More than 3.3 billion online credentials were reported stolen last year, and such stolen data helps fuel criminal endeavors to get into the online accounts of consumers and businesses and wreak havoc, including on Amazon.com.
A widely reported story today from The Wall Street Journal highlights how some sellers on Amazon.com Inc.’s marketplace have found payments due to them are being deposited into bank accounts that aren’t theirs. Upon logging into their seller accounts, they are finding their bank account details have been altered. Other marketplace sellers are seeing their accounts used to list and sell goods that aren’t real.
Sellers have sporadically reported this type of activity for several years on the Amazon Seller Central message boards, where Amazon marketplace merchants post questions to fellow sellers and receive answers and advice from other sellers. It is unclear how many sellers have been affected by such hacking, but reports indicate more activity in recent weeks.
For instance, a seller using the screen name Scorpion RPG posted in late February about expecting a payment for his marketplace sales. Scorpion RPG’s story echoes the trials of other sellers posting on the forum. When Scorpion RPG didn’t see the $33,000 due post to his bank account, he logged into his seller account and saw that his deposit account information had been changed two days before Amazon issued the payment. “I have had the same account since 2011 with no issues, so the thought never even entered my mind” to check the deposit account before initiating the deposit, he wrote.
Scorpion RPG appealed to the seller community for advice on how to get his money back, and whom to contact at Amazon for help. After many exchanges with the forum and with Amazon representatives who investigated, Scorpion RPG on March 24 wrote that he got his money from Amazon. Other sellers who have reported similar issues report it takes about four to six weeks to receive their money.
Scorpion RPG doesn’t know how a criminal managed to get his login details, but he advised other sellers to begin using Amazon’s two-step verification procedure, which he hadn’t activated prior to the theft. With two-step verification, users log in with a password and a security code.
“If you are a seller and don’t have this, go do it now,” Scorpion RPG wrote. “After going through this ordeal, the thought that someone was poking around my account literally makes me sick. The fact that they got $33,000 of my hard earned money pisses me off to no end. Protect yourself, it is worth it.”
He also advised sellers to double-check their bank details before requesting a payment. “Lesson to sellers, check your deposit account before all disbursements!”
Criminals are freely buying and selling stolen login credentials and passwords online, and such credentials are abundant. More than 3.3 billion credentials were reported stolen last year as a result of high-profile system hacks that included Yahoo Inc., LinkedIn, Tumblr and Dropbox, according to Shape Security, a security firm that protects against automated attacks on the web and mobile apps.
Criminals also obtain credentials through methods such as phishing, in which an email that may look legitimate fools recipients into “updating” account information, or through the installation of malware that tracks computer and online activity, for example by logging keystrokes. Users also often reuse the same password for multiple accounts, and if one account where that password is used is breached, criminals can try that password elsewhere online to see whether it opens other accounts.
“If your actual credentials are exposed because you shared them or reused them [on multiple sites], and they are stolen, Amazon’s security mechanisms don’t secure against that,” says Shuman Ghosemajumder, chief technology officer at Shape Security. “Companies like Amazon are targeted on a 24/7 basis by credential stuffing attacks.”
A credential stuffing attack involves a criminal pushing combinations of usernames, often email addresses, and passwords, typically harvested from breaches of other sites, at a login page to try to gain access. Ghosemajumder says the success rate of credential stuffing attacks typically ranges from 0.1% to 2.0%.
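The pattern Ghosemajumder describes has a recognisable fingerprint in login logs: one source tries many different usernames and succeeds only rarely. The script below is an added example, not code from the article or from Amazon or Shape Security; the log format, IP addresses, usernames and thresholds are all constructed for illustration, and it flags sources showing that fingerprint along with the accounts they managed to open.

```python
from collections import defaultdict

# Constructed sample auth events (not from the article). One source sprays
# 200 distinct usernames and hits once (0.5%, inside the 0.1%-2.0% range the
# article quotes); another is an ordinary seller who mistypes, then logs in.
STUFFING_IP = "198.51.100.7"
LEGIT_IP = "203.0.113.9"

def build_sample_log():
    lines = []
    for i in range(200):
        result = "SUCCESS" if i == 137 else "FAIL"
        lines.append(f"2017-03-01T10:00:{i % 60:02d}Z {STUFFING_IP} user{i}@example.com {result}")
    lines.append(f"2017-03-01T10:05:00Z {LEGIT_IP} seller42@example.com FAIL")
    lines.append(f"2017-03-01T10:05:07Z {LEGIT_IP} seller42@example.com SUCCESS")
    return "\n".join(lines)

def parse(log_text):
    """Each line: timestamp source_ip username SUCCESS|FAIL (assumed format)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events

def find_stuffing_sources(events, min_users=20, max_success_rate=0.02):
    """Flag sources that try many distinct usernames with a low hit rate.
    A normal user retries one username; a credential-stuffing source walks a
    breached list, so distinct usernames pile up while successes stay rare.
    Returns {ip: {...}} including the accounts that were successfully opened,
    which are the ones to force a password reset and 2FA enrolment on."""
    per_ip = defaultdict(list)
    for _, ip, user, ok in events:
        per_ip[ip].append((user, ok))
    flagged = {}
    for ip, tries in per_ip.items():
        distinct = {u for u, _ in tries}
        hits = sorted({u for u, ok in tries if ok})
        rate = len(hits) / len(tries)
        if len(distinct) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": len(tries), "distinct_users": len(distinct),
                           "success_rate": rate, "compromised": hits}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(build_sample_log())).items():
        print(ip, info)
```

In real logs the thresholds should be tuned per window and combined with other signals (user agent, geography, failed-then-changed-bank-details), since a single source address is only the crudest grouping key.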
In communications to sellers where Amazon suspects unauthorized access, Amazon writes: “We do not know how your sign-in information was obtained, since the unauthorized party obtained this information on a site other than Amazon.com.” It directs sellers who see unauthorized changes in their accounts to contact Seller Support via the “urgent help” feature within Seller Central.
“Amazon has zero tolerance for fraud,” an Amazon spokesman says in a statement provided to Internet Retailer. “There have always been bad actors in the world; however, as fraudsters get smarter so do we. Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com.”
Ghosemajumder advises sellers to take the following steps to secure their accounts:
- Use a good password.
- Do not reuse any password.
- Don’t share your password.
- Enable two-factor authentication.
Amazon is No. 1 in the Internet Retailer Top 500 Guide. About half of units sold on Amazon are sold by sellers on the Amazon marketplace. The rest are sold by Amazon itself.