back to article A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months

A fraudster exploited a bizarre weakness in Amazon's handling of customer devices to hijack a netizen's account and go on multiple spending sprees with their bank cards, we're told. If you have weird fraudulent activity on your Amazon account, this may be why. In short, it is possible to add a non-Amazon device to your Amazon …

  1. FozzyBear
    Black Helicopters

    The list of compelling reasons

    NOT to use these IoT, security riddled, privacy invasive, data slurping, inconvenient pieces of crap just keep mounting.

    1. Mark 85

      Re: The list of compelling reasons

      Can we add places like Amazon and others to that list?

    2. Doctor Syntax Silver badge

      Re: The list of compelling reasons

      It seems to be a compelling reason to use them if you're a fraudster.

    3. Warm Braw

      Re: The list of compelling reasons

      In this case, the victim didn't own the device in question.

      If there's a way an IoT device can siphon money from someone else's account, that would be a compelling reason for a certain section of society to get one immediately!

      1. dajames

        Re: The list of compelling reasons

        In this case, the victim didn't own the device in question.

        ... but DID have an Amazon account, which seems to be the source of the problem.

      2. teknopaul

        Re: The list of compelling reasons

        The device was a "Samsung Huawei" presumably the physical device does not exist.

        1. Andy Denton

          Re: The list of compelling reasons

          Indeed, my money's on someone exploiting a hardware manufacturer specific API these smart devices are supposed to use which perhaps hasn't gone through the same scrutiny that other, more widely-used APIs have.

      3. Flywheel

        Re: The list of compelling reasons

        compelling reason for a certain section of society to get one immediately

        They could get it from Amazon, for the ultimate irony!

  2. Blockchain commentard

    Hmm, just looked on my Amazon account. My LG TV isn't shown. Now I only use it for Prime viewing but it does offer to pay for films etc. so I'd expect it to be there. Worrying.

    1. Anonymous Coward
      Anonymous Coward

      Is your TV an Amazon TV?

      "In short, it is possible to add a non-Amazon device to your Amazon customer account and it won't show up in the list of gadgets associated with the profile."

    2. YetAnotherLocksmith Silver badge

      Uh-oh!

      Did you accidentally not buy it from Amazon? There could be trouble ahead!

      (That bit is a joke. Obviously Amazon don't make LG TVs, or indeed any TVs. Yet. Indeed, no TV will ever show up in that list on your account - that's the point of the article.)

    3. VinceH

      Optional

      You can add a PIN to your account for purchasing videos* via smart TVs and the like. While a PIN isn't the best solution, it's at least a small level of additional security.

      * I'm assuming that's what was being purchased in this case.

  3. cynicist365
    Meh

    Tie in all your services

    One ring to rule them all,

    One ring to find them,

    One ring to bring them all,

    And in the darkness, bind them.

    1. doublelayer Silver badge

      Re: Tie in all your services

      I suggest the following alteration:

      One ring to rule them all,

      one ring to find them,

      with many ways to see them all,

      and for the money, mine them.

      I think it fits with the business model of most providers.

      1. cream wobbly

        Re: Tie in all your services

        The rest of the rhyme is particularly applicable, as a sort of mythological bait-and-switch.

        Three Rings for the Elven-kings under the sky, [Books! get yer luvverly books!]

        Seven for the Dwarf-lords in their halls of stone, [We do CDs and stuff now]

        Nine for Mortal Men doomed to die, [You want handbags? Socks? Johnnies? Bikes?]

        One for the Dark Lord on his dark throne [I've got mine]

        In the Land of Mordor where the Shadows lie. [speaking of lie...]

        One Ring to rule them all, One Ring to find them,

        One Ring to bring them all [the mall, haha] and in the darkness bind them [mushrooms...]

        In the Land of Mordor where the Shadows lie. [I heard you the first time]

  4. whoseyourdaddy

    "Sis, you connected your TV directly to the internet?"

    "Geek Squad told me to."

    I'll be over there in ten minutes with a hammer and an Apple TV box.

    Hold him until I get there.

    1. phuzz Silver badge

      Surely a Raspberry Pi would be a better choice? I'm sure getting Apple's billing department to reverse charges isn't much fun.

  5. Dvon of Edzore

    Easy fix, hard to get enacted

    A pair of two-word phrases would cure such nonsense: Strict Liability and Treble Damages. If companies that handle transactions were held to this simple standard of care, the problem would vanish overnight. Not even a bozo wants to be paying three times the disputed amounts, plus attorneys fees if they dispute it. Arbitration clauses be damned, you screw up and don't 'fess up, you get smacked down harder.

    1. Charles 9

      Re: Easy fix, hard to get enacted

      But politicians and Lawyers are closely related. How do you get around that problem AND make sure it can't get undone down the road?

    2. Byham

      Re: Easy fix, hard to get enacted

      And if companies dispute the case in court and fail - the attorney's fees AND the damages rise to 10 times from treble.

  6. Anonymous Coward
    Anonymous Coward

    There seems to be something wrong here

    Quote "Thus if someone can get into your account". So how did this someone get into his account?

    Actually, I am calling bullshit on this. He is protesting far too much. And as for that bollocks about not closing his account? Am I the only one not buying that? Oh well, Downvote oblivion here I come.

    Cheers… Ishy

    1. Anonymous Coward
      Anonymous Coward

      Re: There seems to be something wrong here

      > Quote "Thus if someone can get into your account". So how did this someone get into his account?

      > Actually, I am calling bullshit on this. He is protesting far too much. And as for that bollocks about not closing his account? Am I the only one not buying that? Oh well, Downvote oblivion here I come.

      In his case I don't know how someone got into his account. But I could imagine that people in relationships that end badly could use this as a means of retaliation, so closing the loophole of not being able to see all devices is a must.

    2. whoseyourdaddy

      Re: There seems to be something wrong here

      I suspect his login was hacked from an unrelated website and someone found he uses the same creds across all accounts, including a very popular Amazon.

      Yeah, I would try Amazon first.

      I'm guilty of sharing logins until someone sent me a message:

      "We have your pornhub account password. Send a bitcoin to..."

      Yeah, I think my Mom is the only one who doesn't use pornhub.

      Fuck off.

      1. TDog

        Re: There seems to be something wrong here

        Actually, if her password is ************ (redacted), I think she does.

    3. doublelayer Silver badge

      Re: There seems to be something wrong here

      Well, let's round up a few suspects:

      1. Reused password.

      2. Poor password.

      3. Keylogger.

      4. Phishing email.

      5. Someone with a passwords file (especially children).

      6. Insecure IoT device (E.G. television watching Amazon's video service).

      7. Malicious attack by someone who knew the person.

      8. The poster was not the person whose account was accessed; they are the technical person who helped a family member or friend whose account was accessed using one of the above mechanisms.

