Howto social-engineer someone's address and other sensitive info from Amazon


#1

Originally published at: http://boingboing.net/2016/01/24/howto-social-engineer-someone.html


#2

The sad fact is that if your information is on a networked computer it is vulnerable to hacking; it is just a question of how much your information is worth to an attacker.

And the corollary to that is the more effort you make to prevent your information from ending up on a networked computer, the more you will be perceived as having criminal intent. For example, the author’s own suggestion that if an access is coming from a recognized Tor or VPN exit node, flag it as suspicious.


#3

This reminds me of another social engineering story. I think it was the guy with the N Twitter handle. One of the takeaways was to use different accounts for various services even when purchased from the same vendor. Having your Amazon shopping account broken into sucks, but your credit card protection will usually take care of the financial side of that. Having your AWS and EC2 instances hacked can be significantly more damaging and much more difficult to recover from.


#4

Fast forward one year:

Amazon’s Customer Service Atrocious, Gave Me Third-Degree Over $5 Order


#5

This isn’t that scandalous. The main concern is that the rep accepted a wrong billing address, and that’s bad, but it’s not completely outrageous if their policy is to confirm only the postal code. The whole reason standardised postal codes exist is that no other part of an address is reliable; what’s called “620 Stewart St” one time may be called “Ramhorn Ranch” another, with both being the correct address, and refusing to serve a customer based on that sort of discrepancy would lead to a lot of frustrated customers.

If the author hadn’t given a fake WHOIS address (which, hmm), then the substance of his complaint would be “Amazon gave out my phone number to someone who knew my name, email and postal address”. Would you care?


#6

The only “hard part” is matching the street address anyway. For my specific last name and geography, they’d have to pick my last name out of 6 in the whitepages. After one mismatch, Amazon should have emailed me with a notification that someone attempted to get my info.


#7

Why doesn’t Amazon randomly give out wrong information? The customer support person, every once in a while, could ask the customer: “Did you mean the 55-gal drum of personal lubricant?” This might catch some fraudsters.

Also, Amazon should email the account every time there’s an interaction with the customer service reps, no?


#8

The big problem here isn’t Amazon at all, from what it says in the article. They did screw up, but as far as I can see from that article, the information they gave away was his street address and his phone number, which are frequently treated as public information by all kinds of sources.

Back in the old days, you’d just look his name up in the phone book - remember those? The phone company used to pay to print copies of everybody in the city’s address and phone number and give them free to everybody. That doesn’t work for phone numbers any more since so many people use cell phones, but the information is still usually treated as public. Nowadays there are any number of services, free and paid, which will let you dig up that information for someone.

The big problem is any service which treats a caller knowing a person’s current street address and phone number as proof of their identity, such as his bank which apparently considers it good enough validation to change their address and send out a new credit card. Those are the companies he should really be lambasting here.

The broader problem still is there is not a cross-institution consensus on what pieces of information are considered secret and proof of true identity, and what information is considered public record and can and should be readily handed out.


#9

The street address the shipment was going to. And what that shipment was, and his gift card balance (and, even, a handy-dandy URL so the impersonator could track the shipment all the way to its destination!). And, on a second event, the new address a shipment was going to, and what the shipment was. And no one knows what information was given over the phone call that there’s no transcript or (available) recording of. And all of that given to someone who only had his email address and a completely incorrect mailing address.

So, yeah, Amazon (or, rather, their (probably outsourced) customer service reps) really screwed up here, and totally deserves to be lambasted as a concrete example of the problem.


#10

Yes, I agree Amazon deserves to be scolded over this, but in the scenario he describes it’s not the weakest link by any means.

Reread what he wrote? The primary reason he gives for objecting so strongly to what they gave out in the first instance was not that somebody could find out about his shipment, it’s that the street address the shipment was going to was his home address, and that was because he says that information was used to get control of other accounts.

If your street address and phone number - or even the last 4 digits of your credit card - is enough information to take over your account, you have much bigger problems than Amazon.


#11

Interestingly, the information Amazon gave could also be enough to work one’s way through a question like “what is one of the most recent transactions on this account?” It’s hard to determine exactly what information could have facilitated exploits with other companies. On the other hand, it’s pretty clear and easy to prove how Amazon screwed up.

Last four of the credit card has always been a pet peeve of mine, since I discovered that a lot of phone companies and ISPs let you use it (or, sometimes, last four of the SSN!) as validation for account changes. Thankfully the SSN practice has finally started being phased out…


#12

I think the issue is that the scammer gave Amazon the fake WHOIS address, and Amazon happily accepted that because it had the same zip code, even though the address they then gave out didn’t match.


#13

Well now it will be.


#14

Yes, that’s… what I was saying? My point was that the human-readable parts of postal addresses are notoriously unreliable, to the point that if you try to match any part of an address apart from the postal code, you will frequently be telling legit customers that they have the address wrong. It’s not an unreasonable policy to only check the postal code, even if the rep can see that the rest of the address appears to be wrong.

That might sound bizarre, but it’s actually not rare for a property to be associated with more than one door number, or street name, or city name, or for any of those fields to be missing, or in a different order, and this is without even getting into international addresses. There’s literally no part of an address you can rely on, except for postal codes, which exist for that exact reason.

And it’s a pretty narrow window of opportunity for fraudsters; most means of getting your correct zip code would involve getting your correct full address anyway.


#15

One would think, however, that the customer who entered the address that they want to have items shipped to would be able to regurgitate the address that they would have items shipped to.

Of course, simply knowing an email address and a physical address really shouldn’t be confirmation for giving out private information, in any case.
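As an added example, not code from any commenter in this thread or from Amazon, the Python below sketches the two verification policies debated in #14 and #15 side by side: the postal-code-only check that a rep could apply to a caller with a fake WHOIS address, and a stricter check that also compares a normalized street line and, as #6 suggests, records a notification to the account owner on every mismatch and escalates after repeated failures. The account record, its field names, the attempt threshold and the sample data are all constructed assumptions; the normalization only handles abbreviations, punctuation and ZIP+4, so the genuinely different names for one property that #5 describes would still fail, which is why a mismatch notifies and escalates instead of silently denying service.

```python
import re
from dataclasses import dataclass, field

# Hypothetical account record; field names are assumptions for this example.
@dataclass
class Account:
    email: str
    street: str
    postal_code: str
    phone: str
    failed_attempts: int = 0
    notifications: list = field(default_factory=list)

# After this many mismatches the rep should stop retrying and escalate (assumed policy).
MAX_FAILED_ATTEMPTS = 2

# Common street-suffix spellings collapsed to one form (illustrative subset).
_SUFFIX = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr"}


def normalize_postal(code: str) -> str:
    """Drop spaces/hyphens, uppercase, and reduce a 9-digit US ZIP+4 to its 5-digit ZIP."""
    code = re.sub(r"[\s-]", "", code).upper()
    if re.fullmatch(r"\d{9}", code):
        code = code[:5]
    return code


def normalize_street(street: str) -> str:
    """Lowercase, strip punctuation, collapse whitespace, expand common suffixes."""
    tokens = re.sub(r"[^\w\s]", " ", street.lower()).split()
    return " ".join(_SUFFIX.get(t, t) for t in tokens)


def verify_postal_only(account: Account, claimed_email: str, claimed_postal: str) -> bool:
    """The weak policy discussed above: any street in the right postal code passes."""
    return (claimed_email.lower() == account.email.lower()
            and normalize_postal(claimed_postal) == normalize_postal(account.postal_code))


def verify_full_address(account: Account, claimed_email: str,
                        claimed_street: str, claimed_postal: str):
    """Stricter policy: e-mail, postal code and normalized street must all match.

    Every mismatch is counted and queued as a notification to the account's
    e-mail; once MAX_FAILED_ATTEMPTS is reached the rep is told to escalate.
    Returns (verified, reason).
    """
    ok = (claimed_email.lower() == account.email.lower()
          and normalize_postal(claimed_postal) == normalize_postal(account.postal_code)
          and normalize_street(claimed_street) == normalize_street(account.street))
    if ok:
        return True, "verified"
    account.failed_attempts += 1
    # Constructed notification text; a real system would send this out of band.
    account.notifications.append(
        f"Failed identity verification #{account.failed_attempts} for {account.email}: "
        f"caller gave '{claimed_street}, {claimed_postal}'")
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False, "locked: escalate to fraud team"
    return False, "mismatch"


def demo():
    """Walk through the scenario from the thread with constructed sample data."""
    acct = Account(email="victim@example.com", street="620 Stewart Street",
                   postal_code="98101", phone="555-0100")  # constructed
    # Caller knows only the e-mail and a wrong street in the right postal code.
    weak = verify_postal_only(acct, "victim@example.com", "98101")
    strict_wrong = verify_full_address(acct, "victim@example.com", "1 Ramhorn Ranch", "98101")
    # The real owner, with an abbreviated street and a ZIP+4, still passes.
    strict_right = verify_full_address(acct, "VICTIM@example.com", "620 stewart st.", "98101-1234")
    return weak, strict_wrong, strict_right, list(acct.notifications)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The weak check returns `True` for the impostor, while the strict check rejects the same call and leaves a notification behind for the owner; the owner's own call with "620 stewart st." and "98101-1234" still verifies because both lines normalize to the stored values.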

