Amazon's Customer Service Backdoor (medium.com) 131
An anonymous reader writes: Eric Springer describes his recent troubles with Amazon to highlight one of the biggest weak points in information security: customer service. You can use complex passwords and two-factor authentication all you want — all it takes is a low-level representative trying to be helpful and your account information is now compromised. In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number. That was enough to commit fraud with a couple of unrelated online services. Springer complained, but months later the same thing happened again. That time, he had Amazon put a note on his account not to give out his details.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
But that didn't help; the attacker contacted Amazon's phone support line instead, and gathered yet more information. Springer writes, "At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it's hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks." Springer's advice for fixing this: "Never do customer support unless the user can log in to their account. The only exception to this would be if the user forgot the password, and there should be a very strict policy." He also says email services should make aliases easier, and whois protection should be default.
Google... (Score:5, Interesting)
He thinks Google is more secure ... ?
Re:Google... (Score:5, Insightful)
Re: (Score:2)
Yeah, I always thought that one of the weirdest parts of The Internship was the part where they had them man the Google phone support help desk.
As far as I know, there is no such thing as the Google phone support help desk for Google's free products like Chrome and GMail.
Re: (Score:1)
There is, only the phone line isn't connected. It's so they can technically say they do have a telephone support department.
Re:Google... (Score:5, Interesting)
Well it's more like Google does not have Customer Service...
Well, they do, sort of.
A while back I ordered a nexus android phone direct from google for testing. I received the phone, my credit card was charged, I paid my credit card bill, and all was good.
About 4 months later, I decided to buy another nexus android phone direct from google. I logged in to my account and bought another phone.
A day later I get a rejection message that my account was suspended and to contact google. I call them, speak to someone (in the USA, judging by their accent). They explain that my account was suspended for security reasons, and they are transferring the call to their "security team".
Their "security team" is based in the Philippines, and they told me my account was suspended for suspicious activity, and to reactivate the account I needed to upload scans of my driver's license and passport, otherwise they won't reactivate my account.
Why does google flag this as a suspicious? I have no idea. If the initial order was fraudulent, I probably would have disputed the charge on my credit card instead of paying it months ago.
After much back & forth with their Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.
I told them to fuck off.
Re:Google... (Score:4, Insightful)
After much back & forth with [Google's] Philippines call center and being escalated, they won't budge - provide scans of my driver's license and passport, or they won't sell me a phone.
You obviously aren't pleased by this, but this is actually evidence that Google's customer service is significantly more careful with your account than Amazon's customer service (per the article).
Re: (Score:2, Insightful)
How do you know ?
No really, how do you know ?
What the OP and I do see is that they ask for stuff that could be easily used to do exactly that what its supposed to be warding off: identity spoofing.
In other words: that "helpdesk" (the higher management) is either as dumb as anything, or its actually an outfit to gai
Re: (Score:2)
Would you give some random joe a copy of the key to your house as proof that you're the actual resident ? Why not ?
No because I have papers that show my residency. Every so often they are asked for. You can't expect a service that provides proof that you are you and then refuse to give them proof that you are you.
Thanks but I'll stick with Google's approach.
Re: (Score:2)
You don't know the difference between authentication and authorization.
Re: (Score:2)
But, how is this more careful? How does an id and passport prove that you are you, unless you are actually in front of the person so they can compare you to your picture? All someone has to do is steal your purse/bag and they can upload scans of your id and passport.
It makes it so that someone at least has to steal your ID and passport. I don't know if they do, but they could also check with the issuing agency to find out if the document was lost or stolen.
Re: (Score:1)
Re: (Score:3)
Well it's more like Google does not have Customer Service...
Google does have customer service for any products that involve money. That's pretty much unavoidable. For free services, Google generally does not have customer service in the sense of people you can talk to, only online feedback forms which are largely unidirectional (you get no response).
Re: (Score:2)
Google Apps For Work has customer service. In order to get service, the user has to log into the account to obtain a PIN, which expires a set time after generation. This method mitigates the concern of a phishing attack.
I paid for my tablet (Score:1)
Then how do I get support for severe slowdowns on my Nexus 7 (2012) 8 GB tablet purchased from the Google store, which started after I installed Lollipop?
Re: (Score:2)
Then how do I get support for severe slowdowns on my Nexus 7 (2012) 8 GB tablet purchased from the Google store, which started after I installed Lollipop?
