Daily Mail

So why are all our Amazon accounts so easy to hack?

By Amelia Murray

Last week, we exposed how fraud victims are snubbed by the online giant. Now, they say vital security checks just aren’t good enough . . .

- a.murray@dailymail.co.uk

SECURITY experts have raised serious concerns about how easy it is for fraudsters to hack into Amazon accounts. The warnings come as customers are mercilessly targeted by a new telephone scam where crooks posing as Amazon customer service staff try to trick customers into handing over their bank details.

Last week we exposed how Amazon fraud victims are being routinely fobbed off and refused refunds.

Since then we have been inundated with more letters and emails from shoppers who also feel let down after being charged for items they didn’t order.

Now we are calling on the retail giant to tighten its security processes.

Shoppers can set up an Amazon account with just an email address and a password. If you forget the password, you can reset it using a special code sent to your email account.

But it means that if crooks gain access to your emails they can also take control of your Amazon account. As most people store their debit or credit card details in their account, the criminals can then go on a spending spree. They are also able to change the delivery address so they receive any orders and will have access to personal details such as your telephone number, which they can sell on.

Experts say email addresses and passwords are routinely traded on the dark web following data breaches. For example, in September 2018 credit reference agency Equifax was fined £500,000 by the data watchdog following a cyber attack where information belonging to 15 million customers, including names, dates of birth, addresses, passwords, driving licence and financial details, was breached. Customers are also being tricked into handing over the information crooks need to hack into their Amazon account.

Action Fraud, the national fraud and cybercrime reporting service, says it has received more than 500 reports from people who have been targeted in a new Amazon scam in just three months.

Some victims have lost more than £400,000. Typically, the customer receives an automated call which says they have been signed up for an Amazon Prime subscription and must press 1 to cancel the transaction.

But if they press the button they are connected to someone posing as an Amazon customer service representative. They may claim you are owed a refund for an unauthorised transaction in a bid to trick you into handing over your bank details.

Or they may say they need access to your computer to fix a ‘security flaw’. But if you agree they will in fact download malicious software that allows them to access your details.

Amazon customers are also targeted by phishing emails, where criminals pose as legitimate companies to steal personal information. These emails typically include a link to a website that requests you update your account details, such as your contact or payment information.

Crooks then use these details to hack into your account. Amazon says it will never send this type of email.

The good news is that there is an easy way to stop fraudsters spending your money, even if they get into your account. But Amazon does little to promote this security measure and, as a result, few people are aware of it.

Known as two-factor authentication, it enables customers to change their settings so a six-digit passcode is sent to their mobile phone after they enter their password.

It means that without access to their phone the crooks will not be able to gain access to their account.

Or, you could remove your card details altogether. Then, if you want to buy something, check out as a guest rather than logging in.

Jake Moore, a cyber security specialist from security firm ESET, says the whole online retail industry must do more to fight fraud.

He says: ‘Amazon is probably being targeted by criminals because of the data it holds and because it is easy to get into customer accounts. It offers two-factor authentication but has not publicised this. It could do a better job of letting customers know this is an option that could stop 80 pc of accounts being compromised.’

He adds that once criminals have your password and username for one service, they often check to see if you use the same log-in details on other sites using a free online tool.

So it is vital to use unique passwords for all your accounts. If you struggle to remember them, try a password manager which stores the phrases in an encrypted database. Mr Moore recommends LastPass, which has a free version, and 1Password.

Ray Walsh, of ProPrivacy, says: ‘The log-in process for Amazon is by default weak, unless you set up dual-factor authentication and use a robust and unique password. Amazon could do a lot more to remind users to ensure they do this.

‘One option would be to make dual-factor authentication compulsory for all accounts; however, for consumers who prefer convenience over security, the concern may be that this slows the log-in process and stops some consumers from using the service.’

An Amazon spokesman says: ‘We are constantly innovating to ensure customers’ information is secure. We have a range of rigorous fraud detection and prevention measures to protect our customers.’
