Cardinal found that the "mysterious Portland address" is, "owned by a company called ReShip.com: a company that allows you to have a "virtual" mailing address which will forward packages and mail out of the US. Clearly, the camera was on its way overseas."
And he wrote that a CSR told him that, "all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They're unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests."
That, he noted, would make it, "dirt simple for me to get and receive a second camera for free. That's the sort of thing you're really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked."
Matt Johansen, a WhiteHat security threat research manager, said he hadn't seen a scam with this exact method, but the technique was old. "This kind of social engineering has been used for quite a while in various forms with other online retailers," he said. "
"The people paid to run these live-chat customer support systems, or even over-the-phone call centers, are trained to get on and off the phone or chat as quickly as possible, he said. "The 'hackers,' in this case, use that to their advantage by describing what a hurry they are in."
Some commenters on Cardinal's story agree, contending that happy customers are much more important to Amazon than a bit of fraud. "The customer is happy, and Amazon only takes a small drop out of their ocean of profits ... so I predict that they will do nothing about this," wrote "Brian M."
Johansen agreed. "The people on the other end of these customer service calls and chats are trained to satisfy the customer as quickly as possible," he said. "This mentality, especially during holiday season ramp-up, is reiterated to them much more often than any resemblance of security training or fraud spotting and prevention."
Cardinal argues that Amazon could make it much more difficult for scammers simply by requiring a phone PIN that is separate from an account password and only used for telephone service. He suggested that Amazon also challenge replacement requests by asking for the last four digits of the payment credit card.
But even that, Johansen said, might put legitimate customers off. "A phone PIN would be terrific solution but is a very invasive one that most companies wouldn't be willing to take," he said. "That extra step for customers might be seen as an annoyance that Amazon isn't willing to put them through due to its impact on the overall service experience."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Sign up for Computerworld eNewsletters.