January 24th, 2016
(written by lawrence krubner, however indented passages are often quotes). You can contact lawrence at: firstname.lastname@example.org
Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.
Trying very hard to not take out my frustrations on an unrelated support rep, I contacted both Amazon Retail and AWS expressing my disappointment and asking them to put a note on my account that it is at extremely high risk of being social engineered, and I will always be capable of logging in. Amazon Retail said they would put a note, and have a specialist contact me (who never did) while AWS was dismissive of even a risk existing.
… I’m going to have to assume they got the last digits of my credit card, like they seem to be after.
At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.
After being the victim of these attacks for months, I’d like to make some recommendations for services:
NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this would be if the user forgot the password, and there should be a very strict policy. The problem is, since 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
Show support agents the IP address of the person connecting. Is it a usual one? Is it a VPN/Tor one? etc. Give them a warning to be suspicious.
Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my Fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its Namecheap whois protection expire.
Source
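The first two recommendations above (no disclosure without login, and an IP warning for agents) can be turned into a concrete gate in a support tool. The following is an added example, not code from the quoted author or from Amazon; the account IDs, IP addresses and the VPN/Tor range are constructed, and the range check stands in for a real anonymizer reputation feed.

```python
"""Support-request gate: release account data only to an authenticated
requester, route forgotten-password cases to a strict reset flow, and
show the agent warnings about an unusual source IP."""
from dataclasses import dataclass
import ipaddress

# Constructed sample data. A provider would load the anonymizer ranges
# from a Tor exit / VPN feed and the login IPs from its own auth logs.
ANONYMIZER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_LOGIN_IPS = {"acct-42": {"203.0.113.7", "203.0.113.9"}}


@dataclass
class SupportRequest:
    account_id: str
    source_ip: str
    authenticated: bool            # did the requester log in to the account?
    password_reset: bool = False   # the one permitted unauthenticated path


def ip_warnings(account_id: str, source_ip: str) -> list[str]:
    """Warnings the agent must see before answering anything."""
    addr = ipaddress.ip_address(source_ip)
    warnings = []
    if any(addr in net for net in ANONYMIZER_RANGES):
        warnings.append("source IP is in a VPN/Tor range")
    if source_ip not in KNOWN_LOGIN_IPS.get(account_id, set()):
        warnings.append("source IP never used to log in to this account")
    return warnings


def decide(req: SupportRequest) -> tuple[str, list[str]]:
    """Return (decision, warnings).

    'disclose'   - requester proved control of the account; data may be shared
    'reset_flow' - unauthenticated forgotten-password case; hand off to a
                   strict, out-of-band reset procedure, reveal nothing here
    'deny'       - unauthenticated and not a reset; nothing leaves
    """
    warnings = ip_warnings(req.account_id, req.source_ip)
    if req.authenticated:
        return "disclose", warnings
    if req.password_reset:
        return "reset_flow", warnings
    return "deny", warnings
```

Note that the IP warnings are attached to every decision, including an authenticated one: a login from a Tor range is still worth a second look even when the requester holds the password.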