Amazon plans to monitor the keyboard strokes and mouse movements of customer service employees in an attempt to stop rogue workers, imposters, or hackers accessing customers' data, according to a confidential Amazon document obtained by Motherboard. The document also includes several concrete instances where people managed to steal Amazon customer data.
Although the document says Amazon has considered deploying a solution that captures all of a worker's keystrokes, the tool the company has seemingly leaned towards buying is not designed to record exactly what workers type or to monitor their communications. Instead, the system builds a profile from the employee's natural keyboard and mouse behavior, and then continuously checks whether the same person still appears to be in control of the worker's account, in order to catch hackers or imposters who might otherwise steal data. The move highlights the sorts of tools companies may increasingly deploy as working from home or remotely continues during the ongoing pandemic, and the issues Amazon is already facing with the theft of customer data.
"We are considering an option that will include capturing all keystrokes and with this functionality turned on, we may not be able to deploy the off-the-shelf solution," the document reads.
The document argues that Amazon needs keyboard and mouse monitoring to combat several different threats. One is that people posing as customer service employees have successfully accessed Amazon customer data, according to the document. According to a set of manual audits, an Amazon security team found 4 cases where imposters accessed such data, the document adds.
"We have a security gap as we don't have a reliable mechanism for verifying that users are who they claim they are," the document reads.
The document also points to the "high data exfiltration risk" that comes with more employees working from home; the company's limited security tools to verify the identity of external, outsourced workers specifically; and Amazon operating in what it describes as high risk areas with a high level of corruption and crime.
A bar chart in the document ranks the countries in which Amazon operates by the number of Amazon security threat incidents they face. At the top is India with more than 120, followed by the Philippines with just under 70, and then the U.S. with nearly 40. The chart doesn't provide more context around what exactly happened with those incidents.
The document later points to several use cases, including one where a customer support worker may walk away from their computer without locking it. In this example, their roommates may have expressed interest in seeing what public figures buy from Amazon, and so then look up that information with an internal search tool, the document says. In another, a customer support worker could buy a so-called USB Rubber Ducky device for $50 which lets them input keystrokes at "superhuman" speeds, and steal thousands of customer records in less than an hour, it adds. In a third, a hacker may have bought a customer service worker's password and their multi-factor authentication device from the employee, and then logged in to steal data, the document says.
Security, finance, legal, and other Amazon teams reached a consensus on using a product from a cybersecurity company called BehavioSec, the document reads.
"Behavioral biometrics uses characteristics of human behavior to authenticate individuals based on how they digitally engage their devices and apps, such as mouse movements, typing rhythm, touch and swipe gestures, or how they hold their device," BehavioSec's website reads. Licensing BehavioSec software for around 750,000 users, the scale at which the document says the licensing becomes cost effective, will cost $1,360,000, the document says. BehavioSec did not respond to a request for comment.
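To make the idea concrete, the following Python sketch is an added illustration and is not code from the Amazon document or from BehavioSec. It shows the two checks the article describes in outline: enrolling a typing-rhythm profile (key dwell and flight times) for a legitimate user, then scoring later sessions for drift from that profile, and separately flagging input whose inter-key gaps are faster than a human produces (the "superhuman" speed the document's USB Rubber Ducky scenario refers to). All keystroke timings are constructed synthetic data, and the 3-sigma drift threshold and 20 ms human floor are assumptions chosen for the example, not values from the document or any vendor.

```python
"""Toy keystroke-dynamics verifier (added example; not Amazon's or BehavioSec's code).

A keystroke event is (key, down_ms, up_ms). Two timing features are derived:
  dwell  = up - down            (how long a key is held)
  flight = next_down - this_up  (gap between releasing one key and pressing the next)
An enrolled profile stores mean and spread of each feature for the legitimate user.
A session is scored by how far its feature means drift from the profile, measured
in units of the enrolled spread. A separate check flags gaps too short for a human.
"""
import random
from statistics import mean, pstdev

HUMAN_MIN_GAP_MS = 20    # assumption: a sustained median gap below this is scripted input
DRIFT_THRESHOLD = 3.0    # assumption: drift beyond 3 enrolled-spreads is a mismatch


def features(events):
    """Return (dwell_times, flight_times) in ms for a list of keystroke events."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def enroll(sessions):
    """Build a profile from several sessions known to come from the legitimate user."""
    dwells, flights = [], []
    for session in sessions:
        d, f = features(session)
        dwells.extend(d)
        flights.extend(f)
    return {"dwell": (mean(dwells), pstdev(dwells)),
            "flight": (mean(flights), pstdev(flights))}


def score(profile, events):
    """Largest per-feature drift of the session mean from the enrolled mean, in sigmas."""
    if len(events) < 2:
        return 0.0  # too little data to judge; a real system would wait for more
    d, f = features(events)

    def drift(values, stats):
        mu, sigma = stats
        return abs(mean(values) - mu) / (sigma or 1.0)  # guard a zero spread

    return max(drift(d, profile["dwell"]), drift(f, profile["flight"]))


def is_scripted(events, min_gap_ms=HUMAN_MIN_GAP_MS):
    """True when the median flight time is below the human floor (e.g. a HID injector)."""
    _, f = features(events)
    if not f:
        return False
    return sorted(f)[len(f) // 2] < min_gap_ms


def verify(profile, events, threshold=DRIFT_THRESHOLD):
    """Classify a session as scripted_input, match, or mismatch."""
    if is_scripted(events):
        return "scripted_input"
    return "match" if score(profile, events) < threshold else "mismatch"


def synth_session(text, dwell_ms, flight_ms, jitter_ms, seed):
    """Constructed keystroke timings: a fixed rhythm plus seeded uniform jitter."""
    rng = random.Random(seed)
    events, t = [], 0
    for ch in text:
        down = t
        up = down + dwell_ms + rng.randint(-jitter_ms, jitter_ms)
        events.append((ch, down, up))
        t = up + flight_ms + rng.randint(-jitter_ms, jitter_ms)
    return events


# Constructed sample data: the same text typed by the enrolled user, an imposter,
# and a scripted keystroke injector.
TEXT = "order history lookup for customer account"
ENROLL_SESSIONS = [synth_session(TEXT, 90, 140, 20, seed) for seed in (1, 2, 3)]
PROFILE = enroll(ENROLL_SESSIONS)
LEGIT_SESSION = synth_session(TEXT, 90, 140, 20, seed=7)      # same rhythm, new session
IMPOSTER_SESSION = synth_session(TEXT, 40, 260, 20, seed=7)   # a different person's rhythm
SCRIPTED_SESSION = synth_session(TEXT, 5, 2, 1, seed=7)       # hundreds of keys per second

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION), ("imposter", IMPOSTER_SESSION),
                          ("scripted", SCRIPTED_SESSION)):
        print(f"{name:9s} drift={score(PROFILE, session):5.2f} -> {verify(PROFILE, session)}")
```

The profile stores only timing statistics, not the characters typed, which is the distinction the article draws between a keystroke logger and a "privacy-aware" behavioral model; a production system would also need a policy for what to do on a mismatch (step-up authentication, session lock, analyst alert) rather than treating the score as a verdict on its own.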
The goal ultimately is "by end of 2022, reduce imposter take over by 100 percent to zero cases by year," the document adds.
For legal reasons, the document says Amazon is "facing challenges around collecting keystrokes data." For that reason, the company looked more at "privacy-aware" models that instead collect anonymous keyboard data, the document says.
Barbara Agrait, a senior PR manager at Amazon, told Motherboard in a statement that "Maintaining the security and privacy of customer and employee data is among our highest priorities. While we do not share details on the technologies we use, we continually explore and test new ways to safeguard customer-related data while also respecting the privacy of our employees. And we do this while also remaining compliant with applicable privacy laws and regulations."