[Infowarrior] - Amazon’s customer service backdoor
Richard Forno
rforno at infowarrior.org
Mon Jan 25 08:17:49 CST 2016
Amazon’s customer service backdoor
As a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away, I would have thought my accounts and details would be be pretty safe? Wrong.
Because when someone has gone after me, it all goes for nothing. That’s because most systems come with a backdoor, customer support. In this post I’m going to focus on the most grievous offender: Amazon.com
Amazon.com was one of the few companies I trusted with my personal information. After all, I shop there, I used to work as a Software Developer and I am a heavy AWS user (raking up well over $600/month)
It all began with a rather innocuous email:
< -- >
After being the victim of these attacks for months, I’d like to make some recommendations for services:
• NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this, would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
• Show support agents the ip address of the person connecting. Is it a usual one? Is it a VPN/tor one? etc. Give them a warning to be suspicious.
• Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
• Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its namecheap whois protection expire
For users, be extremely careful with the information you share. Even big companies like Amazon can’t keep it safe, they’re far from the worst.
https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.xorchqqof
--
It's better to burn out than fade away.
More information about the Infowarrior
mailing list