Normal in the biz. "I don't know nothing about security, I just work here"

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, July 20, 2005 8:46 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Fw: A Story: Amazon.com Security Silliness
>
> http://www.ISAserver.org
>
> A forward from my post to Bugtraq-- I figga'd youz guyz would appreciate it ;)
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Sent: Wednesday, July 20, 2005 3:03 PM
> Subject: A Story: Amazon.com Security Silliness
>
> > I know this is not your classic bugtraq content, but it just amazes me to see "security" procedures implemented that actually have the opposite effect of what was (apparently) intended. Plus, bt content seems a bit light today, so I figured I'd give you guys a little story.
> >
> > I needed some equipment next-day'd to me, so I went to Amazon by vendor recommendation. I had an old Amazon account which I had not used in quite some time, but created a new one because I knew the address and account info were old.
> >
> > With the new account I ordered product from Amazon, as well as "marketplace" product which Amazon just acts as a portal for-- a different 3rd person receives and ships the order themselves. The only reason I ordered stuff directly from Amazon is that I wanted to hit the "free expedited shipping" bracket- so in went a paperback of "The Chronicles of Amber."
> >
> > The next day, I get my order confirmation in email to the new account. Later that day, I get a *different* email from Amazon to the email address on file for the original, old account. Apparently, an "investigation specialist" saw two accounts that had the same credit card numbers on file. Without even checking, they automatically deleted my new account, and cancelled my orders for my "protection," notifying me of this via the old account, telling me my credit card was compromised, but they knew it was not because of their site. They cited the last few digits of the old credit card number, which I did *not* use to purchase the goods with the new account.
> >
> > Sure enough, I could not even log in with the new account anymore to even view the status of the orders. Repeated emails to Amazon customer service have still gone unanswered. The other items were 3rd party-- I then got an email from the 3rd party saying they shipped the goods. I emailed back saying that Amazon had cancelled all the orders. They said "too late." At this point, nothing has been charged to my card.
> >
> > Today, FedEx arrives at my door with my book. A full two days after they said they cancelled all the orders-(as of yesterday, it had not shipped - I checked the number when it arrived) so they shipped it *after* they cancelled my order. Sure enough, I now have a charge on the card I know I used, though they said in the cancellation email that a different card was used (telling me to check for fraud on that card.)
> >
> > So basically, they say they know my account was compromised, but shipped the order anyway and billed my card *after* deleting my account, preventing me from looking at any information. Had I not really been me, I would never have known this as the "ship to" was unique. This was done to protect "me." They then screwed over the 3rd party vendor by canceling the order the same day it had already shipped from them, preventing them from charging it against my card. Even today, there is no charge. (But I'm working directly with them to resolve that- it arrives tomorrow) Further, if it were fraud, I would be canceling/checking the wrong credit card. I also have a nice email (minus the part where they call out the end card numbers) that I could probably use to have the real credit card charges taken off, since Amazon is saying the order was fraud in the first place and the card used "apparently without authorization."
> >
> > If it were fraud, not only would the fraudster have received all the goods, but I would have been (and was) charged for the direct Amazon product, while the 3rd party vendor trusting Amazon got screwed out of their product, while sending it to what was identified as the fraudster. Had my original, old, email address not still been valid somewhere, I would not even know that any of this was going on. And they still have not returned a single email.
> >
> > I think this is a perfect example of security mechanisms being put into place under the guise of protecting the customer, where no thought has gone into how it could be leveraged against itself. Go figure.
> >
> > t