      9. Amazon's had their system accessed and Amazon doesn't know or hasn't told us.

      10. Dumb luck.

      So maybe one of those was used to access the account. It's still a massive problem if you can't lock them out by changing the password and deleting connected devices and changing how 2FA is working and talking to normal customer support. I fail to see your objection to this quite likely possibility.

    4. Anonymous Coward
      Anonymous Coward

      Re: There seems to be something wrong here

      @the down voters.

      As I expected you have all totally missed my point. And I thought "Techies" are supposed to be clever. Thank fully I use a Macs for my business. (You may have listened to my mixes in certain clubs. There is a reason I am a ghost deejay). Which means I don't need a techie. More downvote oblivion by the sheeple.

      Cheers… Ishy

      1. Bob Asic

        Re: There seems to be something wrong here

        dick

      2. Kiwi

        Re: There seems to be something wrong here

        You didn't make a point. You made a wild and unjustified accusation.

        As to your comment about techies being clever - that's why you got so many downvotes. We're[1] clever enough to know the only "bullshit" was in your post.

        [1] Hopefully including myself among "techies" doesn't get me a visit from the Serious Fraud Office

      3. Anonymous Coward
        Anonymous Coward

        Re: There seems to be something wrong here

        "As I expected you have all totally missed my point", your point being that you feel the user is lying for which you give no evidence, however what was being discussed makes a lot of technical, historical and general life sense

        Recent media exposure of other companies abusing data sharing suggest that it is more than believable for Amazon to hide information to avoid users looking too closely at what is being done with their data

        As to you being a DJ, personally I see this as irrelevant, your suggestion that I might have heard your mixes, in my case atleast, suggests you have misjudged your audience. Even if I had heard your mixes (which I know I have not, too old for clubbing) it would not cause me to give your opinion greater credence.

        On the DJ subject and FYI for my part I never understood why playing someone elses music should give you automatic respect, the musician perhaps but not someone who chops up an artists work and claims it as their own ("my mixes").

        I hope this helps you not to feel rejected for any reason other than your own actions

  7. Anonymous Coward
    Anonymous Coward

    Devices generally have an api type login

    Which does NOT care if you change the password.

    So. Why The F are they not all listed so they can be revoked?

    1. YetAnotherLocksmith Silver badge

      Re: Devices generally have an api type login

      Bingo.

      Someone gets it.

      It's a different door with different keys, is a good analogy, and it's one of those hidden doors that looks like a bookshelf, in this case.

      1. dajames

        Re: Devices generally have an api type login

        It's a different door with different keys, is a good analogy, ...

        Well, sort of ...

        It's a different, secret, door that initially takes the same key as the main door ... but when you discover someone has been getting in and you change the lock on the main door the intruder can still get in through the secret door (either because the old key still fits or because it's been left ajar -- that part's not clear from the article) ... and as the door is secret you can't find it to nail it shut.

    2. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      And... change the password, expire the token.

      If you're changing the password it is generally for a security reason, so any tokens issued for the API should also be revoked. Every device will then need you to log in again to get a new token.

    3. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      Anything with "link your account" is always going to be a security hole and especially if a linked device can add a new link using the existing credientials.

      IMHO Amazon do not want to publish who is linked to their account for the same as for all the others like steam,fb etc, basically people would be able to remove the link that allows these third parties to spy upon the user and their transactions.

      Since Amazon here are taking pains to prevent the user from knowing which third parties can bypass authentication then you cannot see how many fourth parties may have been daisy chained into the loop.

      To my mind if a company allows account linking then they are responsible for any fraud that occurs using their system, if they do not allow you to see who is spying upon you then they are intentionally thwarting identity legislation

    4. SeanSkiVT

      Re: Devices generally have an api type login

      BINGO! The fact they don't expose all devices, as well as their most recent login date and location, is pretty customer-hostile IMO.

    5. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      This. Jesus Christ on a fucking motorcycle riding with no helmet...

      Once enough damage is absorbed by the credit card companies, they'll unleash hell on Amazon, that will encourage a security upgrade.

  8. NetBlackOps

    I got nailed by this

    My story is exactly the same except this happened many months ago and Amazon had not a clue. I;ve done every IT gig you can over the last 40 years, from code monkey in Fortran on punch cards on up to CIO. I don't reuse passwords on any site that matters a damn (PasswordSafe); they are all long and random. Actually my banking password, due to restrictions, is the worst, still long though. And yes, haveibeenp0wned is a regular check.

    I went through the same tap dance, changing every thing including the debit card. The charges were for XBox-360 gift cards. After a bit of work on my end, Amazon cleared the charges. I just now checked my devices list, and aside from the Fire tablets and Firestick, no other devices are listed, despite adding two "smart TV's: to the authorized devices a couple of months back when I got Amazon Prime. [We're experimenting with cutting the cord here.] So, Amazon has some sort of problem here and it has been going on for a while.

    1. Drat

      Re: I got nailed by this

      I find that shocking that Amazon have this giant security hole. How many other people have been hit by this and haven't noticed or just blame the kids? Of course Amazon will get a % of the sales...

      1. teknopaul

        Re: I got nailed by this

        Amazon making money on the whole thing is nuts. Any legal eagles know why Amazon cant be had for criminal behaviour if they are knowingly in cohorts with the crims.

        1. Kiwi
          Pint

          Re: I got nailed by this

          Amazon making money on the whole thing is nuts. Any legal eagles know why Amazon cant be had for criminal behaviour if they are knowingly in cohorts with the crims.

          That's the issue though. You and I suspect Amazon are milking this and dragging out the 'fix' to get a little extra profit. Some may suspect that Amazon or people within have been using this information deliberately, perhaps even from the very outset (perhaps a dev found a way to crack the API that links devices so login details are never needed - perhaps that was passed on to a manager who has enough knowledge to make use of it, perhaps the dev just decided to supplement their income).

          But the problem is proving it to a suitable standard in court.

          Amazon can claim "we're working on it but there's backwards compatibility issues and it only seems to affect 3 people", or "We're aware of the problem and will reverse charges when a customer complains, however we're still investigating the cause" (easy - let people see attached devices, all attached devices - and perhaps purchased made through each individual device and IP's/location etc etc etc etc)

          Making the claim is one thing. Proving it is another :(

    2. Robert Helpmann??
      Childcatcher

      Re: I got nailed by this

      It sounds to me that there is an additional issue with Amazon that allows the fraudsters to gain access to accounts and then the one being described in the article that allows them to retain it. Maybe an API that doesn't enforce timeouts for bad password attempts or they're vulnerable to MITM attacks or maybe have CSRF issues. There's definitely more to what happened than what is given in the article.

    3. Anonymous Coward
      Anonymous Coward

      Re: I got nailed by this

      Might even be someone at the "Smart" (ahem, are they *really?*) TV factory... do you know the brand of TV or the "App" (Yeah, right, you mean android/java/html5 rip off of an OS) manufacturer? I'd not be surprised if they were all the same.

      (If not directly the TV manufacturer, might be an engineering port/website left open/unregistered that's been claimed!)

