Beware: Amazon fraud happening in East Dulwich

[Tottleworth]

PROTECT YOURSELF FROM THE LATEST AMAZON SCAM

The local news bit of this follows underneath, but if you use Amazon and think your account is secure, you're wrong

and you should do three things immediately to protect yourself.

1.

If you have any payment cards or paypal/other payment account linked to your Amazon account, remove it immediately. They're not safe, whatever Amazon say. OK, so you will have to manually type in a card number each time you buy something, but better than it being left there 24-7 waiting to be hacked and defrauded - which just happened to me

2.

Also remove your billing and delivery addresses from your account. Again, a small inconvenience to put them in manually each time you buy something. Having your card details attached to your home address on an Amazon master file is dumb. (And delete your order history whilst you are at it. Do you really want the local criminals knowing you just bought a new smartphone/computer/tv as well as where it was delivered?).

3

If you must use Amazon, never have anything delivered to your home address - Use the Amazon lockers in the Co-Op. You can set this up in your account. (Or have items sent to your work address instead - dont put the address in your account details). This is way safer than risking they will deliver when you are not in/don't hear them, leave it with flakey neighbous, or just give it to the first person outside your home... which just happened to me.

Whilst abroad last week, some local sleazeballs managed to hack into my Amazon account and buy an iPad and iPhone.

(It's well known Amazon, amongst others have been hacked on a regular basis).

They weren't hacker enough to change the delivery address to their own place, so they had the stuff shipped to my address and then waited across the road for the delivery van to arrive.

Presumably they turned up at the gate just as the driver was dropping off, probably pretending to be just coming back from somewhere. (I'll be interested to see the recipient signature on the Amazon delivery docket). Even worse was the second delivery that was signed for by a neighbour in a shared house... and then later on, one of their housemates just handed it over without an ID check, when sleazeball came knocking for it.

So ?1k out of pocket, Amazon customer service hopeless, and no evidence that I didn't order the goods, or not receive them. An entire morning on the phone to Amazon, bank, police and fraud team is not recommended

The really scary part is this is not just an internet fraud siphoning money out of your account. It's a local doorstep operation.

So if you use Amazon, protect yourself now

[kford]

How did the 'sleazeballs' know a) a neighbour had it, and b) which neighbour had it?

[a_m]

Sounds like neighbours weren't involved - the scammers just purported to be the recipient instead.

Tottleworth - do you have any idea how they hacked into your account in the first place - i.e. were you using One-Click ordering on a public or shared machine, or a device that got stolen, or has your computer been infected with malware?

[Pevara]

Good grief- scary stuff. I will follow your tips. I hope you are able to recover your money soon and without too much further hassle.

[worldwiser]

Not wishing to minimise the inconvenience you've faced but this happened to me some time back and I think the sum total of effort required on my part was 5 minutes. Amazon cancelled the transaction, immediately refunded me and handled the police. In these cases the risks are all borne by the retailer and the banks. You are never likely to suffer any financial cost from this type of fraud. And knowing someone's got a posh telly with a tiny black market value is not a likely incentive for a burglary these days. I think the solution is to carry on living your life, be vigilant to a degree, but not be thrown into a mad panic. Thanks for the warning but I'll be leaving my amazon and other accounts as they are.

[LondonMix]

I have the same questions as kford. How would the criminals know which neighbor the package was left with since the slips are put through the front door? Also, did they stop the email notification of purchase and shipping that would be sent to your account? For me that would be the first tip off if I didn't make a purchase and I would contact Amazon prior to the item being shipped. Did they somehow know you were out of town? If not, its a pretty significant risk to try to doorstep delivery driver when the owner might be in.

I hope this all works out for you. Any additional details would be very welcome.

[Tottleworth]

Hi there... No my neighbours are not involved in the scam!

Once you are inside your Amazon account you can see where and when a delivery has been made. So easy to trace to an address other than the delivery/home address. And no I haven't given over or written down any of the account log-on details.

My understanding so far is they hung around to see when the van arrived for one of the two deliveries, and went to the neighbours a little after there was confirmation of the other delivery. This all occured within 24 hours between Friday and Saturday. (FYI, why do Amazon think anyone would accept something as valuable as an ipad or phone being given to a neighbour rather than returned to depot?). I suppose it could also be an inside job, but some review sites are carrying similar scam stories in the US where the hackers also altered the delivery address.

