My Amazon account was recently hacked, and I was NOT thrilled when I discovered this unfortunate problem. I’m going to share how I discovered my account was hacked, what I did about it, how it was resolved, and what you can do to secure your personal accounts. I will write another article about making our systems more secure for our customers.
On December 27th at 9:36pm ET, I received this very helpful email from Amazon (email addresses changed):
Thanks for visiting Amazon.com! Per your request, we have changed the e-mail address associated with your account The e-mail address associated with your account has been changed. The old address was MyEmailAddress@gmail.com. The new address is NotMyEmailAddress@yahoo.com Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more. Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account. Thanks again for shopping with us.
Here’s the problem: I didn’t change my email address, in fact, I hadn’t used my Amazon account since I purchased my green-screen a few weeks ago. How did my email address change without my interaction with Amazon, and even more curious: who the heck is “NotMyEmailAddress@yahoo.com”??
I immediately attempted to login to Amazon with my email and password that I had been using… and no luck. I couldn’t access my account. What about Alexa? Could I still configure my Echo devices? I grabbed my iPhone and opened the Alexa app and was not greeted by the standard Alexa features, but rather this login screen (image modified to hide the email address):
Are you kidding? I couldn’t control my Echo devices, and also the home automation things that were connected to them. This was not going to get better, only worse… so I quickly searched for a phone number for Amazon Customer Service. Have you ever looked for the customer support phone number on Amazon’s web site? it is IMPOSSIBLE to find, because it’s not under “Help” or “Customer Support”. It’s hidden at least three clicks from the home screen, and even then, I still couldn’t find it… but I’ll help you with this pro tip: Bing has the Amazon Customer Support phone number listed as a quick result.
Strike one for Amazon customer support
I’ve been hacked and felt like they didn’t want to help me because they hid the information I needed to get help to fix it.
On the phone, I selected an automated menu to “get help with logging in to my account”. The customer service rep, Christine, was very friendly and asked me for my email and home address in order to work with me to get access to my account.
I think we found our problem… Christine only needed these two pieces of information to get me into my account? No password? No mobile phone? No other piece of information? What’s keeping someone from finding my email and home address from a database and calling to take over my account?
Strike Two for Amazon customer support
They EASILY give out your information without any personally identifiable information to confirm who you are on the phone.
Christine could not find my Amazon account with my email address, because obviously the attacker had changed the account’s email address to “NotMyEmailAddress@yahoo.com”. I gave Christine THAT email address along with my home address and was able to access my account. I told Christine that I didn’t request the email change and that I did not make any purchases or use any services since that email change. Christine took steps to freeze my account by removing purchasing capabilities, my credit cards associated with the account, and prevented anyone from logging in to the account. She told me that the case would be referred to their “fraud department” and I could call them in the morning to discuss next steps.
Reflecting on this call with Amazon: I now know that the attacker changed my email address on the account but did NOT change my billing address or shipping address. What if they changed one of those fields? Would I have been able to recover my account?
The next morning I called Amazon customer support and requested to speak to their “fraud department” about my problem. I was told “there is no ‘fraud department’ and that a ‘customer account specialist’ would get back to me in a few hours about my problem.”
Strike Three for Amazon Customer Support
What happened? What changed? Why doesn’t the Amazon customer support department know if they have a fraud department or not? I don’t know, but the lack of a formal and well-defined fraud department in the largest online retailer scares me.
I asked to speak to a supervisor to get to the bottom of this problem. The supervisor asked me if I had been accessing my Amazon account over an insecure wireless network like a coffee shop or an airport. No.. no, I had not been traveling in months, and I do not do any shopping on insecure networks. I found the suggestion that I was at a coffee shop using Amazon to be slightly presumptuous, but didn’t pursue it. The supervisor went on to explain that I would receive an email in the next few hours with instructions to recover my account. Once again, no personally identifiable information was requested.. no request to confirm a recent purchase or the last four digits of one of my credit cards that was on file. They only needed “my email address” What’s keeping an attacker from calling and complaining about this same thing and giving their evil-doer email address instead?
