Potential security issue on Amazon’s website (updated 11/4/2011 – twice)

Apr 082011
 
An example payment method still on my 'old' Amazon account

Over the course of the last few days I’ve discovered what appears to be – or possibly to have been – a fairly notable potential security hole in the Amazon UK website (and possibly others, but I only use the UK site on a regular basis). I will go into detail below about the nature of the security hole and how I discovered it – but first I want to point out that I’ve been trying to cause the problem to manifest itself again today, and failing. This might mean that the problem – which appears to have been triggered on my own Amazon account in August 2010 – has already been fixed. It might also mean, however, that I simply haven’t been able to establish all the variables that caused it to happen.

In other words, the problem I am about to describe might already be fixed, or it might not. I have no way of knowing one way or the other.

I was planning to wait before publishing this, but I’ve decided to proceed because I am somewhat less than happy with Amazon’s response to my emails on the subject – details at the very end of this post. Continue reading »

Additions Direct: The story begins

Sep 302010
 

I discovered today that I have an account with a company called Additions Direct and, although I don’t owe them any money, there is only £971 of the £1,000 credit limit available. This is because there is an unfulfilled order on the account – for an “X Factor Waistband Amplifier” which, at £25 (and looking like something utterly dreadful), is yet to be shipped – plus £3.95 delivery.

Except that I don’t have an account with them, having not used this company to purchase anything, and having not set up any such account.

Oh dear.

Continue reading »

Barclaycard: The story ends… for now?

Sep 302010
 

After discovering there had been fraudulent activity on one of my credit cards held with Barclaycard on the 16th September, and my subsequent contact with them that didn’t get anywhere on the 17th, I had a missed call on the morning of Sunday 19th September from a withheld number, which I assume was from Barclaycard’s fraud department, but they made no further attempts to contact me that day. I finally received a call from them on Monday 20th. Continue reading »

Barclaycard and the illusion of security

Sep 192010
 

A couple of days ago, I posted about the call I received from Barclaycard concerning fraudulent activity on one of my accounts, and from which I concluded that Barclaycard themselves have become a victim of social engineering (which I am now able to confirm, and will be updating that post to explain after finishing this one), allowing the fraudster to set up new online access to my accounts – and I dropped in a comment about the security questions that they ask, and would have asked the fraudster, pointing out that they are not actually secure at all. Since then, I’ve called Barclaycard myself, so to illustrate the point that the security questions they ask are anything but secure, here are the three I was asked: Continue reading »

Have Barclaycard fallen victim to social engineering? (Updated 19/9/10)

Sep 162010
 

I received a partially automated telephone call from Barclaycard today – their systems had been alerted to possible fraudulent activity on one of my credit card accounts. When I initially answered the call and their robot explained this, my first thoughts were that it probably wasn’t fraudulent activity, and that I’d have to confirm a transaction I initiated a few days ago – I booked some holiday accommodation, and the last couple of times I’ve booked with the same company I’ve received a similar phone call and had to confirm that it was a genuine transaction.

However, I soon discovered that booking wasn’t what triggered the call, as the robot revealed two transactions and asked me to confirm if either of them weren’t genuine. Neither of them, one for £3 and the other for £3,762, were transactions I had made.

Continue reading »