A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months

A fraudster exploited a bizarre weakness in Amazon's handling of customer devices to hijack a netizen's account and go on multiple spending sprees with their bank cards, we're told. If you have weird fraudulent activity on your Amazon account, this may be why. In short, it is possible to add a non-Amazon device to your Amazon …

  1. FozzyBear
    Black Helicopters

    The list of compelling reasons

    NOT to use these IoT, security-riddled, privacy-invasive, data-slurping, inconvenient pieces of crap just keeps mounting.

    1. Mark 85

      Re: The list of compelling reasons

      Can we add places like Amazon and others to that list?

    2. Doctor Syntax Silver badge

      Re: The list of compelling reasons

      It seems to be a compelling reason to use them if you're a fraudster.

    3. Warm Braw

      Re: The list of compelling reasons

      In this case, the victim didn't own the device in question.

      If there's a way an IoT device can siphon money from someone else's account, that would be a compelling reason for a certain section of society to get one immediately!

      1. dajames

        Re: The list of compelling reasons

        In this case, the victim didn't own the device in question.

        ... but DID have an Amazon account, which seems to be the source of the problem.

      2. teknopaul

        Re: The list of compelling reasons

        The device was a "Samsung Huawei"; presumably the physical device does not exist.

        1. Andy Denton

          Re: The list of compelling reasons

          Indeed, my money's on someone exploiting a hardware-manufacturer-specific API these smart devices are supposed to use, which perhaps hasn't gone through the same scrutiny that other, more widely used APIs have.

      3. Flywheel

        Re: The list of compelling reasons

        compelling reason for a certain section of society to get one immediately

        They could get it from Amazon, for the ultimate irony!

  2. Blockchain commentard

    Hmm, just looked on my Amazon account. My LG TV isn't shown. Now I only use it for Prime viewing but it does offer to pay for films etc. so I'd expect it to be there. Worrying.

    1. Anonymous Coward
      Anonymous Coward

      Is your TV an Amazon TV?

      "In short, it is possible to add a non-Amazon device to your Amazon customer account and it won't show up in the list of gadgets associated with the profile."

    2. YetAnotherLocksmith Silver badge

      Uh-oh!

      Did you accidentally not buy it from Amazon? There could be trouble ahead!

      (That bit is a joke. Obviously Amazon don't make LG TVs, or indeed any TVs. Yet. Indeed, no TV will ever show up in that list on your account - that's the point of the article.)

    3. VinceH

      Optional

      You can add a PIN to your account for purchasing videos* via smart TVs and the like. While a PIN isn't the best solution, it's at least a small level of additional security.

      * I'm assuming that's what was being purchased in this case.

  3. cynicist365
    Meh

    Tie in all your services

    One ring to rule them all,

    One ring to find them,

    One ring to bring them all,

    And in the darkness, bind them.

    1. doublelayer Silver badge

      Re: Tie in all your services

      I suggest the following alteration:

      One ring to rule them all,

      one ring to find them,

      with many ways to see them all,

      and for the money, mine them.

      I think it fits with the business model of most providers.

      1. cream wobbly

        Re: Tie in all your services

        The rest of the rhyme is particularly applicable, as a sort of mythological bait-and-switch.

        Three Rings for the Elven-kings under the sky, [Books! get yer luvverly books!]

        Seven for the Dwarf-lords in their halls of stone, [We do CDs and stuff now]

        Nine for Mortal Men doomed to die, [You want handbags? Socks? Johnnies? Bikes?]

        One for the Dark Lord on his dark throne [I've got mine]

        In the Land of Mordor where the Shadows lie. [speaking of lie...]

        One Ring to rule them all, One Ring to find them,

        One Ring to bring them all [the mall, haha] and in the darkness bind them [mushrooms...]

        In the Land of Mordor where the Shadows lie. [I heard you the first time]

  4. whoseyourdaddy

    "Sis, you connected your TV directly to the internet?"

    "Geek Squad told me to."

    I'll be over there in ten minutes with a hammer and an Apple TV box.

    Hold him until I get there.

    1. phuzz Silver badge

      Surely a Raspberry Pi would be a better choice? I'm sure getting Apple's billing department to reverse charges isn't much fun.

  5. Dvon of Edzore

    Easy fix, hard to get enacted

    A pair of two-word phrases would cure such nonsense: Strict Liability and Treble Damages. If companies that handle transactions were held to this simple standard of care, the problem would vanish overnight. Not even a bozo wants to be paying three times the disputed amounts, plus attorneys' fees if they dispute it. Arbitration clauses be damned: you screw up and don't 'fess up, you get smacked down harder.

    1. Charles 9

      Re: Easy fix, hard to get enacted

      But politicians and lawyers are closely related. How do you get around that problem AND make sure it can't get undone down the road?

    2. Byham

      Re: Easy fix, hard to get enacted

      And if companies dispute the case in court and fail - the attorney's fees AND the damages rise to 10 times from treble.

  6. Anonymous Coward
    Anonymous Coward

    There seems to be something wrong here

    Quote "Thus if someone can get into your account". So how did this someone get into his account?

    Actually, I am calling bullshit on this. He is protesting far too much. And as for that bollocks about not closing his account? Am I the only one not buying that? Oh well, Downvote oblivion here I come.

    Cheers… Ishy

    1. Anonymous Coward
      Anonymous Coward

      Re: There seems to be something wrong here

      > Quote "Thus if someone can get into your account". So how did this someone get into his account?

      > Actually, I am calling bullshit on this. He is protesting far too much. And as for that bollocks about not closing his account? Am I the only one not buying that? Oh well, Downvote oblivion here I come.

      In his case I don't know how someone got into his account. But I could imagine that people in relationships that end badly could use this as a means of retaliation, so closing the loophole of not being able to see all devices is a must.

    2. whoseyourdaddy

      Re: There seems to be something wrong here

      I suspect his login was hacked from an unrelated website and someone found he uses the same creds across all accounts, including a very popular Amazon.

      Yeah, I would try Amazon first.

      I'm guilty of sharing logins until someone sent me a message:

      "We have your pornhub account password. Send a bitcoin to..."

      Yeah, I think my Mom is the only one who doesn't use pornhub.

      Fuck off.

      1. TDog

        Re: There seems to be something wrong here

        Actually, if her password is ************ (redacted), I think she does.

    3. doublelayer Silver badge

      Re: There seems to be something wrong here

      Well, let's round up a few suspects:

      1. Reused password.

      2. Poor password.

      3. Keylogger.

      4. Phishing email.

      5. Someone with a passwords file (especially children).

      6. Insecure IoT device (e.g. television watching Amazon's video service).

      7. Malicious attack by someone who knew the person.

      8. The poster was not the person whose account was accessed; they are the technical person who helped a family member or friend whose account was accessed using one of the above mechanisms.

      9. Amazon's had their system accessed and Amazon doesn't know or hasn't told us.

      10. Dumb luck.

      So maybe one of those was used to access the account. It's still a massive problem if you can't lock them out by changing the password and deleting connected devices and changing how 2FA is working and talking to normal customer support. I fail to see your objection to this quite likely possibility.

    4. Anonymous Coward
      Anonymous Coward

      Re: There seems to be something wrong here

      @the down voters.

      As I expected you have all totally missed my point. And I thought "Techies" are supposed to be clever. Thankfully I use Macs for my business. (You may have listened to my mixes in certain clubs. There is a reason I am a ghost deejay.) Which means I don't need a techie. More downvote oblivion by the sheeple.

      Cheers… Ishy

      1. Bob Asic

        Re: There seems to be something wrong here

        dick

      2. Kiwi

        Re: There seems to be something wrong here

        You didn't make a point. You made a wild and unjustified accusation.

        As to your comment about techies being clever - that's why you got so many downvotes. We're[1] clever enough to know the only "bullshit" was in your post.

        [1] Hopefully including myself among "techies" doesn't get me a visit from the Serious Fraud Office

      3. Anonymous Coward
        Anonymous Coward

        Re: There seems to be something wrong here

        "As I expected you have all totally missed my point": your point being that you feel the user is lying, for which you give no evidence, whereas what was being discussed makes a lot of technical, historical and general life sense.

        Recent media exposure of other companies abusing data sharing suggests that it is more than believable for Amazon to hide information to avoid users looking too closely at what is being done with their data.

        As to you being a DJ, personally I see this as irrelevant; your suggestion that I might have heard your mixes, in my case at least, suggests you have misjudged your audience. Even if I had heard your mixes (which I know I have not, too old for clubbing) it would not cause me to give your opinion greater credence.

        On the DJ subject and FYI, for my part I never understood why playing someone else's music should give you automatic respect: the musician perhaps, but not someone who chops up an artist's work and claims it as their own ("my mixes").

        I hope this helps you not to feel rejected for any reason other than your own actions.

  7. Anonymous Coward
    Anonymous Coward

    Devices generally have an api type login

    Which does NOT care if you change the password.

    So. Why The F are they not all listed so they can be revoked?

    1. YetAnotherLocksmith Silver badge

      Re: Devices generally have an api type login

      Bingo.

      Someone gets it.

      It's a different door with different keys, is a good analogy, and it's one of those hidden doors that looks like a bookshelf, in this case.

      1. dajames

        Re: Devices generally have an api type login

        It's a different door with different keys, is a good analogy, ...

        Well, sort of ...

        It's a different, secret, door that initially takes the same key as the main door ... but when you discover someone has been getting in and you change the lock on the main door the intruder can still get in through the secret door (either because the old key still fits or because it's been left ajar -- that part's not clear from the article) ... and as the door is secret you can't find it to nail it shut.

    2. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      And... change the password, expire the token.

      If you're changing the password it is generally for a security reason, so any tokens issued for the API should also be revoked. Every device will then need you to log in again to get a new token.
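      The token lifecycle these comments describe, as an added example that is not from the article and not Amazon's code: a toy account model in Python where linked devices hold long-lived tokens, with the weak behaviour (tokens survive a password change, third-party devices are hidden from the device list) beside the hardened one (password change invalidates every device token, all linked devices are listed). The class, method names, the "Samsung Huawei" TV and the passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class DeviceToken:
    """A long-lived credential handed to a linked device (constructed model)."""
    device_name: str
    vendor: str
    first_party: bool        # made by the account provider, or a third-party TV
    cred_generation: int     # password generation the token was minted under


class Account:
    """Toy account with linked-device tokens. The two policy switches model
    the weak behaviour the thread complains about and the hardened alternative."""

    def __init__(self, password: str, *, revoke_on_password_change: bool,
                 list_third_party: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.list_third_party = list_third_party
        self.generation = 1                    # bumped on every password change
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self._tokens: dict[str, DeviceToken] = {}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def link_device(self, password: str, device_name: str, vendor: str,
                    first_party: bool) -> str:
        """Linking needs the password once; the returned token never does again."""
        if not self.check_password(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = DeviceToken(device_name, vendor, first_party,
                                          self.generation)
        return token

    def token_valid(self, token: str) -> bool:
        entry = self._tokens.get(token)
        if entry is None:
            return False
        # Hardened policy: a token minted under an older password generation is dead,
        # so every device has to log in again after a password change.
        if self.revoke_on_password_change and entry.cred_generation != self.generation:
            return False
        return True

    def purchase(self, token: str, item: str) -> bool:
        """A device-initiated purchase needs only a valid device token, no password."""
        return self.token_valid(token)

    def change_password(self, old: str, new: str) -> None:
        if not self.check_password(old):
            raise PermissionError("bad password")
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new)
        self.generation += 1   # token_valid() consults this in hardened mode

    def list_devices(self) -> list[str]:
        """Devices that can currently act on the account. Weak policy hides
        third-party devices, which is the blind spot the article describes."""
        return [f"{d.vendor} {d.device_name}" for t, d in self._tokens.items()
                if self.token_valid(t) and (self.list_third_party or d.first_party)]

    def devices_needing_relogin(self) -> int:
        return sum(1 for t in self._tokens if not self.token_valid(t))

    def revoke_device(self, device_name: str) -> int:
        """Revoke every token held by a named device; returns how many were cut."""
        victims = [t for t, d in self._tokens.items() if d.device_name == device_name]
        for t in victims:
            del self._tokens[t]
        return len(victims)


def run_scenario(*, hardened: bool) -> dict:
    """Replay the thread's scenario: a stranger's TV gets linked, the owner
    changes the password, the TV tries to buy again. Returns the observations."""
    acct = Account("hunter2", revoke_on_password_change=hardened,
                   list_third_party=hardened)
    acct.link_device("hunter2", "Fire tablet", "Amazon", first_party=True)
    tv = acct.link_device("hunter2", "Smart TV", "Samsung Huawei", first_party=False)
    tv_listed = any("Smart TV" in entry for entry in acct.list_devices())
    acct.change_password("hunter2", "correct horse battery staple")
    return {
        "tv_visible_in_device_list": tv_listed,
        "tv_can_still_buy_after_password_change": acct.purchase(tv, "gift card"),
        "devices_needing_relogin": acct.devices_needing_relogin(),
    }
```

Under the weak policy the TV is invisible and keeps buying after the password change; under the hardened one it is listed, its token dies with the old password, and both devices must re-authenticate.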

    3. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      Anything with "link your account" is always going to be a security hole, especially if a linked device can add a new link using the existing credentials.

      IMHO Amazon do not want to publish who is linked to their account for the same reason as all the others like Steam, FB etc.: basically, people would be able to remove the link that allows these third parties to spy upon the user and their transactions.

      Since Amazon here are taking pains to prevent the user from knowing which third parties can bypass authentication, you cannot see how many fourth parties may have been daisy-chained into the loop.

      To my mind, if a company allows account linking then they are responsible for any fraud that occurs using their system; if they do not allow you to see who is spying upon you then they are intentionally thwarting identity legislation.

    4. SeanSkiVT

      Re: Devices generally have an api type login

      BINGO! The fact they don't expose all devices, as well as their most recent login date and location, is pretty customer-hostile IMO.

    5. Anonymous Coward
      Anonymous Coward

      Re: Devices generally have an api type login

      This. Jesus Christ on a fucking motorcycle riding with no helmet...

      Once enough damage is absorbed by the credit card companies, they'll unleash hell on Amazon, that will encourage a security upgrade.

  8. NetBlackOps

    I got nailed by this

    My story is exactly the same except this happened many months ago and Amazon had not a clue. I've done every IT gig you can over the last 40 years, from code monkey in Fortran on punch cards on up to CIO. I don't reuse passwords on any site that matters a damn (PasswordSafe); they are all long and random. Actually my banking password, due to restrictions, is the worst, still long though. And yes, haveibeenp0wned is a regular check.

    I went through the same tap dance, changing everything including the debit card. The charges were for Xbox 360 gift cards. After a bit of work on my end, Amazon cleared the charges. I just now checked my devices list, and aside from the Fire tablets and Firestick, no other devices are listed, despite adding two "smart TVs" to the authorized devices a couple of months back when I got Amazon Prime. [We're experimenting with cutting the cord here.] So, Amazon has some sort of problem here and it has been going on for a while.

    1. Drat

      Re: I got nailed by this

      I find that shocking that Amazon have this giant security hole. How many other people have been hit by this and haven't noticed or just blame the kids? Of course Amazon will get a % of the sales...

      1. teknopaul

        Re: I got nailed by this

        Amazon making money on the whole thing is nuts. Any legal eagles know why Amazon can't be had for criminal behaviour if they are knowingly in cahoots with the crims?

        1. Kiwi
          Pint

          Re: I got nailed by this

          Amazon making money on the whole thing is nuts. Any legal eagles know why Amazon can't be had for criminal behaviour if they are knowingly in cahoots with the crims?

          That's the issue though. You and I suspect Amazon are milking this and dragging out the 'fix' to get a little extra profit. Some may suspect that Amazon or people within have been using this information deliberately, perhaps even from the very outset (perhaps a dev found a way to crack the API that links devices so login details are never needed - perhaps that was passed on to a manager who has enough knowledge to make use of it, perhaps the dev just decided to supplement their income).

          But the problem is proving it to a suitable standard in court.

          Amazon can claim "we're working on it but there's backwards compatibility issues and it only seems to affect 3 people", or "We're aware of the problem and will reverse charges when a customer complains, however we're still investigating the cause" (easy - let people see attached devices, all attached devices - and perhaps purchases made through each individual device and IPs/location etc etc etc etc).

          Making the claim is one thing. Proving it is another :(

    2. Robert Helpmann??
      Childcatcher

      Re: I got nailed by this

      It sounds to me like there is an additional issue with Amazon that allows the fraudsters to gain access to accounts, and then the one being described in the article that allows them to retain it. Maybe an API that doesn't enforce timeouts for bad password attempts, or they're vulnerable to MITM attacks, or maybe have CSRF issues. There's definitely more to what happened than what is given in the article.

    3. Anonymous Coward
      Anonymous Coward

      Re: I got nailed by this

      Might even be someone at the "Smart" (ahem, are they *really?*) TV factory... do you know the brand of TV or the "App" (Yeah, right, you mean android/java/html5 rip off of an OS) manufacturer? I'd not be surprised if they were all the same.

      (If not directly the TV manufacturer, might be an engineering port/website left open/unregistered that's been claimed!)

      1. NetBlackOps

        Re: I got nailed by this

        The problem with that theory is that until very recently, well after the "hack" of my account, there were no "smart TVs" linked to my Amazon account. Just a Kindle Fire tablet and, at that time, I'd only order on Amazon using Firefox with it set to nuke everything after I close a tab for a site as well as nuke everything entirely when I close the browser. So, three possibilities come to my mind. My Amazon account got hacked; my linked Google account got hacked; or it's the API, courtesy of either the Fire tablet or the API in general.

        Path analysis isn't that hard.

        1. JCitizen
          FAIL

          Re: I got nailed by this

          Forgive me if I'm not a browser expert, but I do know that usually zombie files and LSOs are not removable by most anything even after closing the browser; and that is why so many people use CCleaner to get rid of those objects. I know of no other cleaner that does. If you do, please enlighten me!

  9. streaky

    Blergh.

    Obviously this stuff should be revocable and Amazon's site suffers with a lot of inertia.

    BUT

    Remove all your payment cards so purchases fail until Amazon fix?

    1. Aristotles slow and dimwitted horse

      Re: Blergh.

      Yes that was my first thought, surely the easiest and most obvious first step to prevent any further fraud would have been to remove all payment methods - but unless I've missed it I can't see that this is mentioned in the "lockdown" actions in the story.

      1. Anonymous Coward
        Anonymous Coward

        Re: Blergh.

          I'm not sure about Amazon, but I've experienced many sites that don't let you remove a card unless you replace it with another valid one (fakes are rooted out via chargeback tests).

        1. jasper pepper

          Re: [we] "have taken a lot of time to do things right"

          I successfully removed all payment methods from my Amazon account. Although I should say I don't have Prime. I can see Amazon wanting to keep valid payment methods where you have signed up to be charged for ever and ever.

        2. VinceH

          Re: Blergh.

          "I'm not sure about Amazon, but I've experienced many sites that don't let you remove a card unless you replace it with another valid one"

          Amazon does allow you to remove all payment methods. I mentioned in the comments on another Amazon story that I recently placed an order on behalf of my mum via her account, and there was swearing due to the Prime trick. After placing that order, as I've done every other time I've done this for her, I removed the card.

          One possible gotcha when you do this is that it warns you the card will still be used for any existing orders that have been placed using it but not yet fulfilled - but given that (I assume) the orders placed via a smart TV were videos, they will have been fulfilled immediately.

    2. Venerable and Fragrant Wind of Change

      Re: Blergh.

      Am I the only one too paranoid to have added payment cards in the first place?

      And I don't just mean Amazon. With a macbook and an android 'phone, that's two app stores that keep asking me for a card they can hold permanently.

      1. katrinab Silver badge

        Re: Blergh.

        On the Apple store, I bought a £10 iTunes gift card and added that as my payment method. It has £7.03 left on it, and that's the maximum I could lose.

      2. MiguelC Silver badge

        Re: Blergh.

        I only use virtual credit cards for online shopping, and also make sure they're one use only. Even for subscriptions (Netflix, etc.) but for those I need to remember to create a new card before payment is due.

        1. EBG

          virtual credit cards

          any recommendations ?

          1. Anonymous Coward
            Anonymous Coward

            Re: virtual credit cards

            Starling, Monzo, Revolut, g̶o̶o̶g̶l̶e̶ duckduckgo it

            1. EBG

              Re: virtual credit cards

              Thanks. Maybe a dead thread now - but does "chargeback" work on VCCs? It wasn't mentioned ATL, but it is *the* bombproof way to deal with incorrect charges.

              1. MrReynolds2U

                Re: virtual credit cards

                "chargeback" is the process of reclaiming a disputed payment.

                Do you mean "pre-authorisation", which checks if the card can cover a payment and reserves that amount ready to be "authorised" (claimed) later? It's a common practice when setting up online payment methods or using pay-at-pump petrol (gas) stations. In fact it used to be a stipulation of the card companies that an online retailer could not take money from your card until they had shipped your order.

  10. Anonymous Coward
    Anonymous Coward

    Samsung TV apps

    I noticed that my Samsung TV had several apps installed that I could not remove that were similar to apps found on my Android phone.

    After I switched to iOS I found that I could now uninstall the apps in question that were on my Samsung TV.

    I had never linked anything from my phone to my Samsung TV myself.

    I now have my Samsung set up on its own isolated network and sinkhole any Samsung-related connections using a Pi-hole.

    If I were a betting man I would wager that Samsung was giving access to third parties such as Amazon and vice-versa.

    Much like Facebook allowing phone manufacturers and data providers to access low-level data of users' Facebook accounts through the "Facebook Partners" program, I believe that Samsung and Amazon (and everyone in between) also have similar partnerships that could allow this kind of cross-device exploitation.

    I too had an interesting and revealing phone conversation with my phone's data provider customer service rep a few months ago, where the agent accidentally mentioned my Samsung TV on an unrelated issue.

    When I asked him how he knew I owned a Samsung TV he said he misspoke and denied he could see what devices were on my home network.

    This is nothing new of course; many phone apps (such as Facebook) actively scan the user's internal Wi-Fi network, Bluetooth and NFC in search of neighboring devices.

    With so much user data being shared amongst third parties behind the scenes this kind of thing is bound to happen.

    1. Androgynous Cupboard Silver badge

      Re: Samsung TV apps

      I've never figured out how to remove those apps. After coming back and finding the babysitter had added the TV to the wireless network to use them, I ended up blocking the TV's MAC address at the router. The hoops we have to jump through...

  11. ChrisBedford

    All those precautions and 'they' left out the most obvious one

    Why didn't 'they' (let's face it, *he*) delete the credit card from 'their' Amazon account? That would have been my *first* action, forget changing all those passwords.

    Each time I've used the 'purchase with one click' option on Amazon I've mentally cringed at the potential loophole there. But let's face it, it's really convenient, innit...

    1. Anonymous Coward
      Anonymous Coward

      Re: All those precautions and 'they' left out the most obvious one

      Deleting the card isn't going to help much though, because the charges would just go through onto the replacement card.

      Unless you meant to type "why didn't he completely abandon that Amazon account and start a new one". That would certainly work but such an extreme measure isn't something most people would go with unless they were aware that Amazon had a whopping security hole in their account management.

      1. Natalie Gritpants Jr

        Re: All those precautions and 'they' left out the most obvious one

        Surely that's not an extreme measure?

        1. YetAnotherLocksmith Silver badge

          Re: All those precautions and 'they' left out the most obvious one

          Cancelling your cards (and effectively closing your bank account for every single payment mechanism you use) is fairly extreme for a strange purchase on Amazon, I think - all that extra work and hassle, for a start.

          Have you stopped a bank card recently? There are dozens of places that have the details, that you have to chase down.

          So no, killing the card certainly shouldn't be your first step. It hasn't been compromised!

          1. Anonymous Coward
            Anonymous Coward

            So no, killing the card certainly shouldn't be your first step. It hasn't been compromised!

            I disagree; IMHO the card has been compromised simply by passing it to any service that allows linking of accounts.

            In answer to the question "who do you trust", your thinking should be no one, and certainly never anyone who offers you a reward to allow them to share your information.

          2. el_oscuro
            FAIL

            Re: All those precautions and 'they' left out the most obvious one

            I have had to kill credit cards to get rid of "pre-authorized" charges. You sign up for some service and they start billing your CC automatically "for your convenience", and then make it impossible to close the account. First offender was AOL but there have been plenty since. I no longer even bother trying to close the account - I just get a new credit card. A good way of cleaning out the leeches that attach to any card over the years. Anything I actually still use will get the new card number.

            But the worst offender was PayTrust after they got bought out by Intuit. Since it was a bill paying service, they had my bank account on file and made cancelling the account even more hyperimpossible than learning to fly or making something invisible.

            So I put a stop payment on any charges from PayTrust - even that didn't work for a while - they just kept running up charges until after about 6 months they gave up.

            1. Anonymous Coward
              Anonymous Coward

              Re: All those precautions and 'they' left out the most obvious one

              What about when the credit/debit card naturally expires, and you get issued a new one with a new 3-digit CVV number? Is that sufficient, or do you need to kill the account completely?

              1. Anonymous Coward
                Anonymous Coward

                Re: All those precautions and 'they' left out the most obvious one

                I remember reading something a while back about banks waving through transactions for expired cards when they were for Amazon. As if Amazon gets VIP treatment, no questions asked, in that regard. It doesn't surprise me now.

                1. Jamie Jones Silver badge
                  Thumb Up

                  Re: All those precautions and 'they' left out the most obvious one

                  Hmmm, that's a bit short-sighted of them, in my opinion. Not only would the charge be easily disputed, it will mean more hassle for the bank as more people cancel cards completely!

                  Doesn't surprise me though...

                  Cheers for the reply

        2. Anonymous Coward
          Anonymous Coward

          Re: All those precautions and 'they' left out the most obvious one

          I've spent over 20 grand on Amazon over 20 years. The purchase history is useful. Sure, I could archive it off, but that would be the "hassle".

      2. Stoneshop
        FAIL

        Re: All those precautions and 'they' left out the most obvious one

        Deleting the card isn't going to help much though, because the charges would just go through onto the replacement card.

        'Deleting the payment info from the Amazon account' and 'getting the credit card revoked and replaced' are two not entirely equal actions.

    2. ICPurvis47
      Devil

      Re: All those precautions and 'they' left out the most obvious one

      I had a similar experience, I decided to change from the AA to another provider. I told the AA that I was not renewing, and told my bank not to honour any request for payment from the AA. They still managed to get paid, so I had two rescue services. I complained to the bank, and they refunded the charge, and I then cancelled my debit card and asked for a new one. 12 months later, the AA managed to get paid again, even though the original card had been cancelled. It took a long time for the bank to refund me this time, but they are under strict instructions NOT to pay the AA again. We will just have to see what happens next time.

      1. Killfalcon Silver badge

        Re: All those precautions and 'they' left out the most obvious one

        Was it a direct debit? Those are tied to accounts, so changing the card won't affect it (I'm guessing not, as the Direct Debit Guarantee should have gotten you your repayment pretty sharpish).

      2. Anonymous Coward
        Anonymous Coward

        Re: All those precautions and 'they' left out the most obvious one

        What? The AA don't have some special relationship with the bank where they can force transactions through. Either you were using different card details or you set up a direct debit or a standing order.

        1. Emjay111

          Re: All those precautions and 'they' left out the most obvious one

          This can happen, especially with the AA.

          It's not a direct debit, it's a continuous payment authority, and it can roll over even when your card expires.

          Happened to me, and it's a very real thing. More info here:

          http://www.theukcardsassociation.org.uk/individual/repeat-payments-on-your-card.asp

          This line in particular explains it simply: "If your card expires during the course of your CPA, you should check with the retailer whether your new card details have been automatically updated with them, as this will not always be the case."

          In other words, the bank informs the merchant of the new card details - without any action from the cardholder.

          1. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            Hmm, fair enough. I didn't know that. I have always had suppliers asking when a card expires as the payment didn't go through. However the same page about CPA also states you can cancel directly with the bank and the CPA will be removed and the card details will no longer be sent to the company.

            The AA would not be able to bypass this.

            1. Killfalcon Silver badge
              Facepalm

              Re: All those precautions and 'they' left out the most obvious one

              The AA _sh_ould not be able to bypass. Everything in this is a process implemented and followed by humans, possibly using computers, hundreds of thousands of times a day in dozens of banks and hundreds of companies.

              There's always room for a fuckup-in-a-million event.

      3. Hairy Scary

        Re: All those precautions and 'they' left out the most obvious one

        You should read the AA's terms and conditions, it states that if you cancel your direct debit they will continue to take payments from the bank account you used to set up the DD (is that legal?). You can only cancel through them, not your bank.

        I was always under the impression that you could get a DD canceled by your bank but apparently not now, to be fair I have never tried to cancel my AA subscription and if I did I would certainly get in touch with the AA first then cancel with the bank, however if you cancel through them and they still take payments then there is a problem.

        1. Kiwi

          Re: All those precautions and 'they' left out the most obvious one

          You should read the AA's terms and conditions, it states that if you cancel your direct debit they will continue to take payments from the bank account you used to set up the DD (is that legal?). You can only cancel through them, not your bank.

          A big part of why I don't allow any DD's. Burnt once (badly), never again.

          You're giving control of your bank account to another party. A party who may not honour your request to no longer have anything to do with them, and a party who hopes you'll forget and not notice the small monthly charges.

          When I am starting with a company there's a few options - I can set up an automatic payment (where I control the if, when and amount), I can come in and pay in store, or I can do business with someone else. I say once I won't do DD. They complain, I say I won't do DD because I've been badly burnt, they say 'trust us we'll never do that', I say you can let me do it my way or I'll go elsewhere. If they still say 'we only do DD' I hang up/walk out. Customer respect goes a long way.

          1. Kiwi
            Pint

            Re: All those precautions and 'they' left out the most obvious one

            Cool! I've picked me up another stalky random downvoter!

            1. Kiwi
              Pint

              Re: All those precautions and 'they' left out the most obvious one

              I've picked me up another stalky random downvoter!

              Looks like they went through the first 2 or 3 pages of my posts and added a DV to each. If they do a few more pages I'll finally reach 2,000 DV! Come on Stalky, just another half hour or so of mindless clicking and you can help me achieve my goal before the year is out! :)

              (PS I have a fairly good idea who you are too. Noticed certain patterns the last couple of times this happened..)

              1. trindflo Bronze badge
                Pint

                Stalky downvoters

                I've noticed you only get them when you call people on their shite. Thanks for doing that!

          2. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            The only way for any company to take money directly from a bank account using account details is via a direct debit. They can't do it any other way (apart from a very brief window where some companies can reclaim money paid in error into someone's account).

            A Direct Debit usually has quite good protections as if you complain then all money should be returned and you can cancel it via the organisation or directly with your bank at any time (more protection than giving out your credit card details).

            If an organisation abuses this or sets up a new DD or tries to reactivate a DD by pretending you have authorised it they are at risk of losing their authority to process them - An organisation has to go through the process of being authorised before they can take money on Direct Debits, it's not open to everyone.

            1. Kiwi
              Pint

              Re: All those precautions and 'they' left out the most obvious one

              The only way for any company to take money directly from a bank account using account details is via a direct debit.

              Yup.

              Thing is.. They get to say how much and when. And a 'typo' on their part might mean they take more than they're supposed to. Like maybe several months worth of payments in one hit.

              Banks also tend to charge fees for automatic payments failing. HP/Loan etc companies charge fees when you don't meet the payment. A missed mortgage payment can get dicey PDQ, and missed insurance payments can mean late fees and cancelled policies.

              You might get the money back PDQ but as MachDiamond said, you're going to be out of pocket for other stuff. You may even get the payment reversed that day and the money in your account less than 24hrs later, but you could still be broke for a while.

        2. Anonymous Coward
          Anonymous Coward

          Re: All those precautions and 'they' left out the most obvious one

          "I was always under the impression that you could get a DD canceled by your bank but apparently not now"

          If you're within the EU/EEA, the Payment Services Regulations 2009 requires that you be able to cancel a CPA by notifying *either* your bank or the retailer. The situation may vary in other jurisdictions ;)

          1. Anonymous Coward
            Anonymous Coward

            Re: All those precautions and 'they' left out the most obvious one

            The UK isn't included then. Seeing as we left on the 31st?

            1. John Brown (no body) Silver badge
              Joke

              Re: All those precautions and 'they' left out the most obvious one

              "Seeing as we left on the 31st?"

              Which 31st? What year?

    3. adam 40 Silver badge
      Facepalm

      You can't delete the card

      Last time I got paranoid I wanted to delete all my cards and it (Amazon) wouldn't let me.

    4. NetBlackOps

      Re: All those precautions and 'they' left out the most obvious one

      Something else very interesting turned up last night. I went to order a blanket (err, "duvet") and some one else's credit card is listed in my payment options. That'll be interesting to run by Amazon.

      1. Kiwi
        Pint

        Re: All those precautions and 'they' left out the most obvious one

        some one else's credit card is listed in my payment options.

        I was wondering if that was the case with the story myself. Not that someone had 'hacked' the account but that somehow a fault in Amazon's system was crossing cards and accounts (or devices and accounts etc).

        How many people, when things are working as expected ("I click on 'Watch the movie' and I get to watch the movie" or "I buy stuff and it arrives") don't actually pay any attention to making sure it truly is working as expected? People who buy a lot of little trinkets and other things all the time tend to have so much going on in their accounts (and maybe not much going on upstairs) that incorrect billing wouldn't be noticed.

        And then there are those who properly filled out the forms, yet for some reason Amazon never charges their credit card so they happily purchase stuff, never bothering to notify Amazon nor ever considering that those charges may be getting paid by someone else.

  12. Anonymous South African Coward Bronze badge

    All your Amazon accounts are belong to us.

  13. cantankerous swineherd

    delete payment methods from the Amazon account, job done.

    1. TwistedPsycho

      We could of course go whole hog and remove all our cards from Amazon, go to the local supermarket and buy Amazon gift cards £100 at a time to register.

      1. Tony Paulazzo

        *remove all our cards from Amazon*

        Or do what I do, have an online only debit account with a limited amount of cash in there, strictly for everything online. Online banking makes it simple to transfer cash from one account to another in seconds.

        Point of fact it would take a bank seconds to create an online limited pool in your main account that texts a needed response to you whenever anything gets paid for, even quicker!

        But yeah, not showing all connected devices in your Amazon account should be grounds for an FTC / ASA investigation.

        1. batfink

          What happens if that account goes into overdraft?

          1. Tony Paulazzo

            It won't go into overdraft, no overdraft facility. Strictly a debit account, so cash must be in there.

            1. Anonymous Coward
              Anonymous Coward

              Remember to also ask them to cancel the "shadow Overdraft". That's the one you don't apply for or know you have and the bank won't tell you about it.

              Although I think this was due to be stopped when the new overdraft laws came into force.

              1. Kiwi

                Remember to also ask them to cancel the "shadow Overdraft". That's the one you don't apply for or know you have and the bank won't tell you about it.

                Had that bit of joy with the ANZ (who I am no longer a customer of nor will ever deal with again, fsck you very much!). Done without my asking or authorisation, charged IIRC $20 every time for the privilege. Got very pricey once when I was out for a weekend and did a gas purchase knowing I had about enough in there but not sure exactly how much (like I knew it was about $45 but was it $45.60 or $45.70?). The purchase went through. Later I bought lunch meaning to pay with the cash I had in my wallet, only remembering my account was empty a millisecond after I hit "enter", but the payment went through. I thought that perhaps my boss had been nice to me and put my pay through on the Friday since I was going away (instead of the Monday) so over the weekend I happily spent, getting charged $20 each time.

                The bank of course refused to refund the charges even though they'd put the thing on without my approval or even notifying me. Took a complaint to the banking ombudsman to get my money back. Oh, and about $70 worth of purchases (filling the tank and a few pies/drinks here and there) netted me nearly $300 in 'fees'.

                Never again ANZ. No wonder you so consistently get awarded "NZ's worst bank".

            2. NetBlackOps

              Try explaining that to Bank of America. Even my debit card can go into overdraft despite me explicitly telling them, via their form, that they are not to allow it.

        2. Anonymous Coward
          Anonymous Coward

          FTC is American, ASA? What has the advertising standards agency got to do with it?

  14. MatsSvensson

    Magic tool

    "this time, this guy pulls out a magic tool and tells me where the purchases were made"

    Wanna bet, that magic tool was some raw SQL or similar typed in?

    1. YetAnotherLocksmith Silver badge

      Re: Magic tool

      If you think a 2nd line tech gets "raw SQL access" to the whole of Amazon's payments system, think again!

      But if you're correct, then Amazon have much bigger issues than a few rogue smart devices.

      1. Anonymous Coward
        Anonymous Coward

        Re: Magic tool

        Back when I was a 2nd line tech the whole team had raw SQL access to millions of card payments so I wouldn't rule this out.

        Not as big as Amazon I admit but then their tech only needed access to the devices table or equivalent.

        AC to prevent you finding out where, it's actually one of the most secure places I've worked!

        1. Anonymous Coward
          Anonymous Coward

          Re: Magic tool

          Yeah a very, very big company has a 'PCI compliant' system where they don't know your admin passwords into your(their) system. Whenever they want to do work for a support request they need you to open up an admin account for them temporarily.

          However after not much time, due to the inconvenience, they just cut the encrypted password for the admin user out of the SQL database, added their default one in, did their work and then reset it back afterwards (most of the time).

          Another, very big, top tier payment provider had a system where, to make some of the lower level customisations, they logged into the system. A small mistake by them while they were working remotely and I now knew their master password to their payment system and many other passwords to other systems which they used across their client base. Their password was surprisingly rude and unprofessional for a company of that size so I suspect it was the same password that had been around since they were a much smaller company.

          1. Angry IT Monkey

            Re: Magic tool

            It doesn't mean the passwords are old, how many of us have worked at big companies where *none* of the staff were rude and unprofessional?

            1. Anonymous Coward
              Anonymous Coward

              Re: Magic tool

              I have, you wanker.

            2. Anonymous Coward
              Anonymous Coward

              Re: Magic tool

              It doesn't *mean* that. Hence the wording *I suspect*, to reference an opinion.

              However adopting a password like the one they used as a universal superadmin password, seemed very unusual and was of a short enough length that it would've been unlikely to be used by any serious company at that time. I'm not going to put the password here, but I think most would agree it seemed like it wasn't a recent company decision to use that password and that password policy.

        2. Anonymous Coward
          Anonymous Coward

          Re: Magic tool

          Raw SQL access is all fun and games until Little Bobby Tables phones up with a customer account query.

      2. Kiwi

        Re: Magic tool

        If you think a 2nd line tech gets "raw SQL access" to the whole of Amazon's payments system, think again!

        Ahem.. If 'complete strangers' manage to be getting such access...

        (But your implication - perhaps lower-level techs do get such access, and perhaps one (or more) of them is actually responsible for the problem in the article?)

    2. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    Giant Shortcoming in Amazon Customer Services?

    Who would have thought it.

    Not me and probably not many here.

    Amazon just want two things.

    Your money and your data. (like many others in this day and age)

    You pays your money and takes your choice.

    I choose NOT to do business with Amazon unless I really, really, really have no other choice.

    1. Not previously required

      Re: Giant Shortcoming in Amazon Customer Services?

      I also prefer to shop elsewhere unless Amazon is the only source - but that's about ethics and convenience. The limited amount of shopping I do on Amazon presumably poses the same security risks as if I made multiple purchases daily, in the context of this story.

      Whatever faults there are in the OP's story, the fact that account owners cannot see and delete all the connected devices is clearly a security risk.

  16. quattroprorocked

    ICO and GDPR anyone?

    Clearly not taking their duty of care seriously.

    ALL devices MUST be visible to users and first line support.

    How did they ever design such a system in the first place?

  17. zaax

    This is very bad, the national papers should get a hold of this

  18. Tom Melly

    Why is anyone blaming anyone but Amazon?

    This is a clear and serious problem with Amazon, yet, somehow, some commentators on here are suggesting the customer is at fault? Are you insane (or just work for Amazon)?

    1. Kiwi
      Trollface

      Re: Why is anyone blaming anyone but Amazon?

      Are you insane (or just work for Amazon)?

      Well, most of the posts in this thread seem to have a solitary downvote. I guess Amazon's most loyal fan and all his friends are here!

  19. VulcanV5
    Unhappy

    Amazon takes security seriously. As in my case.

    This is the text of an email I received out-of-the-blue from Amazon a couple of weeks ago:

    Hello,

    We are writing to let you know that your name, email address, and phone number were disclosed by an Amazon employee to a third-party in violation of our policies. As a result, the employee has been terminated, and we are supporting law enforcement in their prosecution. No other information related to your account was shared. This is not a result of anything you have done, and there is no need for you to take any action.

    Sincerely,

    Amazon Customer Service

    Please note: this e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

    So. That's all right then. No-one at Amazon for me to talk to, no further details available. Employee. . . terminated. Ah. (email from no-reply@amazon.com, not amazon.co.uk).

    1. Not previously required

      Re: Amazon takes security seriously. As in my case.

      Terminating the employment would be appropriate. Terminating the employee seems a little on the harsh side.

    2. Zippy´s Sausage Factory

      Re: Amazon takes security seriously. As in my case.

      I genuinely hate those "no reply" emails, and I tend to send a snarky email to support every time I get one. In this case, the use of one is spectacularly awful.

  20. lglethal Silver badge
    Facepalm

    So they've tracked the Perp, right?

    I kind of doubt that any TV (smart or otherwise) has the ability to start obfuscating its IP address or using VPNs to bounce around the world, so the rep got the IP address for the TV, and passed it over to the relevant authorities, right? And they've got in contact with the ISP, and gone around to the address provided by the ISP, and collared the miscreant, right?

    If none of this has happened, you really have to ask the question why not? It would seem this really does fall under the "low hanging fruit" branch, since the usual obfuscation that a crim can make is unlikely to be available from a TV. Go after them, and maybe you can learn how they got into the account in the first place and do something about it.

    But I'm dreaming, aren't I? As if anything will happen...

    1. stiine Silver badge

      Re: So they've tracked the Perp, right?

      It's an Android device; how can you say it can't run a VPN over port 443 to exfiltrate everything about your TV's environment to Samsung/LG/etc.?

    2. Anonymous Coward
      Anonymous Coward

      Re: So they've tracked the Perp, right?

      Android TV is basically full Android - there are definitely VPN apps for it, e.g. NordVPN for Android TV.

  21. Captain Scarlet
    Alien

    Dont save credit cards on site

    I hate sites that insist you have to have a card saved, Amazon being one of them.

    I would prefer the bother of putting in my card details every time (Including on mobile type stores such as Google Play Store).

    Then again most people call me an alien for being paranoid.

    1. R J
      Big Brother

      Re: Dont save credit cards on site

      My thought exactly. I wouldn't trust writing down my credit card details on a piece of paper and hand it out to the staff in a shop I go to every now and then just because of any imagined convenience. Much less do the same online.

      I never save those details online. And if some stupid site does it for me, I delete it at once and stop using that site.. but of course, Amazon (and the others) want you to spend your cash as easily as possible, and don't give a damn about your security, privacy or data. Well, ok.. they care about your data, since they'd LOVE to sell it onwards.

    2. Jamie Jones Silver badge
      Joke

      Re: Dont save credit cards on site

      I think they call you an alien due to your thumbnail pic ^^^^^^^^^^^^^^^^^^^--------------->>>>>>>>>

    3. anonymous boring coward Silver badge

      Re: Dont save credit cards on site

      I'm not downvoting you just because I disagree.

      But if you send your card details to someone they are likely stored, even if you aren't able to recall them for your own usage later. I don't have a problem with actually seeing and using my stored card details on, for example, Amazon, Paypal, eBay, etc.

    4. MachDiamond Silver badge

      Re: Dont save credit cards on site

      You aren't paranoid at all. Convenience = less secure.

      I continue to get paper bills/statements in the mail wherever possible and pay my bills manually. I don't use Amazon, but I do buy things off of eBay using Paypal. I never opt-in to automatic or one-click payments. I've been through the automatic payment hell cycle before. One time when I moved it took months to get my Sat TV cancelled (new flat had cable), etc. With manual payments, I'm not out the money every month until I get them sorted out. I'm also able to pay bills when there is money in the account. I've had automatic payments get deducted before my paycheck was posted due to a bank holiday that delayed my direct deposit and the bank deciding to place a hold on the money that they had never done in the past. It's in their fine print they can do that and it cost me several hundred in fees upfront since everything gets submitted twice. I did get about half of the fees reversed, but it took a month. In the mean time I'm eating Ramen noodles or beans on toast for most meals.

      It's much easier to stay on budget if it takes a little bit of work to buy stuff. When all you have to do is see something shiny and twitch your index finger, you lose the thought process where you should be asking "do I really need this? Do I really need this now? Is this a good price?" I pay for most stuff with cash. No cash, no buy. I might fancy having a nice steak for dinner, but if I don't have cash in pocket, I'm not going to be able to splash out for it. If I have my whole paycheck available via a small piece of plastic, I can get in real trouble. What I really want is to pay off the mortgage and get a new(ish) car.

      Make it hard for anybody to get your money, authorized or not, and you'll be in a better position when your favorite online merchant is hacked. When, not if. If you opt out of them retaining your card number, there shouldn't be any leak. If they did keep the card on file, they owe you big.

  22. Peter Galbavy

    This is odd, because "yes" if you look under "My Devices" you only see Amazon branded ones, but if you go to "Manage My Devices" under the Kindle page(s) you see all your connected/permissioned "apps", including those running on non-Amazon kit: https://www.amazon.co.uk/hz/mycd/myx#/home/devices/1

    1. batfink

      Of course - the Kindle page would be the obvious place to look for a listing of your other devices.

      1. PeterI

        Hmm my Samsung smart telly shows up on my amazon account under the prime video tag, it doesn't show on the kindle page.

        https://www.amazon.co.uk/gp/video/settings/your-devices/ref=atv_set_your-devices

        along with the iPad & phone.

        1. Ma Sh

          Samsung TV and Bluray player

          Just looked at my Amazon Prime Devices and aside from various iOS devices, can see the following:

          Samsung Smart TV (Samsung Hawaii)

          Samsung TV (Samsung TV)

          ... which I think are the Bluray player and then the TV.. Weird it comes up as Hawaii though...??

          1. Anonymous Coward
            Anonymous Coward

            Re: Samsung TV and Bluray player

            Um.. This could be quite important to the whole story... Have you alerted the El reg journo?

        2. Jamie Jones Silver badge

          Blimey. I don't use Amazon on the android, yet that page shows 5 android devices registered... Unfortunately, it doesn't show anything else.. Usage details would seem obvious to include...

    2. joshimitsu

      I can see my PS3 registered there, and phones running the Android apps for Kindle and Prime Video.

      The list even includes a VM running under Bluestacks.

      Amazon support should have pointed this out.

      BTW I don't think TVs should be allowed to order stuff beyond movies - was this because of the Alexa integration? "Alexa order some more toilet roll".

      1. Captain Scarlet

        "Amazon support should have pointed this out."

        They are probably unaware.

      2. Stoneshop
        Big Brother

        BTW I don't think TVs should be allowed to order stuff

        Ordering stuff is what I do (or not), and I'm not delegating that to some device that pretends to be smart.

        1. John Brown (no body) Silver badge

          Re: BTW I don't think TVs should be allowed to order stuff

          "some device that pretends to be smart."

          The device doesn't pretend to be "smart". The act of pretending implies intelligence. It's only marketing that tells you these devices are "smart".

          For that matter, it still sounds like an odd word to use here in the UK. We don't really use smart to mean clever in the UK. We would normally use...erm....clever. Or bright. Smart usually means well dressed, smartly turned out, wearing your best suit etc.

          1. Kiwi
            Pint

            Re: BTW I don't think TVs should be allowed to order stuff

            Smart usually means well dressed, smartly turned out

            Think you hit the nail on the head right there.

            When you look at the polish/newshiny on many "smart" devices (especially what comes from the coloured pencil dept), it's your very definition that they come under. When you look at the insides - well, neither "smart" nor "clever". Perhaps that's why so much effort is put into making it harder for people to open them up, less chance we can see what a WTF??? they have inside.. :)

    3. Alterhase

      The fact that all your devices appear under the Kindle pages on "Manage My Devices" jibes with the reference in the original story to a Kindle support person being able to see the rogue device.

  23. Loyal Commenter Silver badge

    How do we know it was actually a TV?

    It might have identified itself to Amazon as a TV. "Samsung Huawei" makes me immediately suspicious that it was not. Presumably the connection is done over the internet.

    I'm sure I could open up Fiddler right now and make an API request to one of Amazon's publicly accessible APIs telling it all sorts of things that aren't true, including user agent, IP address et al.

    I suspect an undisclosed flaw in one of Amazon's APIs that allowed someone to set up a spoof device and make purchases through that 'device', no TV involved.

    1. ChipsforBreakfast

      Re: How do we know it was actually a TV?

      It seems some devices do show up and others don't. For example, I have two android devices linked to my account, only one of which is shown. Likewise, I have a VM STB linked which isn't shown anywhere.

      There doesn't seem to be any rhyme nor reason to it - the Androids were linked within minutes of each other yet only one appears....

      I suspect there are some fairly serious issues within the Amazon API & associated front end that Amazon aren't being very forthcoming about, the sort of issues that are ripe for a nasty media story and a severe slapping from the ICO when the extent of the problem finally comes out.

      I think I'll be re-evaluating my exposure to Amazon services unless they resolve this issue very quickly and openly.

    2. Carpet Deal 'em

      Re: How do we know it was actually a TV?

      Another comment mentioned seeing a "Samsung Hawaii" on their device list, so it's possible he just misheard him(one's been in the news frequently for a while, after all, while the other would sound like an internal codename that's being leaked).

  24. sketharaman

    Uh oh, I didn't know there was something like linking a device to an Amazon account (although I know about that feature in Google accounts). Does anyone know where I can find the feature on Amazon's website to link a device?

    1. Jamie Jones Silver badge

      Me neither. And when I read this article, I assumed it wasn't active on my account, but I checked the link ("Peterl" posted it above, https://www.amazon.co.uk/gp/video/settings/your-devices/ref=atv_set_your-devices) and I had 5 android devices linked! Not any more!

  25. Anonymous Coward
    Anonymous Coward

    And these folks PAY for this privilege

    You should just say thank you and keep paying your 120 bucks a year for this added benefit.

    Amazon is your God!

    Just surprises me that people pay for the 'right' to shop somewhere. I don't pay the department store just so I can shop there.

    1. Kiwi
      Pint

      Re: And these folks PAY for this privilege

      Just surprises me that people pay for the 'right' to shop somewhere. I don't pay the department store just so I can shop there.

      I'm surprised (and somewhat saddened) that in the 8 hours since your post (at time of writing obvs) I'm the only one who's given you a much-deserved upvote!

      Strange how us old curmudgeons who do most of our shopping at B&M places don't have even the slightest exposure to these sorts of risks (or, where we use cash, exposure to any sort of account/detail linking/selling etc scams/'standard business practices').

      (I wonder if I can use this Amazon issue to create a dozen or more El Reg accounts to give some extra upvotes to deserving customers? :) )

  26. Stevie

    Bah!

    Everyone is banging on about the best way to use the Amazon payment system, but to me the thing that is ringing WAY out of tune is the fact that there can be devices attached to an Amazon account that the owner of the account cannot see, and administer out of existence.

    This is the key factor in the whole sorry story (it is a mark of how inured we've become to such things that I don't say the original unauthorized access is the key factor - though it should be of course).

    Why devices attached to accounts are not announced in the dashboard, and why they take such effort to be rid of is the real story.

  27. ratfox
    Devil

    Dark pattern + invisible subscription = profit

    So we did have weird AMZN... charges on our credit card, which didn't show up in the account on the Amazon website.

    I called them just to check if it was really them, and the the guy immediately says yeah, I see those charges, they're for your Kindle subscription. What Kindle subscription?

    1) Turns out that when you install the Kindle app on your phone, you get one of those magical dark patterns, which looks like this: screenshot

    If you hit the big yellow button in the middle, you need to remember to cancel within the week, otherwise the free pass is renewed into a paying monthly subscription. I guess the back button is the only way to refuse the offer.

    2) Their customer support could see our Kindle subscription, and the charges. However, we could not. Neither were showing in our account. Seeing the charges on the credit card was literally the only way we could notice anything was wrong...

  28. Anonymous Coward
    Anonymous Coward

    Amazon Prime Video device management link is separate to shopping

    Amazon UK provided me with two links:

    Prime Video device management:

    https://www.amazon.co.uk/gp/video/settings/your-devices

    This includes my registered TV, and enables me to see all devices registered to use Prime Video - and de-register them, or register a new device.

    Would this link have solved fidelisoris' problem?

    Kindle and shopping apps:

    https://www.amazon.co.uk/mycd

    This has my Kindle and Kindle apps registered. If I had other devices like Alexa that would be here too, apparently.

    I also use an iOS Amazon Shopping app. I don't see that anywhere, but it might be included with one of the Kindle registrations.

    I think this design, separating Prime Video and Shopping App device management so completely, is very poor and might fail GDPR Article 25 - Data Protection by Design and by Default. I imagine it would be easy to include all devices on one page, probably in separate sections on the page.

  29. Anonymous Coward
    Anonymous Coward

    On the Kindle pages, there is a reference to 'All Kindle transactions are completed with 1-Click. Changes made to your default 1-Click method will apply to future Amazon.co.uk 1-Click transactions, but will not change your current active subscriptions'. There is an option to cancel 1-Click; I wonder if this is the payment method used by non-Amazon devices?

    I have one Kindle registered. The card used on Amazon was changed about three months ago and the new card is shown as the default 1-Click payment method, despite me not having charged, used or bought Kindle content for well over a year.

    1. NetBlackOps
      Thumb Up

      Now that's an interesting observation! Disabled it here for all browsers and devices and, yes, it's explicitly on that page that it applies to all devices when you universally kill it.

  30. Anonymous Coward
    Anonymous Coward

    Seriously

    Why doesn't everyone use a prepaid debit card for online purchasing/subscriptions?

    I use one of those (Pockit, or however the hell they spell it), which means if my account gets hacked, apart from the cash on it, they cannot use it for anything else.

    I am seriously amazed that people link their credit or debit cards to any online thing.

    Cheers… Ishy

    1. Kiwi
      Pint

      Re: Seriously

      I am seriously amazed that people link their credit or debit cards to any online thing.

      On that we can agree!

      Limit the exposure, limit the risk, limit the loss. Sure you might be able to get the charges reversed in time, but that doesn't help you when your bank acc has been drained and you have immediate costs that need to be dealt with.

      1. MachDiamond Silver badge

        Re: Seriously

        "and you have immediate costs that need to be dealt with."

        That's my biggest fear. All of those other bills also will have late fees, etc. If it's something big like a car loan or mortgage, the late will go on your credit report as well. Those other creditors also aren't going to care that you got pwned, only that your payment to them was late/missed. While you may get charges reversed and funds put back into your account 60-90 days down the line, it could be a couple of hundred in lates/fees that aren't going to get reversed.

        I use prepaid cards on road trips. Petrol pumps are a favorite target for card readers, along with little out-of-the-way shops you might think a little dodgy but don't have much choice about late at night when you need something. Out-of-towners are a big target. You are probably buying lots of stuff on a trip and it would be the business to try and sort out where your card got compromised. Some issuers seem like they want you to investigate fraud yourself to be able to claim the protection. Yeah, you wind up paying a bit extra for the prepaid card, but it's insurance against getting somewhere and not being able to check into a hotel because your card has been compromised. I also bring enough cash with me to pay for petrol to get home and a meal or two. I could sleep in the car if I had to, but I don't have any way of creating petrol to put in the tank. The other bonus is cash works if the network is down at the petrol station.

        1. Anonymous Coward
          Anonymous Coward

          Re: Seriously

          Here in the UK Revolut is an online pre-paid account with real and virtual cards. I've not paid any charges using it. I get a notification on my phone app often before the merchant's terminal has printed the receipt. And it works - I forgot to top up (my bad) and my Ring subscription got declined.

        2. Kiwi
          Happy

          Re: Seriously

          I also bring enough cash with me to pay for petrol to get home and a meal or two. I could sleep in the car if I had to, but I don't have any way of creating petrol to put in the tank. The other bonus is cash works if the network is down at the petrol station.

          Same. I keep cash or petrol vouchers in the bike helmet and in a tucked-away place in the car (after all, if someone breaks into the car and steals the contents of the glove box, having $100 in there isn't going to help me - and that's one of the more likely ways I'll wind up wallet-less). I can find a hay-barn or bridge or something on the bike, the car's big enough to pass a night or two, but no cash = no gas.

          Recently a nearby suburb had a power cut. It was interesting seeing the blank stares on the faces of people who couldn't contemplate the idea of using something so outdated and unfashionable as cash. But while they were panicking about how long the power would be down, I was still shopping and going about my business as if nothing had happened (and enjoying the lack of artificial light and especially the lack of canned muzak!)

  31. Anonymous Coward
    Anonymous Coward

    Culprit

    Clearly it was Elliot with Tyrell in tow.

  32. anonymous boring coward Silver badge

    "For those who suggested that the account should be abandoned and a new one created, I agree that is certainly the best move for security purposes."

    I use my Amazon purchase history to re-buy things I bought years ago, even a decade ago.

    It's too useful to just abandon for the off-chance that it will fix a problem.
