
Apparently someone managed to call Amazon's support, tricked and convinced them into changing my account's email, ordered something, and eventually proceeded to delete my entire account.

Now Amazon's support refuses to help me for data protection reasons 😂

Looks like it's enough to know someone's address to hijack their account.

Update: support refuses to help me via email, because they need me to call and confirm my postal address to prove my identity.

They don't even seem to realize this is exactly where the entire dilemma started 😩

Also I simply don't know the postal address the hijacker changed my account to.

Last but not least, they can't help because the account is now deleted. They sure do seem to still store a whole lot of data associated with it still, though.

@fribbledom I have learned to live without amazon now for a few weeks and it does work...and it's not necessarily more expensive. The only downside is that it is not that convenient to return stuff.

@Anke That sums it up quite nicely in a four-letter word. I actually came up with another four-letter word first, but yeah 😆

@fribbledom Sounds very shitty 😟 You're probably better off just opening a new account, if you still have some gusto for it.
@fribbledom Can't you simply use Switzerland's GDPR equivalent to ask for all data they have about you? :)
@fribbledom on the other hand, they can say it has been deleted and the answer would be only your calls to support you just did...

@ckeen Probably not, because I can't prove my identity to them. They seem to ask me for the postal address the hijacker entered.

@fribbledom email bezos and you're ok!!! ahahaha that's shitty on so many levels, amazon really sucks

@fribbledom Egh, Amazon support.. if you keep drilling down, you may eventually find someone actually understands the issue.

(I had a terrible time trying to point out I'd like packages for me left only at *this* address, not a neighbor)

@fribbledom I hope you are in the UK and can flag that to the ICO.

If you are in europe your local data agency should be able to help.

That's clearly a data breach and Amazon will comply with the investigation if the ICO is involved.

@fribbledom hmm didn't Amazon offer 2FA? I had thought it would be overkill, but now i'm seriously considering it 🤔

@fribbledom @aslmx But still questionable if that helps to be protected against such obvious support process flaws ...

@fribbledom

‘And he says "Your password has been sent to your e-mail address"
I'm like: I can't get in my e-mail address!
What about "can't get in my e-mail address" do you not understand’

Body Count - Institutionalized 2014

m.youtube.com/watch?v=fqIp3i1Z

@fribbledom Ouch! "Call and confirm your postal address"? As if that's as secret as your password?

It sounds like a good thing (relatively speaking) that Amazon deleted your account. At least the thief can't run up more charges on you. But how stupid can big companies be?

@fribbledom If you can confirm your real address they should still be able to check that it was the old address on the account before it was attacked.

@penguin42

This might help me right now, but I feel like that's just making the problem even worse:

It's bad enough they accept my current address as a valid form of authentication, but now even all my previous addresses suffice, too?!

@fribbledom I'm betting the attacker had something more than your address - perhaps date of birth (hmm cake...)? Maybe an order number/item? Still, you can't expect Amazon to fix their screwup without some proof of something!

@penguin42 I'm happy to prove my identity to them, but they're not even accepting a proper form of identification.

Instead they ask me questions only the hijacker would be able to answer at this point.

Heck, even an email to the original address would suffice to prove it... you know, like virtually every other service handles such situations.

@fribbledom @penguin42

Likely: they are comparing your address history to what they have.

@fribbledom I'm now very happy that I recently turned on 2FA with Amazon.

I wish I had useful advice to offer, but dealing with them is always "interesting."

@fribbledom Write a detailed blog post of rants and submit it to Hacker News; if it ever hits the front page, your issue will be resolved soon. :doge: It seems to be one of the few effective ways to deal with companies from Silicon Valley...

@tatey I'm still a bit in shock myself. Probably not much harm done eventually, but it really makes me question Amazon as a company to handle all kinds of sensitive personal data.

@fribbledom That's terrible. They should be able to avoid basic social engineering attacks like that! So sorry you're suffering from their lack of security.

@fribbledom this is a HUGE security issue and you should be loud about it

@fribbledom

You will have to file a police complaint, if you haven't done so already. Because:

* You have been a victim of crime (identity theft, privacy breach)
* You may be a victim of future crimes (see identity theft above)
* You may be the target of claims for compensation or other demands by other victims (including Amazon themselves)
* If you're really unlucky you could be accused of complicity with the perpetrator.

@fribbledom
At least they did you a favour by deleting your Amazon account.

I had to do it myself instead. This was 2-3 years back when trying to order some computer equipment, and you realise that 90% of the “sellers” are obvious scams. You try to report it and they don't give a flying.

Now I just buy online from a number of independent shops. The first time I always call them on the phone to see if there's an actual human with whom I would like to do business.

@61 Just to be clear: the account got deleted by the hijacker, not by Amazon themselves. Seems it's a useful tactic to further complicate things for the rightful account holder.

@fribbledom
Yes, I understood that correctly. 🙂

File your police report. You can accuse Amazon of whatever you want in there, then send a copy to Amazon's local presence in your jurisdiction (you will find them in the business register).
If you're in the #EU / #EEA writing to your data protection agency and consumer rights organisation are good ways to go.
Lastly, use the tools the #EU puts at your disposal - 1/2

@fribbledom Years ago I complained about certain business practices (companies like Dell refusing to sell cross-border) and recently new legislation has been passed to that effect. Hard data helps the bureaucrats push things in the right direction. If you don't do that, the lobbies win. - 2/2

@muesli I can only think of two things that happened here: human error or social engineering.

Social engineering, well, someone knows a lot about you. Home addresses, telephone numbers, emails, past purchases, full name, birth date, and so on, so that they were able to pass all vital questions. Even the last 4 digits of your cards.

Human error: whoever that agent was did not follow protocols and procedures. In services where credit cards are involved and there was a certain total amount of purchases in the whole account (we call this a "high paying/spending customer"), ALL information in your account must be answered correctly, and questions that no one else could ever know, like how many purchases you made, the dates, what your first purchase was, when you created your account, etc., are also asked.

No form of social engineering can pass such a barrage of verification questions if the agent is doing their job properly. The sad thing here is, most human errors are due to stress, pushing one to their limits, their work environment itself, their work practices, not because the agent was sloppy and irresponsible. Unfortunately, the customers are the ones who suffer the most.

But if you do complain and request an escalation, it will be investigated. Here's the thing: accounts are rarely deleted. There is always some encrypted backup somewhere that requires approval paperwork to be retrieved and decrypted, and only one or two people can see it. It is for cases like these. Once proven, especially if you are a high spender, the agent will be terminated and may even face a court case and be banned from the industry too. (That's how it is even if you say you don't want it to happen to the agent.)

But since the GDPR and mandatory total deletion laws, no records may exist for EU customers. That's the painful catch of the new EU laws. Totally no more records, not even in back-ups, for later investigations or recovery if needed.

@fribbledom ugh that's terrible!! I'm so sorry you're going through this.

@fribbledom Amazon is a literal Nazi company, so the sooner you'd leave it, the better.

@fribbledom I'm curious, are you an Amazon Web Services customer? Because that greatly raises the stakes on your Amazon account.

@fribbledom in my experience you can get support to bypass almost every security check, I've only ever used it to recover my own account but still. Humans are almost always the biggest security flaw.

@fribbledom You should refute the charge on your card or PayPal.

@fribbledom Oh fuck, that's horrible.

I'm going to go make sure I have de-DRM'd copies of all my Kindle purchases now.
