Amazon’s customer service backdoor
Eric

I wrote up a similar wild gaping hole in Amazon’s customer support social engineering THREE YEARS AGO. And lo, it is still not fixed. With the “account trifecta” of a user’s name, billing address, and email address, you can get a customer support rep to give you all sorts of personal information, including order numbers, the contents of those orders, and then, in my case, request re-issues of recent orders that you “never received,” shipped, conveniently, to another address.

I understand that customer satisfaction is paramount and Amazon will bend over backwards to make the customer happy, so they may perceive some of these very basic social engineering stopgaps to run counter to that, but this is unacceptable, plain and simple. Netflix provides a “call-in code” that you can see when you’re logged in and authenticated, for instance. Ask for that. If you can’t log in, have a separate support workflow that can only support that functionality, and only with some extremely aggressive checks.

Here was my article. You’ll appreciate I went through the same hoops you did to get the transcript of the scammer (and I’m also almost certain mine was a whois query as well). I’ve since registered my Amazon account under a purpose-built email address that is only for Amazon.

http://www.htmlist.com/rants/two-for-one-amazon-coms-socially-engineered-replacement-order-scam/
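A sketch of the “call-in code” mitigation the comment above asks for, added here as an illustrative example (not Netflix’s or Amazon’s actual mechanism, and not the commenter’s code). It assumes a per-account secret held server-side, a 30-minute validity window, an HMAC-SHA256 derivation, and a three-failure lockout that pushes the caller into the stricter can’t-log-in workflow; all of those values are assumptions, not taken from the post.

```python
import hmac
import hashlib
import struct

WINDOW_SECONDS = 30 * 60   # assumption: a code is valid for one 30-minute window
MAX_ATTEMPTS = 3           # assumption: wrong guesses allowed per account before lockout


def call_in_code(account_secret: bytes, now: float) -> str:
    """Six-digit code derived from the account secret and the current time window.
    Displayed only on the authenticated account page, never emailed or read out by a rep."""
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(account_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class SupportVerifier:
    """Rep-facing check: the caller reads the code off their screen, the rep types it in.
    Failures are counted per account so six digits cannot be guessed over repeated calls."""

    def __init__(self, account_secrets: dict):
        self.account_secrets = account_secrets   # constructed in-memory store for the example
        self.failures = {}

    def verify(self, account_id: str, spoken_code: str, now: float) -> bool:
        if self.failures.get(account_id, 0) >= MAX_ATTEMPTS:
            return False   # locked out: only the separate, stricter workflow may proceed
        secret = self.account_secrets.get(account_id)
        if secret is None:
            return False   # same answer as a wrong code, so account existence is not leaked
        # Accept the current and the previous window so a code read a moment ago still works.
        for skew in (0, 1):
            expected = call_in_code(secret, now - skew * WINDOW_SECONDS)
            if hmac.compare_digest(expected, spoken_code):
                self.failures.pop(account_id, None)
                return True
        self.failures[account_id] = self.failures.get(account_id, 0) + 1
        return False
```

Knowing the customer’s name, billing address and email buys nothing here: the code is only visible after a real login, and the rep’s tool refuses after a few wrong guesses.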