Baffled by bogus charges on your Amazon account? It may be the work of a crook's phantom gadget Last week, we spoke to an Amazon customer who was for months plagued by unauthorized purchases from their account. It appeared a fraudster's smart TV had been quietly linked to the victim's profile – a gizmo not visible in the usual account settings and could not be removed by even Amazon's own support team. Yet the phantom …
Not sure why you have received down votes for asking a simple question HOW?
Now for all we know there may some leakage going on that exposes user name and password, maybe a buggy app (anyone using PrimeMusic offline will know what a piss poor excuse of an app that is), someone on the inside addinh the accounts, some shit dev living it all exposed on a cloud server somewhere, or even some dodgy JavaScript that is ripping info.
Until they trace, it could well be compromised user info.
The Prime Video app on the device generates a six character code, you go to primevideo.com, log with Amazon credentials, and enter that code.
You can turn on 2FA but that won't get rid of devices which are already paired. Also on Android, if you pair the Prime Video app, the main Amazon shopping app works using those credentials too.
Which makes me wonder if they're real devices as one smart TV per compromised account seems a pretty expensive way to go about it. Perhaps somebody's spinning up Android VMs with Prime Video and Amazon apps linked to compromised accounts.
Logically, it probably starts with account access. This could be from password reuse, poor passwords, access to an email account, theft of credentials via malware, or the like. However, as we don't have many details, it is theoretically possible that there is another vulnerability somewhere that people have found. We don't need to assume that exists at the moment, but it's not beyond the bounds of possibility.
Everyone will have some type of security incident, and quite a few of those will be account accesses. However, the real problem is recovery from an event like this. Most accounts can be recovered by taking them over again, changing access methods, and enabling multi-factor. When this course of action is not sufficient, we have a problem.
Logically, it probably starts with account access. This could be from password reuse, poor passwords, access to an email account, theft of credentials via malware, or the like. However, as we don't have many details
From the article it is pretty clear that password reuse and poor passwords can be excluded in at least some cases, so that probably isn't how.
Just went and checked my own account.
You need to go to the following screens.
Your prime -> prime video -> menu -> settings -> your devices
And you can see what is registered for video playing.
However
If instead you go
Accounts and lists -> your apps and devices -> your devices
Then nothing shows up for video playback.
Amazon - a site where the path to right results is longer than the river it is named after!!!
I was going to comment about this in the comments of the other article: I'm a little curious that in my case, the latter method (Accounts and lists -> your apps and devices -> your devices) shows my Kindle and Fire Stick, whereas the former method (Your prime -> prime video -> menu -> settings -> your devices) doesn't show the Fire Stick. I thought it WOULD have showed up there, given what it is and what it's for.
Edit: And looking now, Accounts and Settings section of Prime doesn't seem to be working for me. (It initially appears, with the nav bar that includes Your devices, but then the content section immediately disappears to be left by an empty white space. Possibly a Javascript issue - I wasn't using this computer yesterday - or maybe they're tweaking things. I'll look again later; I don't have time to do anything now.)
Eek!
I just checked this on my account, where I don't have Prime at the moment...
Accounts & Lists - Your Apps and Devices lists (to parpaphrase a bit by taking off my name)
Fire TV stick
2nd Android Device
our prime -> prime video -> menu -> settings -> your devices gives:
Fire TV Stick
Hudl2
2nd Android Device
Android Device
Accounts & Lists -> Manage your content and Devices -> Devices gives:
Fire TV Stick (Fire TV Stik)
Kindle (Kindle Papaerwhite0
2nd Android Device (Kindle for android)
2nd Android Device (Amazon shopping App)
2nd Android Device (MP3)
Android Device (Amazon Shopping App)
Android Device (Kindle for Android)
Kindle Cloud Reader (Kindle Cloud Reader)
Hudl2 (Amazon shopping App)
Hudl2 (Kindle for Android)
Android Device (Amazon Music)
Android (Kindle for Android)
They all have my name at the start, and they have all been mine over the years, but that is frankly ridiculous that they have different lists. Maybe there are longer lists in other places!
It seems that, in their rush to provide yet another way to monitor consumer behavior for no benefit to consumers, all these "smart" thingamabobs are opening yet another Pandora's box worth of trouble.
The Internet appears to still be in its Wild West period. Maybe, in a few decades and after many, many lawsuits, companies will finally be capable of design products that do not shit on their their customers without them having a clue.
Maybe.
Nah, based on the problem as described in the initial report, it looked like the tip of a massive f*cking iceberg.
This is why I don't let third parties store my CC details. I'll plug 'em in when I actually want to buy something.
