Eric received an email from Amazon Customer Service that said "Thank you for contacting us." But Eric did not contact them. Instead, an attacker had contacted them and pretended to be Eric. When Amazon Customer Service asked the attacker to identify himself, all he had to do was give Eric’s name, email address, and mailing address—which the attacker got from Whois, which contains Eric’s registration information for his website. However, Eric knew to protect his actual mailing address, so the registration information on Whois was actually a hotel close to Eric’s house. Because the information matched what was on file, Customer Service told the attacker the mailing address of Eric’s order, which was his real home address. Eric contacted Amazon, found out these details, and told them not to release any of his information to anyone who contacted Customer Service, to which Amazon agreed.
Fast forward two months. Eric again received another "Thank you for contacting us" email. After contacting Amazon again, he found that this time the attacker had tried to get the last four digits of Eric’s credit card number on file through more social engineering tricks.
Fortunately, this time Amazon did not surrender that specific piece of information (although they had ignored his previous instruction not to give out any information). Had they provided the credit card number, the attacker would have had enough information to pass the "I’m-the-real-Eric" test on almost any of Eric’s online accounts (using his name, email address, mailing address, and last four digits of his credit card) and trick their Customer Service into resetting Eric’s password. This would then allow the attacker to get into Eric’s online accounts and purchase a virtually unlimited number of items charged to Eric’s credit card.
What went wrong? Should the first Amazon Customer Service representative have been reprimanded? What policies should Amazon have had in place to prevent this? What technologies should there be in place to prevent this? As a customer, what should you do to protect your online accounts?
Write a one-page paper on your analysis.
The customer identity verification process at Amazon was not comprehensive or strong. An attacker had posed as Eric and had obtained his mailing address. The verification process just asked the attacker to confirm the name, email address and mailing address. This is basic information that is accessible to all. Hence the attacker could easily pose as Eric and get information from the customer service center at Amazon.
After the first attacker call had happened, Eric contacted customer service at Amazon, informed them about the imposter and asked them not to disclose his information to anyone. Amazon did not take any other step apart from this. However, customer service got another call from the imposter two months later, and they again failed to identify the hoax. The customer identity verification procedure at the Amazon customer service center was not adequate. Anyone can pose as any customer and can get vital information. This is clearly data theft and can be considered a type of cyber crime.
The first customer care representative did not do much to report the imposter to the higher authorities. This was a matter of concern for the company and a loophole in the customer identity verification system. This could have led to major data leakage and could have been the foundation of a cyber crime. The first customer care representative needs to be counselled by the management.
The policies and technologies which could have prevented this situation are as follows:
· A comprehensive customer identity verification process that asks customers some difficult questions could have been a better way
· The customer data must be stored in various layers of protection
· The customer data must be encrypted to save it from any cyber attack and data leakage
As a customer, I would have ensured the following to keep my data safe online:
· Having updated firewalls on my system
· Not giving all information on any random site that I visit
· Having complex passwords and security questions for online accounts