Having an Amazon account hacked is the nightmare scenario for any user of the service. It’s impossible to say how common the problem is but there have been enough anecdotes on public websites in the last year to say that the risk of hijacking is real.

As we noted in an article looking at Amazon security settings last year, users can turn on two-step verification (see discussion below) via SMS or through an app but only if they are using US Amazon.com accounts. UK and other non-US users can only access the same security feature if they sign up for US accounts first and then enable it for the Amazon.co.uk site. It’s a workaround but a needless one that Amazon should put right as soon as possible.

amazon istock 22kay22

Amazon account security - types of Amazon fraud

Amazon fraud can be broken down into several types; purchase fraud against buyers, fake goods scams (caveat emptor), and fraud against sellers (caveat venditor) in the firm’s Marketplace. The latter is a complex topic that could consume several articles so we’re going to focus on the former in which accounts are hacked and goods are fraudulently bought and sent to third-party addresses at the account holder’s expense. Since Amazon watches for out-of-character goods fraud some attackers avoid detection by asking for refunds on goods already ordered.

How do hackers compromise Amazon accounts in the first place? The commonest method is some form of phishing through which criminals get their hands on a user’s Amazon ID and password. Once they have control of the account it can be surprisingly difficult to get it back. Amazon’s customer’s service seems to be chaotic at times and finds it hard to distinguish between people who have genuinely lost their account access and those who merely think they have because after receiving a bogus shipping email (see below).

It’s rarer but still possible that old-fashioned keylogging malware, in which the user’s account details are stolen remotely from their PC, could be to blame. This makes account resets a particular trial as the hacker will know the new credentials and keep changing them to block access.  

If they have got hold of Amazon credentials, attackers will try other accounts that might use the same password (people often re-use them). That means PayPal, Gmail, e-commerce store accounts - you name it and the hackers will try it.

Amazon account security - phishing attacks

No matter how immune you believe you are to phishing attacks, you almost certainly aren’t. The criminals know this and use a number of techniques to hook people. Common examples include:

- A spoofed email that appears to be from Amazon for an imaginary order for a sizable sum which should be queried using a bogus login page.

- In a variation on this, a bogus dispatch confirmation message.

- Notification of a refund after an order was double billed with a request for address confirmation.

There are numerous others (including ones that push other threats such as ransomware) but we publish these to illustrate the point that phishing messages can be hard to resist. Any regular Amazon user confronted with what appears to be an order confirmation message for something they haven’t bought will be concerned. It is that psychological vulnerability that makes phishing so successful.

Anyone who enters their username and password into the phishing page will have handed access to their account to criminals who will then use to change registered addresses and purchase goods to send to them using linked credit or debit cards.

Amazon account security - unlink payment cards

Amazon was built to make buying things as easy as ‘one click’ and for that reason it asks users to fully register a card to make any purchase. Once a new card has been added, it rarely asks for the CVV verification number. This means that anyone who breaks into an Amazon account can buy things without entering a new card number or verifying it, an obvious worry.

It is possible, although very inconvenient, to keep registering and deleting credit cards for every purchase. This doesn’t mean that thieves can’t buy goods though a user’s account simply that they can’t do it using a registered card.

Amazon account security - two-step verification

As previously noted, the obvious answer is to turn on two-step verification (also called two-factor authentication or 2FA) under Your Account >Settings >Login and Security Settings>Advanced Security Settings. As far as we can tell UK users still can’t access this unless they already have a US Amazon account and turn it on there first. This a concerning anomaly for such a large company as two-step verification offers a simple, no-cost boost to account security.

Once activated, the users must enter a 6-digit onetime code sent to their registered phone by SMS each time they log into Amazon from any computer that hasn’t been whitelisted. Alternatively, Amazon offers an Authenticator app that will generate codes without the need for a phone signal.

In July 2016, the effectiveness of this form of security was called into question by none other than the US National Institute for Standards and Technology (NIST), which pointed to the potential for SMS codes to be intercepted using rogue man-in-the-middle apps, bogus authentication requests or just read from phone lock-screens. NIST would rather people move to using apps or, better still, hardware tokens such as the FIDO U2F key Techworld have covered in the past. Unfortunately, these only work on some services and Amazon is not currently on the list.

Imperfect it might be but the single best way to add a free layer of security to any Amazon account is still by turning on two-step verification.