RE: Fw: A Story: Amazon.com Security Silliness

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jul 2005 20:54:21 -0500

Normal in the biz. "I don't know nothing about security, I just work
here"

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, July 20, 2005 8:46 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: A Story: Amazon.com Security Silliness
> 
> http://www.ISAserver.org
> 
> A forward from my post to Bugtraq-- I figga'd youz guyz would appreciate it ;)
> 
> 
> ----- Original Message ----- 
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: Wednesday, July 20, 2005 3:03 PM
> Subject: A Story: Amazon.com Security Silliness
> 
> 
> > I know this is not your classic bugtraq content, but it just amazes me to see "security" procedures implemented that actually have the opposite effect of what was (apparently) intended. Plus, bt content seems a bit light today, so I figured I'd give you guys a little story.
> >
> > I needed some equipment next-day'd to me, so I went to Amazon by vendor recommendation. I had an old Amazon account which I had not used in quite some time, but created a new one because I knew the address and account info were old.
> >
> > With the new account I ordered product from Amazon, as well as "marketplace" product which Amazon just acts as a portal for-- a different 3rd person receives and ships the order themselves. The only reason I ordered stuff directly from Amazon is that I wanted to hit the "free expedited shipping" bracket- so in went a paperback of "The Chronicles of Amber."
> >
> > The next day, I get my order confirmation in email to the new account. Later that day, I get a *different* email from Amazon to the email address on file for the original, old account. Apparently, an "investigation specialist" saw two accounts that had the same credit card numbers on file. Without even checking, they automatically deleted my new account, and cancelled my orders for my "protection," notifying me of this via the old account, telling me my credit card was compromised, but they knew it was not because of their site. They cited the last few digits of the old credit card number, which I did *not* use to purchase the goods with the new account.
> >
> > Sure enough, I could not even log in with the new account anymore to even view the status of the orders. Repeated emails to Amazon customer service have still gone un-answered. The other items were 3rd party-- I then got an email from the 3rd party saying they shipped the goods. I emailed back saying that Amazon had cancelled all the orders. They said "too late." At this point, nothing has been charged to my card.
> >
> > Today, FedEx arrives at my door with my book. A full two days after they said they cancelled all the orders-(as of yesterday, it had not shipped - I checked the number when it arrived) so they shipped it *after* they cancelled my order. Sure enough, I now have a charge on the card I know I used, though they said in the cancellation email that a different card was used (telling me to check for fraud on that card.)
> >
> > So basically, they say they know my account was compromised, but shipped the order anyway and billed my card *after* deleting my account, preventing me from looking at any information. Had I not really been me, I would never have known this as the "ship to" was unique. This was done to protect "me." They then screwed over the 3rd party vendor by canceling the order the same day it had already shipped from them, preventing them from charging it against my card. Even today, there is no charge. (But I'm working directly with them to resolve that- it arrives tomorrow) Further, if it were fraud, I would be canceling/checking the wrong credit card. I also have a nice email (minus the part where they call out the end card numbers) that I could probably use to have the real credit card charges taken off, since Amazon is saying the order was fraud in the first place and the card used "apparently without authorization."
> >
> > If it were fraud, not only would the fraudster have received all the goods, but I would have been (and was) charged for the direct Amazon product, while the 3rd party vendor trusting Amazon got screwed out of their product, while sending it to what was identified as the fraudster. Had my original, old, email address not still been valid somewhere, I would not even know that any of this was going on. And they still have not returned a single email.
> >
> > I think this is a perfect example of security mechanisms being put into place under the guise of protecting the customer, where no thought has gone into how it could be leveraged against itself. Go figure.
> >
> > t