Web Services // Retailer
“All a hacker needs to unlock your whole damn life is your name, email address, and a mailing address—and the mailing address doesn’t even have to be correct,” Gizmodo writes.
Amazon customer Eric Springer first suspected mischief of some sort after receiving an email from the tech giant that thanked him for contacting customer service. Springer hadn’t actually contacted customer service.
Troubled by the message, he contacted Amazon and managed to get hold of a transcript of his supposed chat with customer service. He discovered that a social engineer—a hacker—had pretended to be him in order to gain access to critical information in his Amazon account.
The address the fake guy provided to the rep for confirmation wasn’t even the location of Springer’s real home.
It was a bogus address Springer had used to register websites online.
Springer breaks down the horror show on Medium:
“Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.”
Springer informed Amazon of the epic fail and the company promised to improve security.
Similar social engineering stunts ensued over the next two months. The story ends with Springer closing his account and taking to social media to hold Amazon accountable.
“The biggest vulnerability isn’t a password or an email address; it’s the gullibility of the person on the other end of the line,” Gizmodo writes.
According to Ars Technica, Springer, an Australian developer, worked for Amazon as a software developer engineer up until a few years ago. He left to work on several Bitcoin projects, one of which was sold.