      1. NetBlackOps

        Re: I got nailed by this

        The problem with that theory is that until very recently, well after the "hack" of my account, there were no "smart TV's" linked to my Amazon account. Just a Kindle Fire tablet and, at that time, I'd only order on Amazon using Firefox with it set to nuke everything after I close a tab for a site as well as nuke everything entirely when I close the browser. So, three possibilities come to my mind. My Amazon account got hacked; my linked Google account got hacked; or it's the API courtesy of either the Fire tablet or the API in general,

        Path analysis isn't that hard.

        1. JCitizen
          FAIL

          Re: I got nailed by this

          Forgive me if I'm not a browser expert, but I do know that usually zombie files and LSOs are not removable by most anything even after closing the browser; and that is why so many people use CCleaner to get rid of those objects. I know of no other cleaner that does. If you do, please enlighten me!

  9. streaky

    Blergh.

    Obviously this stuff should be revocable and Amazon's site suffers with a lot of inertia.

    BUT

    Remove all your payment cards so purchases fail until Amazon fix?

    1. Aristotles slow and dimwitted horse

      Re: Blergh.

      Yes that was my first thought, surely the easiest and most obvious first step to prevent any further fraud would have been to remove all payment methods - but unless I've missed it I can't see that this is mentioned in the "lockdown" actions in the story.

      1. Anonymous Coward
        Anonymous Coward

        Re: Blergh.

        I'm not sure about Amazon, but I've experienced many sites that don't let you remove a card unless you replace it with another valid one (fakes are rooted out via chargeback tests_

        1. jasper pepper

          Re: [we] "have taken a lot of time to do things right"

          I successfully removed all payment methods from my Amazon account. Although I should say I don't have Prime. I can see Amazon wanting to keep valid payment methods where you have signed up to be charged for ever and ever.

        2. VinceH

          Re: Blergh.

          "I'm not sure about Amazon, but I've experienced many sites that don't let you remove a card unless you replace it with another valid one"

          Amazon does allow you to remove all payment methods. I mentioned in the comments on another Amazon story that I recently placed on order on behalf of my mum via her account, and there was swearing due to the Prime trick. After placing that order, as I've done every other time I've done this for her, I removed the card.

          One possible gotcha when you do this is that it warns you the card will still be used for any existing orders that have been placed using it but not yet fulfilled - but given that (I assume) the orders placed via a smart TV were videos, they will have been fulfilled immediately.

    2. Venerable and Fragrant Wind of Change

      Re: Blergh.

      Am I the only one too paranoid to have added payment cards in the first place?

      And I don't just mean Amazon. With a macbook and an android 'phone, that's two app stores that keep asking me for a card they can hold permanently.

      1. katrinab Silver badge

        Re: Blergh.

        On the Apple store, I bought a £10 iTunes gift card and added that as my payment method. It has £7.03 left on it, and that's the maximum I could lose.

      2. MiguelC Silver badge

        Re: Blergh.

        I only use virtual credit cards for online shopping, and also make sure they're one use only. Even for subscriptions (Netflix, etc.) but for those I need to remember to create a new card before payment is due.

        1. Anonymous Coward
          Anonymous Coward

          virtual credit cards

          any recommendations ?

          1. Anonymous Coward
            Anonymous Coward

            Re: virtual credit cards

            starling, monzo, revoult, g̶o̶o̶g̶l̶e̶ duckduckgo it

            1. Anonymous Coward
              Anonymous Coward

              Re: virtual credit cards

              Thanks. Maybe a dead thread now - but does "chargeback" work on VCC's? It wasn't mentioned ATL, but it is *the* bombproof way to deal with incorrect charges.

              1. MrReynolds2U

                Re: virtual credit cards

                "chargeback" is the process of reclaiming a disputed payment.

                Do you mean "pre-authorisation" which checks if the card can cover a payment and reserves that amount ready to be "authorised" (claimed) later. It's a common practice when setting up online payment methods or using Pay-at-Pump petrol (gas) stations. In fact it used to be a stipulation of the card companies that an online retailer could not take money from your card until they had shipped your order.

  10. Anonymous Coward
    Anonymous Coward

    Samsung TV apps

    I noticed that my Samsung TV had several apps installed tha I could not remove that were similar to apps found on my Android phone.

    After I swithched to IOS I found that I could now uninstall the apps in question that were on my Samsung TV.

    I had never linked anything from my phone to my Samsung TV myself.

    I now have my Samsung set up on it's own isolated network and sinkhole any Samsung related connections using a Pi-Hole.

    If I were a betting man I would wager that Samsung was giving access to third parties such as Amazon and vice-versa.

    Much like Facebook allowing phone manufacturers and data providers to access low-level data of users Facebook accounts through the "Facebook Partners" program I believe that Samsung and Amazon (and everyone in-between) also have similar partnerships that could allow this kind of cross-device exploitation.

    I too had an interesting and revealing phone conversation with my phones data provider customer service rep a few months ago where the agent accidently mentioned my Samsung TV on an unrelated issue.

    When I asked him how he knew I owned a Samsung TV he said he misspoke and denied he could see what devices were on my home network.

    This is nothing new of course, many phone apps (such as Facebook) actively scan the users internal WIFI network, bluetooth and NFC in search of neighboring devices.

    With so much user data being shared amongst third parties behind the scenes this kind of thing is bound to happen.

    1. Androgynous Cupboard Silver badge

      Re: Samsung TV apps

      I've never figured out how to remove those apps. After coming back and finding the babysitter had added the TV to the wireless network to use them, I ended up blocking the TV's MAC address at the router. The hoops we have to jump through...

  11. ChrisBedford

    All those precautions and 'they' left out the most obvious one

    Why didn't 'they' (let's face it, *he*) delete the credit card from 'their' Amazon account? That would have been my *first* action, forget changing all those passwords.

    Each time I've used the 'purchase with one click' option on Amazon I've mentally cringed at the potential loophole there. But let's face it, it's really convenient, innit...

    1. Anonymous Coward
      Anonymous Coward

      Re: All those precautions and 'they' left out the most obvious one

      Deleting the card isn't going to help much though, because the charges would just go through onto the replacement card.

      Unless you meant to type "why didn't he completely abandon that Amazon account and start a new one". That would certainly work but such an extreme measure isn't something most people would go with unless they were aware that Amazon had a whopping security hole in their account management.

      1. Natalie Gritpants Jr

        Re: All those precautions and 'they' left out the most obvious one

        Surely that's not an extreme measure?

        1. YetAnotherLocksmith Silver badge

          Re: All those precautions and 'they' left out the most obvious one

          Cancelling your cards (and effectively closing your bank account for every single payment mechanism you use) is fairly extreme for a strange purchase on Amazon, I think - all that extra work and hassle, for a start.

          Have you stopped a bank card recently? There's dozens of places that have the details, that you have to chase down.

          So no, killing the card certainly shouldn't be your first step. It hasn't been compromised!

