Con-Artist Gets Man’s Personal Information with Amazon’s Customer Service’s Help

With how many credit cards and valuable frequent flier accounts our community has, we all have to be super-extra-vigilant that we are protecting our information and constantly checking our accounts.

Sometimes it feels like no matter how well you protect yourself, there’s nothing you can do to completely prevent fraud on your accounts.  I was one of 7,700 accounts of US Airways’ top tier elites who had their miles completely wiped out.  They were extremely tight on security in giving me access to my frequent flier account (I had to wait for information in the mail… sent bulk mail), but weren’t quite so vigilant when my information was given out in the first place.

I just read a case involving Amazon that not only was shocking, but repeated enough to show it wasn’t just a rogue customer service agent.

A con-artist (let’s call him CA for short) contacted Amazon’s customer service, pretending to be a different customer.  The CA targeted this man by accessing his personally identifiable information via his website who-is.

Except the customer didn’t use his real address when registering his information.

The CA contacted Amazon’s chat customer service.  Amazon’s customer service agent asked the CA to verify his address before giving out information.  The CA gave the agent the wrong address (the one from the WhoIs of the website) and the customer service agent thanked him and proceeded with helping him.

In the chat session, the agent gave him:

  • The customer’s address
  • Recent purchases
  • The gift card balance on his account

In follow-up chats, the agents gave the CA even more information.

Then if you read the comments on the article, you’ll see readers tried this themselves.  They gave the customer service agents at Amazon a wrong address, and were able to get the agent to give them their personally identifiable information.

This is ridiculous!

But I had a similar situation to this myself.  I found out a store credit card (who I am not naming because I think the vulnerability is still out there) who lets you reset your password just by using your security questions.  It didn’t even send the information to my email.  It didn’t email me to reset the password.  It let the person change my password right then and there.

I later found out that this store was targeted because it also lets you do a wedding website and registry.  Listing the wedding party makes it easier to find someone’s maiden name, so from now on, I’ve assigned aliases to my entire family that I use whenever using security questions, and I’ve decided what “cities” they were born in.

No matter how careful we are, we cannot prevent security flaws on the company’s side.  But we can do things to help prevent things from happening:

  • Don’t use your real address in a website who-is–either pay for privacy or register an address at some place like a UPS store.
  • Check your credit accounts frequently using a website like Mint.com
  • Be careful using ATMs.  Look at them before you insert your card.  See if anything looks strange.
  • Be careful when using public WiFi.  Us frequent travelers are on the road a lot and sometimes need to do banking on the road, but there are things we can do to prevent con-artists from stealing our information.  Forbes has a good article on that.
  • If you spot a confirmation email, a password change email, or a “thanks for chatting” email you don’t remember requesting, investigate immediately, before the con-artist has a chance to use your information.

The most you can do is be vigilant.  And hope you aren’t targeted.

Note:  A lot of media outlets call people who do things like this, “hackers”.  I call them con-artists because what they are engaged in is deception and tricks in order to get your money–they do not have as advanced computer skills as companies make them out to sound.  I’ve been told “we can’t stay ahead of these hackers…” when it is usually that the companies left some sort of vulnerability open that someone decided to take advantage of–you do not need advanced skills to take advantage of doors that are left open.  Hackers are a completely different thing.

About Jeanne Marie Hoffman

Former bartender, still a geek. One equal part each cookies, liberty, football, music, travel, libations. Stir vigorously. +Jeanne Marie Hoffman Jeanne on Twitter

Check Also

The Hyatt Credit Card Covers Damage to Your Purchases

I’ve been using my Hyatt Card a lot lately and I completely missed this benefit. …

2 comments

  1. I am pretty dumb, but what is a “website who-is”?

    • Jeanne Marie Hoffman

      When you register a domain name, you are required to provide your name, address, and phone number. You can look up who owns a website and get this personally identifiable information. You can pay to have a proxy company register your website for you so that you don’t have to provide your own information.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.