Amazon orders subject to replacement fraud (still) (gmcbay.com)
236 points by georgemcbay on June 12, 2014 | 88 comments



George, do you have any domains with your whois/registrar information matching your Amazon account information? I guessed that was the vector they used to attack me. I had several domains with my home address as my address, along with my email and name. Voila. The entire triangle of data the CSRs need.

I was able to get a CSR to show me some of the logs of the chats with the scammer, which was particularly enlightening:

http://www.htmlist.com/rants/two-for-one-amazon-coms-sociall... (Thanks also for linking to my post in your article. It's insane this is still going on.)


I do, yes. The domain this linked post is on is registered to my current mailing address which is the same as the one I have on my Amazon file as my shipping and my billing address.

I've changed my Amazon email address as you suggested in your helpful email and hopefully that will be enough since I don't think it would be practical to try to put my mailing address back in the bottle at this point.


Change your registered domain address! There's basically no upside to having your "real" address listed.


What should I put instead? Isn't a bogus address grounds for ICANN to take your domain name away?


Maybe technically (or maybe not--never bothered to check), but I've never heard of it ever happening.

I usually put a legitimate address that's in the same city (and sometimes the same general area). Where I actually live is completely irrelevant wrt DNS and I can think of no reason to have it trivially available to anyone who can do a WHOIS.


Check if your domain registrar offers an anonymous registration service. Mine provides it for free, but some charge a small yearly fee. It is still fine per ICANN standards since it simply goes to a forwarding service.


From ICANN's perspective though, doesn't that mean that the owner of the domain is the registrar?

While most registrars would be perfectly fine, I worry about the one that is willing to take the domain for themselves (for a domain not worth going to court over).

While not exactly what happened, I remember the case of the @N twitter account being stolen (https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...), and wonder if having your actual information on the registration would help or hurt a situation like that.


This is precisely why I use whois privacy services.


That post linked to some socialengineered site, which has thankfully been taken care of in a roundabout way:

http://socialengineered.blogspot.com/

Thank god. Less scum out there doing shit like this, the better.


How bizarre. What legit customer asks for fucking order numbers? A whole bunch of them?

They really need to train their customer reps better. Good customer service is not black and white, you can keep out the frauds and still offer excellent service.


Here's a working hypothesis:

| Why is Amazon's security for replacement orders so lax?

Amazon values customer satisfaction above their fraud write-off.

| Why would they send a replacement to an address that has never been associated with me, and is in a wholly different state than the one the original item was sent to?

Because the time between ordering an item, and defect can be sufficiently large to cover moves: people shift around all the time. It's entirely conceivable you'd like to exercise replacement rights from Texas, even though you've ordered it from NY.

| How did the scammer know about my order in the first place to social engineer the replacement request?

Via: either buying order requests, using third-party honeypots to capture your info, using the domain registrar, or a combination of any of these.

| Why haven't Amazon black-listed the 13820 NE Airport Way; Portland, Oregon address as a destination for replacements? This package drop address shows up again and again when you Google around for people who have been hit by Amazon scams.

I suspect this might be http://reship.com/ (Alexa rank: 166K). This is entirely legit: if you're a UK customer who'd like to buy stuff that is exclusively US-only, reshippers are the cheapest way to do so. Based on their Alexa rank, I suspect Amazon makes quite a bit of money on these customer segments. Blacklisting them also wouldn't help this case: reshipping companies can easily buy up a handful of different addresses in a range of cities, making this a game of whack-a-mole.

| Can I really trust this company to hold multiple credit card numbers of mine in their database, one click away from someone potentially ordering thousands of dollars of merchandise that they can apparently easily redirect to an address that should have been black-listed years ago, if there were any kind of sane security policy in place?

Note that no credit card, or password database has been compromised in executing this attack. This is social engineering corporate goodwill at its vilest.

I suspect the root cause of this issue to be the friction-less execution of this engineering. A proper solution for this problem might be as simple as sending out an email with clickthrough-link-confirmation before replacement shipping; this would raise the bar from "knowing about an order" to "knowing about an order, and having an active compromise on the mark's inbox".


> | How did the scammer know about my order in the first place to social engineer the replacement request? Via: either buying order requests

Looks like you can buy order requests from people who social engineered order numbers out of amazon reps via chat. A rep from amazon provided someone who didn't authenticate themselves amazon order numbers [1].

> using third-party honeypots to capture your info, using the domain registrar, or a combination of any of these.

But how does a "third-party honeypot" capture your activity on Amazon? What does a domain registrar have anything to do with placing orders on Amazon?

[1] http://www.htmlist.com/rants/two-for-one-amazon-coms-sociall...


>What does a domain registrar have anything to do with placing orders on Amazon?

See someone make a blog post on their site about buying an Xbox from Amazon. Get WHOIS data from registrar. Have name and address of person who purchased Xbox. Use details to request replacement.


I can't even imagine the justification in a board meeting that allows for shrinkage on their scale for such an easy resolution.

To me, a simple resolution would be to escalate the "item not received," issue to a state side department (not in India, from what I'm understanding), track recent orders and customer interaction (super simple algorithm), and lastly and MOST importantly do not allow customer orders to be given out so freely with a verification of address and name (at least require an account pin or last 4 digits for the order in question).

If Amazon implemented at least these barriers, then the security of an account would fall where it should...back on the owner...not so easily be phished through Whois data, or just knowing someone has an Amazon account.

It's almost as if a black hat could use a phone book and tie names, with addresses and phone numbers and straight phish for data. This is just way too easy for fraud that the fact that it's Amazon is appalling.


> Amazon values customer satisfaction above their fraud write-off

I do get this, and as an Amazon customer, I'm glad this is their stance overall, but on the other hand it seems like they could handle this situation more securely than they do. It seems to me that you could have some sane middle ground where you do no-questions asked replacements, but with some caveats like no ability to change the address the item is being sent to from the original order unless the person you are communicating with can prove they are the account owner.

Maybe have a sort of two-factor system where the CSR can mark the order as "replacement approved" but you have to login to your Amazon account and take some action (just click a confirm button or whatever) to actually send the order out. At least in that case you wouldn't get cases like mine where someone managed to pull a replacement order without (seemingly) ever having actually had access to my Amazon account.


I'd think this could be prevented by a) stop giving out order numbers via chat and b) require customers to request replacements (or at least confirm them as you've suggested) by logging into their account.
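The confirmation step proposed in the comments above, as an added example that is not part of the thread and not Amazon's actual process: a replacement to the original address ships on CSR approval, while a new address stays pending until the logged-in account owner redeems a token bound to that order and destination. All names, the key and the 24-hour lifetime are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real service would load this from a secrets manager.
SECRET = b"constructed-demo-key"
TOKEN_TTL = 24 * 3600  # seconds a pending confirmation stays valid (assumed)


@dataclass
class Order:
    order_id: str
    account_id: str
    ship_to: str


@dataclass
class ReplacementRequest:
    order: Order
    ship_to: str
    state: str = "requested"  # -> released | pending_confirmation | rejected
    issued_at: int = 0


def normalize(addr: str) -> str:
    """Case-, comma- and spacing-insensitive form used to compare addresses."""
    return " ".join(addr.lower().replace(",", " ").split())


def _token(req: ReplacementRequest) -> str:
    """MAC over order, account, destination and issue time."""
    msg = "\x1f".join([req.order.order_id, req.order.account_id,
                       normalize(req.ship_to), str(req.issued_at)])
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def csr_approve(req: ReplacementRequest, now: int):
    """CSR approval. Returns None if released, else a confirmation token."""
    if normalize(req.ship_to) == normalize(req.order.ship_to):
        req.state = "released"  # same destination as the original order
        return None
    req.state = "pending_confirmation"
    req.issued_at = now
    return _token(req)  # shown only inside the owner's logged-in account


def owner_confirm(req: ReplacementRequest, session_account_id: str,
                  token: str, now: int) -> bool:
    """Release only if the authenticated owner redeems a fresh, matching token."""
    if req.state != "pending_confirmation":
        return False
    if session_account_id != req.order.account_id:
        return False  # knowing name, email and address is not a session
    if now - req.issued_at > TOKEN_TTL:
        req.state = "rejected"
        return False
    if not hmac.compare_digest(token, _token(req)):
        return False  # destination changed after the token was issued
    req.state = "released"
    return True


if __name__ == "__main__":
    # Constructed sample data.
    order = Order("ORDER-0001", "acct-42", "1 Example St, Springfield, NY")
    req = ReplacementRequest(order, "99 Reship Way, Elsewhere, OR")
    tok = csr_approve(req, now=1000)
    print(req.state)                                   # pending_confirmation
    print(owner_confirm(req, "acct-99", tok, 2000))    # False
    print(owner_confirm(req, "acct-42", tok, 2000))    # True
```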


As someone that moves around a lot, I appreciate how willing Amazon is to take care of every order-related issue, with zero fuss.

I fail to see what the "security" issue is, other than Amazon choosing to lose some money on fraud. That's not a security issue to anyone outside of Amazon, and Amazon seems clear in their stance.

Edit: A much bigger problem is Amazon's use of OnTrac, which repeatedly fails to make deliveries. Even in downtown SF.


> Amazon values customer satisfaction above their fraud write-off.

I doubt this is the case. I've had to place chargebacks against Amazon to get my money back for purchases that were not delivered due to Amazon screwing up and telling the vendor that the software key(s) were not purchased.

For anything software related, they offer no refunds even when they and/or their vendor screw up to the point the product is unusable.


> I doubt this is the case. I've had to place chargebacks against Amazon to get my money back for purchases that were not delivered due to Amazon screwing up and telling the vendor that the software key(s) were not purchased.

There may be a difference between how they treat physical and digital purchases then, because my experience (and the experience of vast numbers of internet commenters) is that Amazon will refund or replace a physical order with basically zero investigation.


Yes, they have different policies depending on what you purchase and whom you purchase it from.

Frequently with physical products Amazon is able to place the majority cost [they only lose out on their commission] of the refund onto the supplier. [e.g. If Amazon's fraud check fails to catch a fraudulent order, they push the cost of the chargeback onto the supplier if it is a FBA or MFN item. They also do this if their system screws up and merges multiple products onto the same ASIN even tho they are different colors or whatever.]

My guess is the vendor in this instance was large enough Amazon had to make a different deal where Amazon was the one eating the refunds if it was Amazon's error. The vendor blamed Amazon. Amazon couldn't even figure out I issued a chargeback and successfully disputed it for my money back.


I thought they had an "ultimate" get your money back option, with the big limit of your only being able to invoke it 5 times in your life. I started to do it once, during which I noticed the limit and decided to reserve it for really big purchases.

I have noticed that there doesn't seem to be any category of items sold by 3rd parties with more fraud than software, although this doesn't sound like such a case.

What does Amazon do after you place a chargeback against them?


So far, nothing. I got my money back because they couldn't deliver the software during the entire dispute window. That being the case, the Credit Card company just handed me my money back.

From what I can tell, Amazon failed to process the chargeback correctly on their end and the order doesn't show it was ever done on Amazon's end. I'm not really surprised.

The last email I got from them on the subject was that the software was now available like 3-4 days after the dispute ended. I didn't even bother to download it since I just got it elsewhere with the refunded $$.

However, I didn't do the chargeback until after 3 separate CSRs [including 1 from the vendor] all told me they wouldn't do a refund.


Certainly a confirmation email should be sent when the address is new


Yeah this is what kills me; if I send something legitimately to an address it hasn't seen for me before it requires me to re-enter my full credit card number and other information to prove I am me; I don't understand why they don't do the same for replacement orders. It doesn't seem like that hard of a problem to solve when not solving it means they are out $1000 worth of product from my account alone times however many people this has happened to.


But when you add a new address to your account, shipping to that new address could cost you money. When Amazon ships a replacement to a new address, it could cost them money. The risk profile is very different, so the implementation is different.

For the record, I don't understand why Amazon keeps allowing this. It seems like it could be fixed without much of a hit on customer experience, and the fraud ultimately does cost all of us more, as they have to cover those costs through higher prices.


> the scammer just needed the name, email and billing address associated with their accounts

Guess what, eBay just leaked 150 million names, emails and addresses. This will be a goldmine for scammers.

http://www.businessinsider.com/amazon-replacement-fraud-2014...


Because someone can argue that they don't have access to their email right now (on a trip or something). Or that the associated email has "been hacked".


> email has "been hacked".

But that's probably a big reason to _not_ let the orders through.


And contribute further to the customer's unhappiness? "I got hacked near Christmas, and then Amazon wouldn't help me so some of my presents didn't get delivered right."

I don't see why anyone cares if Amazon is liberal in replacements. So long as they're not somehow hurting your account standing with Amazon, it's Amazon's choice.


I wouldn't want my e-commerce store to fulfill orders for a compromised account without talking & confirming some key details with the customer. This HN post is testament to some funky ordering going on.

My experience has been positive with Amazon and there have been situations where they've gone out of their way to make the customer happy. I'm fairly confident that a situation like yours can be resolved with Amazon over phone.


You can access email from just about anywhere with an internet connection.

It's not Netflix; you don't need to stream anything, any crappy connection will do.

I find it hard to believe you're unable to check your email for weeks. Unless you don't want to but then don't complain at that time.


Lots of people still don't have smart phones, or computers they travel with. And so they do not use email when they travel.

And believe it or not there are still people in this world that may only have an email address with their employer which they don't access regularly outside of work.

And now back to the original article:

We are only getting one of many parts of this story, for all we know the scammer perfectly told a sob story about ordering a gift for their grandson who they haven't seen in several years and will be visiting soon but it didn't arrive in time for their trip and now would like it sent directly to the grandson while they are visiting him so they can still see the joy their gift will bring him.

My point is I don't assume that Amazon isn't trying pretty hard to prevent this fraud, and I don't assume scammers aren't putting in quite a bit of work to commit it.


The way this is played up makes it sound like a security issue, but it's a social issue above all else.

A story I've been meaning to write for a while, but aligns well with this: I bought a kindle a while back, with the (kinda expensive) case because I knew I would break the screen if I didn't.

I broke the screen anyways (some badly aligned books in my bag I think). I sent a kinda annoyed email at amazon about how their case didn't seem to help me much.

The next morning somebody from Amazon called me, trying to help me out with seeing if they could fix the screen (reboot style things). I was fairly confident I destroyed the screen, but they offered to replace it for me for free if I sent them back the old one at their cost.

The issue was that I was heading off to Japan the day after (from France), and so it would be a bit complicated for me to go to the post office on a sunday night to send it off. Instead, they offered to just send me the replacement to my address in Japan, no questions asked.

At no point did I prove anything about my story, I could have walked away with 2 Kindles (granted, one is probably blacklisted now, if I put it online). They did know I had bought one recently (which let them get my phone number through my account), but still.

Amazon has some pretty great customer service, and honestly requiring "proof" would, although for a rational human being would seem normal, have caused me great grief and I would just think about my 300g brick that I used for all of 1 week.

Anyways, I like Amazon a lot more than I probably should and take any opportunity to tell this story. Fraud is the small cost to pay compared to the goodwill you end up with by trusting (or at least pretending to trust) your customers.

The wifi on the replacement Kindle stopped working though... been too lazy to figure out why though.


Oddly, someone else in this comments section mentions an, according to them well-known, issue with this: https://news.ycombinator.com/item?id=7882436


Yup, it's me. The issue is mentioned many many times on Amazon forums, and everyone reports the same thing. Sometimes it's enough to change the name of your wifi network, sometimes it won't help. I also found a post somewhere talking about how the Wi-Fi kernel driver of the Paperwhite actually crashes in presence of certain networks, and nothing helps except for a reboot - and obviously if that network is still there it will crash again.

It seems to be mostly triggered by BT/Virgin Media routers here in the UK:

To give you an example: http://www.amazon.co.uk/forum/kindle?_encoding=UTF8&cdForum=...


> The wifi on the replacement Kindle stopped working though... been too lazy to figure out why though.

It's worth raising that within the first year, after that they stop doing free replacements.


Pretty certain the free replacement thing lasts more than a year does it not? I replaced one of my older kindles because of a screen issue recently


It's free for a year but Amazon customer service is usually pretty generous.

I had a kindle break after about a year and a month and they still sent me a free replacement. My father had his break after 2 years of heavy use, called Amazon and they offered him a discounted price on the Paperwhite.


Didn't for me. Though that may be because they no longer sell that model in my country.


Amazing that the scammer is even able to have the fraudulent replacement item sent to a different address than where the order was originally sent not once, but twice and an address not associated with the account nor confirmed/verified and could possibly be linked to multiple accounts.

Seems like a blatant oversight in loss prevention and fraudulent data sifting. Not only does it admit that an account has been compromised in some shape (socially most likely), but it disappointingly shows incompetence in Amazon CSRs.


If I recall, to deliver to a new address, Amazon requires you to verify by entering the card details you are using for the purchase, to prevent fraud. They should be doing the same here.


Maybe that fails for zero cost items like this as there is no card being used?


But if it's a return, surely they can pair it with the original purchase, inc. the address and card used?


The card might have expired and be destroyed, so you could have a valid reason for not being able to produce the number.


In which case, you would simply get in touch with support and prove your identity and purchase some other way as my thinking is that this would be a rare occurrence, since receiving a faulty purchase pair using a card that has expired and you no longer hold whilst living at a completely different address is a freak event. Plus, couldn't you still use the expired card as verification even if it expired?


Yodel (especially poor UK courier) lost an expensive item once. Once I got through to a human at Amazon, they took me at my word and the replacement item was on its way that day. A few weeks later the original turned up, looking very battered.

The amount of goodwill I have towards Amazon because of that experience is tremendous. I took out Prime, and I look there first for everything now. I can absolutely see that being worth the shrinkage.


My experience with Amazon customer service hasn't given me any faith in their competence.

Years and years ago I ordered a few items, mostly DVDs. I got the items. Months later I get an email from Amazon customer service saying I owe them money from that order because I never paid for it. I said "huh?" I call customer service and I found out it was because there was a chargeback. I didn't do a chargeback so I was confused.

Eventually I figure it out because the CC number shows up on the invoice with the last 4 digits. I accidentally transposed the last 2 digits of my CC number. I combed through my CC statements and found out that I indeed wasn't ever charged for the original items. Apparently the card was valid and was charged even though it was someone else's card. That means they didn't even do the least bit of checking to see if the billing address was the same or even name.

I call up and told them what happened. They just were dumbfounded and confused about the whole situation and didn't know how to handle it. They just kept insisting I return the items and they'll give me a refund. I think she was confused as to what I was even trying to tell her since I received the items. I said I didn't want to return them and even if I did they were now used items. They said "what's the problem then?" I told them that THEY sent ME an email saying how I owe money. I wanted to take care of it. Well finally the customer service rep just took down my right CC number and presumably wrote it in as a note in the logs or something.

I was never charged for the order.

---

Even more years ago my college boyfriend told me that when he was like 17 him and his friends played some kinda "prank" where they ordered some expensive cameras shipped to the school and put in some fake name and credit card. Apparently according to him the cameras shipped. Kids freaked out they would get in trouble, they told a science teacher. Science teacher took care of it and called Amazon before the cameras arrived to say that it was just some kids messing around.


You can't transpose two numbers in a credit card, the card number will fail Luhn validation which means it's not a valid credit card.


Well it happened. I didn't make the story up. It was the last two numbers. I am totally serious that happened.

Perhaps Amazon didn't validate at all. Who the hell knows?
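The Luhn check discussed in the two comments above, as an added example that is not part of the thread: it validates a number, swaps the last two digits, and enumerates which adjacent digit pairs the checksum cannot tell apart when transposed. The sample numbers are constructed test values, not real cards.

```python
def _doubled(d: int) -> int:
    """Luhn's doubling step: double the digit and fold two-digit results."""
    d *= 2
    return d - 9 if d > 9 else d


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled.
    for i, d in enumerate(reversed(digits)):
        total += _doubled(d) if i % 2 == 1 else d
    return total % 10 == 0


def swap_last_two(number: str) -> str:
    """Transpose the final two digits, the typo described in the thread."""
    return number[:-2] + number[-1] + number[-2]


def undetected_adjacent_swaps() -> list:
    """Digit pairs (a, b), a < b, whose adjacent transposition keeps the sum.

    Swapping neighbours moves one digit into a doubled position and the
    other out of it, so the swap is invisible exactly when
    doubled(a) + b == a + doubled(b) (mod 10).
    """
    return [(a, b)
            for a in range(10) for b in range(a + 1, 10)
            if (_doubled(a) + b) % 10 == (a + _doubled(b)) % 10]


# Constructed sample values (not real card numbers).
TYPICAL = "79927398713"                 # valid; ends in "13"
BLIND_SPOT = "4" + "1" * 12 + "509"     # valid; ends in "09"

if __name__ == "__main__":
    print(luhn_valid(TYPICAL), luhn_valid(swap_last_two(TYPICAL)))
    print(luhn_valid(BLIND_SPOT), luhn_valid(swap_last_two(BLIND_SPOT)))
    print(undetected_adjacent_swaps())
```

The checksum says nothing about whether the name or billing address matches the card; that is a separate check by the merchant or issuer.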


I used to be an Amazon customer service rep. I know for a fact that replacements can only be sent to the original address. However, you can change the address after the order's been made. Calling into customer service to change this address is going to be risky, so doing it self-serve online is probably what's being done here. These hackers had access to your account I suspect.


Thanks for the insider info. One question I have though is if they did have access to my account and are able to change addresses after an order is made online, why not go for the gusto and make really expensive orders using my on-file credit card numbers instead of just doing replacement items?

In any case, I've changed both my password and my email address on Amazon, so if they did have access to the account that should solve that issue for now. The whole situation has made me paranoid enough that I'm considering creating a locked-down custom VM used solely for Amazon shopping.


It's because they didn't want to alert you of the charge. Coming from a previous blackhat, the last thing a blackhat would want to do is alert you that something is happening. How often do you check your bank account? Probably once a day, maybe more. How often do you check your Amazon? Maybe only when you're going to buy things. I have my accounts set to text/notify me with every transaction detail.

Another reason why it'd be a replacement is because you don't get charged anything directly. They're betting you see the $0.00 charge, no bank activity, and you'll just brush it off like it was just a glitch. Not only this, but half the people who do this aren't even 18 and they're just reading tutorials on forums for how to get free stuff by social engineering or "hacking."


Just a note that Amazon have been known to ban accounts if you action too many returns. The bans are very rare, but they are for life and across all Amazon properties. Hit up Google for more.


This is my primary lingering worry about the whole situation, that it may impact my ability to get replacement items sent out if I actually need them in the future.

Hopefully they take your Amazon history into account when figuring this sort of thing out because I've been a customer for a very long time and have spent an amount of money that would likely seem obscene (if I totalled it up) over the years.


>> Hopefully they take your Amazon history into account

But of course they won't. Your experience with them clearly demonstrates that reality. No leg of that octopus knows what any of the other legs are doing.


I found it also pretty odd that I could use my Prime account to order things for a friend using my address for shipping and billing and his bank details for direct debit (which is the most common means of payment here on Amazon.de, I guess).

The other way around (his address, my bank details) also works without any further verification.

So I could basically just enter someone's bank details and hope the order ships to my anonymous forwarding address before they notice. The victim will then order her bank to refund the fraudulent direct debit transaction (thanks to SEPA she now has 13 months to file the request). Amazon will probably suspend the account but the perpetrator will obviously not care.

Even if it's less convenient (because not instantaneous) Amazon should be doing something similar to what PayPal does: transferring a few cents together with a verification code to the account for verification.

This scenario would hopefully only work if the account itself was compromised. But when looking at how overcredulous customer support seems to be it might well be possible to pull this off without actual access to the account.


I do this frequently, the use case is ordering things for my father, who's certainly capable of doing this on his own, but since I buy so much stuff from Amazon, starting a year after they opened, it's the most convenient way.

Only difference is I'm in the US and charging it to a credit card of his. And a Prime account is not required (we recently split the difference on getting one). And if they're looking for fraud, that we have the same last name, and his billing address is about a mile away, could reassure them.


Amazon probably won't suspend the account because they don't like losing customers. Same reason they're generous with the returns.

Verifying via a few cents is enormous in terms of ease-of-use. Holy crap, now I have to log into my bank and check transactions just to buy some stuff? No thanks.

And, I know this isn't great logic, but I hope Amazon does nothing like PayPal.


It happened to me in a brick and mortar shop : I went to the shop to have my laptop repaired and they told me it was impossible since I had been reimbursed when I gave them the laptop back 6 months ago (the same laptop I had in my hands).

They never told me what happened but I suspect someone in this shop took the money and declared the laptop returned.


> Amazon is out quite a bit of product and a lot of trust from me.

The product is still a drop in the bucket for Amazon. Hopefully some of your actions will trigger their fraud protection dept. to blacklist the address or maybe they think it's not worthwhile blacklisting a whole address with multiple suites for a tiny amount. Anyway, I don't think it's reason enough to lose trust in Amazon. As long as they got the honest customer covered, it's OK to lose some when you are running a business of Amazon's scale.

As @sdrinf mentioned, it's social engineering at play. Maybe they can raise the bar to placing phone orders/replacements. Or maybe they think, they'll lose more business by adding a teeny hurdle than gain on fraud recovery.

A times B times C equals X. If X is less than... we don't care kind of thing (Fight Club recall reference)


Amazon might not even lose money from this at all. It is common for retailers to charge these costs back to the supplier.


This is a logistics issue: shipping to an unverified address before receiving back the original product. Amazon should be solely responsible for it.


Amazon almost certainly has many customers using shipping forwarders. In Central America, I see banks advertising cards with a US shipping-forwarding address, specifically to buy from Amazon.

Amazon would have to be taking in huge amounts of losses due to fraud to consider killing off all these customers.


"Also, our secure server software (SSL) is the industry standard and among the best software available today for secure commerce transactions."

Hey! What the heck? I'm in the security industry and had no idea about this new "secure server software" and why is the TLA SSL? What the heck? I've been on vacation for the last week, when did it hit?

On a serious note, I understand that some security teams hire non-technical types into the team but it's always the responsibility of senior staff to make sure they are at least understanding the basics, especially when communicating with customers. Say it with me: Secure Sockets Layer (SSL). There's a credibility problem here somewhere.


First, they'll be negotiating TLS in nearly all cases.

Second, they were not defining the acronym. They're just stating they have software to help secure things, and as an aside it's called SSL. They mention SSL because some users may have heard of this and it signals that Amazon's doing the right thing.


I would think that if Amazon is failing to rectify the problem, then they at least have a very clear and obvious incentive to do so.


It's extremely straightforward: they value customer satisfaction considerably above their own fraud write-offs. That's literally it. It's a bit silly, because there are a number of measures the CSRs could take to prevent someone with JUST your email, address, and name from accessing your account (Netflix asks for a "call in code" visible when you're logged into the site, for instance), but they don't.

The CSRs are in India and basically told to satisfy any "did-not-arrive shipments". The fact that they are also willing to ship to an alternate address is completely insane. But my scammer told them they were "on vacation" and appealed to that side of the customer satisfaction coin.


Yup. I had the same thing with Logitech - my mouse broke while I was visiting my parents in an entirely different country, and they sent me a replacement there, without having to send the old one back. I just explained I was on vacation and it was fine, they just asked me to give them the new address.


Another angle: this is why I shop at Amazon, and make a point to buy items fulfilled by them directly.

Any time I have had a problem with an Amazon item, they have made it insanely easy, and cheap, for me to get a new one.

With the Kindle 2 (first one with the directional nub) the screen was VERY fragile. I used the official case but just putting it in my bag caused the screen to crack 3x in a year. When this would happen, I'd call Amazon and they'd have a new one on my doorstep the next morning. Then I'd use that box to send the old one back, no questions asked. Sure I could have been a fraudster and probably could have somehow kept 2 Kindles, but I appreciated the customer service.

[Aside: no I'm not just an idiot, the Kindle 2 really was that fragile. I've had a Kindle of every generation and never broken any other screen, but broke that one 3x].


Is it really that hard to craft a title that uses normal English? For example:

"Amazon orders are still subject to replacement fraud"

There, I won't have to sit there and swap emphasis in my head until it makes sense with that one.


Newspaper headlines very often omit linking verbs (am, is, are, etc) when they can be inferred from context to make room for more important words.

They probably don't have much use on a web page except to sound like a newspaper headline.


Sorry if the title is confusing, it reflects my thought process as I was figuring out what was going on here in that the title I was going to use was "Amazon orders are subject to replacement fraud" and then I learned about the fact that this has been going on for quite some time and was reported on quite a bit back in 2012 (though I hadn't personally heard of it back then, as far as I remember), thus the added "(still)".

But.. yeah, I can see how that would be confusing as a lead-in.


Presumably there's some Durden-esque equation for costing this, wherein increased earnings from customer retention and goodwill more than offset estimated losses through fraud.


I bet there's a thread on socialengineered dot net about this. I'd do a google search for "site:socialengineered(dot)net amazon replacement"

Obviously I'm not going to link to a scam site, but you can get in through and read the articles through Google so you don't have to register with them. I saw this site with another Amazon scam where people were requesting refunds saying not shipped, etc.


UI complaint:

If I click on a picture to view a larger version of it, I should not have to hunt around the page for a blue button to stop viewing the large image.


Thanks for the feedback, you're right!

My site (which is woefully unfinished even for its originally intended purpose) is primarily used as a photo-blog showing photo albums to remote friends and family. This rant was the first text-heavy traditional blog-post I've made to it. I need to put some work into making the UI make sense for posts made in that context.


Amazon themselves have actively recommended this reship.com when I asked about delivery before for a certain product.


If you happen to notice this before the item is delivered you can call UPS and have the package returned to sender.

If you really want you can have someone stake out the home and see who comes, but that's really something for Amazon + the Police to do.


Not just returned to sender. I've had people tell me they were able to have Amazon reroute the package to them, and then be told to keep it. It's like a free Xbox (or camera or whatever) without having to do the dirty work of perpetrating the scam yourself!


Yeah, I read about that on Chris' blog (the one linked in my post here). Unfortunately I didn't notice until both items were delivered (at least to the Portland, Oregon destination) so there was no chance for me to undo the damage.

I'm not really interested in staking out the address these items were sent to, as mentioned I think it is just some sort of remailer service anyway so it wouldn't be useful unless the police could get a warrant to figure out where the redirected packages went to. I don't really care that much because Amazon is the one who lost out here financially, not me; but I still do feel a tiny bit violated that my account was used for this.


This is probably easier to do when the scammer isn't using a re-mailing service as this scammer is doing, though I imagine the authorities would have more luck compelling them to release the actual destination.


Are Amazon actually making money on these? Do they charge costs and shipping back to the supplier above trade price?


Are you somehow on the hook to return a defective item because of these replacement requests?


Nope. I had my Kindle replaced 3 times, and never had to send the old ones back, even though I said to the rep that I have no problem with that.

Basically the original Paperwhite had a wifi bug where in the presence of certain SSIDs it would crash the wifi driver and the wifi would stop working entirely. So I would ring up Amazon, explain the situation, they would send me a new Paperwhite, the same thing would happen, rinse & repeat. They never acknowledged that it's actually a bug in their software, they just kept sending me new Paperwhites. After I got 4 of them, I finally managed to convince the person on the phone that sending me new Paperwhites does not fix my problem, and they agreed to send me the new Paperwhite 2 - which did indeed fix the problem. I was told explicitly that I don't have to send the old Kindles back - but they are blocked from joining the Amazon network again, so you can only use them offline. Still, looks like a massive waste for Amazon, but I guess it's like nothing for them.


No, the scammers claim it never arrived, so Amazon merely sends it again.


Could this just be a database querying problem, and maybe no items were actually shipped as a result?


Nah... It's only a case of not reading the article...


Nope, that's what I thought it might be at first (though I think that would freak me out even more) but based on everything I heard from the Amazon CSRs this was someone replacing an item I had legitimately ordered (and received just fine more than a month ago), but social engineering the CSRs to send the replacement item to some random other address.



