
Amazon security leak?????


rans6andrew
2nd Jul 2016, 12:28
After I had finished work for the day, yesterday, and switched off my email machine to stop extra work from coming in to spoil my weekend, I received two emails from Amazon.

The first confirmed an order that I didn't place, the second confirmed that my Amazon account related email address had been changed to a bastardisation of my old hotmail account that went AWOL several years back. Hotmail wouldn't re-enable my account because I could not provide them with a mobile phone number and we reached stalemate.

Alarm bells rang. I don't have any recollection of logging into Amazon, ever. I have ordered a few things from/through them, the most recent being in Feb 2015. The time before that was in 2013. They may have caused me to open an account but I have no hope of remembering either a login or password. Nothing in my email history suggests I actually accessed an account at Amazon.

The order which I have been notified of was for a novelty mask, costing just a couple of pounds. It is confirmed for delivery to my address and paid for by my Mastercard. I have been on the phone to Amazon and they have cancelled the order and intend to contact me through my own, current, email address in the next 48 hours.

I have also contacted my credit card account fraud line. They have stopped my card. They have also confirmed that it was used for a number of on-line purchases in the last few days, none of which I made and all for increasing amounts. I tried to log into my card account to see if I could start to figure out which transactions are genuine and which are fraudulent. This failed for two reasons. Firstly, since my card has been cancelled the account is locked out for 24 working hours (i.e. until Monday afternoon) and secondly it is locked out permanently because I was sent a password in 2012 but have never logged in.

So, where is the leak? I have no email record of any Amazon account stuff so I am ruling out something nasty lurking in my email computer. Is that sensible?
I also trust my credit card supplier, they generally give me no trouble and have been most helpful today.
I can't imagine that it could be through the debris left in my hotmail account as it was several years ago when it became US .......
I am coming to the conclusion that it must be Amazon that has failed to protect my information.
Is my hacked Amazon account likely to be a problem? I don't need it and now my credit card has been stopped nobody should be able to cause me fraudulent expense?

Is there anything else I should do to protect my self?

Thanks.

Curious Pax
2nd Jul 2016, 13:38
If you have never used your credit card with Amazon then it is less likely to be them. You say the email account was a variation on your Hotmail account - is it (roughly) your name? i.e. is it a coincidence it was close, as they have acquired your credit card elsewhere and just set up an account with a name nearly the same as on the card? If so then places like petrol stations usually come on the radar as hotspots for skimming card details.

I guess the small initial purchases were testing the water before really giving the card a hammering, so well done spotting it when you did.

750XL
2nd Jul 2016, 13:45
I suspect your details were sold on for a few quid on one of the 'Dark Net Markets' for someone to chance their luck with your details.

A bit off topic, but I recently opened a Netflix Account paid through PayPal. A month or so later I noticed people from across the world had been using my Netflix account to watch shows. I've absolutely no idea how my username/password combination was leaked because it certainly wasn't guessed, and I wasn't the victim of phishing links etc.

The only thing I could think of is someone on the inside leaking account details and flogging them on for a few quid at a time to Dark Net Markets

rans6andrew
2nd Jul 2016, 13:57
It was a pure fluke that I put my email on today and found the messages. I usually switch it off on Fri evening and avoid it until I start work on Mon morning. I was expecting a reply from a friend last evening but it was a bit slow coming so I looked for it this morning. My hotmail has been dead since long before my credit card was issued, start date 2014, soon to expire anyway.

I have used my credit card at Amazon, just once since the card start date, Feb 2015. I don't understand the hotmail connection unless I placed an order with Amazon when my hotmail was still working - the remnants may have been loitering in the Amazon data.

The login name changed to a misspelling of my Christian name dot my surname in a way that is similar to my genuine old hotmail name, which all of my contacts would have in their address books as it was my only personal email for some time before I set up my own domain name account.

Geordie_Expat
2nd Jul 2016, 14:00
I don't have any recollection of logging into Amazon, ever. I have ordered a few things from/through them, the most recent being in Feb 2015. The time before that was in 2013. They may have caused me to open an account but I have no hope of remembering either a login or password. Nothing in my email history suggests I actually accessed an account at Amazon.

Isn't this a bit of a contradiction ? I wasn't aware you could order through Amazon without an account.

Pontius Navigator
2nd Jul 2016, 14:43
I had a similar problem with eBay. The idea is that you log on to check/dispute the transaction. It will be a fake web site but one that will actually connect with eBay or Amazon but capture your password on the way.

Your credit card details are freely available if you buy things over the phone. Your email address is also in the public domain.

The main giveaway is the original message email address may be from a genuine hacked site or a hacker's site.

I got one from my brother in law yesterday. It appeared genuine but the flags were an old email address, a strange origin time and a spam link.

Pontius Navigator
2nd Jul 2016, 14:45
The other thing to watch for is an expensive item delivered by Amazon. You ring Amazon and they send a courier to pick it up. The thief gets there first and tells you it was fraud and collects the parcel.

ExXB
2nd Jul 2016, 16:57
NEVER, NEVER, NEVER, EVER, EVER, EVER click on a link in an e-mail. Use your own favourites in your browser or type it in yourself. Even if you are 236.7% certain it actually came from whomever it says it's from, you are probably wrong.

I also recommend you DON'T save your credit card details with any retailer. Yes it's a pain to type it in every time, but you are much safer. Many password managers (I recommend* 1Password for Mac and PC) will paste that information for you.

*Spoken as a happy customer, I have no other relationship with this company

tdracer
2nd Jul 2016, 17:15
There are dozens of ways your cc info can be compromised - even if you never use it for on-line purchases. Basically any time you use a cc, there is the possibility of it getting compromised.
Your only real protection is to set up the on-line accounts with the cc company and regularly check for unauthorized use - I check every day or two. Sure enough, about a year ago, two charges showed up on my AmEx for cell phone purchases - same day - total about $1000. I immediately called AmEx and they took care of it, removed the charges, and sent me a new card. Biggest hassle was that I have a number of bills that auto-pay through the AmEx - I had to go into all those accounts and update the payment info.

MSF
2nd Jul 2016, 18:10
If you use firefox, be sure to set a master password to guard your settings.

Gertrude the Wombat
2nd Jul 2016, 18:20
Many password managers ...
"Password manager?" - one stop shop for criminals. Hack your password manager and they've instantly got all your accounts in one go. Dream target.

rans6andrew
2nd Jul 2016, 19:58
I don't let any of my machines remember any of my passwords for anything except for one machine which only gets used for email. I do let a couple remember the login for Pprune but nothing else. I also exclusively use FF browser and run it in Private browsing mode. On my Linux machine it always launches in Private but I have not been able to persuade any of my Windoze machines to do this.

lomapaseo
2nd Jul 2016, 20:09
many of my posts on PPrune are faked by somebody else, it's just that I agree with most of them or realize that alcohol was probably involved.

axefurabz
3rd Jul 2016, 10:16
lomapaseo :D:D:D

ExXB
3rd Jul 2016, 15:17
"Password manager?" - one stop shop for criminals. Hack your password manager and they've instantly got all your accounts in one go. Dream target.

Pretty unlikely they could get to my Mac and then guess my 39-character master password.

Clue - It's a phrase ... spaces, numbers, special characters and upper and lower case. Easy peasy to remember, impossible to guess.

glad rag
3rd Jul 2016, 16:11
Talking about CC details being recorded: once at Toulouse the check-in system was being French [sorry] and, as it was a security procedure of some kind, the [by now stressed] check-in madam was writing down everyone's CC details for some reason I was unaware of.
Odd.

reynoldsno1
4th Jul 2016, 01:04
I can't imagine that it could be through the debris left in my hotmail account
I could - hotmail nowadays is a nightmare. I no longer use it to connect to online accounts I use regularly - just one-offs. It seems to attract the more nefarious types.

VP959
4th Jul 2016, 09:49
My wife and I have been hit by this type of fraud a few times now, me twice, her once. It's a complete pain, but frankly I don't think there is much you can do to stop it, other than the obvious things, like having a good security strategy for anything you do online (as mentioned above). Even then you are going to have your details collated. It's big business gathering data and collating it into a usable format, and there are lots of companies out there doing it. A lot of software and apps that are "free" are really just gathering data from you as a form of payment. This is how some companies make their money; even Microsoft seems to be heading the same way with its Android-like "give the OS away and make the money from the data gathered" approach that it looks like it may be moving to.

Part of the problem seems to lie with the big databases that contain all this data that is being bought and sold all the time. In themselves they don't have enough on you to allow a fraudster to do the whole job, but they do provide 90% of the data needed. Many of these databases are not as secure as I'd like, as a friend (whose day job is penetration testing of online systems) showed me a couple of years ago. Retailers buy, as well as sell, your personal data and many of those are notoriously poor at maintaining good security.

Our experience has been that the three attempted thefts we were subjected to all followed the same pattern, a couple of small transactions followed by attempts at large ones. Two were picked up before the large transaction (by our bank), one wasn't (Barclaycard failed to spot it until my credit limit was reached).

In the one case my wife experienced we never found the source of the data breach. She does shop a great deal on line, using her iPad, and uses different secure passwords with stores. We, and the bank, suspect the fraud was most probably someone in one of the online stores she'd used, but the bank chose not to do any in-depth investigation, they just gave her a new card and wiped out the theft amounts from her balance.

In the two cases I've experienced, one was years ago, when I was caught (along with hundreds of other people) by the gang that had fitted hardware into a motorway services card reader on the M27. I only know that because we were told when the gang were caught, by the police (who retrieved our details from the gang after arrest) not the credit card company, they don't seem to chase these things up as far as I can see. The second case was a restaurant that had an employee skimming credit card details. He was doing something clever to read the card data and had, apparently, watched over my shoulder when I typed in my PIN to the portable machine. He was caught as well, but again the credit card company didn't tell me, the restaurant did after he was caught and dismissed (and gave us a voucher for a free meal). Interestingly, although I got the money back from the credit card company (eventually) and although the employee was caught, he wasn't prosecuted. I have absolutely no idea why, as the restaurant owner seemed very concerned that one of his employees had been a thief, yet no one seemed to press for a prosecution.

We've been lucky since, and not had any other major problem with cards in the past couple of years, despite our online spending having been pretty high over that period. Some of that may be down to me having switched to using Linux and my wife using her iPad, both of which are less likely to be targeted, I believe, than Windows machines. Some is almost certainly down to the banks (or at least our current bank) having better security systems (I've noticed that they do pick up a significant number of online transactions and seek confirmation from me over the phone now, which never used to happen). Some may well be down to our experiences having made us a great deal more security conscious.

I've no doubt the fraudsters will catch up again soon, though, it's been a multi-million pound theft activity for years, so there are always going to be people trying, and succeeding, to overcome any security measure anyone puts in place.

rans6andrew
4th Jul 2016, 19:24
After Amazon changed my email back to "my" address it would appear that I have some visibility on what is happening. It reads that I bought some gamer's headphones and then, once the credit card stuff had happened, changed the delivery address. So, they know where the culprit lives, but they won't tell me and there is no indication that they will share this info with the law. So nobody will get prosecuted.

I still can't log into "my Amazon account" as I don't know what password to use, it may not even be my password any longer, more likely the crook has changed it to "his password" and will more than likely change the associated email again. It is the closest thing to perpetual motion I can think of.

I will just ignore it now that my credit card can't be used and, if I ever need anything from Amazon again I will start a new account with a new password.

VP959
4th Jul 2016, 21:07
Years ago, companies would only deliver goods bought online or by mail order to the card holder's address. Now it seems they deliver anywhere, irrespective of that.

I suspect that the minor inconvenience of only delivering goods to the card holder's address might well stop the majority of this type of fraud, for only a relatively minor inconvenience to customers.

G-CPTN
4th Jul 2016, 21:44
Years ago, companies would only deliver goods bought online or by mail order to the card holder's address. Now it seems they deliver anywhere, irrespective of that.

I suspect that the minor inconvenience of only delivering goods to the card holder's address might well stop the majority of this type of fraud, for only a relatively minor inconvenience to customers.
It is my experience that once the initial order is executed, the account holder is permitted to add alternative recipients to receive 'gifts'.

I have several such alternatives, some sharing my surname and others not.

I do all my present buying for birthdays and Christmas 'online'.

rans6andrew
5th Jul 2016, 12:05
Some of the items "bought on my behalf" are going to come to me as the scum tried to change the delivery address after the goods were shipped. I am going to get a Witmood Smart Bracelet at the beginning of August. Some novelty masks will be here next week.

Amazon have allowed me access to my account and I have changed the password to something original. It would seem that I have moved to Indonesia since Friday!

I just need my credit card supplier to get his finger out and issue a new card with a new number and then let me see into my account........... then I can start sorting out the remaining chaos.

rans6andrew
23rd Jul 2016, 22:20
Since I was notified, by Amazon, of purchases going on through my account but not made by me, I have had a flood of emails which all look to be from Amazon. I found that the story they tell doesn't stack up regarding the actions taken by Amazon to stop activity in my account. I know this as I have stopped the credit card associated with the account and have not bought anything since. To try to find which, if any, emails might be genuine I set my mail browser to show all headers. Strangely, Amazon isn't mentioned in any of the "from" or "to" names of servers or originators for most of the emails received. In a genuine Amazon sent email, "Amazon" is mentioned in several "from" and "to" nodes. Today I got another email providing me with much valid info and a link to go in to reset all of my account. On the face of it the link went through the Amazon.com website but hovering over it and looking at the true URL it didn't have any Amazon.com part, it went to yanabuy.fr, which is part of the path the fraud email takes to come to me. I didn't click the link but I was tempted to do so and enter a load of bolleau in my info.

Is there anyone I should be sending this stuff to? Perhaps to get it investigated?
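The two checks rans6andrew describes in that post (read the Received: chain to see which servers actually handled the message, and compare a link's visible text with where its href really points) as an added worked example in Go. This is not code from the thread or from Amazon. The two messages are constructed for the example: mx.example.net, the IP addresses, the queue IDs and the header values are made up, and yanabuy.fr appears only because the post names it. The heuristic in check 1 is the poster's own ("Amazon isn't mentioned in any of the server names"), coded as written.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample messages, not real mail: hosts, IPs and IDs are made up. The first mimics
// the one in the post (From: claims Amazon, the relay chain never touches Amazon, link text and
// real target differ); the second is the shape of a genuine notification.
const samplePhish = "Received: from mail.yanabuy.fr (mail.yanabuy.fr [198.51.100.7])\r\n\tby mx.example.net with ESMTP id 7f3a; Sat, 23 Jul 2016 20:01:02 +0000\r\n" +
	"Received: from localhost (localhost [127.0.0.1]) by mail.yanabuy.fr; Sat, 23 Jul 2016 19:59:00 +0000\r\n" +
	"From: \"Amazon.co.uk\" <account-update@amazon.co.uk>\r\nTo: victim@example.net\r\n" +
	"Subject: Your account has been suspended\r\nContent-Type: text/html\r\n\r\n" +
	"<p>Please visit <a href=\"http://yanabuy.fr/reset?u=123\">http://www.amazon.co.uk/ap/reset</a> to restore access.</p>\r\n"

const sampleGenuine = "Received: from smtp-out.amazon.co.uk (smtp-out.amazon.co.uk [203.0.113.9])\r\n\tby mx.example.net with ESMTP id 9c1d; Fri, 1 Jul 2016 18:00:00 +0000\r\n" +
	"From: \"Amazon.co.uk\" <auto-confirm@amazon.co.uk>\r\nTo: victim@example.net\r\n" +
	"Subject: Your Amazon.co.uk order\r\nContent-Type: text/html\r\n\r\n" +
	"<p>View it at <a href=\"https://www.amazon.co.uk/gp/css/order-history\">https://www.amazon.co.uk/gp/css/order-history</a>.</p>\r\n"

var (
	receivedFrom = regexp.MustCompile(`(?i)^from\s+([^\s(;]+)`)
	anchorRe     = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	looksLikeURL = regexp.MustCompile(`(?i)^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$`)
)

type Report struct {
	FromDomain string
	RelayHosts []string // the "from" host of each Received: header, the hop our own MX saw first
	Findings   []string
}

// hostOf reduces a URL, a bare host or an e-mail address to a comparable host name.
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") && !strings.Contains(s, "@") {
		s = "http://" + s // link text is often written without a scheme
	}
	if !strings.Contains(s, "://") { // bare e-mail address
		return strings.ToLower(s[strings.LastIndex(s, "@")+1:])
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	// Hostname() sees through "http://www.amazon.co.uk@evil.example/": before '@' is userinfo.
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
}

func Analyse(raw string) (*Report, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	r := &Report{}
	if addrs, err := msg.Header.AddressList("From"); err == nil && len(addrs) > 0 {
		r.FromDomain = hostOf(addrs[0].Address)
	}
	// Each hop prepends a Received: line: the first is the one our own server wrote, the only one the sender could not forge.
	for _, v := range msg.Header["Received"] {
		if m := receivedFrom.FindStringSubmatch(v); m != nil {
			r.RelayHosts = append(r.RelayHosts, strings.ToLower(m[1]))
		}
	}
	// Check 1, the poster's test: is the organisation named in From: anywhere in the chain? (Heuristic: a miss means look harder.)
	if org := strings.SplitN(r.FromDomain, ".", 2)[0]; org != "" &&
		!strings.Contains(strings.Join(r.RelayHosts, " "), org) {
		r.Findings = append(r.Findings, fmt.Sprintf("From: claims %s but no relay mentions %q (chain: %s)",
			r.FromDomain, org, strings.Join(r.RelayHosts, " <- ")))
	}
	// Check 2, what hovering showed the poster: the visible link text versus the real href.
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		href, text := m[1], strings.TrimSpace(m[2])
		if !looksLikeURL.MatchString(text) {
			continue // "click here" style text: nothing to compare against
		}
		if hostOf(href) != hostOf(text) {
			r.Findings = append(r.Findings, fmt.Sprintf("link text shows %s but points at %s", hostOf(text), hostOf(href)))
		}
	}
	return r, nil
}

func main() {
	for _, raw := range []string{samplePhish, sampleGenuine} {
		r, err := Analyse(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("From %s via %v\n  findings: %q\n", r.FromDomain, r.RelayHosts, r.Findings)
	}
}
```

Two caveats a practitioner would add. Check 1 is only the thread's rule of thumb: large senders routinely use third-party relays, so the authoritative test is the Authentication-Results header (SPF, DKIM, DMARC) that your own mail server adds, and only the topmost Received line is trustworthy, since everything below it arrived with the message. This is also why the Amazon advice quoted further down, to send the suspect mail as an attachment rather than forward it inline, matters: an inline forward discards exactly these headers.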

G-CPTN
23rd Jul 2016, 22:41
Most responsible organisations have an address to inform them of fraud attempts such as phishing.
Not all will acknowledge receipt and even fewer will respond with an explanation - in fact I don't think I have ever received an explanation.

http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=201489190

If the above link doesn't work for you, search on Amazon and Phishing or enter 'phishing' into Amazon 'Help'.

What should you do with the suspect email?

Do one of the following:

1. Open a new e-mail and attach the e-mail you suspect is fake. Note: Sending this suspicious e-mail as an attachment is the best way for Amazon to track it. ...

or

2. Forward the e-mail to [email protected]

UniFoxOs
24th Jul 2016, 08:07
Years ago, companies would only deliver goods bought online or by mail order to the card holder's address. Now it seems they deliver anywhere, irrespective of that.

Some religiously stick to this, others don't give a damn. The ones that do are a real pain to me as I have to have heavy stuff shipped to my home, and then transport it elsewhere.

Gertrude the Wombat
24th Jul 2016, 10:32
Is there anyone I should be sending this stuff to? Perhaps to get it investigated?
Most people get several of these every day. I'm not aware that we pay enough taxes to employ the vast army of public servants that would be needed if we were to report every one of them!

VP959
24th Jul 2016, 10:59
It seems to be a growing problem, though. There was a bit on the news a few days ago saying that most theft was now online fraud (not sure of the validity of this - I didn't catch the name of the source), and that the police were essentially powerless to do much about it, as the pressure is on them to put most of their resources into solving "real" crime.

My experience with banks and credit card companies is that they don't seem to investigate it, either, they seem to just accept that it's a cost of doing business and adjust their charges accordingly. Retailers just don't do a thing, it seems. They may report it to the police and bank or card company, but seem uninterested in doing any more. When I got annoyed enough to want to do some detective work of my own when someone scammed my card company out of a load of money, the majority of it with an online camping goods supplier in the Cotswolds, the retailer didn't want to help me at all. The retailer had the address the goods had been despatched to, but the police hadn't asked him for it(!) and he wouldn't give it to me, citing the DPA. When I pointed out that the DPA didn't apply, as I was the registered card holder and the purchase had been made in my name, with my personal details, he still wouldn't help, and made some comment about "it's why we have insurance" or something similar.

The scammers know that the chance of them getting caught is very low, and it is probably why theft has shifted to online fraud, as it's a far lower risk to the thief than breaking and entering to steal stuff to sell.

As above, the volume of scam emails is vast, millions are sent every day, and it isn't practical to stop them, unless we change the way email works. Email is inherently very insecure, as it evolved without a thought to security or the sort of issues we now face every day. It's dead easy to encrypt email, using public/private keys, and if we were to switch to such a system then we could practically put all the email scammers out of business. The technology exists, and is used in some secure messaging apps, but there is no will by governments to allow it to be implemented. My own view is that this may well be because it would jeopardise their ability to look at email traffic, but there is also commercial resistance, as there are plenty of other players who don't want email traffic to become secure and unreadable to anyone other than the recipient.

Gertrude the Wombat
24th Jul 2016, 11:54
It's dead easy to encrypt email, using public/private keys, and if we were to switch to such a system then we could practically put all the email scammers out of business. The technology exists, and is used in some secure messaging apps, but there is no will by governments to allow it to be implemented.
You can encrypt your email if you want to, nobody's stopping you. Most people don't, mostly because of the faff of getting your recipients to understand how to decrypt it, but also because it makes you look like a tinfoil hat nerd.

VP959
24th Jul 2016, 12:01
You can encrypt your email if you want to, nobody's stopping you. Most people don't, mostly because of the faff of getting your recipients to understand how to decrypt it, but also because it makes you look like a tinfoil hat nerd.
I know. I can easily encrypt email, and do so very occasionally when I want to send someone I know something that I want to remain confidential, but it is a faff, as encryption isn't natively supported by many email apps, headers have to remain unencrypted (because if they are encrypted the servers can't read them and direct them) and the person I'm emailing has to be savvy enough to be able to use PGP.

If we had an email system where all the data was always encrypted, and the act of adding someone to your address book stored the key at the same time, then it would reduce the level of fraud via email.

Some banks already do this by using a secure messaging system built in to their online systems. My bank and credit card company do this, and only use email to alert you to a secure message waiting in their system. This means that I can be certain that a phishing email from either of them will be fraudulent, as neither uses email like this. If it's not on their secure messaging system it's fake.

Gertrude the Wombat
24th Jul 2016, 14:08
If we had an email system where all the data was always encrypted, and the act of adding someone to your address book stored the key at the same time, then it would reduce the level of fraud via email.
The open source weenies will tell you that if you can't already get Thunderbird add-ins that do all that (I suspect you probably can) then you're free to write them yourself and contribute them to the community :D

VP959
24th Jul 2016, 14:36
The open source weenies will tell you that if you can't already get Thunderbird add-ins that do all that (I suspect you probably can) then you're free to write them yourself and contribute them to the community :D
You're almost certainly right, but the key issue here is that the email used by the vast majority of users is inherently insecure and very easy to spoof. I'm sure many of us know that we can look at headers and see where an email has really come from, rather than where it's pretending to come from, but the scammers rely on the fact that there are large numbers of people that don't even know how to do this basic level of checking.

I know it's a legacy format problem, and that the people that came up with the email system most of us use never envisaged the problems many face from the inherent insecurity of it, but I can't help thinking that it would be useful if there were a step-change to enable encryption and source verification by default, rather than stick with the very old format that the majority use.

The problem seems two fold:

Firstly there are so many hundreds of millions of people using email that getting them all to switch to a new format would be a nightmare, worse, by far, than a company like Microsoft or Apple switching the way their operating systems work.

Secondly, there is pressure from people, like the intelligence services (and others) to maintain unencrypted email. I can understand the argument of the intelligence services, but given that email-induced fraud is probably more than their budget, they do, perhaps, need to put this in perspective. All those companies that make a lot of money from knowing who you're emailing and collating the data to sell to advertisers would also be less than keen to see an encrypted system, I'm sure.
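The scheme VP959 sketches across his last two posts (routing headers left in clear so servers can direct the message, everything else encrypted, the contact's key stored at the moment they are added to the address book, and source verification by default) as an added worked example in Go. This is not code from the thread, nor PGP, S/MIME or any real mail system; it is a toy model of that design using only Go's standard library. Identity, AddressBook, Envelope, Seal and Open are names chosen here, the addresses are made up, and the address book trusts whatever key was stored when the contact was added (trust on first use), which is the part the post hand-waves.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Identity is a mailbox and its key pair. AddressBook is what adding a contact fills in (their
// public key); it is also the reader's only trust root, so mail from anyone not in it is unverifiable.
type Identity struct {
	Addr string
	Key  *rsa.PrivateKey
}
type AddressBook map[string]*rsa.PublicKey

func NewIdentity(addr string) (*Identity, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Addr: addr, Key: k}, nil
}

// Envelope is all a relay sees: From/To in clear for routing, everything else opaque.
type Envelope struct {
	From, To   string
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the recipient's stored key
	Nonce      []byte
	Ciphertext []byte // AES-GCM over "subject\n\nbody", with From>To bound as associated data
	Signature  []byte // RSA-PSS by the sender over every field above
}

func (e *Envelope) digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(e.From), []byte(e.To), e.WrappedKey, e.Nonce, e.Ciphertext} {
		fmt.Fprintf(h, "%d:%s", len(f), f) // length prefix so fields cannot run into each other
	}
	return h.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts to the recipient's stored key and signs with the sender's own.
func Seal(sender *Identity, book AddressBook, to, subject, body string) (*Envelope, error) {
	pub, ok := book[to]
	if !ok {
		return nil, fmt.Errorf("no key for %s: add the contact first", to)
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return nil, err
	}
	env := &Envelope{From: sender.Addr, To: to, Nonce: buf[32:]}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, []byte(subject+"\n\n"+body), []byte(env.From+">"+env.To))
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil); err != nil {
		return nil, err
	}
	if env.Signature, err = rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, env.digest(), nil); err != nil {
		return nil, err
	}
	return env, nil
}

// Open checks the sender against the address book before decrypting anything.
func Open(me *Identity, book AddressBook, env *Envelope) (subject, body string, err error) {
	pub, ok := book[env.From]
	if !ok {
		return "", "", fmt.Errorf("%s is not in the address book: sender cannot be verified", env.From)
	}
	if err = rsa.VerifyPSS(pub, crypto.SHA256, env.digest(), env.Signature, nil); err != nil {
		return "", "", fmt.Errorf("signature does not match the stored key for %s: %w", env.From, err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me.Key, env.WrappedKey, nil)
	if err != nil {
		return "", "", err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", "", err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+">"+env.To))
	if err != nil {
		return "", "", err // tampered header or body, or not encrypted to us
	}
	parts := strings.SplitN(string(plain), "\n\n", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed plaintext")
	}
	return parts[0], parts[1], nil
}
```

The anti-phishing property this buys is the one the posts are after: a message claiming to be from a contact but signed with some other key, or from an address that was never added to the book, is rejected by Open before the body is ever decrypted, and changing the clear-text To or From after the fact breaks the signature. What it does not hide is exactly the limitation VP959 concedes: the relays still see who is writing to whom, when, and how much, because those fields have to stay readable for routing.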