          1. Anonymous Coward
            Anonymous Coward

            So no, killing the card certainly shouldn't be your first step. It hasn't been compromised!

            I disagree IMHO card has been compromised simply by passing it to any service that allows liinking of accounts.

            In answer to the question "who do you trust" then your thinking should be no one and certainly never anyone who offers you a reward to allow them to share your information

          2. el_oscuro
            FAIL

            Re: All those precautions and 'they' left out the most obvious one

            I have had to kill credit cards to get rid of "pre-authorized" charges. You sign up for some service and they start billing your CC automatically "for your convenience", and then make it impossible to close the account. First offender was AOL but there have been plenty since. I no longer even bother trying to close the account - I just get a new credit card. A good way of cleaning out the leeches that attach to any card over the years. Anything I actually still use will get the new card number.

            But the worst offender was PayTrust after they got bought out by Intuit. Since it was a bill paying service, they had my bank account on file and made cancelling the account even more hyperimpossible than learning to fly or making something invisible.

            So I put a stop payment on any charges from paytrust - even that didn't work for awhile - they just kept running up charges until after about 6 months they gave up.

            1. Anonymous Coward
              Anonymous Coward

              Re: All those precautions and 'they' left out the most obvious one

              What about when the credit/debit card naturally expires, and you get issued a new one with a new 3 CVV number? Is that sufficient, or do you need to kill the account completely?

              1. Anonymous Coward
                Anonymous Coward

                Re: All those precautions and 'they' left out the most obvious one

                I remember reading something a while back about banks waving through transactions for expired cards when they were for Amazon. As if Amazon gets VIP treatment, no questions asked, in that regard. It doesn't surprise me now.

                1. Jamie Jones Silver badge
                  Thumb Up

                  Re: All those precautions and 'they' left out the most obvious one

                  Hmmm, that's a bit short-sighted of them, in my opinion. Not only would the charge be easily disputed, it will mean more hassle for the bank as more people cancel cards completely!

                  Doesn't surprise me though...

                  Cheers for the reply

        2. Anonymous Coward
          Anonymous Coward

          Re: All those precautions and 'they' left out the most obvious one

          I've spent over 20 grand on Amazon over 20 years. The purchase history is useful. Sure, I could archive it off, but that would be the "hassle".

      2. Stoneshop
        FAIL

        Re: All those precautions and 'they' left out the most obvious one

        Deleting the card isn't going to help much though, because the charges would just go through onto the replacement card.

        'Deleting the payment info from the Amazon account' and 'getting the credit card revoked and replaced' are two not entirely equal actions.

    2. ICPurvis47
      Devil

      Re: All those precautions and 'they' left out the most obvious one

      I had a similar experience, I decided to change from the AA to another provider. I told the AA that I was not renewing, and told my bank not to honour any request for payment from the AA. They still managed to get paid, so I had two rescue services. I complained to the bank, and they refunded the charge, and I then cancelled my debit card and asked for a new one. 12 months later, the AA managed to get paid again, even though the original card had been cancelled. It took a long time for the bank to refund me this time, but they are under strict instructions NOT to pay the AA again. We will just have to see what happens next time.

      1. Killfalcon

        Re: All those precautions and 'they' left out the most obvious one

        Was it a direct debit? Those are tied to accounts, so changing the card won't affect it (I'm guessing not, as the Direct Debit Guarantee should have gotten you your repayment pretty sharpish).

      2. Anonymous Coward
        Anonymous Coward

        Re: All those precautions and 'they' left out the most obvious one

        What? the AA don't have some special relationship with the bank where they can force transactions through. Either you were using different card details or you set up a direct debit or a standing order.

        1. Emjay111

          Re: All those precautions and 'they' left out the most obvious one

          This can happen, especially with the AA.

          It's not a direct debit, it's a continous payment authority, and it can roll over even when your card expires.

          Happened to me, and it's a very real thing. More info here:

          http://www.theukcardsassociation.org.uk/individual/repeat-payments-on-your-card.asp

          This line in particular explains it simply: "If your card expires during the course of your CPA, you should check with the retailer whether your new card details have been automatically updated with them, as this will not always be the case."

          In other words, the bank informs the merchant of the new card details - without any action from the cardholder.

          1. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            Hmm, fair enough. I didn't know that. I have always had suppliers asking when a card expires as the payment didn't go through. However the same page about CPA also states you can cancel directly with the bank and the CPA will be removed and the card details will no longer be sent to the company.

            The AA would not be able to bypass this.

            1. Killfalcon
              Facepalm

              Re: All those precautions and 'they' left out the most obvious one

              The AA _sh_ould not be able to bypass. Everything in this is a process implemented and followed by humans, possibly using computers, hundreds of thousands of times a day in dozens of banks and hundreds of companies.

              There's always room for a fuckup-in-a-million event.

      3. Hairy Scary

        Re: All those precautions and 'they' left out the most obvious one

        You should read the AA's terms and conditions, it states that if you cancel your direct debit they will continue to take payments from the bank account you used to set up the DD (is that legal?). You can only cancel through them, not your bank.

        I was always under the impression that you could get a DD canceled by your bank but apparently not now, to be fair I have never tried to cancel my AA subscription and if I did I would certainly get in touch with the AA first then cancel with the bank, however if you cancel through them and they still take payments then there is a problem.

        1. Kiwi

          Re: All those precautions and 'they' left out the most obvious one

          You should read the AA's terms and conditions, it states that if you cancel your direct debit they will continue to take payments from the bank account you used to set up the DD (is that legal?). You can only cancel through them, not your bank.

          A big part of why I don't allow any DD's. Burnt once (badly), never again.

          You're giving control of your bank account to another party. A party who may not honour your request to no longer have anything to do with them, and a party who hopes you'll forget and not notice the small monthly charges.

          When I am starting with a company there's a few options - I can set up an automatic payment (where I control the if, when and amount), I can come in and pay in store, or I can do business with someone else. I say once I won't do DD. They complain, I say I won't do DD because being badly burnt, they say 'trust us we'll never do that', I say you can let me do it my way or I'll go elsewhere. If they still say 'we only do DD' I hang up/walk out. Customer respect goes a long way.

          1. Kiwi
            Pint

            Re: All those precautions and 'they' left out the most obvious one

            Cool! I've picked me up another stalky random downvoter!

            1. Kiwi
              Pint

              Re: All those precautions and 'they' left out the most obvious one

              I've picked me up another stalky random downvoter!

              Looks like they went through the first 2 or 3 pages of my posts and added a DV to each. If they do a few more pages I'll finally reach 2,000 DV! Come on Stalky, just another half hour or so of mindless clicking and you can help me achieve my goal before the year is out! :)

              (PS I have a fairly good idea who you are too. Noticed certain patterns the last couple of times this happened..)

              1. trindflo Silver badge
                Pint

                Stalky downvoters

                I've noticed you only get them when you call people on their shite. Thanks for doing that!