The 2012 Nexus 7 is out of warranty.
Re: (Score:2)
You are correct that this particular device is out of warranty.
But I have another question: Why do warranties on cellular devices tend to expire before the device would be paid off under the most common financing arrangement? Smartphones are often sold on a 24-month contract, yet not all are warranted for 24 months.
Re: (Score:1)
Where do you live? Just the State should do. Or, alternatively, look and see if you can find it yourself. I'll show you Maine's example:
http://legislature.maine.gov/l... [maine.gov]
Here's a good description from the AG:
http://www.maine.gov/tools/wha... [maine.gov]
See, specifically, 4 . 3 for a bit of a quick run-down. I'll quote it here:
The implied warranty of merchantability is created by Maine law and means that the product will
be fit for the ordinary purposes for which such products are used.6
For example, washing machines
must be fit for washing clothes. They must be able to do the job washing machines ordinarily do and to
last for as long as washing machines ordinarily last. The same is true for toasters, new automobiles,
mobile homes, clothing, furniture and every other item you purchase for family, household or personal
use. To prove a breach of the implied warranty of merchantability you must show that the product was
defective in design, materials, or workmanship.
(Emphasis added and emphasis mine.)
I have, in fact, used it for a cell phone that they said was no longer covered under warranty. Except, not really. What I did was contact the OEM for a repair. T
Re: (Score:1)
I was shocked, shocked I tell you, that I got a reply (some years ago) about a message I'd sent concerning their free email service. It was referencing a spam filtering issue, had a potential mechanism for improvement, and I was contacted several times for more information. No, I did not expect to get a response and yes, I am the only person that I know of who has ever had a response. I'm sure others have, I just don't know them. I've not even *read* about someone getting a similar response.
However, they di
Re: (Score:3)
Regardless of one's opinion of Google's security - this isn't exactly an apples to apples move. It's not as if you go to google.com to buy light bulbs or towels directly from them. You can search on Google for other vendors that might sell them; but at that point you are dealing with dozens of other businesses in addition to Google.
Re: (Score:3)
He's talking about Amazon Web Services and Google Cloud Platform.
There is a very small amount of overlap between Amazon Web Services support/accounts and Amazon.com support/accounts, but it is not entirely nonexistant (It is possible to be forwarded to the customer service team for one, after much cajoling / convincing that the other team exists at all, having first called the support team for the other. There is more overlap for Amazon Marketplace Web Services vs Amazon.com, though I have never experienced
Re: (Score:2)
He thinks Google is more secure ... ?
Have you ever tried to get Google on the phone?
Re: (Score:1)
How does he know that the "attacker" used Amazon? Seriously, how did he figure that out? Did they actually confirm that this was how they had gotten his information? I can't imagine an attacker telling you how they did the attack unless you'd hired them to attack you - which might be the case but they didn't mention this and it's a bit hard to imagine that the attacker, if hired, would then go on to commit fraud. The whole thing seems a bit melodramatic and a bit like someone has jumped to conclusions.
I gue
Won't work (Score:2)
Never do customer support unless the user can log in to their account.
Well, there's your problem. Most of the times I don't want to log in into an account, because:
And if I want to abuse the system on purpose, I can always pretend to be a computer-illiterate old granny.
Re:Won't work (Score:5, Informative)
The context of the conversation is customer service for people who already have accounts that can be exploited via the social engineering of said customer service.
Is he sure? (Score:5, Insightful)
While amazon screwed up here and enabled a social engineering attack:
Google services which seem significantly more robust at stopping these attacks
What is the evidence that he has to support this assertion? In his time at amazon, it seemed one party after some period of time started harassing amazon. Does he know that Google is more robust, or just that no one has gotten around to harassing him?
Assuming google is more robust, is it because they are 'just plain better' or because Amazon is so retail-heavy that it's much more difficult for them to block such attacks without royally pissing off their bread and butter retail customers?
It does surprise me that the support without logging in can do *anything* except help them reset their password. Resetting the password is more intrusive, though even this got notification sent to the legitimate account holder, so it wasn't a stealthy attack to begin with.
Re: (Score:2, Insightful)
While amazon screwed up here and enabled a social engineering attack:
Google services which seem significantly more robust at stopping these attacks
What is the evidence that he has to support this assertion?
Google does not have customer service.
Simple (Score:2)
...because Google is intentionally near-impossible to contact as a user of their services? Do you have the phone number of Gmail Customer Support?