I think you're over-estimating Amazon's intelligence there. I recently had an order confirmation email from Amazon for something I hadn't ordered, but I noticed that it had been sent to one of my other email addresses (as had lots of "Welcome to Amazon"-type emails), so I assumed that someone had just made a typo with their email address setting up their new amazon account, as Amazon stupidly don't send you an 'activation' email when you set up a new account or register a new email address. So I contacted Amazon CS to tell them someone had accidentally set up a new account with my email address, and they said they'd contact the account holder to rectify the situation.
Can you see where this is going?
Within 5 minutes, I received an email from Amazon advising me that I'd used an email address to set up my new account that belonged to someone else, would I mind changing it?
When I called up Amazon again, the CS rep told me not to worry as even though I'd received the email, the Amazon account holder would have received it too as we both shared the same email address. 8-(
In the end I just did a "forgotten password" reset on his/her account (as authentication is by email) so they wouldn't be able to access the account any more, and ignored the subsequent password reset links I received when they tried to log-in a few days later. I had been tempted to place an order through the account for something personalised with the message "Get your bloody email address right you f***wit" but I guess that would technically have been theft so I never did.
Alternatively, VISA and Mastercard have provisions in their merchant agreements which allow them to reclaim money paid out to customers (I don't know if this is the case or not, but it really wouldn't surprise me ... having spoken to a lawyer about reclaiming money from a card company, I know they do follow up with retailers when they've had to pay out).
The banks and creditcard providers must be bearing a fair whack of the cost of this where they're the ones required by law to reimburse consumers.
Nope. Not how credit cards are wired, it goes like this: Credit card providers do not pay out any money they don't have and even then only after 3-4 months after the transactions were made.
A fraudulent transaction is therefore 'just' cancelled, sticking the merchant, who accepted the transaction with the losses - on top of the 3% service charge. Debit cards, OTOH, transfer the money directly so only Swedish* and straight-up idiots use debit cards on the Internet or while travelling!
The credit card provider simply runs a ledger recording the credit card transactions, at this stage presumably all authorised by the cardholder.
At the end of 'month 01', the credit card provider presents the ledger from 'month-00' to the cardholder.
Cardholder approves the ledger by paying it in part or full OR cardholder rejects transactions that cardholder claims are fraudulent. Cardholder has almost one month to pay the credit card provider.
The credit card provider now goes to the merchant accounts from where the fraudulent transactions were created and requests that the merchant proves that those transactions were correctly authorised by the actual cardholder. If the merchant cannot convince the credit card provider that the transactions are genuine and made by the cardholder, the credit card provider will remove that entry from the ledger and bump a 'fraud-metrics' against the merchant. If that metric goes high enough the merchant will lose access to credit card transaction clearing - for almost ALL cards, globally, because there exists a global credit card issuer cartel against scam-prone merchants.
Now, at 'month-03', the credit card provider has got the money for 'month-01' from the cardholder and at the end of 'month-03', they run down the ledger now containing only valid transactions and transfer the funds to the merchants.
I.O.W: Amazon will be stuck with the fraudulent charges. Too many of those and/or too much lip about not eating their losses willingly and they can lose their credit card facilities, temporarily or permanently.
*)
The Swedish banks for some obscure reason only offers 'Debit Cards linked to an account with an overdraft facility' marketed as 'Credit Cards' to the unsuspecting upcoming victims of credit card fraud. This of course causing an unpleasant discussion between the bank where the overdrawn account resides and cardholder on who gets to eat the loss.
It's probably just me, but if you leave your regular card details on Amazon, you WILL be stolen.
Like, every single fecking time.
Crooks, sure, but also Amazon, like their prime "service", for which you have a couple of months free service and then, without asking you anything, they'll charge you !
The only way to securely buy from Amazon today is to use ecards, AND make sure you discard them the minute it has been charged successfully.
Doing otherwise is doing it wrong. And also make sure you're never buying from anyone in China !
Not to support Amazon or anything, but everytime with Prime, Amazon make it crystal clear that after the free month trial you will be charged. If you forget to turn the thing off, then frankly that's your own fault and nothing to do with Amazon. You dont have to take the free trial. You can also take the free trial, make your purchase and cancel it the moment you're finished. But blaming Amazon for charging you for Prime the following month after they told you they were going to charge you if you didnt cancel is just stupid...
Also, getting a temporary Prime Membership can be cheaper.
I've often been offered 1 week of prime for 99p, which is cheaper than the (typical) £2.99 P&P being offered if there is no free shipping (small order say.)
If I cancel straight away, I then get offered up to an 89p refund!
I count this as a win...
