Earlier this week my wife had the unfortunate experience of having her Amazon account totally hijacked. The hijacker was able to take complete control of her account and lock her out. They then had the ability to place orders on her credit card but they did not have the ability to glean the details of the credit card itself.
This proved to be a serious wake-up call to her about the need for excellent password security (especially where credit cards are involved) because until this incident she had been content with an easy-to-guess password. All the hijacker needed was her email address, which is not hard to come by, and then to try several obvious password iterations.
Thankfully not long after the hijacker had gained control we realised what was happening and were able to take some action by cancelling our credit cards. That was necessary because an Amazon representative made it clear that if they were going to do anything it would be within 48 hours, which was too long to sit around whilst someone spent money we wouldn’t get back!
After taking over the account by changing the registered email address and then changing the email address again to a second email address they owned, the hijacker then changed the password. Lastly, and very cleverly, they created a new account using my wife’s email address and original password.
The point of doing it in that order seems to be that my wife received only an email to notify her that the email address had been changed, to a “burner” email address, but she didn’t know that her password had been changed*. Amazon sends emails to confirm changes to account details, in this case to the old email address and the new one. She also wouldn’t receive an email from Amazon containing the actual email address that the hijacker was going to use with the account, just the “burner” address that would quickly be removed from the account.
Once we realised what was happening I started trying to get into the account in browsers that were already logged into the account. It wasn’t possible to change anything without the new password but I did find out the actual email address the hijacker was using when I was taken to the login page. So when my wife was through to a representative from Amazon we could let them know the account was hijacked and the email address being used on the account.
I said above that creating the new account with my wife’s email address was a clever step. That’s because once we were in contact with Amazon they sent her a link to reset her password, but the reset was being performed on the newly created account, not the original! Eventually the Amazon representative told us that Amazon would look into the issue but it would take up to 48 hours. That’s a long time, especially given that the representative said they could tell something was wrong from a cursory look (the missing orders going back a few years associated with my wife’s email address). But at least we had found the email address that was associated with the account so Amazon could investigate.
This experience has led me to these conclusions:
1. Strong passwords are essential for Amazon. They are important anyway, but on Amazon a hijacker can completely shut you out of your account with just your password. I have recently become very impressed with 1Password as a solution for generating and storing strong passwords. Their methodology is secure and their apps and browser extensions are excellent.
2. Amazon, and other companies with similar protocols for handling changes of account information, should update those protocols by sending a link within their courtesy email to override the change if it was not initiated by the account owner. That function is already being used by Evernote (for example). So below is an example of best practice from Evernote!
3. Although I have been a fan of two-step authentication for a few years now, this further highlighted the security benefits of using two-step. With this set up, even if the hijacker knew my wife’s email address and password they would not have been able to break in. Google Authenticator is an excellent app for generating new “random” codes (offline) every thirty seconds.
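As an added illustration of conclusions 2 and 3 (this is example code written for this post, not code from Amazon, Evernote, 1Password or Google), the Python below models an account's email-change flow with both defences in place: the change is refused without a current TOTP code (the RFC 6238 scheme Google Authenticator implements, six digits every thirty seconds), and the courtesy email sent to the old address carries an HMAC-signed, time-limited revert token that puts the old address back and invalidates every logged-in session, even after the hijacker has hopped to a second address. The `Account` class, the server key, the one-week revert window and the example addresses are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- Second factor: TOTP (RFC 6238), the scheme Google Authenticator implements ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step and `skew` neighbours (clock drift); compare in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-skew, skew + 1))


# ---- Courtesy email with a revert link (the Evernote-style behaviour recommended above) ----

REVERT_TTL = 7 * 24 * 3600   # assumption: the owner has a week to click the revert link


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def make_revert_token(server_key: bytes, account_id: str, old_email: str,
                      new_email: str, now: int) -> str:
    """Sign (account, old address, new address, expiry) so the link cannot be forged or edited."""
    payload = json.dumps({"acct": account_id, "old": old_email, "new": new_email,
                          "exp": now + REVERT_TTL}, separators=(",", ":")).encode()
    sig = hmac.new(server_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)        # base64url never contains '.', so the split is safe


def parse_revert_token(server_key: bytes, token: str, now: int):
    """Return the signed payload if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:                            # malformed or badly padded token
        return None
    expected = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):    # verify BEFORE trusting the JSON
        return None
    data = json.loads(payload)
    return data if data["exp"] >= now else None


class Account:
    """Constructed stand-in for a shop account; `outbox` plays the role of the mail system."""

    def __init__(self, account_id: str, email: str, totp_secret: bytes, server_key: bytes):
        self.id = account_id
        self.email = email
        self.totp_secret = totp_secret
        self.server_key = server_key
        self.session_version = 0                  # bumped to invalidate every logged-in session
        self.outbox = []                          # (recipient, subject, revert token or None)
        self.used_tokens = set()

    def change_email(self, new_email: str, totp_code: str, now: int) -> bool:
        # Knowing the password is not enough: the change also needs the current 30-second code.
        if not verify_totp(self.totp_secret, totp_code, now):
            return False
        old = self.email
        self.email = new_email
        token = make_revert_token(self.server_key, self.id, old, new_email, now)
        # The OLD address gets the revert link; the new address only gets a notice.
        self.outbox.append((old, "Your email address was changed", token))
        self.outbox.append((new_email, "Your email address was changed", None))
        return True

    def revert(self, token: str, now: int) -> bool:
        """Undo a change from the courtesy-email link, even after later hops to other addresses."""
        data = parse_revert_token(self.server_key, token, now)
        if data is None or data["acct"] != self.id or token in self.used_tokens:
            return False                          # forged, expired, wrong account or replayed
        self.used_tokens.add(token)
        self.email = data["old"]
        self.session_version += 1                 # the hijacker's sessions stop working too
        return True
```

The revert deliberately restores the address recorded in the token rather than "the previous address", so the link from the first change still works after the hijacker's second hop, and it bumps `session_version` so the hijacker's still-logged-in browsers lose access at the same moment. The TOTP functions can be checked against the RFC 4226/6238 test secret `12345678901234567890`, which gives the code `287082` at Unix time 59.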
So please stay safe online – get your passwords strong now and enable two-step where you can!