Baffled by bogus charges on your Amazon account? It may be the work of a crook's phantom gadget

Last week, we spoke to an Amazon customer who was for months plagued by unauthorized purchases from their account. It appeared a fraudster's smart TV had been quietly linked to the victim's profile – a gizmo not visible in the usual account settings and one that even Amazon's own support team could not remove. Yet the phantom …

  1. sorry, what?
    WTF?

    How is the device added...?

    It seems like you would have to know the username and password to do this. Is that the case?

    1. IGotOut

      Re: How is the device added...?

      Not sure why you have received down votes for asking a simple question: HOW?

      Now for all we know there may be some leakage going on that exposes user name and password, maybe a buggy app (anyone using PrimeMusic offline will know what a piss poor excuse of an app that is), someone on the inside adding the accounts, some shit dev leaving it all exposed on a cloud server somewhere, or even some dodgy JavaScript that is ripping info.

      Until they trace, it could well be compromised user info.

    2. Dan 55 Silver badge

      Re: How is the device added...?

      The Prime Video app on the device generates a six character code, you go to primevideo.com, log in with Amazon credentials, and enter that code.

      You can turn on 2FA but that won't get rid of devices which are already paired. Also on Android, if you pair the Prime Video app, the main Amazon shopping app works using those credentials too.

      Which makes me wonder if they're real devices as one smart TV per compromised account seems a pretty expensive way to go about it. Perhaps somebody's spinning up Android VMs with Prime Video and Amazon apps linked to compromised accounts.

    3. doublelayer Silver badge

      Re: How is the device added...?

      Logically, it probably starts with account access. This could be from password reuse, poor passwords, access to an email account, theft of credentials via malware, or the like. However, as we don't have many details, it is theoretically possible that there is another vulnerability somewhere that people have found. We don't need to assume that exists at the moment, but it's not beyond the bounds of possibility.

      Everyone will have some type of security incident, and quite a few of those will be account accesses. However, the real problem is recovery from an event like this. Most accounts can be recovered by taking them over again, changing access methods, and enabling multi-factor. When this course of action is not sufficient, we have a problem.

      1. A.P. Veening Silver badge

        Re: How is the device added...?

        Logically, it probably starts with account access. This could be from password reuse, poor passwords, access to an email account, theft of credentials via malware, or the like. However, as we don't have many details

        From the article it is pretty clear that password reuse and poor passwords can be excluded in at least some cases, so that probably isn't how.

  2. Giles C

    It is hard to find

    Just went and checked my own account.

    You need to go to the following screens.

    Your prime -> prime video -> menu -> settings -> your devices

    And you can see what is registered for video playing.

    However

    If instead you go

    Accounts and lists -> your apps and devices -> your devices

    Then nothing shows up for video playback.

    Amazon - a site where the path to right results is longer than the river it is named after!!!

    1. lglethal Silver badge
      Go

      Re: It is hard to find

      Just curious - if you don't have Prime can you still check that there are no video devices linked?

      Sorry, at work right now, so can't check...

    2. VinceH

      Re: It is hard to find

      I was going to comment about this in the comments of the other article: I'm a little curious that in my case, the latter method (Accounts and lists -> your apps and devices -> your devices) shows my Kindle and Fire Stick, whereas the former method (Your prime -> prime video -> menu -> settings -> your devices) doesn't show the Fire Stick. I thought it WOULD have showed up there, given what it is and what it's for.

      Edit: And looking now, Accounts and Settings section of Prime doesn't seem to be working for me. (It initially appears, with the nav bar that includes Your devices, but then the content section immediately disappears to be left by an empty white space. Possibly a Javascript issue - I wasn't using this computer yesterday - or maybe they're tweaking things. I'll look again later; I don't have time to do anything now.)

    3. Bert 1
      WTF?

      Re: It is hard to find

      Eek!

      I just checked this on my account, where I don't have Prime at the moment...

      Accounts & Lists - Your Apps and Devices lists (to paraphrase a bit by taking off my name)

      Fire TV stick

      2nd Android Device

      Your prime -> prime video -> menu -> settings -> your devices gives:

      Fire TV Stick

      Hudl2

      2nd Android Device

      Android Device

      Accounts & Lists -> Manage your content and Devices -> Devices gives:

      Fire TV Stick (Fire TV Stick)

      Kindle (Kindle Paperwhite)

      2nd Android Device (Kindle for android)

      2nd Android Device (Amazon shopping App)

      2nd Android Device (MP3)

      Android Device (Amazon Shopping App)

      Android Device (Kindle for Android)

      Kindle Cloud Reader (Kindle Cloud Reader)

      Hudl2 (Amazon shopping App)

      Hudl2 (Kindle for Android)

      Android Device (Amazon Music)

      Android (Kindle for Android)

      They all have my name at the start, and they have all been mine over the years, but that is frankly ridiculous that they have different lists. Maybe there are longer lists in other places!

      1. Richard Parkin

        Re: It is hard to find

        Yes, I found a similar list but all iOS or Mac with one fire stick. No idea that existed. I think I'll deauthorise them all and see what happens. None have the identical name to my current iPads (2) and iPhone.

      2. anothercynic Silver badge

        Re: It is hard to find

        Deauthorise them all, then reauthorise them one by one.

    4. Jay 2

      Re: It is hard to find

      Wow. Prime lists my FireTV, iOS devices, TV, BluRay, PS4.

      But the other one only lists the FireTV.

  3. Pascal Monett Silver badge

    Ah, the joy of Smart

    It seems that, in their rush to provide yet another way to monitor consumer behavior for no benefit to consumers, all these "smart" thingamabobs are opening yet another Pandora's box worth of trouble.

    The Internet appears to still be in its Wild West period. Maybe, in a few decades and after many, many lawsuits, companies will finally be capable of designing products that do not shit on their customers without them having a clue.

    Maybe.

  4. sbt Silver badge
    Alert

    "...that seemed to be a one-off, a weird technical glitch that led to one isolated case"

    Nah, based on the problem as described in the initial report, it looked like the tip of a massive f*cking iceberg.

    This is why I don't let third parties store my CC details. I'll plug 'em in when I actually want to buy something.

  5. Doctor Syntax Silver badge

    It seems like a reasonably obvious step in the process of adding a device would be to send an email to the customer's registered address asking for confirmation. But as the reasonably obvious seems to be something that persistently eludes Amazon it's not surprising if they don't.

    1. Anonymous Coward

      RE: It seems like a reasonably obvious step...

      Netflix does send an email. Must not be too hard.

      1. Loyal Commenter Silver badge

        Re: RE: It seems like a reasonably obvious step...

        Netflix doesn't let you buy XBox gift cards through your TV either, does it?

    2. NightFox

      I think you're over-estimating Amazon's intelligence there. I recently had an order confirmation email from Amazon for something I hadn't ordered, but I noticed that it had been sent to one of my other email addresses (as had lots of "Welcome to Amazon"-type emails), so I assumed that someone had just made a typo with their email address setting up their new amazon account, as Amazon stupidly don't send you an 'activation' email when you set up a new account or register a new email address. So I contacted Amazon CS to tell them someone had accidentally set up a new account with my email address, and they said they'd contact the account holder to rectify the situation.

      Can you see where this is going?

      Within 5 minutes, I received an email from Amazon advising me that I'd used an email address to set up my new account that belonged to someone else, would I mind changing it?

      When I called up Amazon again, the CS rep told me not to worry as even though I'd received the email, the Amazon account holder would have received it too as we both shared the same email address. 8-(

      In the end I just did a "forgotten password" reset on his/her account (as authentication is by email) so they wouldn't be able to access the account any more, and ignored the subsequent password reset links I received when they tried to log-in a few days later. I had been tempted to place an order through the account for something personalised with the message "Get your bloody email address right you f***wit" but I guess that would technically have been theft so I never did.

  6. Anonymous South African Coward Silver badge

    Amazon will have to overhaul its system from top to bottom, and sideways if they want to get this issue sorted out for good.

    1. Steve Davies 3 Silver badge

      Amazon overhaul?

      The chances of that happening is probably as close to zero as makes no difference.

      Whatever they do (or don't do) there are shoals of hungry Piranhas out there waiting to pounce on an unsuspecting user and strip them bare in minutes.

    2. Anonymous Coward

      @Anonymous South African Coward

      Why should they bother? They're making insane amounts of money anyway. Are you going to move to the competition?

  7. Venerable and Fragrant Wind of Change

    Liability

    The banks and credit card providers must be bearing a fair whack of the cost of this where they're the ones required by law to reimburse consumers.

    I wonder if Visa and Mastercard might need to consider/threaten their ultimate sanction - to withdraw their service from Amazon?

    1. Anonymous Coward

      Re: Liability

      Alternatively, VISA and Mastercard have provisions in their merchant agreements which allow them to reclaim money paid out to customers (I don't know if this is the case or not, but it really wouldn't surprise me ... having spoken to a lawyer about reclaiming money from a card company, I know they do follow up with retailers when they've had to pay out).

    2. fajensen Silver badge
      Coat

      Re: Liability

      The banks and credit card providers must be bearing a fair whack of the cost of this where they're the ones required by law to reimburse consumers.

      Nope. Not how credit cards are wired, it goes like this: Credit card providers do not pay out any money they don't have and even then only after 3-4 months after the transactions were made.

      A fraudulent transaction is therefore 'just' cancelled, sticking the merchant, who accepted the transaction with the losses - on top of the 3% service charge. Debit cards, OTOH, transfer the money directly so only Swedish* and straight-up idiots use debit cards on the Internet or while travelling!

      The credit card provider simply runs a ledger recording the credit card transactions, at this stage presumably all authorised by the cardholder.

      At the end of 'month 01', the credit card provider presents the ledger from 'month-00' to the cardholder.

      Cardholder approves the ledger by paying it in part or full OR cardholder rejects transactions that cardholder claims are fraudulent. Cardholder has almost one month to pay the credit card provider.

      The credit card provider now goes to the merchant accounts from where the fraudulent transactions were created and requests that the merchant proves that those transactions were correctly authorised by the actual cardholder. If the merchant cannot convince the credit card provider that the transactions are genuine and made by the cardholder, the credit card provider will remove that entry from the ledger and bump a 'fraud-metrics' against the merchant. If that metric goes high enough the merchant will lose access to credit card transaction clearing - for almost ALL cards, globally, because there exists a global credit card issuer cartel against scam-prone merchants.

      Now, at 'month-03', the credit card provider has got the money for 'month-01' from the cardholder and at the end of 'month-03', they run down the ledger now containing only valid transactions and transfer the funds to the merchants.

      I.O.W: Amazon will be stuck with the fraudulent charges. Too many of those and/or too much lip about not eating their losses willingly and they can lose their credit card facilities, temporarily or permanently.

      *)

      The Swedish banks for some obscure reason only offer 'Debit Cards linked to an account with an overdraft facility' marketed as 'Credit Cards' to the unsuspecting upcoming victims of credit card fraud. This of course causes an unpleasant discussion between the bank where the overdrawn account resides and the cardholder on who gets to eat the loss.

    3. Dan 55 Silver badge

      Re: Liability

      Amazon already pay a higher commission because they don't ask for the CVV although as everything is negotiable and Amazon is Amazon I guess it wouldn't be as high as other places.

      1. Is It Me Bronze badge

        Re: Liability

        I thought that they just took on responsibility for the loss rather than pay extra, at least that is what my memory of reading about it a few years ago was.

  8. Anonymous Coward

    ecards

    It's probably just me, but if you leave your regular card details on Amazon, you WILL be stolen.

    Like, every single fecking time.

    Crooks, sure, but also Amazon, like their prime "service", for which you have a couple of months free service and then, without asking you anything, they'll charge you!

    The only way to securely buy from Amazon today is to use ecards, AND make sure you discard them the minute it has been charged successfully.

    Doing otherwise is doing it wrong. And also make sure you're never buying from anyone in China!

    1. lglethal Silver badge
      Facepalm

      Re: ecards

      Not to support Amazon or anything, but every time with Prime, Amazon make it crystal clear that after the free month trial you will be charged. If you forget to turn the thing off, then frankly that's your own fault and nothing to do with Amazon. You don't have to take the free trial. You can also take the free trial, make your purchase and cancel it the moment you're finished. But blaming Amazon for charging you for Prime the following month after they told you they were going to charge you if you didn't cancel is just stupid...

      1. Richard Parkin

        Re: ecards

        Also if you have a free trial you can cancel it immediately after signing up (maybe next day to be safe) and the free month or whatever will still apply. No need to ‘remember’ to cancel.

        1. Bert 1
          Pint

          Re: ecards

          Also, getting a temporary Prime Membership can be cheaper.

          I've often been offered 1 week of prime for 99p, which is cheaper than the (typical) £2.99 P&P being offered if there is no free shipping (small order say.)

          If I cancel straight away, I then get offered up to an 89p refund!

          I count this as a win...

      2. NightFox

        Re: ecards

        Yes, especially as IIRC, Amazon is one of the few companies who still let you use the full trial period even if you cancel on Day 1, and actually email you reminders when the end of your trial is coming up.

      3. Anonymous Coward

        Re: ecards

        "Not to support Amazon or anything, but every time with Prime, Amazon make it crystal clear that after the free month trial you will be charged. If you forget to turn the thing off, then frankly that's your own fault and nothing to do with Amazon. You don't have to take the free trial. You can also take the free trial, make your purchase and cancel it the moment you're finished. But blaming Amazon for charging you for Prime the following month after they told you they were going to charge you if you didn't cancel is just stupid..."

        I'm sorry, but this is untrue. I've purchased a lot of stuff through Amazon, in recent years, even last month, and you are NEVER given the option to opt-out from fucking prime. You NEED to get it to have your purchase, at least in France.

        And it's not like I'm an idiot, my daughter reported the same thing.

        I have no idea where you got this option and I am willing to learn, but frankly, I never saw it ....

        As I said, the only option is to withdraw your payment means.

        1. Richard Parkin

          Re: ecards

          I’m sure you’re not an idiot. However I’ve just gone to Amazon.fr, not signed in, and Prime is offered as a free trial (as in U.K.) so surely that implies it is not compulsory?

          Since you are a Prime member (sounds a bit rude ;-( ) I guess you are not being given the option to opt out when you buy, but why would you? What happens if you cancel Prime?

        2. RedCardinal

          Re: ecards

          Just to follow up on RP's reply -

          I've just logged into Amazon.fr (I don't have prime), chose something to buy and was offered a choice of a free trial with Amazon Prime and refusing the trial and just buying the item ("Continuer sans tester Amazon Prime") is clearly given as an option.....

    2. Cederic Silver badge

      Re: ecards

      While I'm sure it isn't just you, it certainly isn't everybody.

      I've been an Amazon customer for twenty years without suffering fraud.

    3. RedCardinal

      Re: ecards

      It is just you.

      I have my card details on Amazon (having used it for many many years) and I've never had any problem with fraudulent transactions (either on Amazon or the card account itself)

      I've also bought from sellers in China a couple of times and never had any problems there either.

      I imagine that nearly all Amazon users allow Amazon to hold their card details. If it was the case that these were always been stolen then Amazon would be overwhelmed and that's clearly not happening.

  9. Nickckk

    Cancel the account challenge

    I stopped using Amazon with their devious and out of order default to Prime on transactions. I was able, once I found out they were charging my credit card, to get a refund but I tried to delete the account and that proved a challenge. Seems you have to negotiate with Amazon to put your case for account removal. Anyone else tried to do this?

    1. lglethal Silver badge
      Go

      Re: Cancel the account challenge

      Just curious - but which country do you live in? I've heard others speak about Amazon defaulting to Prime, but I've never had that myself - Amazon often ask when making a purchase if I want to sign up to Prime but it definitely has never defaulted to Prime without my explicit approval.

      It would be interesting to know if this is country specific behaviour. Maybe those lands with less stringent customer safety laws, such as my current abode possesses.

      1. Jess--

        Re: Cancel the account challenge

        UK here and most purchases through Amazon I have to hunt for the small greyed out text "proceed without prime" instead of the big pay now button (that includes prime)

        1. Richard Parkin

          Re: Cancel the account challenge

          Yes, it’s easy to accidentally sign up to Prime, done that, but never seen default to Prime in U.K.

          1. PhillW

            Re: Cancel the account challenge

            Or, just do as I have and never buy anything from Amazon....... Never found anything I wanted that I can't get for a better or similar price elsewhere.

            Yeah I know I can be ripped off there too, but Amazon are just a bunch of crooks, why should they go stomping on other crooks' toes?

  10. GreggS

    Samsung

    Weren't Samsung TVs the common link here?

    Seems it might be a problem there.

    1. mj.jam

      Re: Samsung

      Could just be that they have a way of pretending to be a certain device so they just connect up to each account in this way. Once they have it working, there is probably little need to modify their scripts, so they may all appear the same.

    2. Cuddles Silver badge

      Re: Samsung

      "Weren't Samsung TVs the common link here?"

      No. In this article there are TVs which claim to be made by Samsung and Vizio. In the original article, the TV in question was supposedly a "Samsung Huawei", which is obviously not a real device at all and therefore has nothing to do with Samsung. Whatever the exact hacking method is, there's no indication it's related to any specific manufacturer. As others have noted, by far the most likely explanation is that the scammers are gaining access to accounts by completely normal means such as weak passwords and credentials from other breaches, and using them to add fake devices with names that could appear legitimate at a first glance.

  11. Ozan

    Worrying

    Good thing I have a habit of never saving my credit card details in any online shop.

    1. Hans 1 Silver badge

      Re: Worrying

      Sneaky Amazon tries to store them anyway, head for the settings and make sure, I tell ya ... happened to me several times, oh, and I try to avoid Amazon whenever possible ... just not always feasible ...

      1. Ozan

        Re: Worrying

        I know what you mean. So many web sites try their hardest to store credit card info.

      2. jelabarre59 Silver badge

        Re: Worrying

        Sneaky Amazon tries to store them anyway, head for the settings and make sure, I tell ya ... happened to me several times, oh, and I try to avoid Amazon whenever possible ... just not always feasible ...

        I've noticed you can't use a CC for a one-time transaction *WITHOUT* it having to save it. Had ordered some parts for the in-laws through my Amazon account (regular, not Prime) and it stored the in-laws CC info. I just made sure to delete it from the saved cards list as soon as the product arrived.

  12. Rainer

    Probably not too high on the list

    A lot of people won't even notice the small charges, so Amazon might actually improve its bottom-line by this.

  13. Test Man

    There seems to be THREE lists.

    • Mouseover Account & Lists and choose Your Apps & Devices, click Your Devices in the "Manage" section

    • Mouseover Account & Lists and choose Your Account, click Content and Devices in the "Digital content and devices" section, click the Devices tab

    • Mouseover Your Prime and choose the Amazon Prime link, click Prime Video in the grey header bar, click Settings in the Prime Video header bar, click the Your Devices tab in the "Account & Settings" section

    1. Richard Parkin

      I *think* your first two go to the same list. I deregistered all my devices in one and they've all gone - had to re-sign in again to kindle to continue reading a book. Your 3rd list was different for me and just contained fire stick (and a video I had viewed, deleted that too) and Alexa which I've never had but did set one up for a relative so it probably got added then.

  14. cynic 2
    WTF?

    Amazon 2FA

    So I can enable 2FA using an app like Google Authenticator. That sounds OK-ish, but then Amazon insists on setting up my phone as a secondary 2FA (text or voice).

    I must be missing something here. The main reason for using an authenticator app is to avoid SMS hijacking, but a miscreant going down the backup 2FA route can still succeed?

  15. narf

    There is an option "require OTP from all devices" in your account settings. If enabled I believe it requires all devices to re-authenticate with MFA next time they log in. I wonder if that would fix the problem?

    1. Dan 55 Silver badge

      Thing is once they're paired they're always logged in. You have to turn on 2FA, deauthorise them, and then authorise them again.
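Added example (an editorial addition, not the words of any commenter and not Amazon's code): a small Python model of the short-code pairing flow Dan 55 describes, the separate per-product device lists Giles C, Bert 1 and Test Man found, the confirmation email Doctor Syntax asks for, and the point narf and Dan 55 make about paired devices staying logged in after 2FA is switched on. The `PairingService`, `Account` and `LinkedDevice` classes and the `mfa_epoch` field are assumptions made for illustration; the device names are constructed sample data.

```python
"""Toy model of short-code device pairing and what enabling MFA does (and
does not do) to devices that are already paired.  Illustrative only: the
classes and fields below are assumptions, not Amazon's API or data model."""
import secrets
import string
from dataclasses import dataclass, field

CODE_ALPHABET = string.ascii_uppercase + string.digits  # six-character pairing codes


@dataclass
class LinkedDevice:
    name: str        # display name the device reported when it paired
    surface: str     # product the device paired through, e.g. "video" or "shopping"
    token: str       # long-lived bearer token the device keeps after pairing
    mfa_epoch: int   # account MFA generation the token was issued under
    active: bool = True


@dataclass
class Account:
    email: str
    mfa_enabled: bool = False
    mfa_epoch: int = 0
    devices: list = field(default_factory=list)
    notifications: list = field(default_factory=list)  # stand-in for confirmation emails


class PairingService:
    """Device shows a short code; the signed-in user types it on the website."""

    def __init__(self):
        self.pending = {}  # code -> (device name, surface); single use

    def start_pairing(self, device_name, surface):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self.pending[code] = (device_name, surface)
        return code

    def complete_pairing(self, account, code):
        if code not in self.pending:
            raise ValueError("unknown or already used pairing code")
        device_name, surface = self.pending.pop(code)
        dev = LinkedDevice(device_name, surface, secrets.token_hex(16), account.mfa_epoch)
        account.devices.append(dev)
        # Tell the account owner every time something new is linked.
        account.notifications.append(f"New device '{device_name}' linked via {surface}")
        return dev

    def is_token_valid(self, account, token, require_current_epoch=False):
        """With require_current_epoch=True, tokens issued before the last MFA
        change are rejected until the device pairs again (the 'require OTP
        from all devices' behaviour)."""
        for dev in account.devices:
            if dev.active and secrets.compare_digest(dev.token, token):
                return not (require_current_epoch and dev.mfa_epoch < account.mfa_epoch)
        return False


def enable_mfa(account):
    """Turning on MFA bumps the epoch but, on its own, revokes nothing."""
    account.mfa_enabled = True
    account.mfa_epoch += 1


def revoke_all_devices(account):
    """The 'deauthorise them all' step; devices must pair again afterwards."""
    for dev in account.devices:
        dev.active = False


def device_list(account, surface=None):
    """Per-product view, like the separate video and shopping device pages."""
    return sorted(d.name for d in account.devices
                  if d.active and (surface is None or d.surface == surface))


def unknown_devices(account, known_names):
    """Owner's reconciliation: active devices whose names they do not recognise."""
    return sorted({d.name for d in account.devices if d.active} - set(known_names))


if __name__ == "__main__":
    svc, acct = PairingService(), Account("owner@example.invalid")
    tv = svc.complete_pairing(acct, svc.start_pairing("Living room TV", "video"))
    svc.complete_pairing(acct, svc.start_pairing("Phone", "shopping"))
    enable_mfa(acct)
    print("video list:", device_list(acct, "video"))
    print("TV token still valid after MFA:", svc.is_token_valid(acct, tv.token))
    print("...but rejected when the epoch is enforced:",
          svc.is_token_valid(acct, tv.token, require_current_epoch=True))
```

The model makes the thread's point concrete: `enable_mfa` changes nothing about tokens already handed out, so a device paired before the change keeps working until the service either checks the epoch on every request (narf's "require OTP from all devices") or the owner revokes everything and pairs again (Dan 55's advice). `device_list` filtered by surface reproduces why a device can show up on one page and not another, and `unknown_devices` is the by-hand reconciliation Bert 1 and Richard Parkin did across those lists.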

  16. Daedalus Silver badge

    Mr. Bezos's Neighbourhood

    Can you say "Class Action Lawsuit"? I knew that you could.

    1. NightFox

      Re: Mr. Bezos's Neighbourhood

      Oooo, thank you. The only one I'm left missing from my Internet Forum Bingo Card for today is "If you're not paying for it, then you're the product"

  17. Loyal Commenter Silver badge

    Still smells like an API flaw to me

    Possibly a session-hijacking flaw that allows a bad actor to MITM a legitimate session between a device and Amazon's servers and use it to add a bogus device?

    1. NetBlackOps

      Re: Still smells like an API flaw to me

      That's the conjecture I'm left with from running down the decision trees.

  18. David Roberts
    Holmes

    Fire Stick?

    I noticed that my fire sticks advertise as WiFi devices.

    Allegedly it is for the remote control.

    I wonder if there is a vulnerability?


Biting the hand that feeds IT © 1998–2019