The title of this link is very misleading. Amazon is actually going out of its way to provide excellent customer service, and is being exploited by a scammer. It is therefore not "Amazon's Scam", but a scam perpetrated against Amazon.
As to whether or not something should be done, this is a sensitivity/specificity tradeoff. Too far in the other direction of distrusting customers and Amazon ends up like Paypal.
Paypal's customer service isn't bad because they don't trust the customer in terms of authentication - it's bad because they have horrible policies in place, and their reps are unintelligent, untrained, and unhelpful.
In any case, some authentication aside from "Full Name" would be nice. When I was with Liquid Web, I had a pass phrase set up, which I could pass off as regular conversation even in a crowded room without anyone suspecting it was my authentication. That works best. Even a birth date and city of birth would be better than a name.
> Paypal's customer service isn't bad because they don't trust the customer in terms of authentication - it's bad because they have horrible policies in place
This is true. I got locked out of my Paypal account because I had the audacity to log in from a nearby country (Germany). Fair enough, though maybe a bit overzealous. To get control back they then had to charge a small, random amount of money to my account and phone my registered phone number to give me a code to input. Reasonable, perhaps, except that it didn't work! and to this day still hasn't. I can't count the number of times I entered in the code. So I just created a new account with an alternative email instead . . .
This was a few years ago admittedly, so maybe they're better now, but it's one thing to have overzealous policies and quite another to implement those policies poorly. And that's not even getting into the one time I actually needed PayPal buyer protection, because I'm sure we could all be sharing PayPal horror stories all day if we go down that road.
As such, perhaps you have some interesting insights into what might be causing PayPal's uniquely poor (it seems) CS record? It seems that the majority of PayPal's public CS failures could have been avoided with a minimum of, well, intelligence, training and helpfulness.
I don't know what the hell you were doing then because I've never had any good interactions with Paypal. Ever. Last time I tried disputing a charge when the seller disappeared on me (and several other buyers) I couldn't even get a response from PayPal at all. That was the last time I used it.
FWIW customer service survey results were not bad at all but it was five years ago, I know nothing about current situation, and each market is different.
Exactly. This is why we can't have nice things. Here is a company that has given its CSRs enough power to resolve issues, and someone is taking advantage of it. Clearly, they need to implement something like the pin number challenge Chris mentioned, but I for one am impressed that Amazon trusts their customers to this extent. Someone has just found a weak link to exploit, and Amazon needs to fix it, but I hope this doesn't make them change their policy of trusting the customer.
I'm mostly surprised they allow so much power to phone reps. In my way-too-many years of using Amazon I've had to call them precisely once, about trying to get an SSD replaced that had died just outside of warranty (yes, they did replace it). I've placed at least 150 orders with them in the last three years alone, probably closer to 200, and have had to perform a handful of returns; all but that one were done online, very easily, and that special case existed only because I was outside the standard return window.
As the article points out, their web-based security seems pretty darn solid. Nearly any account change requires reauthenticating with your password, and only recently did they start to roll out support for a more persistent auth for viewing what most people would consider non-critical info (order history, etc). With the exception of a phone-based password reset - which should not cause a problem like the one described here - they could require even a web-based PIN (behind the login-wall, of course) for chat and phone support; live chat could skip this if the user already has a fresh auth.
I hope for everyone's sake that Amazon is able to prevent this kind of problem without harming their fantastic customer support. There's a reason I've averaged an order every 5.3 days this year (I can stop any time I want to, but thank you for your concern!)
As a customer, I would prefer they do _not_ trust people claiming to be me. I've called customer support all of once, and almost never buy anything from Amazon these days, so anyone claiming to be me probably isn't. I'm not impressed, and would like them to stop doing that, since otherwise the safest thing is for me to close my account.
I suspect this is a result of their attitude towards re-orders due to delivery issues; it would make sense that if CSRs are told "if a user wants a re-order, just do it" that they'd not really consider the implications of allowing them with a new address, because their attitude is do whatever to keep the customer happy.
I had a delivery of a game go missing (~$60 cost) so I opened a live chat and explained, then they shipped me a brand new order (which arrived!) without any hassle or confirmation that my prior delivery had really been stolen. This seems like a trivial thing to abuse (and I'm sure many do). After my free re-order was placed I thought "that was cool, I'll order from Amazon in the future just in case...".
The same thing happened to me. Afterward, that prompted me to sign up for Amazon Prime. I had decided that if they were going to take care of me like that then I may as well dive right in. My Prime renewal is coming up in a few weeks and I will be renewing it. Hell, my girlfriend and I order light bulbs and various trivial household items via Amazon now. They've made it so easy for me. It sucks that people are taking advantage of that.
I once ordered an item by mistake (oops, one click shipping!) I should have paid attention. I requested to return the item and fully expected to pay the shipping costs back. I explained that it is MY fault. They still told me that it wasn't a big deal and that they would cover the shipping back.
I'm not sure what the proper solution is. I don't want to lose that helpfulness, but I hate for them to get ripped off, too, due to assholes. They've been very good to me and have quickly addressed any issue I've ever had.
When my kindle broke (within one year though only barely) I asked if they wanted a picture of the error (frozen screen). I was told they don't need it and my brand new kindle (with added 3g, the broken one was wifi-only) should arrive in the next 2-3 days. So yeah, I hope their service stays as awesome as it is.
On the other hand, the stuff recommended in the blog posts would be easy to implement without really making it more of a hassle (only ship to places already listed, ask for more than name, mail and address, collate chats).
I'm sure that is what they are counting on and once it happens to people they probably become very loyal customers. At a previous place I lived my neighbors stole two Amazon packages from my doorstep. Amazon had no problem not only sending out replacements, but sending them to my work address instead. It made me very much want to order from Amazon from then on.
This customer service model, where the CSRs go above and beyond to help the customer with as little hassle as possible, is what built the initial customer base for Newegg. Those customers have largely remained loyal even though other online retailers have caught up in price. This is also what made Zappos very popular (eventually bought out by Amazon). So the strategy clearly works. I assume Amazon has calculated that the number of frauds is greatly outweighed by whatever business is generated from returning customers and great PR.
Your model should be made more dynamic, to include that Amazon can adjust to new fraudulent methods. Once a method is discovered for making fraudulent purchases, it will be reused and broadened. Like the story of the Dutch boy and the dike, it will get larger and larger until it collapses. Amazon no doubt figures that they can plug the hole early enough, and reports like this are part of that detection system.
I ordered a TV from Amazon last week that never showed up. I don't know if UPS messed up or if it was stolen off my front step. Either way, I appreciated Amazon trusting me and dropping another one in the mail without making a big deal out of it. While it seems like Amazon have ignored this issue to date for all the right reasons, they may need to start addressing it since it obviously affects their real customers with worrying emails & the chance of being viewed with suspicion later on.
Surely not. A company the size of Amazon/UPS doesn't need to pay someone else to shoulder the risk of them losing $500 now and again. But it must be factored into their margins.
No it's not. If you book it under "Unplanned expenditures" then you're not insured. If you try to determine your risk in such a way that you can budget a fixed sum for coverage and reasonably expect not to exceed it (i.e. not an unplanned expenditure) in the same way an insurance company would do it, then you're insured.
It's literally a line item in the budget for unplanned expenditures. Sounds ridiculous, but you are planning for the unplanned. I'm just saying calling that "insurance" dilutes the meaning of what insurance actually is, which requires a transaction between two separate companies.
Speculation: They probably force the supplier or courier to foot the bill. Maybe sack the delivery driver with a carefully vague intimation that they've been stealing?
Well, that's super-paranoid. Amazon uses major name suppliers like UPS. So it's not their employee to sack. And I doubt UPS would allow Amazon to go around randomly accusing their employees of theft.
What Amazon does after first time shipping address changes (in Germany as of yesterday) is to re-ask for your full credit card number. After that the new shipping address is part of the account and valid.
But what I confirm is great customer service. Last week my sound card broke down after almost 2 years and it took about 5 minutes to get the return information and the according refund once the item showed up at Amazon. No hassle whatsoever with warranty issues and replacement of the original item, just a plain and simple refund.
That's what customer service should be like. And that things like that can be exploited is true, but that's equally true for almost all other things. If it's a calculated trade-off from Amazon's side there shouldn't be a problem.
I am surprised by your sound card story - I bought a graphics card last year where the initial batch had a lot of lemons, I got three broken graphics cards in a row and each time Amazon refused to help me insisting that I should go through the manufacturer RMA process since the 1 month return window was over.
Maybe that's the difference. I've been pretty surprised anyway since I didn't have the warranty slip ready (sometimes tidying up isn't that a good idea).
> This seems like a trivial thing to abuse (and I'm sure many do).
I can't speak for Amazon, but at my employer, when a customer phones up or e-mails the customer service rep immediately sees certain details - number of orders by address, lifetime spend, spend in last 6 months, age of account and address, percentage refunds, fraud flags and so on.
Needless to say, the more legitimate an account looks, the easier it is for them to get no-hassle refunds.
Heck, this happens at my company, and we're 2 co-founders and a CSR. This was literally one of the first things we built - as I imagine it must be for any biz that ships products to customers.
That's true but I'm sure Amazon has some form of blacklist somewhere in their risk management process. Or maybe that is not tied to CSR changes and only in order processing.
Having shipping patterns change, especially to ship forwarding sites, is highly suspect. There are databases that can help flag these, either commercial or collected internally. I'm sure Amazon has a pretty extensive list.
> This seems like a trivial thing to abuse (and I'm sure many do).
I used to think the same of Netflix DVDs when I had the 5 out service. For the life of that subscription I had 2 never show up. I talked to the CSR and he assured me they keep track of these things.
I suspect that part of what they do is look at your (likely very long) order history, and make the calculation that it's better to just reship rather than risk losing you as a customer. It's the benefit of having so much order activity over so much time - they know exactly how much a customer is worth to them. That's part of why this scam works - it trades on the existing goodwill / history of a longtime customer to get Amazon to do something un-economic.
This thread reads like a giant love-letter to Amazon. As well it should.
Amazon is one of the best companies in the world. I've been buying physical books from them for the last 8 years. I've recently started buying audiobooks at Audible, and have even more recently purchased the new Kindle Paperwhite, and have been burning through many, many ebooks. The one time I had a problem with a physical shipment, they resent the book, no-questions-asked. From the looks of this thread, their customer service has stayed amazing.
My favorite Bezos quote, showing an approach that, over the long term, is amazingly profitable: "There are two types of companies: those that work hard to charge customers more, and those that work hard to charge customers less. Both approaches can work. We are firmly in the second camp."
By the way, I agree with the OP, asking a simple question to verify the credit card number would not hurt the customer service process, and would probably prevent some fraud.
He cites DRM, remote wiping of Kindles, sweatshop conditions in some shipping facilities, cutting off service to Wikileaks, squeezing small publishers, not paying enough UK taxes, and being a member of a right-wing lobbying group.
Most of what he talks about, I don't care about. I used to care a lot about DRM, I in fact swore I'd never do business with Audible because of DRM. Turns out, I care less about the DRM than about getting good content at a good price. It's also part of moving everything to the cloud - I'm more used to the idea of not having a "physical" bookshelf full of books, but rather a bookshelf kept by Amazon. It actually makes things easier for me as a consumer. Remote wipe I assume was a one-off.
About the other stuff, it doesn't really impact me as an Amazon user. The only thing I'm interested in is them squeezing small publishers, because I do want to make sure I keep having good content... but so does Amazon, so I trust them to work it out. I don't mind if Amazon becomes a large publisher themselves, it'll probably work in my favor.
In general, almost everything Stallman cares about is uninteresting to me, and the few things I think he's "right" about I think he takes to extremes that are, frankly, crazy.
> Turns out, I care less about the DRM than about getting good content at a good price.
As long as it's convenient. Not all DRM is equal. Even though I backup my Amazon books DRM-free, I only do it because it happens automatically when I connect my kindle to my PC. But compare that to the DRM in many PC games or the Audio CD DRM we had a few years ago. I'd rather skip a game than getting one that requires me to be online to play it in single player.
I have a lot of respect for Amazon; Bezos's quote definitely explains a lot of their appeal. So many businesspeople are so focused on short-term costs that they are unable to make long-term wins. Bezos has been busily crushing those people for nearly 20 years. I really hope American business culture eventually unlearns the MBA-school dogma that leads them to the charge-customers-more approach.
That said, Amazon definitely has problems. E.g., how they treat employees:
90% of these attempts at scamming the CSRs could be prevented if Amazon allowed me to provide a SMS address that they could send a message to for confirmation.
Every time I login to gmail over the web from anywhere but my personal computer, I take an (at most) 5 second pause while Google SMS's my cellphone and has me enter the 6 digit code. Failing that, in my wallet, I have a list of 12 Backup "Nuclear Codes" should I for some reason lose my iPhone and need to login to email in the intervening period while I get it replaced.
Unfortunately, what Amazon has to secure is almost every account. 2 factor authentication is great for the more security-conscious, but that's a very small percentage of Amazon's customers. All the scammers would have to do is hit one of the 98% of accounts that just have default security.
Sure, it can protect your account, but it can't protect Amazon unless they force everyone to use it (which would obviously not be good for building customer loyalty.)
GMail has a nice 2-factor scheme. While the SMS might need external services, the app-based verification keys are based on open standards and open-source code, and can be added to any web application with about 10 lines of code: http://code.google.com/p/google-authenticator/
There is even a Unix login module for adding it to SSH.
Amazon use the same two factor auth too. I've got my AWS account secured with the Google Authenticator app using TOTP codes as well as passwords.
It worries me that "consumer friendly" customer service leaks information like this, that could potentially lead to my AWS account getting suspended while fraud is investigated.
I've got real live client sites which I haven't (yet) migrated important S3/Route53/EC2/CloudFront services out of the "I'll just try this out on my account to see if it'll work" setup.
This is for authentication when you're not logged in. But that aside, yes, I too would prefer named cards. I don't think of my cards by their numbers quite as much as their issuers.
Sears built the reputation of Craftsman tools based on their unconditional lifetime guarantee; They also created a cottage industry of people searching yard sales, thrift stores and scrapyards for rusted old tools. A British clothing retailer (Marks & Spencer) was famous for an extremely liberal refund policy, which also made them a magnet for shoplifters and petty fraudsters.
I'm sure Amazon know how much this sort of fraud is costing them. I'm sure they've calculated that it's worth the cost, at least for now. Shrinkage is just another cost of doing business.
Worth the cost of asking for more information for the replacement of expensive items? It just takes a few more seconds to each rep and is surely shorter than all the new orders being placed for scammers.
Exactly. And what happens when a user needs a legitimate refund/exchange and Amazon then refuse because their account has had so much fraudulent account gone unnoticed? Not very good customer service at this point...
It's a scam, certainly, but it's actually great customer service policy. If the only risk is the loss of value of a product to Amazon, and there is no personal data loss for a customer directly, then it's actually an acceptable loss policy to Amazon.
They (and most good businesses) would prefer the majority of their customer base be able to get refunds and deal with order issues swiftly than have to jump through hoops to prove who they are. Certainly an SMS PIN or other authentication method would make it more secure, but there is no further customer benefit. The monetary loss to Amazon is basically a rounding error so why make things more complicated?
It surely appears a great customer service policy. Unfortunately, the cost of fraud, waste and loss is passed on to honest consumers in the form of overall higher prices.
It's probably true that Amazon can still offer generally competitive prices despite scams like this; but in principle, I agree with the OP. And not necessarily because it would mean slightly lower prices for myself or slightly higher profits for Amazon; but simply because I dislike knowing that I'm complicit in the scam for the sake of my own convenience. Especially when that convenience means having an item re-shipped to a different address that I never used before, which happens to be the address to a 're-shipping' organization.
> Unfortunately, the cost of fraud, waste and loss is passed on to honest consumers in the form of overall higher prices.
In Amazon's case it's also possible to argue that the cost of fraud, waste and loss is passed on to honest consumers in the form of overall lower prices.
Customer service policies like this are a significant part of what allowed Amazon to grow to be the company it is today, and Amazon has used that power (some would say abused it), to drive prices lower than they would otherwise have been on many items.
> Especially when that convenience means having an item re-shipped to a different address that I never used before,
I'm personally very glad that they allow this, having had to have a broken Kindle replaced whilst on holiday in a different country.
> having had to have a broken Kindle replaced whilst on holiday //
What would the negative repercussions of Amazon only shipping to the original verified shipping address have been - waiting a week to get your free replacement kindle?
I'd say it's ridiculous to re-ship to a different address based on an unverified claim of non-delivery; especially for high-cost items.
> I'd say it's ridiculous to re-ship to a different address based on an unverified claim of non-delivery; especially for high-cost items.
It is. But Amazon is a ridiculous company that doesn't follow the rules of common sense. Amazon would rather lose a little (in the scheme of things) to fraud and continually amaze its customers than to stick it to thieves and Amazon customers. The customer is king.
It's especially genius with the Kindle because even if it's sent to a thief they will probably make money on it from the Amazon purchases of whoever ends up with it.
It certainly sounds ridiculous on the face of it, but without knowing the level of this fraud it's difficult to actually judge.
If these are two of a tiny handful of instances where this has ever happened, and there's many thousands of people who have had replacements shipped to alternate addresses (e.g. work, or a holiday location) then the cost of implementing additional checks for this - even if that's just the man-hour cost of asking additional questions - could be far more than the size of the loss.
And that's ignoring any less tangible customer experience angles - there's several people in this thread alone who have said they are more likely to buy from Amazon again as a result of this kind of customer service. I had to chase a missing order up last week, and the simplicity of the interaction was amazing compared to the hours (or even days) of battling I've had with some other internet businesses when things have gone wrong, and that definitely has at least some impact on my future decisions to use the respective companies.
And as I read much more when I'm on holiday, and one of the reasons I bought a Kindle in the first place was so I didn't have to carry dozens of books on such a trip, I'm very glad that they were willing to ship it to not only a different address, but a different country.
It's great customer service, but what happens when the scam takes off and starts impacting their margins? Profits go down, prices go up, and customers start leaving.
This exactly. The net benefit to Amazon from improved customer service is likely worth the potential for a few lost products. Sure may be wrong, but to them it may just be a cost of doing business. It's not unlike many department stores' policy of not targeting a shoplifter-in-action in a mall, especially once they've left the store (mostly for liability reasons).
Interesting. I was at a mall last week where a security guard had caught a shoplifter, and the guard was downright friendly with the guy. It appeared that he was just going to let him go. The guard was asking the guy whether he'd shoplifted before, why he did it etc, but in a very relaxed conversational way. I hadn't thought of it as a customer service policy (both not to scare customers and keeping a potential future customer).
I also talked to a science-fiction / hobby store owner years ago, who mentioned that most of the shoplifters they caught had also been their best customers. (His policy was to ban them from the store, though.)
"many department stores' policy of not targeting a shoplifter-in-action in a mall"
Citation? I've never heard of such a policy. Every mall I've had knowledge of had a very extensive security organization that was pretty effective at targeting shoplifters-in-action.
Perhaps the CSRs use the email to pull up a history of previous chats, and by using a "new" email they can avoid the new CSR knowing about the previous ones?
That's my thinking. I assume they figured that because the account they were "chatting as" was so close, it might help. Or they thought it had a dot initially and found out they were wrong when the rep said there were no orders.
Amazon lets you chat without signing in and you can claim to have any email address you want at that point, so it's tricky to say if this was intentional (hoping the reps were "dot blind") or if it was just a mistake/bad initial guess.
As mentioned in some other replies, probably to legitimize it. As the author mentioned, they allowed the item to be shipped to a new address. If I'm not mistaken, a dot-email would be considered a new Amazon account, thus with no address associated with it, so maybe this helps the attacker in that regard?
It could also be that Amazon waives its same address policy only around Christmas as it knows that a) people are travelling and b) a missed Christmas present is a bigger deal than a normal missed package.
It might have figured that this would be an acceptable loss given that it can only be exploited once a year.
It's amazing that this scam seems like it's being pulled off from outside the US, via a re-shipping service in Oregon. Anyone know how vulnerable international Amazon customers are to this same scam? I'm thinking that the scammers require some sort of re-shipping service, which are generally not as widely available as they are within the US.
When these fraudsters use mail forwarding services, do they have the address registered with the credit card company, and do you guys check that?
I ask because I live overseas and use a forwarding service quite a bit, but several smaller shops do flat refuse to ship to me, meaning I have to ship to my dad's and have him send it to my forwarding service, which ups the price a bit. And it's kinda frustrating, as I do have the address registered with my banks.
At least reading a story like this one explains to me a bit why things are the way they are.
They usually don't since they may not have the bank login information or be able to pass the bank's verification checks in order to change the registered info. Even if they do, merchants many times won't check because it's very time consuming to call up the bank to verify shipping address.
That's unfortunate that it causes you the hassle. But from the merchant's perspective, especially if they have been burned before, ship forwarding services are high risk.
Look at it this way. When you place your order, to the merchant, your IP will be from overseas, the credit card will be based in the US, and you are shipping to a ship forwarding facility. This is very typical of what fraud looks like with stolen US cards. The problem is that merchants bear the responsibility and chargebacks are a big problem, so they may not want to take the risk.
Banks often approve transactions where the billing address doesn't match - this is because the financial burden of the fraud is borne by the merchant.
But the response does indicate whether the numeric portion of the street address matched and whether the zip matched. The merchant can choose to reject the order based on this information. In our case, we accept the order if either matches.
Many merchants also are looking at the IP location from which the order was placed. Depending on the country it may raise enough red flags to reject the order.
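Added example, not the commenters' or any payment processor's code: the checks described above (numeric street portion, ZIP, IP country, forwarding address) written out as a merchant-side decision. The function names, the `accept`/`review`/`reject` outcomes, the review rule and all sample addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


def street_number(line: str) -> str:
    """First run of digits in a street line, the part an address check compares."""
    m = re.search(r"\d+", line)
    return m.group() if m else ""


def zip5(code: str) -> str:
    """First five digits of a US ZIP or ZIP+4."""
    return re.sub(r"\D", "", code)[:5]


def avs_check(file_street, file_zip, given_street, given_zip):
    """Issuer-side comparison: only the numeric portions are looked at."""
    num, z = street_number(file_street), zip5(file_zip)
    street_ok = bool(num) and num == street_number(given_street)
    zip_ok = len(z) == 5 and z == zip5(given_zip)
    return street_ok, zip_ok


def norm(addr: str) -> str:
    return " ".join(addr.lower().split())


@dataclass
class Order:
    avs: tuple          # (street_ok, zip_ok) as returned by avs_check
    card_country: str
    ip_country: str
    ship_to: str


def decide(order: Order, forwarders: set) -> str:
    street_ok, zip_ok = order.avs
    # Rule quoted in the thread: accept if either part matches.
    if not (street_ok or zip_ok):
        return "reject"
    # Assumed extra rule: the pattern the thread calls typical of stolen-card
    # fraud (foreign IP plus a forwarding address) goes to manual review.
    foreign_ip = order.ip_country != order.card_country
    to_forwarder = norm(order.ship_to) in {norm(f) for f in forwarders}
    return "review" if foreign_ip and to_forwarder else "accept"


# Constructed sample data.
FORWARDERS = {"400 Reship Way, Portland OR"}
```

Because only digits are compared, `avs_check("123 Main St", "97201", "123 Elm Street", "97201")` reports a full match, which is why the thread treats the result as one signal among several rather than proof of identity.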
as someone outside the usa can i (1) thank you for selling outside and (2) ask what we can do to help avoid fraud / re-assure sellers when we are legitimate buyers?
i recently bought something and first emailed the shop asking if it was ok, pointing them to my online existence (blog etc). i don't really know if it helped (but they shipped - according to fedex the box arrived in santiago at 3am this morning - may be here today :o).
i don't use a shipping service, but was wondering about doing so (because they have clearer fees - dhl at least, in my experience, adds random extra "customs charges"). i guess i should not bother trying that.
i use a "virtual credit card" (a one-off for internet use, generated by my bank's web page, with an upper limit that matches the price, short expiration date, and valid only for single use). i feel pretty safe using that, but i guess that just protects me, not the seller (although if you can tell someone is using one then i guess it is not a stolen card). recently i have started adding my postcode to shipping details (they exist in chile, but most people don't use them and it doesn't appear on my credit card bill). i do always ship to my billing address.
i don't know what else i can do. i really appreciate companies that do ship - the internal market here in chile is limited, so this is pretty much the only way to indulge when i want something unusual.
[one positive note - a chinese company called audiogd that makes electronics (hifi dac) gave really excellent service, letting me disassemble their hardware and return only a single logic board that was faulty, rather than the entire (heavy, expensive to ship) product. i wish there were some way to reward companies like that. http://www.audio-gd.com/En%20audio-gd.htm ]
Couldn't this be fixed by Amazon just requiring you to be logged in when you start a chat with them?
Tiny bit of extra hassle for the user but is made up for by the fact that Amazon wouldn't need to bother asking any security questions to verify identity.
Yes, this. And in the few instances where they needed assistance resetting a password, that should be all they're allowed to do without logging in.
In the transcript, you'll see that the rep tries to offer a password reset before relenting and just giving the scammer every single order number for the past two months. Big mistake.
The "skip sign in" button is absolutely the vector being used to run these scams, and that's an incredibly good point. Though I can see there being some trouble for users who want a number to call off a packing slip without having to open the Amazon site to trigger the call first.
In this case the fraudster was logged in to an Amazon account. They created a new account using the alternative e-mail address and set the address differently to the original account.
They then claimed that the original account was lost due to the e-mail address being "hacked" and that they needed the order numbers. They then used the order numbers to request a replacement using their new account.
> They created a new account using the alternative e-mail address and set the address differently to the original account. //
You lost me.
So customer Andy Blogger has account ablogger@gmail.com.
Fraudster Bandy Logger creates account at Amazon using email address ab.logger@gmail.com and the verification email is sent to Andy's account (as Gmail is dot blind in email addresses).
How does fraudster Bandy confirm ownership of the Amazon account so he can log in and change the account's email address? Doesn't he have to create the account with the re-shipper's postal address, then confirm the account with an email address they control, then change the email address to the one for the Gmail account ... doesn't that look pretty damn suspicious?
How about recording a short video on account creation, speaking/signing name or something similar. Then reps could confirm ownership via video chat. Sure it would still be possible to abuse but would be a lot harder.
I just wish they would add some challenge that wasn't publicly available information. The rep admitted to me on the phone that "that's all we need, and we can do a lot with just that." They can't place new orders or add billing methods, and she claimed they don't have access to even see your billing information anymore (perhaps since the Mat Honan debacle?) but yeah, eager to please, clearly.
Actually, all the reps would need to do is look at your history. Like "You recently returned a book, can you tell me what book?", and it would be pretty hard to social engineer it from some other source.
In this day when everyone is bragging online about what they bought recently, it's easy to get this data.
I see limited options available to Amazon if they want to reduce fraud and at the same time increase customer satisfaction.
One option would be for Amazon to only ship the replacement to the address(es) that are on the account or better yet, only to the shipping address previously given with the order.
But again it could happen that the customer recently moved and forgot to update the address while ordering. Also could be that the customer made a genuine mistake with his shipping details and wants to change (say wanted it to ship to his new office instead of to his home).
Another option for them is to call the customer on his given phone numbers. Again, the customer could be traveling overseas.
So ultimately Amazon has to decide and I feel the best option for them is to lose money instead of troubling genuine customers.
Sure, why not? They're still up 100% y/y. Either you're long on Apple, in which case it's just a little bumpy right now or you were long on Jobs, in which case you closed your position out when he passed away.
I had a strange issue with my Amazon account a while back where I couldn't log in and when I finally could, all my account history was lost. I can't recall if it was my mistake (I've used dot-emails before), but this definitely reminds me of it.
As a Canadian shopper, the abuse of these shipping depots is a bit concerning to me, as I've used one of the depots mentioned in the post. These are such high volume shipping locations (to so many different addressees), I'm sure Amazon has shipped tonnes of orders to these locations and I'm wondering if they've investigated them before? These centers are very easy targets for abuse and I know Nike keeps a database of these addresses and blacklists them.
I'm not sure if they do it to prevent grey market exports or fraud, but (from a consumer perspective), I hope Amazon doesn't go this route.
Thanks to Chris Cardinal for taking the time to write this up! I think it's important to be aware of current fraud like this since a lot of HN readers are probably also amazon customers (as I am myself).
Also interesting to know about Gmail "dot blindness" - kind of like "plus addressing" you could use it to track who adds you to spam lists, by giving out different versions of your Gmail address to different vendors (not that most people have time for that - I've never done this).
Plus addressing looks like this: myusername+whatever@gmail.com sends to myusername@gmail.com, but some sites' email regex checks do not allow this, so dot addressing could be used instead.
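The dot and plus aliasing described in the comments above, as an added example that is not part of the original thread: a check a merchant could run at sign-up to see whether a new address delivers to a mailbox another account already uses. The function names and account ids are hypothetical, and the sample data is constructed from the addresses used in the thread.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part and any "+tag" suffix are ignored,
    so both are stripped. Other providers are only lower-cased, because
    their aliasing rules are not assumed here.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty Gmail local part: {address!r}")
    return f"{local}@{domain}"


def find_alias_collisions(accounts):
    """Group (account_id, email) pairs by canonical mailbox and return
    only the mailboxes claimed by more than one account."""
    by_mailbox = defaultdict(list)
    for account_id, email in accounts:
        by_mailbox[canonical_mailbox(email)].append((account_id, email))
    return {m: accts for m, accts in by_mailbox.items() if len(accts) > 1}


# Constructed sample data (hypothetical account ids).
SAMPLE_ACCOUNTS = [
    ("acct-1001", "ablogger@gmail.com"),            # original customer
    ("acct-2002", "ab.logger@gmail.com"),           # dot alias, same mailbox
    ("acct-3003", "ABlogger+shop@googlemail.com"),  # plus alias, same mailbox
    ("acct-4004", "a.blogger@example.com"),         # other provider, untouched
]

if __name__ == "__main__":
    for mailbox, accts in find_alias_collisions(SAMPLE_ACCOUNTS).items():
        print(mailbox, "->", accts)
```

A collision is a signal for review rather than proof of fraud, since the same person may legitimately register more than one alias.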
I will say this, since it's somewhat amusing, but it's the first time I've been scammed for negative $43 dollars. I wonder if the scammer figured that he could get me some hush money and hoped I'd let the rest slide?
Amazon actually distinguishes between accounts with the SAME email address but different passwords. I don't know of any other site that uses email as an account identifier and lets multiple people use the same one.
They don't allow you to do this anymore. Back when Amazon started, lots of families only had one email address from their ISP. They allowed you to make multiple accounts with different passwords for this reason.
Everywhere I've ever shopped and every ATM I've used shows you the last 4 digits of your CC#, why Apple decided to use the first 4 is beyond me. Maybe they just wanted to think different?
I, unwittingly, nearly pulled the same scam with Dell about 10 years ago.
I had a new notebook shipped to my house. It cost about $1600 new. The tracking information said it was delivered, so I hurried home to get it as I didn't want it on my doorstep. I get there, and no box. I checked the deck out back (where the UPS guy would sometimes leave things), and nothing. Crap.
So I call Dell, and after working with them for 20 minutes, I have a new replacement on the way. I basically had to "super pinky promise" that the notebook never really made it to me.
10 minutes later, my neighbor comes by and says "Hey, got a package for you!". Holy moly... I just social engineered the poor Indian lady at Dell. After a quick call back, the replacement is canceled.
To this day, I'm both shocked and very happy that Dell made it so easy. I like that they trusted me (a return customer) and tried to do the right thing. However, that trust is so easy to exploit.
I'm not sure what the answer is here. In this case, I can't blame amzn. I mean, they are trying to be helpful. How do you set up a system that's truly helpful w/o leaving wide gaps for scammers? Things like 2-factor auth, SMS codes, etc. will annoy most non-techies (IMO).
I'll vouch for the ease with which Amazon sends replacements for broken products. I've ordered obscure replacement phone parts (namely touch screens and LCD panels), but had issues with a couple. Amazon gladly refunded the defective ones on the spot, which allowed me to buy others right off the bat.
I really hope this gets stopped - I'd rather not have Amazon's generosity thrown down the drain because of a few scammers.
I'd like to point out that this is almost ALWAYS the problem.
People ALWAYS get hacked, not because they use "love123" as their passwords, not because their pc/mac wasn't up to date.
Nope. They get hacked because the security question asks for a pet name, or a school name, or a friend's name. Freaking easy.
They get hacked because support gives information without authenticating people. And so on.
I accidentally did something similar. I ordered an item, and paid for overnight shipping on a Thursday morning. The item didn't arrive as promised on Friday, in fact it didn't arrive until Wednesday the next week. That weekend, I called in complaining that I hadn't received my item. The label was printed Thursday, but UPS never picked up the package. They assumed it was lost and re-shipped my package. Lo and behold, I received both packages and ended up with a 2 for 1. I kept the extra still in the box for a month, figuring I'd get a call from Amazon eventually asking for it back - when I never heard from them I decided to sell it.
I wonder if I am being the target of this scam now too?
I just got an email from Amazon customer service asking if my recent customer service inquiry was handled satisfactorily. I've not contacted Amazon or ordered from them in quite some time. So I wrote them and told them that (I also linked to this blog post on htmlist). Their reply:
> Thanks for bringing this to our attention.
> It looks like one of our customers mistyped his or her e-mail
> address when placing an order with us. You have not been
> charged for anything as you didn't order.
Mistyped their email address? This seems unlikely to me, as my Gmail address is pretty unique and not likely "near" other people's addresses. I dunno, feels suspicious to me.
I find it interesting that people are still blaming Amazon for the Mat Honan iCloud hack, when it was Apple who was so lax in letting someone reset a password with as little as the last four digits of a credit card number.
Annnnnnnnnnnnnnnnnnnd Amazon terminated my account. Great. (And that of the other woman this happened to.) EDIT: Being told that it was just on hold despite the customer service email and my account being locked out. Oy.
What's the deal with these reshippers? It seems like the weak point in the scam, Amazon should either blacklist their addresses or coordinate with them to authenticate where the package is actually going.
While they are higher risk, you can't really just blacklist them all since there are a lot of legit orders that get sent to reshippers. For example, customers buying from overseas and the merchant may not offer international shipping. So you have to look at other data points as well.
In this case, having an established order and delivery history and then to have it shipped to reshipping is odd and should've raised a flag.
I'm sure Amazon's fraud system knows about that address. But maybe that flag is not exposed or given to the CSRs. That particular one in Oregon is used fairly frequently by fraudsters. We've seen it a number of times among our merchants.
A much easier way would be to refuse to ship to an address that's not already active in your address book. If you really need to ship to another address, it's not too much to ask that you go through the full account recovery process and enter the new address (which will prompt you to re-enter your credit card number).
Hey, I have an idea: how about stop using Amazon and start buying and selling from your local community, small businesses, like with actual people who can get to know you and who aren't susceptible to this kind of nonsense?
The cool thing about dealing locally is that you no longer have to wade through bureaucracy to get customer service - you can walk up to a flesh-and-blood person and talk to them face to face! And, unless they have masks from "Mission: Impossible" you'll be very, very difficult to spoof!
Because I personally don't value seeing a flesh-and-blood person very much. In my experience, Amazon has them beat in price, convenience, and customer service (they replace items and take my returns without an attitude, always). They also carry items my local stores wouldn't dream of carrying.
The only time I buy from local stores is when I absolutely must have it that day. And it looks like Amazon might even be doing that soon.
Perhaps I'm spoiled but there are two very good camera shops nearby. They are more expensive than Amazon, but they are also the hubs of the local photographer community, and the people that run them are neighbors. They also have consignment, used gear, etc. and for those times when I shoot film they do a great job of developing.
The inconvenience of going there is far outweighed by the benefits. Perhaps that's why they have survived in the era of Amazon and Best Buy! But I really really encourage people to actively search for local independent photog places (I mean, not Scammy's, er I mean Sammy's) if you take photography seriously at all, the premium is worth it.
I actually use the local lab/photog shop for prints and camera work and lens rentals, but they want $1,150 for the T4i with 18-135 STM. Amazon sold it to me for $799. (It's back up to $865 now, but still.)
I looked, but I couldn't justify the extra $350 at this time.
Hmm. Normally the price discrepancies aren't that large, so I can't blame you there. Next time try talking to them - camera shops know what's up and will often work with you on the price. Negotiation is also one of the nice parts of dealing with actual real-life people.
That's one of the reasons I don't like shopping offline - I hate the act of negotiation about price of something. I also don't like to negotiate on price when I'm selling something myself. If I'd be willing to sell it cheaper, I'd put a cheaper price tag on it.
Reminds me of classifieds like "will sell for $100. Serious buyer will get $30 discount".
I hear ya. In this case, there's not much of a negotiation - it's more of a "Well, I want to support local business, but Amazon has this product for $350 cheaper. Can I work with you on price?" Then, if they don't come down in price, you buy it from Amazon.
Local stores are not all the same, of course. Some, perhaps many, local stores don't deserve to survive. They are poorly run and perfectly willing to scam people who don't know the market price of stuff. But still I'm eager to at least try to work with them to avoid living in a world of nothing but enormous, monolithic corporations. Granted retail isn't exactly my favorite industry - I'd much rather support small makers of things - but I still try.
Negotiation is something you have to do when there is friction involved in discovering the market price of something. The more efficient a market becomes, the less negotiation there is, with the benefit being the time and effort saved for the buyer and seller. This is why you don't negotiate for things like gas, clothes, and milk.
The only reason I can think for someone to like haggling is it lets them think THEY got a good deal, and makes them feel better about themselves. However, it is almost always in the interest, and benefit, of the seller if haggling has to be done (they have more information than you do, unless you're willing to spend a lot of time and effort).
My experience of local stores is one of cheap nasty products which break on the day you buy them, idiosyncratic opening hours, and an inability to handle even basic stock control. Oh and everything is overpriced by a factor of about four. No thanks.
That's presuming they even stock what I want, which they usually don't.
Could you give an example of something you bought local to you that was ~4 times the price of Amazon and broke soon after you purchase it? Presumably you got your money back; I wonder how the store is staying open if they have to refund all their customers.
I live in Edinburgh, it was a hardware store, it was a set of screwdrivers. It's the only hardware store within 2 miles accessible on foot (most people walk to shops here).
Further down in the article I mention that a possible vector was that I tweeted from my personal Twitter that I was considering buying a T4i and that someone searching for that might consider me a target and try.
It's definitely an interesting question, but it's clear he was just hunting and pecking, which is why he wanted all the order numbers from November and December... not sure if he initiated a few other chat sessions to figure out what was in each order and found a high-ticket item to pursue, or what, but it's a good question... I don't know what made me an initial target at all.
Interestingly enough, Amazon offers a "Tweet this purchase" option which I did NOT avail myself of, but which would definitely exacerbate this problem.
(Also, my name is Chris Cardinal. I don't know the scammer's name, but of course he couldn't request Amazon to change the shipping address AND the name for the replacement order. That would be a bridge too far.)
In passing, not fair to blame Amazon because Apple uses effectively public information (last 4 of CC, which is known to every restaurant waiter and shop clerk in America), as a secret key.