Re: (Score:2)
I'm also surprised that they kept just saying what the last order was, rather than asking what the item was.
Re: (Score:2)
Google require all sorts of real documents as evidence and don't budget to hand waving and lip flapping, that's IF you can get them on the phone. They are known to have far worse customer service, and in this case great customer service (being overly helpful) can be bad.
Re: (Score:1)
Re: (Score:2)
Reasons Google is more secure:
- Two Factor Authentication built into each and every service by default. Meanwhile you can't even enable two-factor for your AWS account, let alone your Amazon buyer account.
- No "online chat" customer service. Google has a very simple customer service model - you either fill out a form and start an email case, or you enter a callback number and they phone you, or the service has no customer service whatsoever. I know of no Google service that has an online chat.
password resets are a horrible weak link too. (Score:5, Insightful)
Banking websites require 1 capital, 1 symbol, and 1 number in the password, doesn't allow you to use the back button and logs you out after 5 minutes but then allows you to reset your password by knowing your pet's name, your birthday, or some other ridiculously easy to find information. Yes, the password is usually sent to an email address but that email address doesn't have any of the same security, a person is always logged in, and usually has similar easy to crack password resets. Oh, and let's not forget that they won't actually allow you to opt out of the password reset or set it to something reasonable (like maybe most recent deposit combined with text message combined with a letter they mail out combined with credit card number)
In the USA they recently rolled out "Chip and Pin" technology for credit cards but decided that "Chip and Pin" was too inconvenient so instead just made it "Chip" so that when/if they ever implement "Chip and Pin" they will have to retrain everyone a second time (aka won't happen anytime soon) It's not like people weren't already familiar with pins with debit cards. It would have been trivial to just add the pins on in one go.
As long as we continue to operate on the premise that convenience is more important than security we are going to continue to have security problems.
Re: (Score:2)
There has to be a balance, however, or you risk rendering your service unusable. Nobody would buy anything online if the checkout process took 30 minutes, required a signed copy of your birth certificate from the doctor who performed the delivery, retinal scans from your grandparents and a full DNA workup.
Unfortunately, you also have to work within the limits of security unconscious morons who use 'P@55w0rd' and think they're being leet computer techies.
Re: (Score:1)
There has to be a balance, however, or you risk rendering your service unusable. Nobody would buy anything online if the checkout process took 30 minutes, required a signed copy of your birth certificate from the doctor who performed the delivery, retinal scans from your grandparents and a full DNA workup
that sounds like what the pharmacy requires to buy the good cold medicine now.
Re: (Score:2)
Set your secret question answers to random passwords.
This. My mother's maiden name really is YGIL68ovlh9p7 ;biy7/l gp79kl;yha47v clj 7i! We're European and African heritage... :-)
Just keep track of your 'answers' to your secret questions in a secure password manager like KeePass, and Bob's your uncle (or aunt).
Re: (Score:2)
Set your secret question answers to random passwords.
This. My mother's maiden name really is YGIL68ovlh9p7 ;biy7/l gp79kl;yha47v clj 7i! We're European and African heritage... :-)
I think you mean "My mother's maiden name really is YGIL68ovlh9p7 ;biy7/l gp79kl;yha47v clj 7i, you insensitive clod!"
Re: (Score:2)
Set your secret question answers to random passwords.
This. My mother's maiden name really is YGIL68ovlh9p7 ;biy7/l gp79kl;yha47v clj 7i! We're European and African heritage... :-)
I think you mean "My mother's maiden name really is YGIL68ovlh9p7 ;biy7/l gp79kl;yha47v clj 7i, you insensitive clod!"
Well done! You even got the glottal ; and superlative / correct!
Re: (Score:1)
security is not convenient,
and
convenience is not secure.
Re: (Score:1)
Don't use your real pet's name.
For most of us very few people have access to a little book in a drawer at home, but lots of people might know or easily guess our real pets names, first school and so on. So make up false answers and write them down. I'm going to do that with a handful of example questions, I won't write these down because they're not real, if you're doing it for real, write them in a book and put it with your underwear, or whatever, somewhere that if you saw somebody looking there you'd know
Re: (Score:1)
Re: (Score:2)
My first car was a Trebuchet.
My other car is a trebuchet.
Re: (Score:2)
Exactly. If it needs a PIN, it's a debit transaction, not credit.
