Amazon account - Someone just bought gift cards using my account.

varkanoid
Posts: 27 Forumite


This evening on the computer I just got an email saying £50 had been put on my Amazon Gift Balance. Straight away I went onto Amazon and yes, it's been added from my current account card that's in there. Whilst I was frantically figuring out what to do, a £50 Google Play gift card appeared in my basket. I managed to cancel it out of there but it got put back in and paid for. I then changed my password quickly. Looks like I'd been hacked somehow.
Now before you think it's a poor non-techy person and their computer must be compromised, I'm an IT support person of 30+ years, I've got Kaspersky Internet Security fully on etc. etc. My Amazon account has got 2-factor authentication to my phone. So how did someone manage to figure out my password, bypass the 2FA (which it will ask you for when you use a new browser) and send the gift card to an unknown email address which doesn't even show up in the order? They also tried to archive both orders so I wouldn't notice them in there.
My computer has been scanned malware-free with 3 different scanning programs. This isn't a case of someone getting a keylogger onto my machine, as there is no way they have got my password. It just shows you that 2-factor authentication is fallible and these hackers can bypass it just like that. To prove this I also used the "sign out of everywhere" link on the Amazon website to sign my account out of every device. Now when I log back in using my computer and mobile app it asks for the 2FA code. So how can a hacker then get into my account without the 2FA code? Simple answer: 2FA is just not a safe way of securing your account.
I've reported it to Amazon Customer Services and they have passed it on to their security team. However I don't trust Amazon anymore and I'm not leaving any payment cards on the account ever again.
Let this be a warning that these so-called security measures are not that secure.
1
Comments
-
I have a similar issue.
4 debits last year for Amazon Prime I did not make. I was issued with a new card and bought something on 6th January this year; on 7th January there was a debit for Amazon Prime on my new card.
I now have my third new card in the space of 6 months.
I have no confidence in buying anything from Amazon till I get some guarantee.
My issue has also been escalated to their security team.
1
-
Had something similar with my son using Discord. His account got hacked. It had 2FA on, the works. I did some digging and it turns out they use "tokens", so once you log onto your computer and do 2FA it creates a token that lasts a certain amount of time, say 24 hrs. This token has your password and 2FA encrypted in it. On Discord people create dummy servers with enticing links which have a "token grabber" inside. These are open source and you can freely download them from a well-known open source website. My son reckoned he hadn't clicked on any links. Anyway, hackers can then use these tokens to log in to your Discord account, completely bypassing your password and 2FA; they don't need them with these tokens and can use your account. We contacted Discord CS about this, they investigated it and even admitted that it was probably one of these token grabber apps that allowed someone into the account. Makes me wonder if Amazon use the same thing.
Also another weird thing with this Amazon purchase is I get an email for the first top-up but I don't get an email for the purchase of the Google Play card. Yet my email address had never been changed!
0
-
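The post above describes a session token that is issued after password plus 2FA and then stands in for both on later requests. The following is an added illustration of that mechanism, written for this page; it is not code from Discord, Amazon or any poster, and it makes its own assumptions: the token is a random opaque identifier looked up in a server-side store (rather than containing the password or OTP), the store is a plain dict, and the user record, password and one-time code are constructed test values. It shows that whoever holds the token is logged in without ever presenting a password or OTP, and that a server-side "sign out everywhere" or password change is what actually cuts a stolen token off.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state for the illustration (assumption: a real service
# would keep these in a database or cache, and would verify a real TOTP).
USERS = {"alice": {"password": "correct horse", "totp": "123456"}}  # constructed test values
SESSIONS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def _token_id(token):
    # Store only a hash of the bearer token so a leaked store does not leak live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user, password, otp_code, ttl_seconds=24 * 3600):
    """Full login: password AND second factor. Returns an opaque bearer token or None."""
    rec = USERS.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["password"], password):
        return None
    if not hmac.compare_digest(rec["totp"], otp_code):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_id(token)] = {"user": user, "expires": time.time() + ttl_seconds}
    return token


def request_with_token(token):
    """Every later request: the client presents only the token, never password or OTP.
    Returns the authenticated user, or None if the token is unknown or expired."""
    sess = SESSIONS.get(_token_id(token))
    if sess is None or sess["expires"] < time.time():
        return None
    return sess["user"]


def sign_out_everywhere(user):
    """Server-side revocation of all sessions for a user (what a 'sign out of all devices'
    link should do). Returns the number of sessions revoked."""
    doomed = [tid for tid, s in SESSIONS.items() if s["user"] == user]
    for tid in doomed:
        del SESSIONS[tid]
    return len(doomed)


def change_password(user, new_password):
    """A password change that does NOT revoke sessions leaves a stolen token working;
    this one revokes them as part of the change."""
    USERS[user]["password"] = new_password
    return sign_out_everywhere(user)


def demo():
    """Victim logs in with both factors; attacker replays the stolen token; revocation stops it."""
    token = login("alice", "correct horse", "123456")
    victim_ok = request_with_token(token) == "alice"

    stolen = token  # e.g. lifted from the client by a token grabber or infostealer
    attacker_ok = request_with_token(stolen) == "alice"  # no password or OTP involved

    change_password("alice", "new horse, still correct")
    attacker_after_revoke = request_with_token(stolen)  # None: token no longer valid
    return victim_ok, attacker_ok, attacker_after_revoke


if __name__ == "__main__":
    print(demo())
```

The point for a practitioner is in the last three lines of `demo()`: once a token exists, the second factor has already done its job, so defending the account means protecting the client that holds the token (no untrusted downloads, a browser that is not compromised) and making sure revocation on password change and "sign out everywhere" is actually enforced server-side, not just on the device you are looking at.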
Little update, Amazon have confirmed the unauthorised use of my account and have transferred the money back to my gift card balance. I have to wait 2 hrs to log back in but then I can see if they have done it or not.
0
-
varkanoid said: Little update, Amazon have confirmed the unauthorised use of my account and have transferred the money back to my gift card balance. I have to wait 2 hrs to log back in but then I can see if they have done it or not.
I'm not waiting for a refund as my credit card sorted that.
I just need to know why and whether it will happen again or not.
1
-
It may help some, but I only load my credit card into Amazon when buying something and take it straight off afterwards. This does not affect the order.
3
-
Amazon have refunded my £50. I'm going to do that ^ for now; the only issue is with Amazon Prime, which we pay monthly, and I'll just have to keep paying it manually.
0
-
I use Monzo. Money is kept in pots and only moved to the 'main' pot when required. It means any attempt to take money that was not planned by me fails.
1
-
varkanoid said:
This token has your password and 2FA encrypted in it.
My son reckoned he hadn't clicked on any links.
It is likely your son did click something that was malicious in nature, and if using Discord in a web browser this is even more likely. I guess if a user is browsing Amazon on a compromised browser, or app, a similar attack could take place.
1
-
booneruk said: varkanoid said:
This token has your password and 2FA encrypted in it.
My son reckoned he hadn't clicked on any links.
0