Comment: Amazon Hit By Extensive Fraud With Hackers Siphoning Merchant Funds

By ISBuzz Team, May 11, 2019 (updated July 4, 2024)

Bloomberg reported yesterday that Amazon.com Inc has been hit by an “extensive” fraud, revealing that unidentified hackers were able to siphon funds from merchant accounts over six months last year.

https://t.co/VGLGhCHqyn has been hit by an "extensive" fraud, revealing that unidentified hackers were able to siphon funds from merchant accounts over six months last year : https://t.co/E1nK4J8PT3 pic.twitter.com/GbFDRTXnEq

— News24 Business (@News24_Business) May 8, 2019

Expert Comments: 

Brian Higgins, Security Specialist, Comparitech.com:   

“I’m not at all surprised to hear that Amazon are exploiting children’s data in this fashion. Let’s also not forget that although this case has arisen in America, Amazon’s platform is global. The unscrupulous retention of data for potential commercial gain or advantage is common among all social media platforms and I’m delighted to hear that the practice is finally being challenged. A friend of mine died a couple of years ago but I still get regular messages from Twitter asking me to follow her. There is no proprietary, or common, mechanism for account disablement, let alone deletion even when the data owner is deceased. The recent European General Data Protection Regulation offers the ‘Right to Erasure’ for those under its purview but even that requires an unnecessarily onerous amount of dedication and tenacity on the part of the individual.   

Unfortunately, data is a valuable commodity in the digital economy and nobody will give it up without a fight. In Amazon’s business plan today’s children are tomorrow’s customers, and the more information they can gather the more stuff they can sell to them. I’m pretty sure there’s no minimum age limit on Ad Ware.”  

Dean Ferrando, Systems Engineer at Tripwire:    

“Regardless of the outcome of this investigation, it is encouraging to see that IoT devices are met with constructive criticism, rather than blindly trusted to be safe and compliant. Smart home appliances are a relatively new entry in consumers’ lives, and it is perfectly understandable, and advisable, that users ask questions about how these devices work and how they treat their data. A reputable manufacturer such as Amazon will take the opportunity to make its processes transparent to its customers and to adjust its practices to ensure full compliance.”

Corin Imai, Senior Security Advisor at DomainTools:

“Users of a recognised platform such as Amazon can often fall into a sense of false security and blindly trust the provider to keep their details and their accounts secured. The truth is that, despite the state-of-the-art security measures that these organizations put in place, breaches are inevitable.   

Users can take steps toward protecting their credentials by remaining vigilant when combing through emails. This attack, in fact, seems to have started with a phishing campaign that cast a wide net of potential victims and then narrowed its scope to the roughly 100 people that ended up accidentally sharing their credentials.   

Service providers should continue to promote phishing awareness among their users, and should alert users as soon as the breach has been detected.”

Paul Bischoff, Privacy Advocate at Comparitech.com:

“To be clear, Amazon was not hacked. Amazon says the affected accounts were likely compromised through phishing scams that tricked merchants into giving up their login information. Unlike hacking, which can be prevented through technological means, phishing is much more difficult for a company to prevent. The attack takes place beyond Amazon’s control and leverages social engineering rather than a security vulnerability. Amazon can’t stop merchants from being phished or prevent them from receiving phishing messages, because Amazon doesn’t control their email and messaging accounts.   

A few precautions could help prevent this sort of attack, though we don’t yet know all the details of how they occurred. Two-factor authentication would prevent unauthorised users from logging in on unfamiliar devices without a PIN code, for example. Amazon could require additional verification of some sort whenever a merchant attempts to change their bank account settings. But it’s really up to merchants to know how to spot phishing messages and handle them appropriately.”  

Martin Jartelius, CSO at Outpost24 speaking from an EU perspective:   

“GDPR stipulates the right to be forgotten and the right of erasure, as well as privacy by design. Clearly, this is in violation of a range of the requirements of the legislation, especially with regards to the retention. If getting in contact with support, resolve the right to be forgotten and that is still sufficient for that specific requirement. This is a good example of a service that, by its nature, is the very reason we need privacy legislation.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
