Eric Springer, a former software developer at Amazon, revealed in a Medium post on Sunday that the e-commerce site's customer service was putting customers at risk of identity theft. On three different occasions, Springer's account was compromised by someone who obtained his personal information from Amazon's customer service representatives.
Springer explained that Amazon sent him an email thanking him for his recent inquiry—one that he hadn't made. When Springer probed further, he was sent a chat transcript of his supposed conversation with customer service. By providing verification of Springer's identity with a street address that he had used to register a few domains, the attacker had obtained his real address and phone number. Springer shared screenshots of the chat transcript:
With this information, Springer said, the attacker "had enough to bounce around a few services, even convincing my bank to issue them a new copy of my credit card." Springer told Amazon about the incident and asked that they flag his account. But a few months later, after Springer had shared his new address and credit card information with Amazon, he received another email about a recent inquiry to customer service. This time around, the attacker attempted—and failed—to obtain the last four digits of Springer's credit card. After Springer asked yet again that Amazon "not give out my details to anyone with a name and address," he opted to delete his address from his account.
And it's a good thing he did: Soon after, Springer was informed that the attacker had called Amazon directly and that customer service had no record of the conversation. From Springer's post:
This time, I can’t get a transcript of the conversation. They contacted Amazon by phone, and they don’t have a recording to give me. I’m going to have to assume they got the last digits of my credit card, like they seem to be after.
At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.
If a company of Amazon's stature is susceptible to an attack based on human error, then many other companies may be as well. Reports like Springer's could damage user sentiment about Amazon's customer service, which until now has largely been positive, according to a recent study by Forrester Research. As Springer recommends in his post, Amazon and other companies should, first and foremost, make it imperative that users be capable of logging into their accounts before they honor customer service requests. And in the meantime: Loyal Amazon users should keep an eye out for customer service emails that land in their inbox without warning.