jeffcoughlin.com

Amazon Security Policies Lax?

This may be nothing, but I thought it was worth blogging in case anyone thought otherwise.

I read a lot of books. A few months ago some stuff changed at work where I thought it would be easier to listen to audio books. So I re-enabled my old Audible account. Audible was recently purchased by Amazon, so after I logged in they wanted to merge my Audible account with my Amazon account. The process was pretty painless and I was on my way listening to some audio books.

A few months pass and I realize I'm just not listening to enough books to justify the account type I purchased (I now had way too many credits built up). So I logged into their site and learned that I could put my account on hiatus for a few months (meaning I won't get billed, nor will I receive any new credits, but I'll still be able to use my account and existing credits to purchase audio books). There was no option to do it in the settings screen, though. After starting a chat session with a representative, I learned that only a representative could do it for me. Okay, works for me.

All they needed to do was verify some security settings. What were those? My Amazon login (email address), my name, and my billing address. Yes, sir. That was it. That's all the info you need to start modifying someone's Amazon account info.

At this point I was very upset with the representative (sorry, Jessica. I know it's not your fault. I should have been nicer) and let her know how upsetting this was. I then asked her if she could update my credit card info, billing address, or password. After a short pause she assured me that she could only update my Audible membership plan. Was she just telling me what I wanted to hear, or covering up a very large issue? I don't know (yet). I'm tempted to try again tomorrow with another representative and see if they can update any of those other fields of data.

But here's my question to anyone who cares: Even if they can only update my Audible membership data, is that not a valid reason to complain? I mean, this is Amazon. I get that they purchased this company and that it takes time to change policies, code, and [unfortunately] staff when you do a takeover, but hasn't it been long enough that Amazon would have taken care of any account security concerns before merging Audible's accounts with Amazon's accounts?

Perhaps I'm just getting upset over nothing and this is all just a moot learning experience.

Comments

Sean Coyne: This is pretty much how that dude from Wired got his iTunes, Amazon and Twitter accounts stolen a few months ago. It all started w/ lax policies at Amazon.
#1 by Sean Coyne | 11/4/12 10:47 AM
Sandy: Two things: 1) Were you logged in when you started the chat session? Is it possible they could tell that? You'd think if that was part of the security that she'd have mentioned it to you when you got upset, but you never know. If you tried it while not logged in, the story might have been different?
2) the guy who got his accounts stolen was victim to a COMBINATION of policies that when combined in a very particular way, provided a hole. Apple are the ones that only needed the last 4 of his credit card in order to change his password over the phone.
#2 by Sandy | 11/4/12 11:31 AM
Jeff Coughlin: @Sandy, yes, I was logged in. I just checked and they are using liveperson.com for their chats, which does support things like seeing your login info, sessions/cookies, and other info the developers decide to support (like what's in your shopping cart), and has supported these features for at least 13 years (since I started using them for clients). But the developers at Audible have to write the code to support that and train their chat staff to take advantage of the features.

Regardless though, even when I've used liveperson for my ecommerce customers, those customers still have strict policies and assume things like the fact that someone may have left their session logged in and possibly stepped away. I think it's great that the representative I spoke with at Audible said she needed to verify who I was for security reasons, but just asking for those basic/simple credentials was not very comforting.
#3 by Jeff Coughlin | 11/4/12 11:44 AM
BlogCFC 5.9.8.007 by Raymond Camden