Shady Password Reset Behaviour from Amazon

Just had an e-mail from Amazon suggesting that my account has had unauthorised access.  Now, my Amazon password was previously set to something long, completely unguessable and unbreakable by any current computing power; it is unique, not used anywhere else, and I have only ever entered it on my home malware-free computer.  As far as I can see, this can only be an inside job.  It is the second time this has happened to me.

In this case, the password reset behaviour is positively bizarre.  First, they want verification via SMS.  I do that, then it immediately sends a different code to e-mail and wants verification there too.  Okay, do that, but then it goes back to SMS and sends ANOTHER message there with a third code.  Do that, and back we go to e-mail for the FOURTH code to be entered.  At this point, I'm pretty suspicious.  Then it tells me it can't send me an SMS (strange, given that it's already sent me two) and insists I use WhatsApp to get the FIFTH code.  I do that, and then it tells me that to log in I need to switch country(!) and switches me over to an Amazon.com password reset (instead of Amazon.co.uk), and then declares that the account is locked due to suspicious activity (the irony was not lost on me).

What on earth is going on here?!  I double-checked by going to the Amazon site web address directly myself; I also tried going through the app on the phone, which confirmed that the old password had been disabled.  I did the reset in a clean browser window, I have thoroughly checked for malware and there is no evidence of any, and my e-mails show no sign of having been hacked.  At best this is a completely broken security process that has left me with a locked account, but it looks extremely dodgy to me.  The punchline, though, is that at no point have I been asked to actually enter a password, so if it's some sort of very sophisticated transparent hijack attempt, it's not going to achieve much.

Comments

  • karvala
    karvala Posts: 65 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    edited 9 June at 11:16PM
    OMG, this just gets better and better.  Thought I'd better resolve this, but it turns out I can't.  Anyone remember "Keyboard not found.  Press any key to continue" from the old Windows days?  Well, Amazon have created their own special version of recursive hell for the modern era.

    It turns out that to speak to customer service, you have to have an account.  If you try to access customer service without an account, it takes you to the account login.  If your account login does not work and cannot be resolved with the new methods due to some bizarre linked other-country account nonsense (see above), then you need to contact customer services.  But to contact customer services, you must first log in.  But to log in, you first need to resolve your login problems by talking to customer services.  Etc. etc.  Brilliant!  Never mind, I'll check the help page that tells me how to resolve the login problems.  Oh yes, it simply tells me to resolve them.  If you can't resolve them?  Sorry, topic not covered.  Okay, I'll follow the help part from the login screen where you have to go to get help if you can't log in, assuming you can find it.  Did that, and followed the advice to go to the Recovery page and "upload some documents" (which sounds very shady, but whatever).  Except I can't, because to access the account login Recovery page... yes, you guessed it, you have to be logged in.  Kafka would be proud.

    This is quite unbelievable, but I think they've actually done me a favour.  Looks like no more Amazon shopping for me, and quite frankly, good riddance to bad rubbish.
  • HampshireH
    HampshireH Posts: 4,918 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    Emmia said:
    Are you sure the email is from Amazon?
    Because it could also be from a scammer, and you've just leapt through hoops, and provided a load of personal information.
    OP said they went through the browser, not a link
  • karvala
    karvala Posts: 65 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    Thanks All.  I can understand the comments and suspicion; it does sound a lot like scammer behaviour which is why I was so suspicious myself.  I've exploited a family contact to speak to a manager in the advanced accounts team at Amazon this morning, though, and it really was Amazon.  I did obviously check URLs throughout and, as I mentioned, I went through my own shortcuts on a clean browser (right from the start; the only things via SMS and WhatsApp were their verification codes that I typed in - I never clicked a link).  So while I certainly agree it looks like the sort of behaviour a phishing attempt hacker would engage in, this was actually Amazon.  That's my main point (apart from the absurdity of their systems) - their account locking and unlocking behaviour is so shady that it undermines what people are constantly being told about account security.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,424 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    HampshireH said:
    OP said they went through the browser, not a link
    I read that as after they went through all the hoops they double checked that the account was disabled by going directly to Amazon.