I've only ever used a private device (MAC), which to my best knowledge isn't carrying malware. (I was travelling in the US, so maybe it was compromised somewhere over Wifi perhaps). I subsequently understand some of the 'remote' capabilities allow hackers to track passwords and other details from just keystrokes alone. Luckily I have more than one device, so can revert whilst I have my travelling device checked out. I definietly wont be using Amazon in a hurry again and have made a clean sweep of all online accounts for any cards and reset all passwords.

[Penguin68]

The most 'routine' ways in which hacking takes place are associated with the person being hacked (and their equipment) rather than the supplier - that is for such 'individual' hacks, rather than mass down-loads of account details and passwords - if you have been travelling and using public wifi that certainly is a route through which hacks can take place - unless your system is made very secure. Did you undertake any Amazon transactions whilst abroad? However I cannot imagine a US hack then attacking a physical UK address for delivery. A ?1000 loss to you/ the bank equates (broadly) to a ?100 gain to the criminal (that is why a safe 'cash-rated' at ?3000 can be used to store non-cash items of a value up to ?30,000). It doesn't seem worth the effort.

Malware (key-loggers) can identify e.g. passwords being input (which is why some firms use drop-downs so that the actual password elements cannot be thus identified) - it is also possible to use electronic devices (close by) to snoop on keyboard and indeed screen activity. To avoid this you need to work in a Faraday cage.

Did you actually receive transaction confirmation by e-mail from Amazon? If you didn't then the hackers would have been good enough to put their own (probably disposable) e-mail in - but they may have had to get it delivered to your address to match the credit card address.

I think if there had been a mass attack on Amazon which compromised loads of accounts that would have been made public by now, which does suggest that this was an individual attack which is more likely to mean that you (or your card) were individually compromised rather than that the Amazon system was.

I would suggest (if you haven't) changing the card used. And the methodology doesn't look, to me, to be Amazon specific.

I am afraid your heading should probably be - 'Beware, Credit card and Internet Account fraud happening in East Dulwich' and yes, it certainly is. Your recommendations on cautionary behaviour go far wider than just for Amazon.

[kford]

How did they get confirmation of the delivery though? Did they have access to the email account associated with your Amazon account? All assuming the item was tracked etc

[elliescott]

Sorry to hear all this but thanks for the heads up.

[evilmanic]

Amazon hasn't been hacked, really.

What is very likely, is that your details were compromised elsewhere, it's common that people use the same email address and password combination on other sites.

Be careful when you discard boxes, packing slips or whatever with your email address on, it's quite trivial to use an email address collected this way on a site such as https://haveibeenpwned.com/ - go find what the password has been decrypted as, then try and login to things such as amazon, gmail etc.

If you are serious about your online security, consider using something like 1Password or LastPass, these will generate random passwords for you, that you can use on sites so that this type of attack doesn't work.

It sucks that the amazon delivery person didn't deliver correctly - but Amazon will absolutely make good on this, if it was them at fault.

[*Bob*]

LastPass is great - would totally recommend it for the price of a few quid a year. Takes a little while to get all your passwords in there and (usually) upgraded, but after that.. it's a breeze.

[Loz]

An alternative to LastPass is KeePass (which I use) - similar systems, but

- LastPass is a cloud based system, with your passwords held in the cloud (in SHA256 encrypted form). LastPass is proprietary software.

- KeePass uses a SHA256 encrypted local file which I keep on my OneDrive (the cloud storage that comes with Hotmail/Outlook). It's open source and free.

[JohnL]

evilmanic Wrote:

-------------------------------------------------------

> Amazon hasn't been hacked, really.

>

> What is very likely, is that your details were

> compromised elsewhere, it's common that people use

> the same email address and password combination on

> other sites.

>

> Be careful when you discard boxes, packing slips

> or whatever with your email address on, it's quite

> trivial to use an email address collected this way

> on a site such as https://haveibeenpwned.com/ - go

> find what the password has been decrypted as, then

> try and login to things such as amazon, gmail

> etc.

>

> If you are serious about your online security,

> consider using something like 1Password or

> LastPass, these will generate random passwords for

> you, that you can use on sites so that this type

> of attack doesn't work.