          2. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            The only way for any company to take money directly from a bank account using account details is via a direct debit. They can't do it any other way (apart fro a very brief window where some companies can reclaim money paid in error into someones account).

            A Direct Debit usually has quite good protections as if you complain then all money should be returned and you can cancel it via the organisation or directly with you bank at any time (more protection than giving out your credit card details).

            If an organisation abuses this or sets up a new DD or tries to reactivate a DD by pretending you have authorised it they are at risk of losing their authority to process them - An organisation has to go through the process of being authorised before they can take money on Direct Debits, it's not open to everyone.

            1. Kiwi
              Pint

              Re: All those precautions and 'they' left out the most obvious one

              The only way for any company to take money directly from a bank account using account details is via a direct debit.

              Yup.

              Thing is.. They get to say how much and when. And a 'typo' on their part might mean they take more than they're supposed to. Like maybe several months worth of payments in one hit.

              Banks also tend to charge fees for automatic payments failing. HP/Loan etc companies charge fees when you don't meet the payment. A missed mortgage payment can get dicy PDQ, and missed insurance payments can mean late fees and cancelled policies.

              You might get the money back PDQ but as MachDiamond said, you're going to be out of pocket for other stuff. You may even get the payment reversed that day and the money in your account less than 24hrs later, but you could still be broke for a while.

        2. Anonymous Coward
          Anonymous Coward

          Re: All those precautions and 'they' left out the most obvious one

          "I was always under the impression that you could get a DD canceled by your bank but apparently not now"

          If you're within the EU/EEA, the Payment Services Regulations 2009 requires that you be able to cancel a CPA by notifying *either* your bank or the retailer. The situation may vary in other jurisdictions ;)

          1. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            The UK isn't included then. Seeing as we left on the 31st?

            1. John Brown (no body) Silver badge
              Joke

              Re: All those precautions and 'they' left out the most obvious one

              "Seeing as we left on the 31st?"

              Which 31st? What year?

    3. adam 40
      Facepalm

      You can't delete the card

      Last time I got paranoid I wanted to delete all my cards and it (Amazon) wouldn't let me.

    4. NetBlackOps

      Re: All those precautions and 'they' left out the most obvious one

      Something else very interesting turned up last night. I went to order a blanket (err, "duvet") and some one else's credit card is listed in my payment options. That'll be interesting to run by Amazon.

      1. Kiwi
        Pint

        Re: All those precautions and 'they' left out the most obvious one

        some one else's credit card is listed in my payment options.

        I was wondering if that was the case with the story myself. Not that someone had 'hacked' the account but that somehow a fault in Amazon's system was crossing cards and accounts (or devices and accounts etc).

        How many people, when things are working as expected ("I click on 'Watch the movie' and I get to watch the movie" or "I buy stuff and it arrives") don't actually pay any attention to making sure it truly is working as expected? People who buy a lot of little trinkets and other things all the time tend to have some much going on in their accounts (and maybe not much going on upstairs) that incorrect billing wouldn't be noticed.

        And then there are those who properly filled out the forms, yet for some reason Amazon never charges their credit card so they happily purchase stuff, never bothering to notify Amazon nor ever considering that those charges may be getting paid by someone else.

  12. Anonymous South African Coward Bronze badge

    All your Amazon accounts are belong to us.

  13. cantankerous swineherd

    delete payment methods from the Amazon account, job done.

    1. TwistedPsycho

      We could of course go whole hog and remove all our cards from Amazon, go to the local supermarket and buy Amazon gift cards £100 at a time to register.

      1. Tony Paulazzo

        *remove all our cards from Amazon*

        Or do what I do, have an online only debit account with a limited amount of cash in there, strictly for everything online. Online banking makes it simple to transfer cash from one account to another in seconds.

        Point of fact it would take a bank seconds to create an online limited pool in your main account that texts a needed response to you whenever anything gets paid for, even quicker!

        But yea, not showing all connected devices in your Amazon account should be grounds for an FTC / ASA investigation.

        1. batfink

          What happens if that account goes into overdraft?

          1. Tony Paulazzo

            It won't go into overdraft, no overdraft facility. Strictly a debit account, so cash must be in there.

            1. Anonymous Coward
              Anonymous Coward

              Remember to also ask them to cancel the "shadow Overdraft". That's the one you don't apply for or know you have and the bank won't tell you about it.

              Although I think this was due to be stopped when the new overdraft laws came into force.

              1. Kiwi

                Remember to also ask them to cancel the "shadow Overdraft". That's the one you don't apply for or know you have and the bank won't tell you about it.

                Had that bit of joy with the ANZ (who I am no longer a customer of nor will ever deal with again, fsck you very much!). Done without my asking or authorisation, charged IIRC $20 every time for the privilege. Got very pricey once when I was out for a weekend and did a gas purchase knowing I had about enough in there but not sure exactly how much (like I knew it was about $45 but was it $45.60 or $45.70?). The purchase went through. Later I brought lunch meaning to pay with the cash I had in my wallet, only remembering my account was empty a millisecond after I hit "enter", but the payment went through. I though that perhaps my boss had been nice to me and put my pay through on the Friday since I was going away (instead of the Monday) so over the weekend I happily spent, getting charged $20 each time.

                The bank of course refused to refund the charges even though they'd put the thing on without my approval or even notifying me. Took a complaint to the banking ombudsman to get my money back. Oh, and about $70 worth of purchases (filling the tank and a few pies/drinks here and there) netted me nearly $300 in 'fees'.

                Never again ANZ. No wonder you so consistently get awarded "NZ's worst bank".

            2. NetBlackOps

              Try explaining that to Bank of America. Even my debit card can go into overdraft despite me explicitly telling them, via their form, that they are not to allow it.

        2. Anonymous Coward
          Anonymous Coward

          FTC is American, ASA? What has the advertising standards agency got to do with it?

  14. MatsSvensson

    Magic tool

    "this time, this guy pulls out a magic tool and tells me where the purchases were made"

    Wanna bet, that magic tool was some raw SQL or similar typed in?

    1. YetAnotherLocksmith Silver badge

      Re: Magic tool

      If you think a 2nd line tech gets "raw SQL access" to the whole of Amazon's payments system, think again!

      But if you're correct, then Amazon have much bigger issues than a few rogue smart devices.

      1. Anonymous Coward
        Anonymous Coward

        Re: Magic tool

        Back when I was a 2nd line tech the whole team had raw SQL access to millions of card payments so I wouldn't rule this out.

        Not as big as Amazon I admit but then their tech only needed access to the devices table or equivalent.

        AC to prevent you finding out where, it's actually one of the most secure places I've worked!

        1. Anonymous Coward
          Anonymous Coward

          Re: Magic tool

          Yeah a very, very big company has a 'PCI compliant' system where they don't know your admin passwords into your(their) system. Whenever they want to do work for a support request they need you to open up an admin account for them temporarily.

