Amazon customers report being charged with strange orders without their knowledge, even though their account was protected by two-factor authentication. Hackers seem to have managed to break the security of double authentication and pretend to be fake sellers to better steal their money.
Several Amazon users who complain about strange orders placed without their knowledge while their account was protected by double authentication. This security mechanism means that an additional one-time code is required to log in. This code can be created using a generator, either via an application on the user's smartphone, or via a code received by SMS.
Amazon: customers see strange orders appearing in their history
Once connected, the pirates order an amount of several hundred euros from fake sellers, and immediately set the status of the order to “Delivered” which prevents any refund. The goal is, as you may have understood, not to receive the product, which would involve providing an address other than that of the account owner – but to extort money. Seller accounts claim to be based in China.
They give the appearance of genuine accounts although the items they are supposed to sell regularly disappear from the catalog. They seem to operate in several languages and therefore in many countries. The victims say they have all since changed their passwords and received a refund from Amazon. One big question remains: how did they manage to circumvent the double authentication of the Amazon site?
For the moment the platform does not really provide an explanation. While going to the Amazon help pages, however, we realized that the site actually offers two methods of two-factor authentication. One via a code generator installed on your smartphone, the other via a code received by SMS. Amazon also encourages its customers to enter their phone number in order to use double authentication via code received by SMS in case the generator no longer works.
Amazon Accounts Appear Vulnerable to SIM Swapping
“To enable Two-Step Verification, you are required to add a secondary phone number so that you have an alternative option to receive the security code in the event that you no longer have access to your primary mobile device“ , explains Amazon. Of course, it is impossible to say as it stands about the techniques that these pirates really used to place these orders – a thorough investigation would probably be necessary to find out.
More we have already known for some time that not all two-factor authentications are created equal. The codes received by SMS, in particular, represent a gaping security hole. We talked to you some time ago about the worrying technique of SIM Swapping: it involves a pirate pretending to be the customer of an operator in order to obtain a copy of his SIM card.
Also read: Facebook – two-factor authentication makes your phone number public
The attacker can then receive these single-use codes and log in as he pleases to his victim's accounts that use two-factor authentication. Have you enabled two-factor authentication on Amazon? Have you ever noticed strange commands appearing in your history? Share your feedback in the comments section of this article!