Amazon Got Had By A Chat/Phone Fraudster. Would Your CS Team Fare Any Better?

Written by Evan Schuman
January 2nd, 2013

When was the last time you ran anonymous security testing on your call center customer service reps—both on the phone and via chat—trying various social engineering tricks on them to see if they’ll divulge security info while trying to be customer-friendly? An Amazon security glitch was delightfully well documented this holiday season, but the frightening part is that none of it would have worked on the site directly.

The attack sought order numbers—which in turn enabled a shipping address to be changed and free replacement merchandise to be dispatched—and it highlighted various problems that retailers could easily fix but don’t. For example, do CS reps take the time to review chat transcripts and activity history in an effort to spot repeated fraud attempts? Shouldn’t a change of address set off all types of alarm bells? In this instance, the new address was a maildrop that reshipped packages overseas, and that specific address had already been noted in Amazon’s own records. Yet the system hadn’t been told to flag anything going there, even after it had been discovered?

The incident was captured and detailed in all its glory by Gizmodo, but it shouldn’t be read as simply flagging an Amazon security hole. The real concern is that Amazon is generally relentless on security issues, and this effort would have gotten nowhere on the site itself. But when the attacker opted for the human route, doors opened wide. How many chains even bother to test for policy adherence? Even more frightening, how many chains have bothered to even write policies that address social engineering safeguards for CS reps on the phone and in texts? No need to demand adherence to policies that haven’t been issued.

Here’s a nice way to look at this. Employees generally hate security rules; they are akin to being made to eat your vegetables. But some of the methods that would have thwarted this social engineering attack would also have improved customer service—and thereby potentially boosted conversions.

For example, insist that CS reps review full order history and glance at recent chat discussions before delving into a caller’s request. Maybe it will save the shopper from having to repeat background. Maybe it will flag a potential upsell opportunity or, being even nicer, a way to tell the shopper a better purchase to make. And, yes, if it helps stop a fraud attempt, all the better.

The essence of the attack started with the caller saying that he had been hacked—cyberthieves have never been short of chutzpah—and that he needed all recent order numbers. To get them, all he had to do was reveal the current street address of the victim, which was available online. (A whois search, apparently, in this case.)

After that, a temporary address change was easy. Why? Isn’t an address change a big heads-up? Why didn’t it force the requesting of a lot more information and perhaps an E-mail to the account holder? Or maybe even a phone call to the phone number on file?

Having extra-helpful reps is always a nice thing, but sending $900 cameras to an overseas maildrop—one that Amazon had already identified—is probably not an ideal bit of courtesy. Would your chain fare better?
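The controls the article calls for (check recent history for repeated attempts, flag addresses already known to be reship drops, and treat an address change backed only by public data as a trigger for out-of-band verification) can be expressed as a screening rule a CS tool runs before a rep acts on a request. This is an added illustration, not Amazon’s logic or anything from the Gizmodo account; the proof names, the maildrop address and the session records are all constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Proofs tied to something on file. A street address is public (whois, people
# search), so it is deliberately absent from this set.
STRONG_PROOFS = {"last4_card_on_file", "otp_to_phone_on_file", "otp_to_email_on_file"}

# Addresses already noted in company records as overseas reship maildrops (constructed).
KNOWN_RESHIP_ADDRESSES = {"100 FORWARD ST STE 5 PORTLAND OR 97201"}


def normalize(addr: str) -> str:
    """Uppercase and strip punctuation/extra spaces so lookups survive formatting differences."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr).upper().split())


@dataclass
class SessionRequest:
    account_id: str
    channel: str                                   # "chat" or "phone"
    proofs_given: Set[str] = field(default_factory=set)
    actions: List[str] = field(default_factory=list)  # e.g. ["list_orders", "change_address"]
    new_address: str = ""


@dataclass
class AccountHistory:
    prior_address_change_attempts: int = 0         # seen in recent chat/phone transcripts


def screen(req: SessionRequest, hist: AccountHistory) -> Tuple[str, List[str]]:
    """Return (decision, reasons): 'allow', 'verify' (confirm via phone/email on file) or 'block'."""
    reasons: List[str] = []
    wants_change = "change_address" in req.actions
    if wants_change and normalize(req.new_address) in KNOWN_RESHIP_ADDRESSES:
        reasons.append("destination is a flagged reship maildrop")
        return "block", reasons
    if not (req.proofs_given & STRONG_PROOFS) and ({"list_orders", "change_address"} & set(req.actions)):
        reasons.append("sensitive action with public-data verification only")
    if wants_change and "list_orders" in req.actions:
        reasons.append("order lookup and address change in one session")
    if wants_change and hist.prior_address_change_attempts >= 2:
        reasons.append("repeated address-change attempts in recent history")
    return ("verify" if reasons else "allow"), reasons


if __name__ == "__main__":
    attacker = SessionRequest("acct-1", "chat", {"street_address"},
                              ["list_orders", "change_address"], "100 Forward St., Ste 5, Portland, OR 97201")
    print(screen(attacker, AccountHistory(prior_address_change_attempts=1)))
```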