Why would I want to enter my PIN into a keypad at the grocery store, in full view of dozens of strangers? What assurances do I have that the keypad itself doesn't have a skimmer installed on it?
Chip and Pin was designed to prevent people from being able to easily clone a physical credit card. It's outdated and doesn't really do much to help protect against modern skimming and POS compromise attacks.
Why would you *NOT* want to enter a pin? It's not like your credit card pin has to be the same as your debit card pin. How is not having a pin any more secure? You can argue that it doesn't add much additional protection but it's hard to argue that requiring a pin makes a credit card less secure. The only disadvantage I see with having a pin versus a signature is that it's easier to detect a forgery than if someone steals your pin. I think all debit and credit transactions including ATM withdrawals sho
Re: (Score:1)
Its called a "liability shift", after they converted to Chip-n-pin in Europe they outright wouldn't recognize any fraud complaints as they claimed their security was now foolproof. It took several news stories with demonstrations of card hacks before they finally admitted that the system could be (and was) breached. In the US they seem to be working on a variation of the concept, saddling businesses (who will of course then offload their losses into their customers) with the fraudulent charges.
Re: (Score:2)
In the US, the liability shift moves liability from the banks to the business only in one case: The bank has issued chip cards for the account and the merchant processes the transaction via swipe. If a chip card hasn't been issued, the bank is still liable. If the transaction was processed using the chip, the bank is still liable.
Re: (Score:2)
A jury is relatively easily convinced that someone stole your credit card and used its chip for an unauthorized transaction. That same uneducated jury is also easily convinced (by the other party) that if the correct PIN was used, you must have been present/authorized the transaction
Please cite a case that actually went to a jury where the jury was so convinced. Seriously. Because otherwise its a neat theory but with no basis in reality. And it doesn't line up with anything I've seen or experienced. And I say this as someone not just as a consumer, but as IT for businesses with dozens of retail locations, so I see it from the vender side as well.
despite the fact that a 4 decimal digit PIN is astonishingly weak and easy to guess by any modern security standard, nevermind the possibility of an over-the-shoulder attack observing you entering it.
a) If you have a 4 digit pin, it should be pretty easy to convince this hypothetical jury that it could be easily lifted from you over the sho
Re: (Score:1)
Chip and PIN isn't perfect... but nothing is. It is better than what we have now (i.e. nothing, or chip and signature.) It does a great job at protecting against someone scanning a photo of my card and doing a CNP transaction. Even if other people saw my PIN entered, and know my CC#... big whoop. Without the chip being used, they can't do a charge transaction, which is another nice thing.
Now, if CNP transactions can be addressed it would plug that hole. Visa has a protection module, but from what I've
Re: (Score:2)
Why would I want to enter my PIN into a keypad at the grocery store, in full view of dozens of strangers? What assurances do I have that the keypad itself doesn't have a skimmer installed on it?
Yes please don't. I don't want to have to lean over you to look at your pin code when I swipe your card. I prefer to simply be able to swipe your card and scrawl some incomprehensible crap on a small docket for me to prove I own your money.
Thanks by the way.
It's about increasing average security (Score:2)
I agree with you that the number of printable ASCII strings of a given length that include at least one lowercase letter, at least one uppercase letter, and at least one digit or punctuation character is smaller than the total number of printable ASCII strings of the same length. But it's about increasing the average security of an account, especially if the distribution is currently skewed toward more easily guessed passwords. If you make the least complex password more complex, you increase the expected t
Re: (Score:2)
In the USA they recently rolled out "Chip and Pin" technology for credit cards but decided that "Chip and Pin" was too inconvenient so instead just made it "Chip" so that when/if they ever implement "Chip and Pin" they will have to retrain everyone a second time (aka won't happen anytime soon)
It's actually worse than that. They gave everyone cards with a chip, but the vast majority of retailers still require swiping the card. The terminals support reading the chip, but you can't use it even if you want to.
Re: (Score:1)
Re: (Score:2)
Compromised immune system much? (Score:2)
Do you also have groceries delivered? If not, you can shop at brick-and-mortar stores when you make a grocery trip.
You said "diseased creatures". Does this mean you have a compromised immune system? If you do, and you receive disability allowance for it, then yes, Amazon may be a prudent choice.
Re: (Score:1)
It is a tough decision. On one hand, too loose, and you get the issue with TFA. Too tight, and you will get people locked out, and walking off to other sources because they can't log in.