>

> It sucks that the amazon delivery person didn't

> deliver correctly - but Amazon will absolutely

> make good on this, if it was them at fault.

I've heard Amazon ban you if you have multiple delivery

issues - just that makes me not want to use my home address.

Will always be a dropbox for me now (I didn't know they existed

for a long time).

[evilmanic]

JohnL Wrote:

-------------------------------------------------------

> evilmanic Wrote:

> --------------------------------------------------

> -----

> > It sucks that the amazon delivery person didn't

> > deliver correctly - but Amazon will absolutely

> > make good on this, if it was them at fault.

>

>

> I've heard Amazon ban you if you have multiple

> delivery

> issues - just that makes me not want to use my

> home address.

>

> Will always be a dropbox for me now (I didn't know

> they existed

> for a long time).

It depends, I've reported four issues to them over the last three months (mostly deliveries not arriving on time, but one where the goods said delivered but were not) and each time they have extended my prime subscription by a month and the last time they sent replacement goods the next day.

Obviously, if you order 5 iPads and 5 iPhones and they all go missing, then they'll take a look at possible ulterior motives, but for common problems you should be OK.

[JohnL]

evilmanic Wrote:

-------------------------------------------------------

> JohnL Wrote:

> --------------------------------------------------

> -----

> > evilmanic Wrote:

> >

> --------------------------------------------------

>

> > -----

> > > It sucks that the amazon delivery person

> didn't

> > > deliver correctly - but Amazon will

> absolutely

> > > make good on this, if it was them at fault.

> >

> >

> > I've heard Amazon ban you if you have multiple

> > delivery

> > issues - just that makes me not want to use my

> > home address.

> >

> > Will always be a dropbox for me now (I didn't

> know

> > they existed

> > for a long time).

>

> It depends, I've reported four issues to them over

> the last three months (mostly deliveries not

> arriving on time, but one where the goods said

> delivered but were not) and each time they have

> extended my prime subscription by a month and the

> last time they sent replacement goods the next

> day.

>

> Obviously, if you order 5 iPads and 5 iPhones and

> they all go missing, then they'll take a look at

> possible ulterior motives, but for common problems

> you should be OK.

Glad to here that

Deliveries suck where I live :)

[Bic Basher]

As mentioned above, never use public wi-fi for ordering goods or online banking. There are people who scan those services who will hack into your personal data.

If you have to, change your passwords as soon as possible or use your mobile data instead.

[Horsebox]

Just been told my dad's Amazon account was hacked last night and iPads and iPhones ordered for delivery today to my address in SE22.

Amazon cancelled order as it was deemed suspicious. They've now suspended his account whilst they investigate further.

I'm sure the SE22 connection is just a coincidence.

[firekat2]

Cant take the risk and have cancelled all my details.

[Loz]

firekat2 Wrote:

-------------------------------------------------------

> Cant take the risk and have cancelled all my details.

On that basis, you probably want to cancel any bank accounts with internet facilities as well.

[KessonL]

USE AMAZON GIFT CARDS DONT USE CREDIT OR DEBIT CARDS ONLINE THERE ARE WAYS TO PAY LIKE PRE PAID MASTER CARDS CALLED IDT PRIME CARDS ... OR THEN THERES GOOGLE PAY WITH GIFT CARDS OR EVEN PAYPAL ...

STAY SAFE ONLINE !!

[Azira]

You can stay safe online without needing to resort to avoiding using credit or debit cards.

[KalamityKel]

Surely this isnt just localised to "Se22" but happens everywhere... unless there's proof of a targeted scam?

[Loz]

KessonL Wrote:

-------------------------------------------------------

> Use Amazon gift cards dont use credit or debit cards online there are ways to pay like pre paid

> master cards called idt prime cards ... Or then theres google pay with gift cards or even paypal

> ...

Not using credit cards might seem like a good idea, but of course with paypal and other payment methods you lose your Section 75 rights.

http://www.moneysavingexpert.com/credit-cards/PayPal-Section75

[Bic Basher]

You can pre-pay credit onto you Amazon account online as well.

I had a delivery yesterday from Amazon Logistics, the courier knocked on the door, left the parcel by the door and was already walking off when I opened the door.