My mother recently had her Amazon account (buyer, not seller) hacked. She is not a security expert but does work in database management, so she is definitely not computer illiterate. I am also not a security expert but I work as a software engineer, and still this situation is strange to me. She asked me for advice and despite our best efforts, the hack is still ongoing. I would like to know how this hack could have been carried out, and what steps should be taken to stop further damage.

Here is the sequence of events, to the best of my memory (as she told the story to me over several phone calls):

  1. Two weeks ago my mother noticed a $50 Nintendo eShop Gift Card ordered by her Amazon account. She immediately understood that her account was hacked.
  2. She immediately changed her password (I later learned that this was a 1-character change) and turned on two-factor authentication (2FA) going to her cell phone. She assumed that this process would "kick off" the hacker who might still be logged in, in their own browser session.
  3. A couple days later another unauthorized purchase was made, again for a Nintendo eShop Gift Card. During this time, my mother did not receive any messages related to 2FA.
  4. The hacker added a new credit card to the account, using a name and card number that we do not recognize. The billing address was left unchanged.
  5. My mother called me at this point asking for advice, since she didn't understand how the hacker still had access to the account after the password was changed and 2FA was turned on. I was also confused, and advised her to change the password to a completely different one, and then call Amazon for advice. I was unable to find an option on Amazon's website to force other account sessions to be logged out. I also hypothesized that her computer could be compromised, for example with a keylogger that would make password changes useless (but how does that get around 2FA?). I also considered the possibility of malware on her computer placing the fraudulent orders on her behalf, but it would take an incredibly specialized attack to do this, and it doesn't seem like an extremely skilled hacker would go through that trouble for a couple hundred dollars in gift cards.
  6. She spoke to an Amazon representative. The representative did not know whether the process of changing a password will automatically log out other sessions, but the representative did make a request for that to happen (by putting the account "on hold").
  7. My mother changed the password to a completely different one, using a different computer.
  8. Today another unauthorized purchase was made, $40 worth of Nintendo eShop Gift Cards. The hacker also added a credit card with my father's name and his work address, but we do not recognize the card number. Again my mother has not received any suspicious 2FA messages.

Questions:

  • How might this attack have occurred?
  • What can we do to stop the attack?

So far all of the following has been unsuccessful: two password changes, the latest being a completely different password set on a different computer, adding 2FA, and having the account put "on hold" which according to the Amazon representative should log out other sessions.

k_ssb
    "_The hacker also added a credit card with my father's name and his work address_" Forgive me if this seems impertinent, but are your parents together? If yes, can we assume you've checked that your father hasn't performed these actions (perhaps buying birthday presents; perhaps as part of a "send me gift cards" scam)? If your parents are separated/divorced, might he be the one who has/had access to the account? The steps in [mallocation's answer](https://security.stackexchange.com/a/233244/61744) would seem especially important if he did. – TripeHound Jun 15 '20 at 09:37
  • @TripeHound This is not my father's doing. They are still together, and my father has his own Amazon account, and he does not have access to either computer my mother used. Knowing him, I cannot think of a reason for him to be making these purchases at all, not to mention through my mother's account. – k_ssb Jun 16 '20 at 04:02

2 Answers

What can we do to stop the attack?

The damage and the extent of the breach might be more than you think of. The email account that is tied to the Amazon account needs the same security steps implemented or re-implemented, like changing your passwords to one with a completely different set of characters & theme/nature and the setting up of 2FA.

It is possible for the breached access to have gotten past the need to enter 2FA. Under 'Two-Step Verification (2SV) Settings' > 'Require OTP on all devices'

Do check on the number of 2FA apps enrolled as well.

You can also rule out the possibilities of her cellphone being breached by using your phone's authenticator app as hers. Find the breach, plug it!

mallocation
  • While I don't use Amazon, I would add there's a possibility that a cookie or token was stolen. Quite possible it hasn't expired, or due to design, won't. Not sure if there's a "sign out all other devices" button either... – dark_st3alth Jun 15 '20 at 23:20
  • I asked my mother to check her OTP settings, and indeed there are no devices where OTP is suppressed, and it's been that way since 2FA was initially turned on. – k_ssb Jun 16 '20 at 04:03
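Added example, not code from any post on this page and not Amazon's implementation: a minimal server-side session model in Python showing how a per-account credential version makes a password change or 2FA enablement invalidate every existing session and every "OTP suppressed" trusted device, which is the "log out other sessions" behaviour the question could not find and the setting mallocation's answer points at. All names, hashes and device ids are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password_hash: str
    cred_version: int = 0          # bumped on every password / 2FA change
    totp_enabled: bool = False
    trusted_devices: dict = field(default_factory=dict)  # device_id -> cred_version when trusted

@dataclass
class Session:
    token: str
    cred_version: int              # version the session was minted at
    device_id: str

def login(acct, password_hash, device_id, otp_ok):
    # Password check, then OTP unless the device was trusted at the *current* version
    if password_hash != acct.password_hash:
        return None
    if acct.totp_enabled and not otp_ok and acct.trusted_devices.get(device_id) != acct.cred_version:
        return None
    return Session(secrets.token_hex(16), acct.cred_version, device_id)

def session_valid(acct, sess):
    # Sessions minted before the last credential change are rejected: this is the
    # "log out all other sessions" behaviour the question could not find
    return sess.cred_version == acct.cred_version

def change_password(acct, new_hash):
    acct.password_hash = new_hash
    acct.cred_version += 1         # even a one-character change kills every old session

def enable_2fa(acct):
    acct.totp_enabled = True
    acct.cred_version += 1         # stale "OTP suppressed" devices can no longer skip the OTP

def walkthrough():
    # Constructed scenario: the attacker logs in with a leaked password and marks
    # their device as trusted before the owner reacts, as happened in the question
    acct = Account("hash-old")
    attacker = login(acct, "hash-old", "attacker-box", otp_ok=False)
    acct.trusted_devices[attacker.device_id] = acct.cred_version   # "don't require OTP here"
    change_password(acct, "hash-new")
    enable_2fa(acct)
    still_in = session_valid(acct, attacker)                            # False
    # even with the new password, the stale trust no longer suppresses the OTP
    reuse_trust = login(acct, "hash-new", "attacker-box", otp_ok=False)  # None
    return still_in, reuse_trust
```

A service that stores only the password hash and never bumps such a version is exactly one where an already-minted session or trusted device survives a password change, which is the symptom the question describes.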
Here is a Reddit thread that seems to outline a similar situation: https://www.reddit.com/r/sysadmin/comments/dpbt3t/the_perils_of_security_and_how_i_finally_resolved/

TLDR: The OP was able to determine the device making the purchases was a smart TV which was not seen as a logged in device on their Amazon account. This was discovered by getting forwarded to the "Kindle technical department". Upon this discovery, the Amazon representative was able to deauthorize and delete the device from the account. The OP also detailed how this device was able to bypass any 2FA on the account.

hydr0gen