"We're working for you..." ..we just don't have the slightest clue what we're doing, is all...

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, July 20, 2005 6:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Fw: A Story: Amazon.com Security Silliness

http://www.ISAserver.org

A forward from my post to Bugtraq-- I figga'd youz guyz would appreciate it ;)

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 20, 2005 3:03 PM
Subject: A Story: Amazon.com Security Silliness

> I know this is not your classic bugtraq content, but it just amazes me to
> see "security" procedures implemented that actually have the opposite
> effect of what was (apparently) intended. Plus, bt content seems a bit
> light today, so I figured I'd give you guys a little story.
>
> I needed some equipment next-day'd to me, so I went to Amazon by vendor
> recommendation. I had an old Amazon account which I had not used in quite
> some time, but created a new one because I knew the address and account
> info were old.
>
> With the new account I ordered product from Amazon, as well as
> "marketplace" product which Amazon just acts as a portal for-- a different
> 3rd person receives and ships the order themselves. The only reason I
> ordered stuff directly from Amazon is that I wanted to hit the "free
> expedited shipping" bracket- so in went a paperback of "The Chronicles of
> Amber."
>
> The next day, I get my order confirmation in email to the new account.
> Later that day, I get a *different* email from Amazon to the email address
> on file for the original, old account. Apparently, an "investigation
> specialist" saw two accounts that had the same credit card numbers on
> file. Without even checking, they automatically deleted my new account,
> and cancelled my orders for my "protection," notifying me of this via the
> old account, telling me my credit card was compromised, but they knew it
> was not because of their site. They cited the last few digits of the old
> credit card number, which I did *not* use to purchase the goods with the
> new account.
>
> Sure enough, I could not even log in with the new account anymore to even
> view the status of the orders. Repeated emails to Amazon customer service
> have still gone un-answered. The other items were 3rd party-- I then got
> an email from the 3rd party saying they shipped the goods. I emailed back
> saying that Amazon had cancelled all the orders. They said "too late."
> At this point, nothing has been charged to my card.
>
> Today, FedEx arrives at my door with my book. A full two days after they
> said they cancelled all the orders (as of yesterday, it had not shipped;
> I checked the number when it arrived), so they shipped it *after* they
> cancelled my order. Sure enough, I now have a charge on the card I know I
> used, though they said in the cancellation email that a different card was
> used (telling me to check for fraud on that card.)
>
> So basically, they say they know my account was compromised, but shipped
> the order anyway and billed my card *after* deleting my account,
> preventing me from looking at any information. Had I not really been me,
> I would never have known this as the "ship to" was unique. This was done to
> protect "me." They then screwed over the 3rd party vendor by canceling the
> order the same day it had already shipped from them, preventing them
> from charging it against my card. Even today, there is no charge. (But
> I'm working directly with them to resolve that- it arrives tomorrow)
> Further, if it were fraud, I would be canceling/checking the wrong credit
> card. I also have a nice email (minus the part where they call out the
> end card numbers) that I could probably use to have the real credit card
> charges taken off, since Amazon is saying the order was fraud in the first
> place and the card used "apparently without authorization."
>
> If it were fraud, not only would the fraudster have received all the
> goods, but I would have been (and was) charged for the direct Amazon
> product, while the 3rd party vendor trusting Amazon got screwed out of
> their product, while sending it to what was identified as the fraudster.
> Had my original, old email address not still been valid somewhere, I
> would not even know that any of this was going on. And they still have
> not returned a single email.
>
> I think this is a perfect example of security mechanisms being put into
> place under the guise of protecting the customer, where no thought has
> gone into how it could be leveraged against itself. Go figure.
>
> t
>
>

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.