10 Aug 2012

Amazon Changes Security Policy to Avoid Identity Theft

Amazon customers can no longer change account details such as e-mail address or credit card number over the phone.

Up until Tuesday, August 7th people were able to call in and modify their Amazon account data, changing, for instance, the e-mail address associated to their account or their credit card number. For identification the caller only needed to provide name, e-mail address and mailing address.

Since all this identification data can be easily found on the Internet, calling in to change settings proved to be a liability for Amazon users’ privacy. Hackers figured that out as well when, last week, Wired reporter Mat Honan had his Amazon account hacked, identity stolen and digital life destroyed. 

Wired.com writes in an article how they “discovered Amazon’s policy change on Tuesday after [they] failed to replicate the exploits used on Honan this weekend.”

The adjustment made by Amazon this week was a security measure customers needed for their protection. Otherwise the unfortunate Mat Honan incident would have been only the first in a long line of malicious impersonations.

The old policy made it easy for criminals to illegally get their hands on sensitive data of unwary victims, giving them the opportunity to access other online accounts to publicly post in the name of the victim, create controversy, or dispose of data important for the owner. And if the victim has no backup, the ugliness can be irreversible.