I waited the required amount of time, and sure enough the following email arrived with the details of my account recovery:
Hello, Thank you for telling us about the unauthorized activity in your account. To protect your information, the credit card details in your account cannot be accessed via our website. We also do not display full credit card numbers in your account. We have taken these steps to restore your account: -- Disabled the password to your account. -- Reversed any changes made by this party. -- Canceled any pending orders. Please allow 5 hours for these actions to take effect. After 5 hours, you will be able to reset your password and regain access to your account. On the Sign In page, select "Forgot password?" and follow the instructions. After you enter your email or mobile phone number, you will receive an email or SMS message containing a personalized link. Click the link and enter your new password. If you have any trouble resetting your password, call Customer Service at: Customers in the U.S. or Canada: 1-866-216-1072 International customers: 1-206-266-2992 You will also need to: -- Re-enter your complete payment method information the next time that you place an order. -- Re-enter any addresses that you recently added to your account. -- Check your subscriptions, if you have any. You may need to update them. We do not know how this person got your sign-in information because that happened away from our websites. Some techniques include using malicious software to capture a user's keystrokes, trying common passwords, and sending fraudulent emails that request account information (known as "phishing"). To learn more about safe online shopping, visit the "Security & Privacy" section of our Help pages. Sincerely, Account Specialist Amazon.com
This email leads to more questions:
- What changes were made by the attacker on my account?
- Why does it take 5 hours to give me a “reset my password” one-time use link?
- The attacker got my password? Perhaps… but my experience prior to this email indicates that they could EASILY have gotten access to my account by just calling customer service and pretending to be me.
- What did they do when they got my account? They didn’t purchase anything…
Disappointed, I waited my designated five hours and went back to the Amazon website and clicked through the “Forgot Password” link on their sign-on page.
Clicking that forgot password link prompted me for my email address or mobile phone number.
I thought I had my phone number registered with the account, but my email address worked to trigger an identification email to my preferred email address. What bothers me is that “Customer Service” link at the bottom. If you click that, you’re prompted to call a 1-800 number for customer support… <sigh>
After keying in the six-digit code that I was sent, I finally had control of my account again. The first thing I did was set up two-factor authentication to limit my future exposure. This took a bit of a search, as the two-factor capabilities are not promoted or very visible on the Amazon site.
How to Configure Two-Factor Authentication with Amazon
I recommend everyone set up two-factor authentication for Amazon and any other service that offers this capability. Here are the steps to add this extra-security measure to your Amazon account:
1. Login in to your account, and click the “Your Account” button on the right side. On the resultant screen, click the “Login and Security” button in the top middle.
2. Click the “Edit” button next to the last item on this screen, labeled “Advanced Security Settings”
3. On the next screen, you can choose to authenticate with a phone or an authenticator app. I strongly recommend you choose the authenticator app, as the phone authentication sends a text message that COULD be intercepted if someone really wants to get into your account.
There are several authenticator applications available for iOS, Android, and Windows Phone devices. I recommend you choose either the Google Authenticator app or the Microsoft Authenticator app for their ease of use and configuration. They both offer the same capability of taking a picture of a QR Code, like the one in the above screenshot, and generating codes for you automatically. My Microsoft Authenticator app on my iPhone looks like the following:
Just click the plus symbol in the top-right corner to add a new account, and choose the “Other Account” option to add your Amazon account.
The app opens the camera and you can point your phone at the QR Code shown on the screen, and Amazon with your email address will be added to the main screen. The next time you login to Amazon, you will be prompted to key in this 6-digit number after your password.
Amazon does do an interesting thing on devices that don’t support a secondary prompt for this code. The service will reject your password, and you will need to key in your password with the six-digit code appended to the end. If my password is “SuperSecret” and my authenticator displayed the 871255 code as shown above, I can then use the password “SuperSecret871255” to access Amazon services.
Summary
Attackers are out there, trying to get access to any and all information related to spending or personally identifiable information. Among their motives: they want to resell your identity, they want your credit cards, and they want access to services as you so that they can send phishing emails to everyone on your contacts lists. Protect your accounts by setting strong passwords, use a password manager like LastPass or 1Password, and configure two-factor authentication everywhere it is available like Google Mail, Amazon, Outlook.com, OneDrive, and GitHub. It’s easy, fast to do, and will make your accounts much more secure.