I must admit: it has been some time. But this particular topic is not only interesting, it also has a critical impact on some people's privacy.
Some things are shocking: can a big company such as Amazon put your details at risk? Can Amazon easily be social-engineered?
As of today we know: yes, and it is even easier than you might have thought. Eric Springer, who runs virtual instances over at Amazon (spending over $600 per month), wrote a blog post on how his Amazon account was social-engineered and how he noticed it.
Basically, the attacker always used the same scheme:
- Go to the Amazon chat or phone support
- Use an address within the same zip code (e.g. a hotel) to be verified
- Ask where the last shipment has been sent to
- Amazon will leak the address of the last shipment
Amazon should really implement something like a customer-service security PIN that can only be viewed and set from within the account. Looking forward to hearing the response from Amazon.