How Social Engineering Fooled Amazon Customer Service Reps Into Sharing A Customer’s Data

You generally expect that a company that has your personal information — like your address, recent orders, and billing information — is going to treat that data with some level of care. While you know their privacy policy might still allow some sharing for marketing reasons, you don’t expect their customer service agents to divulge it to anyone who happens to call up and pretend to be you.

Except that’s exactly what happened to one user, Eric, who wrote his story up on Medium. The hacker going after him didn’t do any fancy database work or complicated things with software. Instead, the attacker went after the weakest link in literally every single chain of security out there: the human element.

It all started with one piece of correct information: The attacker going after Eric’s account information had one piece of correct information to start with: a publicly available e-mail address. That let him claim to be Eric, with a level of plausibility.

But after that, it all started to rest on a foundation of lies and careful misdirection. When the Amazon rep asked for “Eric’s” address to verify his identity, the attacker had an address to provide… it just wasn’t the actual billing address.

The address was the one associated with the real Eric’s website, for anyone who ran a WHOIS check on his domain. It was a false address he had given on purpose, knowing that the privacy setting on his domain registration might be vulnerable (an instinct that was apparently correct).

If the Amazon rep had at this point checked that against Eric’s records and said, “I’m sorry, that doesn’t match our information” and pressed for further verification, none of the rest would have happened. But the rep didn’t — strike one against Amazon.

Nor was “Eric” able to verify the last order placed on Amazon, the one about which he was supposedly asking. The attacker claimed (correctly) not to have the order number handy, but just specified twice that it was the “most recent” order. The CSR oh-so-helpfully supplied the missing information, stating the contents of the real Eric’s most recent pending order. Strike two against Amazon.

With Eric’s real address and phone number now obtained, the attacker was able to use it to falsely verify his identity with other businesses.

Eric cleaned up the mess, got a new credit card, gave it a new billing address, and asked Amazon to make a note on his profile that he is often subject to this kind of attack. And all seemed well… until a couple of months later, when exactly the same thing happened again.

This time, the attacker used the address that they’d gotten from Amazon the first time… and amazingly, another Amazon rep once again happily filled in the chat with the items of the most recent order, and the new billing address.

The attacker also pressed the Amazon rep to share the last four digits of the credit card used to place the order, but at least the CSR held firm on that front and refused to provide card data… until a day later, when someone called by phone and seemed successful in obtaining it.

Eric was understandably frustrated after Amazon customer service failed to verify his identity and protect his data three times in as many months.

Unfortunately, this kind of social engineering appears not to be difficult to do with Amazon. After seeing Eric’s post, one reader felt concerned and tried exactly that kind of information fishing on a chat with Amazon customer service, about their own account.

The reader did the same thing Eric’s attacker had done: provided the correct e-mail address but an incorrect physical address, then asked Amazon for the correct address. As he showed in two screencaps, the Amazon rep in that chat made the exact same error, providing the real address and verification of last order placed to the person who provided no verification of their identity.

We’ve asked Amazon for comment on this story and will update if we hear back.

Amazon’s customer service backdoor [Medium]