Chat support is a wonderful thing. For us misanthropes, the ability to just log on and type out a question is a great feature for any company interested in modern customer support. No tinny hold music or unintelligible phone reps, just the exchange of easily transmitted information that’s pertinent to your problem. Maybe a little too easy, as a blogger who identifies himself as Eric Springer found out.
In a Medium post, Springer explained the steps that malicious impostors took to access sensitive information in his Amazon account. Without needing any authentication details beyond his name, his email address, and a fake street address that merely shared his zip code, an attacker (or attackers) was able to obtain his real home address three times over the course of multiple chat sessions with the online retailer.
Springer found out about the subterfuge after he received an automatic email from Amazon thanking him for the customer service interaction. Of course, he couldn’t remember having any customer service chat with Amazon, so he asked the company to forward him the chat logs. In the chat logs, he realized someone else had posed as him—and hadn’t even needed accurate information to do so.
“…I can point out that address isn’t mine,” Springer wrote in the blog post. “It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my ip address would match up with it.”
Once the impostor had convinced the customer service rep that they were Springer, they asked for the shipping details from a previous order. The Amazon rep complied, revealing Springer’s actual home address.
People claiming to be Springer accessed his information on two more occasions.
“Amazon has completely betrayed my trust three times,” he wrote. “I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.”
Even worse, the steps were easily repeatable. Redditors in r/technology posted successful examples of extracting their own account details the same way, and Motherboard was able to recreate the trick.
Springer and Amazon did not immediately respond to a request for comment.
There is an oft-repeated adage that people are much better hacking targets than the computer systems that hold our sensitive data. These events are just more examples of social engineering: the non-technical extraction of identifying details from a person rather than a machine. No technical skills are required when it’s just you and a customer service rep. Knowing the right questions to ask can reveal details that should be kept hidden.
This isn’t the first time Amazon has been exploited for social engineering, either. In 2012, tech writer Mat Honan was infamously victimized by a clever social engineering attack that hit his accounts on Twitter, Apple, and Amazon.
“It’s an arms race,” said Hasan Cavusoglu, a security researcher at the University of British Columbia. He explains that social engineering is not a new development. “Organizations are investing in, not only technology, but changing these policies and training people to be more alert. But the challenge is, security is a moving target.”
Online companies that host our information are in a constant fight with attackers who keep raising the bar and seeking out new weaknesses. “[Companies] need to reevaluate constantly based on the changes in their environment,” said Cavusoglu.
Springer ended his post with some security recommendations for Amazon and its customers. The most obvious one is for Amazon to stop disclosing account details to anyone who isn’t logged in. Tracking and verifying the IP addresses that contact support, and using a separate burner email address for each service, also make the list. But as these incidents pile up, maybe it’s time that companies were held to account.