Some sites think they are smart, and use some oddball info from Lexis-Nexus where they give you vague multiple choice questions with "none of the above". Miss one, you get royally locked out.
My personal take is that I like how Network Solutions did things. They asked for a fax or photo of one's license to verify an accou
Re: (Score:2)
I frequently find better bargains at my local brick and mortar stores - and I don't have to pay S&H
Also, even when you can find it cheaper online, a store will likely price match. I'm with you. I am however disappointed because more and more it's the case that retail doesn't even bother to stock the products I would want. They generally have low quality cheap versions, sometimes store branded to mask ability to compare and demand price match.
Embarrassing past purchases; local selection (Score:2)
This bullshit of having to provide payment information - even when you're no going to buy anything - is just stupid.
Apple's requirement to provide payment information in order to activate an iOS device is to make eventually buying something on iTunes Store or App Store more convenient.
Lastly, just delete you payment information and that'll make the account useless.
Unless someone tries to blackmail you with purchase history. I know someone who purchased adult toys on Amazon in the past but doesn't want that to leak to the public.
Online shopping has jumped the shark. The deals are gone - I frequently find better bargains at my local brick and mortar stores
Provided you can even find a particular product locally. More obscure products are easier to find on Amazon, eBay, or a niche site. I never managed to find a Nokia N900 phone,
Does not surprise me.... (Score:5, Interesting)
Back when Amazon.com had been in business for a few years I called their tech support to recover my password.
They read the password to me over the phone. That means passwords at that time were not stored as a hash but as clear text in their database.
Mod parent UP! (Score:2)
Amazon managers: Don't mod the parent comment down. Instead, fix the problems!
Re:Does not surprise me.... (Score:4, Interesting)
At the end of the 1990's I worked for one of the phone company "bells" that later became part of Verizon. At the time, customer service could pull up a webpage that had your account password as a field, but in display it was hidden with bullets (HTML input tag, type password IIRC). So all you could do was clear the field, type in a new password for the customer and click update. (The customer was then supposed to use that password to go online and change it to something else). Anyway, some technical support rep on customer service duty picking up an extra shift figured out you could just view that page's source and see the existing password in the clear, since it was the html tag obscuring it and not the database being hashed or anything. Well designed security there :-)
Re: (Score:2)
Amazon security very lax (Score:1)
There is a person in the UK that occasionally types in my email address for their Amazon UK account. Although they shouldn't do that, Amazon UK doesn't verify the email address by requesting a reply. As a result, Amazon UK reroutes all of the customers communication to me.
In addition, it is almost impossible to contact Amazon UK without logging into the misdirected account (easy to do, since there is absolutely no check to a password reset requested other than to click the link on the email, and since the
Re: (Score:2)
I'm guessing because none of the banks with a branch in town are among the banks that offer a virtual credit card.
public information (Score:1)
Wait what?
Public information, stuff that shows up in phone directories ("white pages" as we used to call 'em) was enough to commit fraud with some online services?
Amazon may have a problem here -- there are many reasons that company should be burned down and the ground salted -- but think
Did you post a review? (Score:1)
Re: (Score:2)
Amazon has this amazing review site where you can post reviews of all the products and services. Just log in and post a scathing 1 star review.
Can you point me to the AWS review site? I'd like to read their reviews.
Shatner! (Score:5, Funny)
In this case, a bad actor was able to use Amazon's online chat support and a fake address to get the rep to tell him Springer's real address and phone number.
Shatner must be stopped.
Re: (Score:2, Insightful)
Seriously though, even SSNs aren't so hardcore anymore. Wake me up when you have a web site that stores plaintext passwords and lets CS read them - which surely exist even today, so give them a low-level password. Y'all ARE avoiding reuse by maintaining tiers, right?
Don't use the same email address for both (Score:3)
Why would an IT professional use the same credentials for his AWS account as he does with his Amazon retail account? Just use a different email address for the AWS account (and not the email address that you've published on your business card, WHOIS, LinkedIn, etc). Either use a second email account just for AWS (they are free, you know?), or use an alias (i.e a gmail username+somespecialalias@gmail.com address)
He likely uses is Amazon credentials in several different browsers, the Amazon App, Kindle App, perhaps an Amazon instant video viewer on his TV, an Amazon Kindle device, etc. He's trusting a lot of different consumer apps and devices to keep a secret that could affect his livelihood. Not to mention the problem he's complaining about -- customer service for a retail company that wants to make sure he gets his packages.
address and phone seriously? (Score:2)
...real address and phone number. That was enough to commit fraud with a couple of unrelated online services
This is the problem... when the fuck does it make sense to regard that information as sensitive. In a sane world the companies that allow anonymous customers to set up an account with so little info and verification would be responsible for the fraud.