          However after not much time, due to the inconvenience, they just cut the encrypted password for the admin user out of the SQL database, added their default one in, did their work and then reset it back afterwards (most of the time).

          Another, very big, top tier payment provider had a system which to make some of the lower level customisation they logged into the system. A small mistake by them while they were working remotely and I now knew their master password to their payment system and many other passwords to other systems which they used across their client base. Their password was surprisingly rude and unprofessional for a company of that size so I suspect it was the same password that had been around since they were a much smaller company.

          1. Angry IT Monkey

            Re: Magic tool

            It doesn't mean the passwords are old, how many of us have worked at big companies where *none* of the staff were rude and unprofessional?

            1. Anonymous Coward
              Anonymous Coward

              Re: Magic tool

              I have, you wanker.

            2. Anonymous Coward
              Anonymous Coward

              Re: Magic tool

              It doesn't *mean* that. Hence the wording *I suspect*, to reference an opinion.

              However adopting a password like the one they used as a universal superadmin password, seemed very unusual and was of a short enough length that it would've been unlikely to be used by any serious company at that time. I'm not going to put the password here, but I think most would agree it seemed like it wasn't a recent company decision to use that password and that password policy.

        2. Anonymous Coward
          Anonymous Coward

          Re: Magic tool

          Raw SQL access is all fun and games until Little Bobby Tables phones up with a customer account query.

      2. Kiwi

        Re: Magic tool

        If you think a 2nd line tech gets "raw SQL access" to the whole of Amazon's payments system, think again!

        Ahem.. If 'complete strangers' manage to be getting such access...

        (But your implication - perhaps lower-level techs do get such access and perhaps one (or more) of them is actually responsible for the problem in the article?

    2. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    Giant Shortcoming in Amazon Customer Services?

    Who would have thought it.

    Not me and probably not many here.

    Amazon just want two things.

    Your money and your data. (like many others in this day and age)

    You pays your money and takes your choice.

    I choose NOT to do busines with Amazon unless I really, really, really have no other choice.

    1. Not previously required

      Re: Giant Shortcoming in Amazon Customer Services?

      I also prefer to shop elsewhere unless Amazon is the only source - but that's about ethics and convenience. The limited amount of shopping I do on Amazon presumably poses the same security risks as if I made multiple purchases daily, in the context of this story.

      Whatever faults there are in the OP's story, the fact that account owners cannot see and delete all the connected devices is clearly a security risk.

  16. quattroprorocked

    ICO and GDPR anyone?

    Clearly not taking their duty of care seriously.

    ALL devices MUST be visible to users and first line support.

    How did they ever design such a system in the first place?

  17. zaax

    This is very bad, the national papers should get a hold of this

  18. Tom Melly

    Why is anyone blaming anyone but Amazon?

    This is a clear and serious problem with Amazon, yet, somehow, some commentators on here are suggesting the customer is at fault? Are you insane (or just work for Amazon)?

    1. Kiwi
      Trollface

      Re: Why is anyone blaming anyone but Amazon?

      Are you insane (or just work for Amazon)?

      Well, most of the posts in this thread seem to have a solitary downvote. I guess Amazon's most loyal fan and all his friends are here!

  19. VulcanV5
    Unhappy

    Amazon takes security seriously. As in my case.

    This is the text of an email I received out-of-the-blue from Amazon a couple of weeks ago:

    Hello,

    We are writing to let you know that your name, email address, and phone number were disclosed by an Amazon employee to a third-party in violation of our policies. As a result, the employee has been terminated, and we are supporting law enforcement in their prosecution. No other information related to your account was shared. This is not a result of anything you have done, and there is no need for you to take any action.

    Sincerely,

    Amazon Customer Service

    Please note: this e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

    So. That's all right then. No-one at Amazon for me to talk to, no further details available. Employee. . . terminated. Ah. (email from no-reply@amazon.com, not amazon.co.uk).

    1. Not previously required

      Re: Amazon takes security seriously. As in my case.

      Terminating the employment would be appropriate. Terminating the employee seems a little on the harsh side.

    2. Zippy´s Sausage Factory

      Re: Amazon takes security seriously. As in my case.

      I genuinely hate those "no reply" emails, and I tend to send a snarky email to support every time I get one. In this case, the use of one is spectacularly awful.

  20. lglethal Silver badge
    Facepalm

    So they've tracked the Perp, right?

    I kind of doubt that any TV (smart or otherwise) has the ability to start obfuscating its IP address or using VPN's to bounce around the world, so the rep got the IP Address for the TV, and passed it over to the relevant authorities, right? And they've got in contact with the ISP, and gone around to the address provided by the ISP, and collared the miscreant, right?

    If none of this has happened, you really have to aks the question why not? It would seem this really does fall under the "low hanging fruit" branch, since the usual obfuscation that a crim can make is unlikely to be available from a TV. Go after them, and maybe you can learn how they got into the account in the first place and do something about it.

    But I'm dreaming arent I? As if anything will happen...

    1. stiine Silver badge

      Re: So they've tracked the Perp, right?

      Its an android device, how can you say it can't run a vpn over port 443 to exfiltrate everything about your tv's environment to samsung/lg/etc.

    2. Anonymous Coward
      Anonymous Coward

      Re: So they've tracked the Perp, right?

      Android TV is basically full Android - there are definitely VPN apps for it, e.g. NordVPN for Android TV.

  21. Captain Scarlet
    Alien

    Dont save credit cards on site

    I hate sites that insist you have to have a card saved, Amazon being one of them.

    I would prefer the bother of putting in my card details every time (Including on mobile type stores such as Google Play Store).

    Then again most people call me an alien for being paranoid.

    1. R J
      Big Brother

      Re: Dont save credit cards on site

      My thought exactly. I wouldn't trust writing down my credit card details on a piece of paper and hand it out to the staff in a shop I go to every now and then just because of any imagined convenience. Much less do the same online.

      I never save those details online. And if some stupid site does it for me, I delete it at once and stop using that site.. but of course, Amazon (and the others) want you to spend your cash as easily as possible, and don't give a damn about your security, privacy or data. Well, ok.. they care about your data, since they'd LOVE to sell it onwards.

    2. Jamie Jones Silver badge
      Joke

      Re: Dont save credit cards on site

      I think they cal you an alien due to your thumbnail pic ^^^^^^^^^^^^^^^^^^^--------------->>>>>>>>>

    3. anonymous boring coward Silver badge

      Re: Dont save credit cards on site

      I'm not downvoting you just because I disagree.

      But I you send your card details to someone they are likely stored, even if you aren't able to recall them for your own usage later. I don't have a problem with actually seeing and using my stored card details on, for example, Amazon, Paypal, eBay, etc.

    4. MachDiamond Silver badge

      Re: Dont save credit cards on site

      You aren't paranoid at all. Convenience = less secure.

