My Amazon account was hacked
I had just got back home after running some errands when my phone beeped. It was an email with the subject line ‘Il tuo ordine Amazon.it che include "Casio A-158WA Orologio Vintage"’. Assuming it to be spam, I ignored it, when a couple of minutes later I received another email with the subject ‘Il tuo ordine è stato cancellato’. I opened the emails to see both were from Amazon Italy: the first mail was a confirmation for an order placed and the second, a cancellation of the same order. Suspecting fraudulent activity (I briefly wondered if it could be a gift order placed by a friend), I decided to report it to Amazon when I received another email, this time purportedly from Amazon Germany: ‘Ihre Amazon.de Bestellung von "Panda 3D Printed Mens..."’. It was a confirmation of an order placed. Till that point I suspected these were phishing emails, since the German email id bestellbestaetigung(at)amazon(dot)de read suspiciously non-official. But the other details, such as my address, were accurate, which raised my suspicion.
I deleted my credit card payment method from my Amazon account to be on the safer side and immediately reported these emails to the Amazon India customer care executive on chat, who assured me it was a technical glitch which happens sometimes and that it would be rectified immediately. As an aside, I prefer chat to phone calls while dealing with customer care teams on all issues as it allows me to share images/screenshots/emails immediately, multitask (making calls to the bank, monitoring email activity, etc.) and also put everything on record should there be a need to pull it out later. While still on chat with Amazon, the next email arrived, ‘Aenderung Ihres Amazon.de-Kundenkontos’, informing me my email address had been changed from gmail to yopmail as per my request. It no longer seemed a technical glitch and I flagged this to the executive, who informed me she was with the escalation team. I checked if I needed to block my credit card and was informed it was not necessary (this may have been the advice before the address change email; I don’t remember now and will have to check the chat log, which I do not have as the hacker had changed the email id).
Then came the next email from Amazon Germany ‘Ihre Nachricht an Walled stay’ with a copy of an email sent from my account on the order placed. I am guessing the change in email had not taken effect by then so I got a copy on my id. The email read:
hallo sir, can you help me? so here sir, this is a gift for my son, I want to change the address to Indonesia which aims to my son, because my son the birthday that I can not go because I was busy with my job pack, please help me sir, I will never forget the services of the father, the father can hopefully reward This is the address of my son's birthday:
Name: Amirudin Address: (Withheld) City: Cipondoh State: City Tangerang Province: Banten Postal code: (Withheld) Country: Indonesia Phone number: (Withheld)
Thanks Very Much Sir.
Simultaneously, I received a text from my bank on the credit card transaction for the order placed with Amazon Germany. I notified the Amazon India executive of this, who seemed surprised at this development and informed me that since it was no longer a technical glitch (!) I would have to get this resolved by Amazon.com and that Amazon India would no longer be able to assist me with the matter.
I called my bank, got my credit card blocked and tried logging into Amazon.com when I realised I could no longer access my account. There was no Amazon account associated with my email. I was now locked out of my account. I tweeted for help to @Amazon @AmazonHelp and @AmazonIn while I tried reaching them on the helpline (Incidentally, it took over three hours for @AmazonHelp to respond to my plea).
The customer care executive who spoke to me arranged for a call back from Amazon.com and despite verifying my account details (previous order numbers, phone number, etc.) informed me that changing my email id from the fraudulent id and providing access to my own account would take anywhere between 24-48 hours – what the hacker managed to do in a matter of minutes with the help of Amazon Germany. In a stroke of genius, just before she hung up, she asked me to try accessing the account with the new email id and the old password. It worked! I changed the email back to my original id and also changed the password.
The Amazon.com executive called and transferred me to the retail department after I explained the issue to him. In a painful almost hour long call with the retail executive where neither of us understood the other person’s accent, after a long drawn process of verification, cross verification and repeated relay of order numbers, I was informed they were not able to pull out the details of the order placed in Germany. I was asked to now contact Amazon Germany. When I informed her I could not speak German, she tried her best to help me by emailing me links to web chat with Amazon Germany which did not reach me as the email change had still not taken effect and still showed the hacker’s yopmail on the system. It struck me that if I could access my account on Amazon Germany, I could simply cancel the order. I asked her if she could put me in touch with an English speaking executive at Germany or someone in her office who knew German. She could not help me with this. Nor could she help me navigate the Amazon Germany site.
Left to myself, with the help of Google translation and the Amazon.com site for reference, I tried navigating through the Amazon Germany site and managed to get to their customer service chat. It was chilling to see the number of items placed in the cart. They only supported German chat and sent me a link from where I could email them for an English speaking executive to respond within 24 hours. This unfortunately did not take me directly to the email window and I still had to click on a few tabs to get the email window open. ‘CANCEL ORDER’ I wrote in the first email, thinking a simple instruction/request should not be difficult to comprehend (this however did not work with the executive on chat). I followed this up with a detailed email explaining the issue and seeking a cancellation and refund.
Meanwhile, a couple of friends and contacts on Twitter put me in touch with Amazon India’s Minari Shah, with whom I have shared all the details. I have also shared the contact details of the hacker as shared by him (which cannot be said with certainty to be his own) for pursuing legal action.
Needless to say this has been a harrowing experience and I am fortunate to not have lost any money (assuming Amazon Germany doesn’t send me the Kungfu Panda t-shirt ordered by the hacker). But some questions linger:
- In cases like these involving unlawful incidents, shouldn’t the country office and Amazon.com step in and help resolve the issue for the customer instead of making them run around in circles trying to get through to customer care executives who don’t speak their language?
- Doesn’t Amazon have language support for its customers in emergency situations like these? How difficult is it to integrate translation software with chat software (with usual disclaimers) in countries where English is not used at all, to facilitate at least basic conversation and process simple requests like cancellation of an order?
- Why is it easy to use credit cards outside India without the two-step verification process that is mandatory in India? Shouldn’t this at least be made an opt-in? (I never understood the one-click ordering option and how/why anyone might opt for that.) Update: In a later chat with an Amazon executive, I was informed these requirements are based on country-specific regulations. I don’t know if the responsibility of Indian regulators extends to protecting their customers’ money in foreign lands – it ideally should. In this case a simple requirement like making Indian credit cards automatically go through the two-step verification process could have helped. (Update: two-factor authentication (2FA) can be enabled on Amazon.com for two-step verification of account login: https://www.amazon.com/gp/help/customer/display.html?nodeId=201962420 Go do it now. Thank you for the tip Kiran Jonnalagadda and Sushovan De. Even the Amazon executive I had discussed this issue in detail with did not inform me of this feature on Amazon.com.)
- Why does Amazon save credit card details by default and not make it optional for customers?
- What would Amazon do with the contact details of the hacker? Will he go unpunished? I suspect no action will be taken against him. It would be good to hear from Amazon on this front.
- I had 5k gift card balance on my account which was left untouched (assuming these are not accessible to other countries) but when I had checked if there was a provision to freeze all activity on my account on the basis of the evidence I had provided, I was informed that would again take 24-48 hours. Why doesn’t Amazon have a speedier crisis response and issue resolution system where illegal activities are involved?
- Where exactly was the vulnerability which the hacker was able to exploit? What steps could be taken to eliminate/minimise these? (Please respond with your comments and tips; it would help many of us.) Update: Check whether your username or email has been breached on this website https://haveibeenpwned.com and change the passwords (use different passwords for different accounts) of accounts that have been breached. You could also sign up on that site to receive notifications as and when there are breaches involving your email id. Thanks @greatbong (Arnab Ray) for this useful tip. Ideally you should not store your credit card details on any site. You could also consider using password managers like 1Password or LastPass. There are additional tips shared by a banker friend towards the end of this post.
- Why doesn’t Amazon have a system like that of Google where every suspicious activity is reported/ looked into? (like logins to country sites the customer has never accessed for instance, or logins from different location/IP)
- Why does Amazon make it so easy to change account details like the email address without any confirmation mail to the existing address, and why doesn’t it allow customers to challenge any change in account details by providing a link in the confirmation email sent to the customer after changes are made? The mail I received from them simply stated that my email had been changed. It assumes that access to the account is proof of authenticity.
- How well trained are the customer care executives in crisis response? The executive I spoke to did not advise me to change my password even once, maintained it was a technical glitch (how from Amazon sites I had never visited I wasn’t told) wasting precious time before acknowledging it was a serious security issue which they couldn’t help me with and even advised me that getting my credit card blocked was unnecessary. While I understand that there may have been instances where similar technical glitches may have occurred, I am not sure the executives are adequately trained to handle security breaches.
- In hindsight, changing my account password was the first step I should have taken. With all that was going on and trying to prioritise between deleting credit card details, blocking my credit card, cancelling orders and stopping further transactions on my account, I did not consider it. Since at first I thought the emails I received were phishing emails and later I assumed that since my account was hacked I no longer had control over my account, it did not strike me that if I could access the account to delete my credit card payment method and chat with the customer care executive, I could have also changed my password. This is the default first step whenever any account is compromised, one that I am well aware of, and while it wouldn’t have changed anything going by the sequence of events, it surprises me that neither did it strike me nor was I advised by the Amazon executive to change the password.
- Why are there no filtering mechanisms to differentiate urgent pleas from routine requests on social media from Amazon? They did not respond for hours. (I wonder how many hacking incidents take place at Amazon)
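The email-change weakness raised above (a logged-in session alone was enough to swap the address, with no approval from the existing mailbox and no way to undo it) can be closed with a two-step flow. This is an added example, not Amazon's code or anything from the post; the class and method names are hypothetical and the outbox is an in-memory stand-in for a mail system.

```python
"""Added example (not from the original post): an account email-change flow that
(a) requires confirmation from the CURRENT mailbox before the change takes
effect and (b) mails the old address a revert link valid for a grace period.
Class and method names are hypothetical; the outbox is an in-memory list."""
import secrets
import time

class Account:
    def __init__(self, email):
        self.email = email
        self.pending = {}   # confirm token -> (new_email, expiry)
        self.revert = {}    # revert token -> (old_email, expiry)

class EmailChangeService:
    CONFIRM_TTL = 3600        # one hour to approve from the old address
    REVERT_TTL = 7 * 86400    # seven days to undo from the old address

    def __init__(self, now=time.time):
        self.now = now
        self.outbox = []      # (recipient, kind, token): stand-in for the mailer

    def request_change(self, acct, new_email):
        # A logged-in session is not proof of ownership (the post's point):
        # ask the current mailbox to approve before anything changes.
        token = secrets.token_urlsafe(32)
        acct.pending[token] = (new_email, self.now() + self.CONFIRM_TTL)
        self.outbox.append((acct.email, "confirm", token))
        return token

    def confirm_change(self, acct, token):
        entry = acct.pending.pop(token, None)
        if entry is None or entry[1] < self.now():
            return False
        new_email, _ = entry
        old_email, acct.email = acct.email, new_email
        # Tell the old address what happened and give it a one-click undo
        # that works without logging in.
        revert_token = secrets.token_urlsafe(32)
        acct.revert[revert_token] = (old_email, self.now() + self.REVERT_TTL)
        self.outbox.append((old_email, "revert", revert_token))
        return True

    def revert_change(self, acct, token):
        entry = acct.revert.pop(token, None)
        if entry is None or entry[1] < self.now():
            return False
        acct.email = entry[0]
        acct.pending.clear()   # discard anything else queued meanwhile
        return True
```

Expiry of the confirm token is what stops a stale request being approved later; the revert token deliberately lives longer, since the real owner may only notice the notification after some time.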
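The kind of check asked for in the suspicious-activity question above (a first login on a country site the account has never used, or from a new country) is simple to baseline. This is an added illustration, not Amazon's system; the event records are constructed sample data and the function name is hypothetical.

```python
"""Added example (not from the original post): flag logins that break an
account's own history, e.g. first sign-in on a marketplace (amazon.de) the
account never used, or from a new country. EVENTS is constructed sample data."""
from collections import defaultdict

# Constructed login history: (account, marketplace, country of login)
EVENTS = [
    ("u1", "amazon.in", "IN"),
    ("u1", "amazon.com", "IN"),
    ("u1", "amazon.in", "IN"),
    ("u1", "amazon.it", "ID"),   # new marketplace AND new country
    ("u1", "amazon.de", "ID"),   # new marketplace; ID now seen once
    ("u2", "amazon.in", "IN"),   # too little history to judge
]

def detect_anomalies(events, min_history=2):
    """Return alerts as (account, reason). Accounts with fewer than
    min_history prior logins are not judged: no baseline yet."""
    seen_sites = defaultdict(set)
    seen_countries = defaultdict(set)
    count = defaultdict(int)
    alerts = []
    for acct, site, country in events:
        if count[acct] >= min_history:
            if site not in seen_sites[acct]:
                alerts.append((acct, f"first login on {site}"))
            if country not in seen_countries[acct]:
                alerts.append((acct, f"first login from {country}"))
        # Update the baseline only after judging the current event
        seen_sites[acct].add(site)
        seen_countries[acct].add(country)
        count[acct] += 1
    return alerts

if __name__ == "__main__":
    for acct, reason in detect_anomalies(EVENTS):
        print(acct, reason)
```

In a real system each alert would gate the session (step-up verification, hold on address or email changes) rather than just be logged.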
Update: I have received a response from Amazon Germany that my order will be cancelled (Google translate to the rescue again). I am awaiting confirmation from them that it has been cancelled and the refund process initiated. Meanwhile my account has apparently been put on hold by Amazon.com for ‘sanitising’ purposes and I will hear from them in 24-48 hours after which I will have access. I will be quite happy to not have any access to Amazon or any ecommerce site for a long long time.
Latest update: All orders have been cancelled (including one legitimate order which I had placed and had not asked them to cancel). Since I have blocked my credit card, apparently the refund is taking time. Everything - I have been assured - will be resolved in a couple of days. I’ll wait.
PS: This, from a friend in the banking sector:
Some tips that banks don’t explicitly tell you:
1. Don’t use unmanned ATMs. See if you can find an ATM inside a bank branch’s premises.
2. Don’t let websites store your card number. Always unselect the option. If sites store card details automatically (like Flipkart), go to Settings and delete them.
3. During online shopping, always use OTP (and not PIN or password). This limits the risk to only that transaction and not after.
4. Cover your card’s expiry date and CVV using a sticker or bindi. Don’t let a snooping cashier memorise it.
5. Don’t tell your PIN to the cashier to make checkout faster. Walk over to the swiping machine and type it yourself.
6. Disable your card for international use if your bank has the feature. Enable it only when you go abroad or shop on international sites.
Do not store card details on any site. The fraudster will just copy-paste the saved card details onto other international websites that don’t require 2FA. Delete card details after every transaction.