Amazon has no idea what security is (Score:4, Interesting)
I tried to contact Amazon support and have them fix this problem with out ruining this kids Christmas. Amazon's response? No problem here with their processes, however I should give him my email address as far as they are concerned he owns my gmail account I've had since the closed gmail beta... After much arguing Amazon wasn't budging, I had already explained that gmail ignores dots in your address among other things, so u.ser@gmail.com u.s.e.r@gmail.com us.er@gmail.com, and user@gmail.com etc all are the same account but amazon will register individual accounts for them, my problem is I use a . in mine just for readability and spam identification and is how I have *MY* amazon account registered. Additional fun is anything after a + sign in your email gets ignored too, so you can use an email like user+is.the.CEO.of@gmail.com and it'll just send any email to that to user@gmail.com, maybe I could have used this and told them that this is not a gmail problem and they should fix it? This behavior on google's part is in my opinion: fantastic, it's an epic step on account security meaning someone else can't come along and pretend to be me just by adding or removing a dot from their email address. Blaming Google in this case was a weak attempt at avoiding responsibility.
Long story short, Amazon didn't care that I could reset this kids password and buy whatever it is I wanted using it, as far as they were concerned this wasn't their problem. Here's amazon's official response I got before I escalated it to Jeff Bezos and spoke to the executive of customer relations (this is a thing by the way, anyone can do this)
"Unfortunately, this is an issue that will need to be resolved by Google. We would normally be able to temporarily disable your account in order to sort out the email issues, as these issues can be caused by typos on another person's side. However, as this is not an email typo issue, we will not be able to resolve this issue ourselves. Samantha L"
I would really like to know beyond handing over my account, what they think Google is going to do about it?
Re: (Score:3)
Re:Amazon has no idea what security is (Score:5, Informative)
Re: (Score:2)
It's frustrating how many services don't verify emails, they just run with whatever the user enters and blindly start sending out all sorts of account details and spam. I've had accounts set up using my email address for RBS bank, XBox, EA, Hilton hotels, the official job site for the European Space Agency, and probably three dozen dating sites. Most of this seems to be coming from one guy in Scotland who thinks my email address is his, and he enters it everywhere. I did take the time to send the bank an em
Re: (Score:2)
So, I looked up the SMTP RFC, and yeah, the "local-part" (as it is determined) is to be treated as opaque by everyone BUT the domain in the address. Meaning that everyone must treat the addresses differently regardless of how GMail or anyone else interprets the semantics...
AND THEN, it turns out that while things are required to be case-insensitive, things are ALSO required to be case-sensitive. Basically, no one should ever assume that the local-part of the email address can be treated as caseless.
So, ther
Not sure he has clean hands... (Score:2)
The first time, he makes a big deal about the address in question not being really his, but one he did use for WHOIS registration. I know there are people who have legitimate reasons for hiding their personal address when operating a controversial website, but the solution for that isn't to give a totally bogus address. Or maybe the CSA saw that it had been used as a "private" registration (not knowing it had been subsequently revealed) and assumed it was a relevant secret on that basis? And how is it's Am
Never do Customer Service unless customer logs in (Score:2)
Unfortunately if you fail to pay in Amazon the first thing they take away is your way to log in. :(
This ad (Score:1)
No different from Apple (Score:1)
Re: (Score:2)
When you are a customer at Amazon.com, you are very unlikely to lose any money, even if someone hijacks your account. Your risk is extremely low.
When you are a customer with Amazon Web Services, *any* breach or security is exceedingly dangerous and can be severely expensive. Your risk is low because security tends to be high. Any sign of a potential security flaw should be taken very seriously.
Re: (Score:3)
Really? I have never felt scared in a Wal-mart parking lot. I don't even hear about much crime there either, they have cameras everywhere in their lots.
Be afraid. Be very afraid. [peopleofwalmart.com]
Re: (Score:2)
Re: (Score:3, Insightful)
the summary is confusing. unless he only has an amazon account for Amazon's cloud computing platform, what would be the point of migrating to Google? And google is only 'more robust' because they make it EXTREMELY hard to actually contact a live person.