      I continue to get paper bills/statements in the mail wherever possible and pay my bills manually. I don't use Amazon, but I do buy things off of eBay using Paypal. I never opt-in to automatic or one-click payments. I've been through the automatic payment hell cycle before. One time when I moved it took months to get my Sat TV cancelled (new flat had cable), etc. With manual payments, I'm not out the money every month until I get them sorted out. I'm also able to pay bills when there is money in the account. I've had automatic payments get deducted before my paycheck was posted due to a bank holiday that delayed my direct deposit and the bank deciding to place a hold on the money that they had never done in the past. It's in their fine print they can do that and it cost me several hundred in fees upfront since everything gets submitted twice. I did get about half of the fees reversed, but it took a month. In the mean time I'm eating Ramen noodles or beans on toast for most meals.

      It's much easier to stay on budget if it takes a little bit of work to buy stuff. When all you have to do is see something shiny and twitch your index finger, you lose the thought process where you should be asking "do I really need this? Do I really need this now? Is this a good price?" I pay for most stuff with cash. No cash, no buy. I might fancy having a nice steak for dinner, but if I don't have cash in pocket, I'm not going to be able to splash out for it. If I have my whole paycheck available via a small piece of plastic, I can get in real trouble. What I really want is to pay off the mortgage and get a new(ish) car.

      Make it hard for anybody to get your money, authorized or not and you'll be in a better position when you favorite online merchant is hacked. When, not if. If you opt out of them retaining your card number, there shouldn't be any leak. If they did keep the card on file, they owe you big.

  22. Peter Galbavy

    This is odd, because "yes" if you look under "My Devices" you only see Amazon branded ones, but if you go to "Manage My Devices" under the Kindle page(s) you see all your connected/permissioned "apps", including those running on non-Amazon kit: https://www.amazon.co.uk/hz/mycd/myx#/home/devices/1

    1. batfink

      Of course - the Kindle page would be the obvious place to look for a listing of your other devices.

      1. PeterI

        Hmm my Samsung smart telly shows up on my amazon account under the prime video tag, it doesn't show on the kindle page.

        https://www.amazon.co.uk/gp/video/settings/your-devices/ref=atv_set_your-devices

        along with the iPad & phone.

        1. Ma Sh

          Samsung TV and Bluray player

          Just looked at my Amazon Prime Devices and aside from various iOS devices, can see the following:

          Samsung Smart TV (Samsung Hawaii)

          Samsung TV (Samsung TV)

          ... which I think are the Bluray player and then the TV.. Weird it comes up as Hawaii though...??

          1. Anonymous Coward
            Anonymous Coward

            Re: Samsung TV and Bluray player

            Um.. This could be quite important to the whole story... Have you alerted the El reg journo?

        2. Jamie Jones Silver badge

          Blimey. I don't use Amazon on the android, yet that page shows 5 android devices registered... Unfortunately, it doesn't show anything else.. Usage details would seem obvious to include...

    2. joshimitsu

      I can see my PS3 registered there, and phones running the Android apps for Kindle and Prime Video.

      The list even includes a VM running under Bluestacks.

      Amazon support should have pointed this out.

      BTW I don't think TVs should be allowed to order stuff beyond movies - was this because of the Alexa integration? "Alexa order some more toilet roll".

      1. Captain Scarlet

        "Amazon support should have pointed this out."

        They are probably unaware.

      2. Stoneshop
        Big Brother

        BTW I don't think TVs should be allowed to order stuff

        Ordering stuff is what I do (or not), and I'm not delegating that to some device that pretends to be smart.

        1. John Brown (no body) Silver badge

          Re: BTW I don't think TVs should be allowed to order stuff

          "some device that pretends to be smart."

          The device doesn't pretend t to "smart". The act of pretending implies intelligence. It's only marketing that tell you these devices are "smart".

          For that matter, it still sounds like an odd word to use here in the UK. We don't really use smart to mean clever in the UK. We would normally use...erm....clever. Or bright. Smart usually means well dressed, smartly turned out, wearing your best suit etc.

          1. Kiwi
            Pint

            Re: BTW I don't think TVs should be allowed to order stuff

            Smart usually means well dressed, smartly turned out

            Think you hit the nail on the head right there.

            When you look at the polish/newshiny on many "smart" devices (especially what comes from the coloured pencil dept), it's your very definition that they come under. When you look at the insides - well, neither "smart" nor "clever". Perhaps that's why so much effort is put into making it harder for people to open them up, less chance we can see what a WTF??? they have inside.. :)

    3. Alterhase

      The fact that all your devices appear under the Kindle pages on "Manage My Devices" jibes with the reference in the original story to a Kindle support person being able to see the rogue device.

  23. Loyal Commenter Silver badge

    How do we know it was actually a TV?

    It might have identified itself to Amazon as a TV. "Samsung Huawei" makes me immediately suspicious that it was not. Presumably teh connection is done over the internet.

    I'm sure I could open up Fiddler right now and make an API request to one of Amazon's publicly accessible APIs telling it all sorts of things that aren't true, including user agent, IP address et al.

    I suspect an undisclosed flaw in one of Amazon's APIs that allowed someone to set up a spoof device and make purchases through that 'device', no TV involved.

    1. ChipsforBreakfast

      Re: How do we know it was actually a TV?

      It seems some devices do show up and others don't. For example, I have two android devices linked to my account, only one of which is shown. Likewise, I have a VM STB linked which isn't shown anywhere.

      There doesn't seem to be any rhyme nor reason to it - the android's were linked within minutes of each other yet only one appears....

      I suspect there are some fairly serious issues within the Amazon API & associated front end that Amazon aren't being very forthcoming about, the sort of issues that a ripe for a nasty media story and a severe slapping from the ICO when the extent of the problem finally comes out.

      I think I'll be re-evaluating my exposure to Amazon services unless they resolve this issue very quickly and openly.

    2. Carpet Deal 'em

      Re: How do we know it was actually a TV?

      Another comment mentioned seeing a "Samsung Hawaii" on their device list, so it's possible he just misheard him(one's been in the news frequently for a while, after all, while the other would sound like an internal codename that's being leaked).

  24. sketharaman

    Uh oh, I didn't know there was something like linking a device to an Amazon account (although I know about that feature in Google accounts). Anyone knows where I can find the feature on Amazon's website to link a device?

    1. Jamie Jones Silver badge

      Me neither. And when I read this article, I assumed it wasn't active on my account, but I checked the link ("Peterl" posted it above, https://www.amazon.co.uk/gp/video/settings/your-devices/ref=atv_set_your-devices) and I had 5 android devices linked! Not any more!

  25. Anonymous Coward
    Anonymous Coward

    And these folks PAY for this privelege

    You should just say thank you and keep paying your 120 bucks a year for this added benefit.

    Amazon is your God!

    Just surprises me that people pay for the 'right' to shop somewhere. I don't pay the department store just so I can shop there.

    1. Kiwi
      Pint

      Re: And these folks PAY for this privelege

      Just surprises me that people pay for the 'right' to shop somewhere. I don't pay the department store just so I can shop there.

