Amazon account - Someone just bought gift cards using my account.

Comments

  • Murphybear
    Murphybear Posts: 8,003 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    edited 30 October 2024 at 6:15PM
    varkanoid said:
    This evening on the computer just got an email saying £50 had been put on my Amazon Gift Balance. Straight away went onto Amazon and yes it's been added from my Current Account card that's in there. Whilst I was frantically figuring out what to do a £50 Google Play gift card appeared in my basket. I managed to cancel it out of there but it got put back in and paid for. I then changed my password quickly. Looks like I'd been hacked somehow.

    Now before you think it's a poor non-techy person, their computer must be compromised, I'm an IT Support person of 30+ years, I've got Kaspersky Internet Security fully on etc etc. My Amazon account has got 2 factor authentication to my phone. So how did someone manage to figure out my password, bypass the 2FA which it will ask you for when you use a new browser and send the gift card to an unknown email address which doesn't even show up in the order? They also tried to archive both orders so I wouldn't notice it in there.

    My computer has been scanned malware free with 3 different scanning programs. This isn't a case of someone getting a keylogger onto my machine as no way have they got my password. It just shows you that 2 factor authentication is fallible and these hackers can bypass it just like that. To prove this I also used the sign out of everywhere link on the Amazon website to sign my account out of every device. Now when I log back in using my computer and mobile app it asks for 2FA code. So how can a hacker then get into my account without the 2FA code? Simple answer, 2FA is just not a safe way of securing your account.

    I've reported it to Amazon Customer Services and they have passed it onto their security team. However I don't trust Amazon anymore and I'm not leaving any payment cards on the account ever again.

    Let this be a warning that these so-called security measurements are not that secure.

    That bit made me smile :D. As a 70 something female a lot of people think I couldn't know anything about technology or computing. Very occasionally I tell them I did some computing as part of my Physics and Astronomy degree (Univ of London). If that doesn't work I then explain I taught some at evening classes.

  • MikeJXE said:
    I removed my cards from Amazon when I got done a few years ago. 

    I use eBay now if I want anything but I don’t keep a card on there either 
    I ended up using Hyper Jar which I use for my kids spending money which can be preloaded so whenever I need to buy anything on Amazon etc just load it with the money and pay for it. 


  • Jami74
    Jami74 Posts: 1,294 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    Hubby got an email in the middle of the night thanking him for his Amazon purchase. Originally thought it was scammy spam but checked his bank and there was a pending payment.

    Logged into Amazon, couldn't see the order in his list of recent orders but eventually found it via cancel orders. Had a name and delivery address.

    Cancelled the order, removed the 'new' address, removed his payment card, changed his password and froze his card in his banking app. He already had 2fa on and was sent a code to change his password. Pending payment has now gone from banking app and he received emails from Amazon about the cancellation and password changes.

    Is there anything else he should do? His only device is his mobile. 
    Debt Free: 01/01/2020
    Mortgage: 11/09/2024
  • marcia_
    marcia_ Posts: 3,449 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Jami74 said:
    Hubby got an email in the middle of the night thanking him for his Amazon purchase. Originally thought it was scammy spam but checked his bank and there was a pending payment.

    Logged into Amazon, couldn't see the order in his list of recent orders but eventually found it via cancel orders. Had a name and delivery address.

    Cancelled the order, removed the 'new' address, removed his payment card, changed his password and froze his card in his banking app. He already had 2fa on and was sent a code to change his password. Pending payment has now gone from banking app and he received emails from Amazon about the cancellation and password changes.

    Is there anything else he should do? His only device is his mobile. 
    Have you reported to the bank his card may have been compromised? They will cancel the card and issue a new one.
  • Mick_J
    Mick_J Posts: 4 Newbie
    Seventh Anniversary First Post
    Just happened to me - £100 gift card emailed to somewhere !!! Email from Amazon saying sale then later email saying refused, lucky not enough money in my account to cover it so bank refused transaction, sale recorded in cancelled orders. Reported to Amazon & password changed. Thinking if I had the money in my account it would have been paid !!
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,605 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Out of interest, was your Amazon password long, complicated and unique? Did you have 2FA set up?
  • Mick_J
    Mick_J Posts: 4 Newbie
    Seventh Anniversary First Post
    flaneurs_lobster said:
    Out of interest, was your Amazon password long, complicated and unique? Did you have 2FA set up?

    Yep, old simple password for Amazon, different now and no 2FA. But is it that easy to get into my account and send gift cards anywhere? Seems it is.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,605 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    edited 21 January at 1:40PM
    The bit that can be critical is uniqueness. If you've used the same email/password elsewhere and that entity is compromised, then the bad actors (or their algorithms) will test that blagged email/password (and derived variations) on the popular shopping and email sites.

    Obvious maybe, but get good strong unique passwords & 2FA on anything important but particularly on email accounts.
  • This happened to me yesterday. The second time I've been hacked, first my Google account.

    The hackers hacked into my email account. Bought gift cards from Amazon and eBay. Then they blocked incoming Amazon and eBay emails and deleted transaction emails. They first tried with a bank that had no money in the account, so I got a declined message from my bank app. Logged in to Amazon to find they bought £40 of gift cards and then paid with my other card.

    These codes are sent to email, which the hacker was in, got the code. Deleted the email evidence as well as in the deleted email folder. I didn't know they hacked my email address at the time, thought it odd I was getting no emails, so I changed my password and 2 factor authorisation.

    Called my bank and Amazon, thought I'd sorted it.

    Then yesterday I got a message from an eBay seller sent to my account about a gift card. They had hacked into my eBay too. Probably sent a password reminder to my email address then deleted it, which is, I'm gathering, the same way they got into Amazon.

    £250 in gift cards again, £200 declined, but £50 went through. Because I'd changed my email password hours before, the hacker had to talk with the seller on eBay privately to get the code for the card. I got those emails from a different email address to the normal eBay one.

    Contacted the seller, asked to cancel, said I'd been hacked. The seller was unhelpful, didn't care even though I'd shown proof of hacking and just told me the code had been given, and to check the terms and conditions on the listing.

    My bank declined. Reported the fraud on eBay with eBay. They reset my account. I couldn't log back in, locked out. Called them, they tried to help sort it, sending an email code to me to get back in the account. Nothing came. After 2 hours of investigating, looked in my email settings to see the hacker had blocked all emails from Amazon and eBay to help cover their tracks.

    Sometimes they don't need passwords to log in to your accounts. If they hack into your emails they can see your usernames in the emails you've stored for your accounts. They then just try logging in with the username and click forgot password and it sends to your email which they are in. I'm convinced this is exactly what they did here.

    But how they got in my email is a mystery. I'd changed the password since being hacked to a very complicated one.

    My other thought is they hacked my Chrome browser. I am always logged into both eBay and email with that. I've since gone in password manager and deleted all saved passwords for every ecommerce site. I am going to use Firefox from now on, but never save a password in the browser. I've also chosen unique strong passwords for everything and changed them all.

    Hope this helps anyone else experiencing problems.
  • I forgot to add the buyer also deleted the transaction in my eBay account. The only way I was able to find it was the private messages sent to the seller had the order number in them, and they were also under my account payments section. But the actual orders themselves deleted from my order list.
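
The last two posts describe the intruder blocking Amazon and eBay senders in the mailbox settings so that order and reset emails never surfaced. As an added example (not written by anyone in this thread), this Python script audits a mailbox's blocked-sender list and filters for that pattern; the settings layout, field names and sample addresses are constructed for illustration and do not match any provider's real export format.

```python
# Senders whose mail should never be silently hidden (assumed watch list).
WATCHED = ("amazon", "ebay", "paypal")
# Filter actions that keep a message out of the owner's sight.
HIDING_ACTIONS = {"delete", "skip_inbox", "mark_read", "archive"}

# Constructed sample: a hypothetical, provider-neutral dump of mailbox settings.
SAMPLE_SETTINGS = {
    "blocked_senders": ["auto-confirm@amazon.co.uk", "ebay@ebay.com",
                        "spam@example.net"],
    "filters": [
        {"name": "Newsletters", "from_contains": "news@example.org",
         "actions": ["archive"]},
        {"name": "", "from_contains": "amazon", "actions": ["delete"]},
        {"name": "x", "from_contains": "eBay",
         "actions": ["mark_read", "skip_inbox"]},
        {"name": "Receipts", "from_contains": "amazon",
         "actions": ["label:Receipts"]},
    ],
}


def watched_hit(text):
    """Return the watched keyword found in text (case-insensitive), or None."""
    lowered = text.lower()
    return next((w for w in WATCHED if w in lowered), None)


def audit_mailbox(settings):
    """Return (kind, detail, sender) findings for settings that hide watched mail."""
    findings = []
    for addr in settings.get("blocked_senders", []):
        hit = watched_hit(addr)
        if hit:
            findings.append(("blocked_sender", addr, hit))
    for rule in settings.get("filters", []):
        hit = watched_hit(rule.get("from_contains", ""))
        hiding = HIDING_ACTIONS.intersection(rule.get("actions", []))
        # A label-only rule is harmless; hiding a watched sender is not.
        if hit and hiding:
            findings.append(("hiding_filter", ",".join(sorted(hiding)), hit))
    return findings


if __name__ == "__main__":
    for kind, detail, sender in audit_mailbox(SAMPLE_SETTINGS):
        print(f"REVIEW {kind}: {detail} (matches '{sender}')")
```

Any finding is a reason to review the mailbox settings after an account takeover, since changing the password alone leaves such rules in place.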