Amazon’s customer service backdoor

As a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away, I would have thought my accounts and details would be be pretty safe? Wrong.

Because when someone has gone after me, it all goes for nothing. That’s because most systems come with a backdoor, customer support. In this post I’m going to focus on the most grievous offender: Amazon.com

Amazon.com was one of the few companies I trusted with my personal information. After all, I shop there, I used to work as a Software Developer and I am a heavy AWS user (raking up well over $600/month)

It all began with a rather innocuous email:

Weird, I didn’t contact Amazon support?

At first, I assumed it might be a mistake or a delayed email from the time I contacted them months earlier. But curiosity got the better of me, and I contacted Amazon to ask what it was about. They told me that “I” had a conversation with Amazon support? What the hell? It was a text-chat, and they emailed me a transcript:

Let me just stop right there, so I can point out that address isn’t mine. It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my ip address would match up with it.

Let’s continue:

“That’s all I needed”.

Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.

Trying very hard to not take out my frustrations on an unrelated support rep, I contacted both Amazon Retail and AWS expressing my disappointment and asking them to put a note on my account that it is at extremely high risk of being social engineering, and I will always be capable of logging in. Amazon Retail said they would put a note, and have a specialist contact me (who never did) while AWS was dismissive of even a risk existing.

Fast forward a couple of months, I made the big mistake of thinking the risk was gone, giving Amazon my fresh credit card and now new address details. I receive another email. I feel a pit of my stomach.

So once again, I contact Amazon support to see what happened. This time I had the pleasure of dealing with a support agent who seemed 100% incapable of realizing that someone was impersonating me. I had trouble keeping my composure when he told me I should change my password to prevent people impersonating me. Eventually I had to basically tell him that it was “me” that contacted support and I wanted “my” transcript, which he provided.

Using the address they got the last time from Amazon..
Again?! For fucks sake.

And then goes on to unsuccessfully try get the last digits of my credit card:

Yeah, that totally looks legit.

Guess I should count my blessings they didn’t give the last digits of my credit card. I again contact Amazon to reiterate how important it is that they keep my account secure, and not give out my details to anyone with a name and address. They promise they’re putting a note on my account, and it’ll never happen again. And I will be contacted by a specialist (never happened, again)

This time I decide I can no longer trust Amazon with my address, and delete it from my account.

Fast forward another day:

This time, I can’t get a transcript of the conversation. They contacted Amazon by phone, and they don’t have a recording to give me. I’m going to have to assume they got the last digits of my credit card, like they seem to be after.

At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.

After being the victim of these attacks for months, I’d like to make some recommendations for services:

  • NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this, would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
  • Show support agents the ip address of the person connecting. Is it a usual one? Is it a VPN/tor one? etc. Give them a warning to be suspicious.
  • Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
  • Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its namecheap whois protection expire

For users, be extremely careful with the information you share. Even big companies like Amazon can’t keep it safe, they’re far from the worst.