      I'm surprised (and somewhat saddened) that in the 8 hours since your post (at time of writing obvs) I'm the only one who's given you a much-deserved upvote!

      Strange how us old curmudgeons who do most of our shopping at B&M places don't have even the slightest exposure to these sorts of risks (or, where we use cash, exposure to any sort of account/detail linking/selling etc scams'standard business practices').

      (I wonder if I can use this Amazon issue to create a dozen or more El Reg accounts to give some extra upvotes to deserving customers? :) )

  26. Stevie

    Bah!

    Everyone is banging on about the best way to use the Amazon payment system, but to me the thing that is ringing WAY out of tune is the fact that there can be devices attached to an Amazon account that the owner of the account cannot see, and administer out of existence.

    This is the key factor in the whole sorry story (it is a mark of how inured we've become to such things that I don't say the original unauthorized access is the key factor - though it should be of course).

    Why devices attached to accounts are not announced in the dashboard, and why they take such effort to be rid of is the real story.

  27. ratfox
    Devil

    Dark pattern + invisible subscription = profit

    So we did have weird AMZN... charges on our credit card, which didn't show up in the account on the Amazon website.

    I called them just to check if it was really them, and the the guy immediately says yeah, I see those charges, they're for your Kindle subscription. What Kindle subscription?

    1) Turns out that when you install the Kindle app on your phone, you get one of those magical dark patterns, which looks like this: screenshot

    If you hit the big yellow button in the middle, you need to remember to cancel within the week, otherwise the free pass is renewed into a paying monthly subscription. I guess the back button is the only way to refuse the offer.

    2) Their customer support could see our Kindle subscription, and the charges. However, we could not. Neither were showing in our account. Seeing the charges on the credit card was literally the only way we could notice anything was wrong...

  28. Anonymous Coward
    Anonymous Coward

    Amazon Prime Video device management link is separate to shopping

    Amazon UK provided me with two links:

    Prime Video device management:

    https://www.amazon.co.uk/gp/video/settings/your-devices

    This includes my registered TV, and enables me to see all devices registered to use Prime Video - and de-register them, or register a new device.

    Would this link have solved fidelisoris' problem?

    Kindle and shopping apps:

    https://www.amazon.co.uk/mycd

    This has my Kindle and Kindle apps registered. If I had other devices like Alexa that would be here too, apparently.

    I also use an iOS Amazon Shopping app. I don't see that anywhere, but it might be included with one of the Kindle registrations.

    I think this design, separating Prime Video and Shopping App device management so completely, is very poor and might fail GDPR Article 25 - Data Protection by Design and by Default. I imagine it would be easy to include all devices on one page, probably in separate sections on the page.

  29. Anonymous Coward
    Anonymous Coward

    On the Kindle pages, there is reference to 'All Kindle transactions are completed with 1-Click. Changes made to your default 1-Click method will apply to future Amazon.co.uk 1-Click transactions, but will not change your current active subscriptions', there is an option to cancel 1-Click, I wonder if this is the payment method used by non-Amazon devices?

    I have one Kindle registered, the card used on Amazon was changed about three months ago and the new card is shown as the default 1-Click payment method, despite me not having charged, used or bought Kindle content for well over a year

    1. NetBlackOps
      Thumb Up

      Now that's an interesting observation! Disabled it here for all browsers and devices and, yes, it's explicitly on that page that it applies to all devices when you universally kill it.

  30. Anonymous Coward
    Anonymous Coward

    Seriously

    Why does not everyone use a prepaid debit card for on line purchasing/subscriptions.

    Using one of those (I use Pockit or however the hell they spell it) which means if my account gets hacked, apart from the cash on it, they cannot use it for anything else.

    I am seriously amazed that people link their credit or debit cards to any online thing.

    Cheers… Ishy

    1. Kiwi
      Pint

      Re: Seriously

      I am seriously amazed that people link their credit or debit cards to any online thing.

      On that we can agree!

      Limit the exposure, limit the risk, limit the loss. Sure you might be able to get the charges reversed in time, but that doesn't help you when your bank acc has been drained and you have immediate costs that need to be dealt with.

      1. MachDiamond Silver badge

        Re: Seriously

        "and you have immediate costs that need to be dealt with."

        That's my biggest fear. All of those other bills also will have late fees, etc. If it's something big like a car loan or mortgage, the late will go on your credit report as well. Those other creditors also aren't going to care that you got pwned, only that your payment to them was late/missed. While you may get charges reversed and funds put back into your account 60-90 days down the line, it could be a couple of hundred in lates/fees that aren't going to get reversed.

        I use prepaid cards on road trips. Petrol pumps are a favorite target for card readers along with little out of the way shops you might think a little dodgy but don't have much of a choice about late at night when you need something. Out of towners are a big target. You are probably buying lots of stuff on a trip and it would be the business to try and sort out where your card got compromised. Some issuers seem like they want you to investigate fraud yourself to be able to claim the protection. Yeah, you wind up paying a bit extra for the prepaid card, but it's insurance against getting somewhere and not being able to check into a hotel because your card has been compromised. I also bring enough cash with me to pay for petrol to get home and a meal or two. I could sleep in the car if I had to, but I don't have anyway of creating petrol to put in the tank. The other bonus is cash works if the network is down at the petrol station.

        1. Anonymous Coward
          Anonymous Coward

          Re: Seriously

          Here in the uk Revolut is an online pre-paid account with real and virtual cards. I've not paid any charges using it. I get a notification on my phone app often before the merchants terminal has printed the receipt. And it works - I forgot to top up (my bad) and my Ring subscription got declined.

        2. Kiwi
          Happy

          Re: Seriously

          I also bring enough cash with me to pay for petrol to get home and a meal or two. I could sleep in the car if I had to, but I don't have anyway of creating petrol to put in the tank. The other bonus is cash works if the network is down at the petrol station.

          Same. I keep cash or petrol vouchers in the bike helmet and in a tucked-away place in the car (after all, if someone breaks into the car and steals the contents of the glove box, having a $100 in there isn't going to help me - and that's one of the more likely ways I'll wind up wallet-less). I can find a hay-barn or bridge or something on the bike, car's big enough to pass a night or two, but no cash=no gas.

          Recently a nearby suburb had a powercut. Was interesting seeing the blank stares on the faces of people who couldn't contemplate the idea of using something so out-dated and unfashionable as cash. But while they were panicking about how long the power would be down, I was still shopping and going about my business as if nothing had happened (and enjoying the lack of artificial light and especially the lack of canned muzak!)

  31. Anonymous Coward
    Anonymous Coward

    Culprit

    Clearly it was Elliot with Tyrell in tow.

  32. anonymous boring coward Silver badge

    ""For those who suggested that the account should be abandoned and a new one created, I agree that is certainly the best move for security purposes. "

    I use my Amazon purchase history to re-buy things I bough years ago, Even a decade ago.

    It's too useful to just abandon for the off-chance that it will fix a problem.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like