ID. That's inconvenient, but clearly better than the alternative.


Banks would never do that, if only because they'd risk losing business in places where there are no local branches. Many of the national banks that offer the best conditions have no presence in a lot of metro areas.

And even if you make sure your bank has a local branch (which really, I've not gone to one in years, why would I need one?), what happens when you are on a trip, and your accounts are frozen? I've had my CCs frozen because the bank considered my expenses during a trip to be potentially fraudulent, but I could clear it up over the phone. Do we have to devolve back to carrying thousands in cash, like in the old days?

Security is always a tradeoff between avoiding fraud and being usable, and the tradeoffs that are great for some people in some situations are unacceptable for others.


My bank did this. They had actually made a mistake on their end; one of their reps put a hold on my account (presumably a suspicious transaction), but didn't put it in right so it registered as being my request.

I called up, asking why there was a hold, they said I put it there, I said I didn't. There was a long pause, followed by "for security reasons, we won't be able to help you with anything related to your accounts until you come into a branch and present photo ID".

It was a bit inconvenient, but I have to say I was pretty impressed.


So... what about banks with no actual physical branches?


In an ideal world, the bank would direct you to a notary public who would check your identity and public key fingerprint. (Sadly, the present state of things is probably too dysfunctional to manage that.)


Many people (including me) don't answer from unknown numbers, so that wouldn't work.


It wouldn't work /for you/. But for people who do answer their phone, it would add protection.


Possibly, but you'd want to be damn sure it was actually the bank calling you. What's to stop a scammer claiming to be from the bank calling you?

"Hi, I'm from bank xxxx calling to warn about some potentially fraudulent transactions we've detected on your credit card. Before we can continue, please answer a few security questions to verify your identity."

I suspect some people would fall for that and tell the 'bank' their personal details.


I've yelled at most of my banks for cold calling me exactly like that. My response is, "Can this be corrected online? Otherwise, I will call the 800 number myself, and if you could provide any specifics that might speed up that next call I would appreciate it."

In the past I've also sent letters to bank security teams not to cold call and ask for personal details.

One of my banks actually switched to a standard recorded message that ends in a "Please call our 1-800 number at your earliest convenience." Better.


A text message / email might though.

Just saying "Your account has been flagged for a lost/stolen phone which you use as your 2FA. Please contact support if this is not correct."


Just DoS the phone then?


> On the other hand, 2FA opens up the "I lost my phone" customer support channel which might be just as weak.

"I lost my phone" (or "my phone stopped working") does need some solution, though.

The right way to handle "I lost my phone" seems like one of two possibilities: either come into a branch and provide legal identification matching what you used to open the account (and get "yourself" on camera doing so), or have a token mailed to your physical address on file (which you cannot change at the same time as a lost phone claim).


Shout out here to NearlyFreeSpeech who do this right. They give you a set of verification actions:

    You provide a scanned copy of a government-issued photo ID.
    You provide a scanned copy of a statement showing both the most recent deposit and a name and address matching one of your accounts.
    You complete SMS verification. (SMS must be previously configured.)
    You complete 2-factor verification. (2-factor auth must be previously configured.)
    You correctly answer your security question. (Security question and answer must be previously configured, below.)
    You use an ssh key to create a file with a specific name on one of your sites hosted here. (Must be previously configured, won’t work if account is empty.)
    We try and fail to contact you via your currently configured email address. (This one may take a long time.)
You can then pick how many of these you want to require to get your account back (and which you want to configure), including an option not to help at all in the case you lose your account.


Nah. Them having a set of your scanned docs just means that if something like what happened to OPM happens, the attacker now conveniently has scanned copies of your docs.

So yeah, bad idea.


> have a token mailed to your physical address on file

This is the worst from the customer's point of view. Takes a long time.


It's on average 24h or less, considering that mail through DHL is next-morning delivery everywhere, and same-day delivery in larger cities.


This may come as a shock to you but some people live outside the United States.


I’m in Germany, actually.


2FA is useful if someone knows your password (e.g. you re-use it, and it gets leaked) but it's not useful in this case. I have 2FA set up on my accounts, and whenever contacting customer support I've never had to prove I own the device.



This is Amazon's problem for using street address (!) as a password. If there's an authentication issue, they should at least email or call or SMS you.


It is rather unfortunate yet at the same time unsurprising. :(

Two years ago I found out that Amazon allows multiple accounts to be set up using the same email address with different passwords (!!!) - which means that the potential attack vector is larger for no good reason.

I don't recall how this happened but I can only assume at the time I signed up to AWS and I might have reset/changed the password somehow that resulted in the system creating another copy of my account.

So all the information (credit cards, addresses, etc.) of the "old" account still existed until I deleted them. But let's say someone has no idea that they have more than one account with Amazon; they could easily leave their information intact in their "old" accounts, which, if they have weak passwords, can easily be compromised.

Unfortunately Amazon did not take this report seriously, and to this very day this issue still persists.


My email address also maps to two unique accounts. One of them has never had any information on it anyway but I agree it's very concerning.


There's also no way to separate AWS account from Amazon account it seems: https://forums.aws.amazon.com/thread.jspa?threadID=85882

This is really bad. The security implications are different between the two.


Sure there is. Sign up with a different email account. I hear they're free these days...


I meant that there isn't a supported way by Amazon. What about purchase history? Kindle books? Coupon credits? You're gonna manually migrate all AWS services you use one by one? What about AWS credits you might have gotten?

While you can certainly register two accounts and start all over, it's clear I meant an intentional support by the system to allow one to separate the two.


Couldn't customer service just treat all sensitive information like they treated the last 4 digits of the CC in this scenario? Verify only, reveal nothing. I'm sure almost all legit customers don't have even 5 possible addresses they may have shipped to; make them say what they think it is.


That would be the basic standard to which all CSRs are trained, and deviating from it is 100% deviating from protocol in almost any case; they do it for individual reasons (speed, a good customer survey, whatever).

When I trained Apple techs the clear communication was that people use pretexting for not just mundane things like credit card theft, but to commit violence against other people (especially in the case of domestic violence where they have some personal details and can try to get more).

Anything but the strategy of verify only is putting people's lives in danger.
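To make the "verify only, reveal nothing" rule from the two comments above concrete, here is an added example (not code from Amazon, the article, or anyone in this thread). The support desk function takes what the caller claims (an address and the last four card digits), answers only yes or no, never echoes stored data, locks after a few failures, and, when the account has two-step verification enabled, additionally demands a valid TOTP code as Amazon's help page says it should. The account record, the abbreviation table, the lockout threshold and the test secret are all constructed for the example; the TOTP/HOTP routines follow RFC 6238 / RFC 4226.

```python
"""Verify-only identity checks for a support desk (illustrative example).

The rep never reads stored data back to the caller: the caller states an
address and the last four digits of the card, the function answers only
yes/no, and an account with two-step verification enabled additionally
needs a valid TOTP code (RFC 6238) before any help is given.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import struct
import unicodedata
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not a real policy value

# Tiny abbreviation table so "Street" and "St." compare equal. This is an
# assumption for the example, not a real postal normaliser.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
           "apartment": "apt", "suite": "ste", "boulevard": "blvd"}


def normalize_address(addr: str) -> bytes:
    """Case-fold, strip accents and punctuation, expand common abbreviations."""
    folded = unicodedata.normalize("NFKD", addr).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.casefold())
    return " ".join(_ABBREV.get(tok, tok) for tok in folded.split()).encode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """TOTP (RFC 6238): accept the current 30-second window plus/minus `skew` windows."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-skew, skew + 1))


@dataclass
class Account:
    """Constructed account record; a real system would store hashes, not raw values."""
    email: str
    addresses: list[str]              # every address the customer has shipped to
    card_last4: str
    totp_secret: bytes | None = None  # None: two-step verification not enabled
    failed_attempts: int = 0


def csr_verify(account: Account, claimed_address: str, claimed_last4: str,
               totp_code: str | None, now: int) -> bool:
    """Return True only if every claim matches. Never returns stored values."""
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False  # locked: escalate to an out-of-band channel instead

    claimed = normalize_address(claimed_address)
    # Evaluate every factor before combining, so the only thing the caller
    # (or the rep) ever learns from a wrong answer is "no".
    address_ok = any(hmac.compare_digest(normalize_address(a), claimed)
                     for a in account.addresses)
    last4_ok = hmac.compare_digest(account.card_last4.encode(), claimed_last4.encode())
    if account.totp_secret is None:
        twofa_ok = True
    else:
        twofa_ok = totp_code is not None and verify_totp(account.totp_secret, totp_code, now)

    ok = address_ok and last4_ok and twofa_ok
    if not ok:
        account.failed_attempts += 1
    return ok


if __name__ == "__main__":
    # Constructed sample: RFC 6238's test key, at RFC 6238's test time t=59.
    acct = Account("alice@example.com", ["123 Main Street, Apt. 4, Springfield"],
                   "4242", totp_secret=b"12345678901234567890")
    now = 59
    code = hotp(acct.totp_secret, now // 30)
    print(csr_verify(acct, "123 main st apt 4 springfield", "4242", code, now))
```

Note that the rep's tooling gets a boolean, not the address list or the card digits, so a convincing story cannot talk them into reading anything out; and a caller who has already collected the address from a Whois record or a discarded shipping box still stalls on the second factor if the account has one.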


The OP says he is "a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away..." yet I do not think he enabled 2FA on Amazon.com. If he did, customer service would not have helped the hacker pretending to be him. As their help page says, "If you need help from Customer Service after enabling Two-Step Verification, you'll need to provide a security code similar to when trying to sign in to your account." https://www.amazon.com/gp/help/customer/display.html?nodeId=...


Actually, I do have 2FA enabled on my account. But I don't think I had it enabled at the time for the very first attack.

Interestingly, last night I did get an SMS: "Message from Amazon Customer Service: xxxxx is your Amazon security code" even though my 2FA is not an SMS (it's using authenticator).

I don't have access to the recording, so I have no idea what actually happened. But based on the email ("here's the details" on your order) I'm almost certain they were successful. Probably just told them that they lost the phone, or something. At this point, they've now been able to get almost everything possible about me.

Also interestingly, not once did Amazon recommend that I use 2FA to avoid social engineering. I was told by two different support reps to change my password though.


I was excited about Amazon enabling 2FA. I started using it right away but it doesn't work with their extended applications, e.g. signing in on Roku, the Amazon Photos uploader app for Mac, Amazon Video on Android/iOS.


Amazon should simply treat users with active 2FA accounts as high security accounts. High security accounts must go through a much more rigorous validation when speaking with support.


Somebody should try getting Jeff Bezos' address. I tried a couple of times and failed.


I'm concerned that names and addresses alone seem to be enough for these guys to do meaningful ID theft with. The phone book is full of names and addresses anyone can get their hands on easily. Even these guys in India - there's whitepages.com. Not sure why they're going to all the trouble of trying to game Amazon's customer support.

On that note, I order a lot from Amazon and throw out their boxes in the trash outside all the time. Sometimes I notice that neighbors (presumably) take those boxes for their own use before trash pickup comes along. All of them have my name and mailing address on them...


I've been using my local USPS PO box for domain registration for the past few years. It pays for itself when you figure in the cost of add-on services from registrars. I also use it as an address for similar in-person sign-up forms. Aliasing services like Fastmail are also a solid part of the equation. Use it as much and in as many places as possible. You could also try an IRL alias-type hack by giving out a slightly different name (middle name, title, etc.) when filling out your address.


People will forever be the weakest link in a system's security.


This article has taught me a valuable lesson: I should be using the email+suffix@gmail.com feature in each service I'm signed up for. Seems like an easy enough change.

Ideally, the suffix would be some non obvious function of the service name, which I can remember easily. Like taking the second letter of the service name and relating it to an object I encounter a lot in my life.


Working in the same neighborhood as Amazon's new headquarters, I've become convinced that not all is well with their security. All those blue badges with their employees' full names dangling from their belts while they're in line at the local food trucks is a social engineer's dream come true. Expect to see some high-profile breaches.


Someone's life in Amazon is about to become a world of pain. This is not going to be a fun Jeff B escalation...


I find it a bit weird that address and even credit card number are confidential information. Credit card numbers are not really secret, you hand them out to random waiters in random restaurants. Maybe part of the fault lies with the other companies who accept that information as ID?


Simply create an LLC and have it manager-managed, as opposed to member-managed. As long as you either do no business or legitimate business, the owner's (member's) info is protected, and it will list your registered agent and their office address as the site owner.


So I need to pay the state of California $800/yr to stop Amazon from giving away my personal info? No.


A possible solution to avoid people finding out the email you're using for a given service is to dump random word/phrase in your email address.

e.g. email+ifidontknowthisthisisnotme@youremail.com

Not sure how an agent would react to someone having part of the correct email though.
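The two comments above (the email+suffix idea and the random-phrase variant) both want a per-service tag that you can reproduce but nobody else can guess. One way to get that, as an added example that is not part of the original thread and not anything Gmail or Fastmail provide: derive the tag as a truncated HMAC of the service's host name under a secret only you hold. The base address, the secret, the tag length and the "host name without www" canonicalisation rule are all assumptions of the example.

```python
"""Per-service e-mail aliases derived with HMAC (illustrative example).

Plus addressing (local+tag@domain) only helps against someone guessing your
address if the tag is not guessable. Deriving the tag as a keyed hash of the
service name keeps it reproducible for you (you remember one secret) and
unpredictable for anyone who knows only your base address and the service.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

TAG_LENGTH = 10  # base32 characters, i.e. 50 bits of tag (assumed; trim to taste)


def canonical_service(name: str) -> str:
    """Reduce 'Amazon.com', 'https://www.amazon.com/gp/help' etc. to 'amazon.com'.

    Rule assumed for this example: host name, lower-cased, without scheme,
    path, port or a leading 'www.'. Pick one rule and stick to it, otherwise
    you derive two different aliases for the same site.
    """
    host = name.strip().casefold()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # scheme
    host = host.split("/", 1)[0].split(":", 1)[0]      # path and port
    return re.sub(r"^www\.", "", host)


def alias_for(base_address: str, service: str, secret: bytes) -> str:
    """Return local+tag@domain with tag = HMAC-SHA256(secret, service), truncated."""
    local, domain = base_address.rsplit("@", 1)
    local = local.split("+", 1)[0]  # never stack tags on an already tagged address
    mac = hmac.new(secret, canonical_service(service).encode(), hashlib.sha256).digest()
    tag = base64.b32encode(mac).decode().rstrip("=").lower()[:TAG_LENGTH]
    return f"{local}+{tag}@{domain}"


def alias_is_valid(received: str, base_address: str, service: str, secret: bytes) -> bool:
    """Check that mail delivered to `received`, purporting to come from `service`,
    carries the tag you actually handed that service. A mismatch means the
    address was guessed, leaked by a third party, or copied from another signup."""
    expected = alias_for(base_address, service, secret)
    return hmac.compare_digest(received.casefold().encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample inputs; use a long random secret in practice.
    secret = b"constructed-test-secret"
    print(alias_for("jane.doe@gmail.com", "Amazon.com", secret))
    print(alias_for("jane.doe@gmail.com", "https://www.amazon.com/gp/help", secret))
```

Two caveats a practitioner would add: a support rep who asks you to "confirm the e-mail on file" can still be talked into accepting the base address, so the tag only helps against services that match on the full string; and any site that strips or rejects the `+` part silently downgrades you to the base address, so check the confirmation mail the first time.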


If anyone wants to start a fund to sue Amazon for this, I am ready to pitch in a $100.


That's probably wishful thinking. I haven't checked Amazon's terms of service, but nowadays you can count on both of these being true:

- you agreed to arbitration

- you agreed to disallow class action lawsuits

I.e. thanks to the Supremes[1]:

   As a result, businesses that include arbitration
   agreements with class action waivers can require
   consumers to bring claims only in individual
   arbitrations, rather than in court as part of a
   class action.
[1] https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...


I'm pretty sure those kinds of terms, at least in the Netherlands and most of Europe, are illegal. So let's class-action them in Europe instead? I'll pitch in 100 euros.


Any lawsuit, class action or otherwise, requires the claimants to have suffered whatever harm they're suing over. You can't sue a company because they injured someone else.

(IANAL and I'm only familiar with English law, but I'd be very surprised if there was anywhere where that isn't true, it's pretty fundamental)


I am VERY interested in what you mentioned about fastmail. That seems like an amazing idea. I have never thought about it.

I think I need to make a script that can do that for me. A simple mail server to forward emails both ways.


"A chain is only as strong as its weakest link."


And now that this is public, we're all at more risk.


On your Amazon home page, go to:

Your Account › Change Account Settings › Advanced Security Settings

Turn on 2-step Verification.

It won't completely solve social engineering, but it can't hurt.


If you had read the article you would know that they already had 2FA turned on before the first intrusion and throughout the subsequent intrusions.


I might be being pedantic, but the only mention of 2FA in the OP is:

"As a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away, I would have thought my accounts and details would be pretty safe? Wrong."

Are you sure the author enabled 2FA on his Amazon retail account, or was it only enabled on his AWS account? The two systems do not share the same 2FA.

FYI I enabled 2FA on my Amazon retail account and when I called customer support they verified it. Once the verification failed and they refused to give me support.

Anyone else confirm a similar story with 2FA and support? Anyone willing to explicitly test this out?


There's no reason to assume he wasn't using 2FA. The title says "backdoor" and that's the point: they didn't verify identity... they asked for name, email and a nearby address.


> Actually, I do have 2FA enabled on my account. But I don't think I had it enabled at the time for the very first attack.

https://news.ycombinator.com/item?id=10965111


I don't think he was using 2FA; if he was, Amazon CS would not have given him the information (or at least should not have, based on their own policies): https://www.amazon.com/gp/help/customer/display.html?nodeId=....


Sorry, I did skim it but must have missed it! :-}

In any case, I will leave my comment so that folks who come across this thread have a handy reference for turning on 2FA on their Amazon accounts.


This was probably downvoted as it didn't help OP, however, this is really good advice. I'm doing it now - 2FA is enabled for all my work stuff but I hadn't gotten around to enabling it on Amazon. Didn't know they had it.


There's currently no 2FA for Amazon.co.uk and (I assume), other non-.com Amazon domains :(


If you login to amazon.com and enable 2FA, then when you login to amazon.co.uk (same username etc.) it will ask you for the 2FA code. It seems if you have an account for one Amazon domain you can login to all with the same credentials.


Why didn't the OP turn on two step verification? Amazon does support this.


His Amazon account wasn't even logged into, the CS rep gave up his information without the attacker being authenticated, and the attacker used that to login to other non-Amazon systems.


It's interesting how easy it is to do something like this, yet legitimate third-party sellers can't even talk to a live customer support rep when their account is suspended.


Same sh#t happens with Apple Support all the time, for a few years in a row. Someone was after my last 4 digits, requesting password resets to my Apple ID, like 14 times a day, and then impersonating me, talking to support.


Did you activate 2FA?


After that I did. And I was so surprised: Apple delays 2FA activation for a week, 'to be sure that you are you'.


I read this as a guy who has serious amnesia.


Customer support is what Amazon adds to the otherwise simple service of operating an online catalogue, stocking products and sending them out when ordered.

As you can see here, they are not doing a good job even in that department. Taking huge profits for basically failing.

I have called this a lose-lose in the past.

So -- be good and stop using amazon!