    This:
    karvala said:
    Then it tells me it can't send me an SMS (strange, given that it's already sent me two) and insists I use WhatsApp to get the FIFTH code.  I do that, and it then it tells me that to login I need to switch country(!)
    sounds a lot like a scammer to me - never known Amazon to use WhatsApp to send verification codes.

    My guess would be that the email is a phishing attempt (easily verified by checking the URL of the link in the email) and the OP has provided the scammer with numerous verification codes, but the scammer has messed up his account hijack attempt and managed to lock the account.
    Yes, scam attack. Sounds like the OP has done the full-on panic response.

    If your account had had "unauthorised access" and you have an unguessable password (and hopefully 2FA) then what's the point of changing it? Any "inside job" would already have access to your account and wouldn't need the password/2FA - and the password would be encrypted anyway so of no use to them.

    I'd be more concerned about any payment method details that were set up on the account. Now that the account's locked to you, getting any payment method disabled will have to be at the card issuer/payment system end.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,424 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    karvala said:
    Thanks All.  I can understand the comments and suspicion; it does sound a lot like scammer behaviour which is why I was so suspicious myself.  I've exploited a family contact to speak to a manager in the advanced accounts team at Amazon this morning, though, and it really was Amazon.  I did obviously check URLs throughout and, as I mentioned, I went through my own shortcuts on a clean browser (right from the start; the only things via SMS and WhatsApp were their verification codes that I typed in - I never clicked a link).  So while I certainly agree it looks like the sort of behaviour a phishing attempt hacker would engage in, this was actually Amazon.  That's my main point (apart from the absurdity of their systems) - their account locking and unlocking behaviour is so shady that it undermines what people are constantly being told about account security.
    Glad you sorted it.

    What was the cause of the original (apparently genuine) alert?

    Just to confirm, Amazon are now using WhatsApp to send OTP codes? And if you don't have it or it's on a different number to that known to Amazon?

    And switching you from .uk to .com?

    Routinely, or just in exceptional circumstances?
  • karvala
    karvala Posts: 65 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    Thanks; glad to have it sorted.  I was tempted to leave it but thought I should make a more serious attempt to resolve it.

    They had no insight into the original alert but observed that it could have been a false positive.  That fits with the fact that I did have stored payment details (I've since removed those; just not worth the risk) but no fraudulent transactions were made.

    Yes, Amazon will use WhatsApp to send OTP codes, apparently if they cannot get SMS messages through reliably.  The phone signal in my area is rather variable, so sometimes I will get SMS messages and then two minutes later SMS messaging will no longer work for a while.  I assume that is what happened here; some messages got through, others failed to send and so Amazon resorted to WhatsApp in those cases.  I'm not sure what would happen if you don't have WhatsApp, but if SMS messaging is working reliably then probably you'll never need it.

    The .com switching was what really surprised me this time; I've never experienced that.  Apparently if you have a .com account (I created mine decades ago before I had a .uk account, and haven't used it for about 20 years) it acts like a master account.  If there is a lock on the UK account that is failing to lift for whatever reason (it wasn't clear why in this case) it will revert to the .com account and try to get you to log in and resolve it there.  It also means that you can't actually delete the .com account (which I had asked them to do) without deleting all of the accounts (so I'm stuck with it).  It's not routine and will only happen if you have a previously-created .com account.
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,424 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Thanks for the explanation. 

    Bit surprising that a company such as Amazon are not using 2FA via their own app(s) and instead require you to use a third-party authenticator app (or SMS).
  • booneruk
    booneruk Posts: 731 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    Thanks for the explanation. 

    Bit surprising that a company such as Amazon are not using 2FA via their own app(s) and instead require you to use a third-party authenticator app (or SMS).
    You can enrol a 2FA app and make it default rather than SMS, but you need to do it through the fiddly account security screens. It should be default in this day and age (even if certain types think 2FA apps are all about tracking and spying)