
Customer support, Amazon backdoor

Could a security-conscious user who follows best practices (unique passwords, two-factor authentication, logging in only from a trusted computer, and the ability to spot a phishing site a mile away) be completely sure that nothing threatens their accounts or personal data? Unfortunately, no.



When someone is deliberately targeting you, all of these measures become useless. The fact is that most systems have a backdoor: customer support. In this post, I'm going to focus on the worst offender: Amazon.com. It was one of the few companies I was willing to entrust my personal data to. After all, I shop there, and I used to work as a software developer, so I consider myself a fairly large AWS user (spending more than $600/month).

It all started with a fairly innocuous email.


My first assumption was that it was an error, or a delayed message from an automated responder (I had contacted support a month earlier). But curiosity got the better of me, and I contacted Amazon to find out what was going on. They calmly replied that I had spoken with Amazon support. What the heck? It was a text chat, which they were able to send me by e-mail.



Let me point out that the address shown in the transcript is not mine. It is the address of a hotel whose zip code is the same as mine. I used it to register several domains, knowing that Whois information is far too often public. For the registration I used the area where I live, so that my static IP would match the data given in Whois.

It continues:



Wow. Just wow. The attacker gave Amazon my fake details, which he took from the domain Whois, and in return received my real address and phone number. Now they had enough data to gain access to some other services and even to convince my bank to issue a new copy of my credit card. It was very hard to restrain myself and not unload all my indignation on support. I contacted Amazon Retail and AWS, expressed my disappointment and asked them to flag my account as being at very high risk of takeover and unauthorized login. Amazon Retail said they would flag my account and a specialist would contact me (nobody ever did). AWS, meanwhile, ignored the risk entirely.

Fast-forward a couple of months: I made a terrible mistake and assumed the threat was over. I gave Amazon fresh credit card details and a new address. In return, I received another letter.



I again contacted Amazon support to figure out what was going on. This time I was lucky enough to talk to a support employee who had no idea how it was possible for someone else to have spoken on my behalf. It was really hard for me to hold back when he started telling me that I needed to change my password so that such situations with "twins" would not arise in the future. In the end, I had to admit that it was "me" and demand from him a transcript of "my" conversation (which he was still able to provide).




Next, the attacker makes unsuccessful attempts to get the last 4 digits of my credit card.



I suppose I was lucky that Amazon did not give out my credit card data. Once again I got in touch with support, repeating how important it was not to give my data to other people. They again promised to add a note to my account and have a specialist contact me (and again, no specialist).

This time, I decided that I couldn't trust Amazon with my address data and that it was time to remove it from my account.

Now on to the second day of my adventures with Amazon:



This time I could not get a transcript of the conversation, since the attackers had contacted Amazon by phone and there was no record. I thought with horror that the attackers might now have managed to get the last digits of my credit card. As it turned out, my fears were justified.

At this point, Amazon has betrayed my trust for good (or, more precisely, for the third time already!). I did everything in my power to protect my account. But it turned out to be a hopeless effort.

At the moment, I'm already in the process of closing my Amazon account and migrating to Google services, which seem to be more resistant to this kind of attack.

I would advise users to be extremely careful with the information they put in their accounts. After all, even a giant like Amazon cannot adequately protect that data from attacks like these.

The original of this post can be found on Eric's blog.

Source: https://habr.com/ru/post/275947/