"Not to support Amazon or anything, but everytime with Prime, Amazon make it crystal clear that after the free month trial you will be charged. If you forget to turn the thing off, then frankly that's your own fault and nothing to do with Amazon. You dont have to take the free trial. You can also take the free trial, make your purchase and cancel it the moment you're finished. But blaming Amazon for charging you for Prime the following month after they told you they were going to charge you if you didnt cancel is just stupid..."
I'm sorry, but this is untrue. I've purchased a lot of stuff through Amazon, in recent years, even last month, and you are NEVER given the option to opt-out from fucking prime. You NEED to get it to have your purchase, at least in France.
And it's not like I'm an idiot, my daughter reported the same thing.
I have no idea where you got this option and I am willing to learn, but frankly, I never saw it ....
As I said, the only option is to withdraw you payment mean.
I’m sure you’re not an idiot. However I’ve just gone to Amazon.fr, not signed in, and Prime is offered as a free trial (as in U.K.) so surely that implies it is not compulsory?
Since you are a Prime member (sounds a bit rude ;-( ) I guess you are not being given the option to opt out when you buy, but why would? What happens if you cancel Prime?
Just to follow up on RP's reply -
I've just logged into Amazon.fr (I don't have prime), chose something to buy and was offered a choice of a free trial with Amazon Prime and refusing the trial and just buying the item ("Continuer sans tester Amazon Prime") is clearly given as an option.....
It is just you.
I have my card details on Amazon (having used it for many many years) and I've never had any problem with fraudulent transactions (either on Amazon or the card account itself)
I've also bought from sellers in China a couple of times and never had any problems there either.
I imagine that nearly all Amazon users allow Amazon to hold their card details. If it was the case that these were always been stolen then Amazon would be overwhelmed and that's clearly not happening.
I stopped using Amazon with their devious and out of order default to Prime on transactions. I was able, once I found out they were charging my credit card, to get a refund but I tried to delete the account but that proved a challenge. Seems you have to negiotiate with Amazon to put your case for account removal. Anyone else tried to do this?
Just curious - but which country do you live in? I've heard others speak about Amazon defaulting to Prime, but I've never had that myself - Amazon often ask when making a purchase if i want to sign up to Prime but it definitely has never defaulted to Prime without my explicit approval.
It would be interesting to know if this is country specific behaviour. Maybe those lands with less stringent customer safety laws, as my current Abode possess.
Or, just do as I have and never buy anything from Amazon....... Never found anything I wanted that I can't get for a better or similar price elsewhere.
Yeah I know I can be ripped off there too, but Amazon are just a bunch of crooks, why should they go stomping on other crooks toes?
"Weren't Samsung TV's the common link here?"
No. In this article there are TVs which claim to be made by Samsung and Vizio. In the original article, the TV in question was supposedly a "Samsung Huawei", which is obviously not a real device at all and therefore has nothing to do with Samsung. Whatever the exact hacking method is, there's no indication it's related to any specific manufacturer. As others have noted, by far the most likely explanation is that the scammers are gaining access to accounts by completely normal means such as weak passwords and credentials from other breaches, and using them to add fake devices with names that could appear legitimate at a first glance.
Sneaky Amazon tries to store them anyway, head for the settings and make sure, I tell ya ... happened to me several times, oh, and I try to avoid Amazon whenever possible ... just not always feasible ...
I've noticed you can't use a CC for a one-time transaction *WITHOUT* it having to save it. Had ordered some parts for the in-laws through my Amazon account (regular, not Prime) and it stored the in-laws CC info. I just made sure to delete it from the saved cards list as soon as the product arrived.
There seems to be THREE lists.
• Mouseover Account & LIsts and choose Your Apps & Devices, click Your Devices in the "Manage" section
• Mouseover Account & LIsts and choose Your Account, click Content and Devices in the "Digital content and devices" section, click the Devices tab
• Mouseover Your Prime and choose the Amazon Prime link, click Prime Video in the grey header bar, click Settings in the Prime Video header bar, click the Your Devices tab in the "Account & Settings" section
I *think* you first two go to the same list. I deregistered all my devices in one and they’ve all gone — had to re-sign in again to kindle to continue reading a book. Your 3rd list was different for me and just contained fire stick (and a video I had viewed, deleted that too) and Alexa which I’ve never had but did set one up for a relative so it probably got added then.
So I can enable 2FA using an app like Google Authenticator. That sounds OK-ish, but then Amazon insists on setting up my phone as a secondary 2FA (text or voice).
I must be missing something here. The main reason for using an authenticator app is to avoid SMS hijacking, but a miscreant going down the backup 2FA route can still succeed?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
