Amazon Replacement-Order Scam
Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are “dot-blind” (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren’t immediately apparent to Chris.
Details here:
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
[…]
It’s clear that there’s a scam going on and it’s probably going largely unnoticed. It doesn’t cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it’s also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They’re unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.
There’s a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That’s the sort of thing you’re really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked. (It was delivered Fedex Smartpost, which means handed off to the USPS, so perhaps the lack of tracking custody contributes to their willingness to push the replacement.) Why Amazon’s reps were willing to assign the replacement shipment to a different address is beyond me. I was told it’s policy to only issue them to the original address, but some clever social engineering (“I’m visiting family in Oregon, can you ship it there?”, for instance) will get around that.
EDITED TO ADD (1/14): Comments from the original author of the piece.
Ryan • December 21, 2012 7:31 AM
I’m still a bit uncertain how the “missing dot” factored into this particular heist, but reading through the articles I found out a cool trick I never knew about Gmail: sub-addressing by using plus notation. When signing up for a service or mailing list, add +[something] to your address (e.g. ryan.excelon+amazon@gmail.com) and the mail will still go to you, but you have made it harder for a hacker to guess what actual address you used for the service and you can quickly filter/flag/delete messages by the +[something] value you added.
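The post’s core weakness is that Gmail treats dot-variants (and, as Ryan notes, “+tag” sub-addresses) as one mailbox while the merchant treated them as distinct customers, so support sessions opened under a variant never showed up against the real account. The following added example (mine, not from the post or from Amazon) shows the defensive fix: canonicalise addresses before matching them, then flag sessions whose literal address differs from the account’s but resolves to the same mailbox. The domain list and all sample addresses are constructed assumptions.

```python
# Domains known to ignore dots in the local part and to honour "+tag" sub-addressing.
# Assumption: illustrative list; extend it to match your own provider policy.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Map an address to a canonical mailbox key.

    For dot-blind domains, foo@gmail.com, f.oo@gmail.com and foo+amazon@gmail.com
    all collapse to foo@gmail.com. For any other domain only case is folded,
    because RFC 5321 leaves local-part semantics to the receiving server.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    domain = domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0]   # drop the +tag sub-address
        local = local.replace(".", "")   # dots are ignored by the provider
        if domain == "googlemail.com":   # legacy alias of the same mailbox
            domain = "gmail.com"
    return f"{local.lower()}@{domain}"


def find_lookalike_sessions(account_email: str, session_emails: list[str]) -> list[str]:
    """Return session addresses that are NOT the account's literal address yet
    resolve to the same mailbox: exactly the pattern that hid the scammer's
    support chats from the real account holder."""
    key = canonical_email(account_email)
    literal = account_email.strip().lower()
    return [s for s in session_emails
            if s.strip().lower() != literal and canonical_email(s) == key]


if __name__ == "__main__":
    # Constructed sample data: one registered account and a day of support sessions.
    account = "jane.doe@gmail.com"
    sessions = [
        "jane.doe@gmail.com",            # the customer herself
        "janedoe@gmail.com",             # dot-variant: same inbox, different "customer"
        "j.ane.doe+orders@googlemail.com",  # dots, +tag and legacy domain
        "someone.else@example.org",      # unrelated
    ]
    for hit in find_lookalike_sessions(account, sessions):
        print(f"review: session under {hit} resolves to {canonical_email(hit)}")
```

A support or fraud system that keys lookups on `canonical_email` instead of the literal string would have attached the scammer’s chats to the victim’s account history.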