RE: Fw: A Story: Amazon.com Security Silliness

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jul 2005 18:57:56 -0700

"We're working for you..."
..we just don't have the slightest clue what we're doing, is all...

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Wednesday, July 20, 2005 6:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Fw: A Story: Amazon.com Security Silliness

http://www.ISAserver.org

A forward from my post to Bugtraq-- I figga'd youz guyz would appreciate it ;)


----- Original Message ----- 
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 20, 2005 3:03 PM
Subject: A Story: Amazon.com Security Silliness


> I know this is not your classic bugtraq content, but it just amazes me
> to see "security" procedures implemented that actually have the opposite
> effect of what was (apparently) intended.  Plus, bt content seems a bit
> light today, so I figured I'd give you guys a little story.
>
> I needed some equipment next-day'd to me, so I went to Amazon by vendor
> recommendation.  I had an old Amazon account which I had not used in
> quite some time, but created a new one because I knew the address and
> account info were old.
>
> With the new account I ordered product from Amazon, as well as
> "marketplace" product which Amazon just acts as a portal for-- a
> different 3rd person receives and ships the order themselves.  The only
> reason I ordered stuff directly from Amazon is that I wanted to hit the
> "free expedited shipping" bracket- so in went a paperback of "The
> Chronicles of Amber."
>
> The next day, I get my order confirmation in email to the new account.
> Later that day, I get a *different* email from Amazon to the email
> address on file for the original, old account.  Apparently, an
> "investigation specialist" saw two accounts that had the same credit
> card numbers on file.  Without even checking, they automatically
> deleted my new account, and cancelled my orders for my "protection,"
> notifying me of this via the old account, telling me my credit card was
> compromised, but they knew it was not because of their site.  They
> cited the last few digits of the old credit card number, which I did
> *not* use to purchase the goods with the new account.
>
> Sure enough, I could not even log in with the new account anymore to
> even view the status of the orders.  Repeated emails to Amazon customer
> service have still gone un-answered.  The other items were 3rd party--
> I then got an email from the 3rd party saying they shipped the goods.
> I emailed back saying that Amazon had cancelled all the orders.  They
> said "too late."  At this point, nothing has been charged to my card.
>
> Today, FedEx arrives at my door with my book.  A full two days after
> they said they cancelled all the orders- (as of yesterday, it had not
> shipped - I checked the number when it arrived) so they shipped it
> *after* they cancelled my order.  Sure enough, I now have a charge on
> the card I know I used, though they said in the cancellation email that
> a different card was used (telling me to check for fraud on that card.)
>
> So basically, they say they know my account was compromised, but
> shipped the order anyway and billed my card *after* deleting my
> account, preventing me from looking at any information.  Had I not
> really been me, I would never have known this as the "ship to" was
> unique.  This was done to protect "me."  They then screwed over the 3rd
> party vendor by canceling the order the same day it had already shipped
> from them, preventing them from charging it against my card.  Even
> today, there is no charge.  (But I'm working directly with them to
> resolve that- it arrives tomorrow.)  Further, if it were fraud, I would
> be canceling/checking the wrong credit card.  I also have a nice email
> (minus the part where they call out the end card numbers) that I could
> probably use to have the real credit card charges taken off, since
> Amazon is saying the order was fraud in the first place and the card
> used "apparently without authorization."
>
> If it were fraud, not only would the fraudster have received all the
> goods, but I would have been (and was) charged for the direct Amazon
> product, while the 3rd party vendor trusting Amazon got screwed out of
> their product, while sending it to what was identified as the
> fraudster.  Had my original, old, email address not still been valid
> somewhere, I would not even know that any of this was going on.  And
> they still have not returned a single email.
>
> I think this is a perfect example of security mechanisms being put into
> place under the guise of protecting the customer, where no thought has
> gone into how it could be leveraged against itself.  Go figure.
>
> t


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------