Amazon security glitch

[braumeister]

Received an odd email from Amazon:

Sign-in Code
Your sign-in code is:
######
Amazon takes your account security very seriously. Amazon will never email you and ask you to disclose or verify your Amazon password, credit card, or banking account number. If you receive a suspicious email with a link to update your account information, do not click on the link—instead, report the email to Amazon for investigation.
We hope to see you again soon.

There have been no changes in my account, and I was able to sign in normally both before and after receiving this email.

Looked online in Amazon forums and apparently this is a known glitch in their system where they randomly send out irrelevant sign in codes for no reason. It's a bit disconcerting, but apparently harmless.

Anyone else get one of these?

 

[Aerides]

Do you have 2FA setup with amazon?

If not, and really, even if, it can still be phishing. The hackers are smart, and you may want to change your password anyway. I'm a seller on amazon and I use 2FA, but other sellers have reported getting similar weird emails as if they had requested the code but hadn't. (one just today in my group of sellers). General thought is perhaps someone tried to log in to your account.

 

[CoolRich59]

Sounds like a phishing attempt to me.

 

[braumeister]

I suppose you're right.

Just to be on the safe side, I changed my password and set up 2FA.

 

[razztazz]

Here's what happened to me just last week:

Got the same email with a security code. The Amazon address looked legit. I contacted them to see if it was real or a phishing attempt.

The upshot from the amazon security (or customer service) person was that:

1) It was indeed a real code / legitimate message sent from Amazon.

2) I should immediately change my email password AND amazon password because these types of hacks usually originate from someone having gotten into the email account rather than the Amazon account.

Well, you can take that with a grain of salt I suppose, but I changed my email and Amazon passwords

LATER THAT SAME DAY..... I get 2 emails from the APPLE STORE sent to the email account in question. Two invoices from 2 separate purchases for what look like video games (Bang-Bang-Moba...?) I got NO kick-back from any of my credit or debit cards or bank account. I checked them directly also. My credit/ID theft monitoring company shows nothing unusual. The APPLE STORE invoice says "Store card id: (my email address)"

I went to the Apple Store site and it asks right up front: Not Your Purchase?" or something like that. BUT I cannot tell them it is not mine because I do not have an account with the Apple Store so it's sort of a dead end.

I have no idea what comes next but it does not appear that I have been harmed just ticked-the-hell-off. Kind of like somebody breaking into my garage and stealing something I didn't want anyway or didn't even know I had...?

Keep an eyeball out for an Apple Store invoice or other receipt and keep this thread informed. I will do same.

 

[W2R]

I got the same e-mail a few days ago. I deleted it without clicking on anything in the email.

I don't know what it is, but you google "Amazon verification code spam", apparently many people got this email, and it may not be genuine. I don't know anything else about it.

I haven't had any unauthorized purchases on my credit card or other suspicious activities.

 

[gwraigty]

I haven't had any unauthorized purchases on my credit card or other suspicious activities.

I haven't gotten this email, but I did have an unauthorized purchase on September 17th on one of my credit cards that is stored with Amazon (Fidelity VISA). The thief helped themselves to a monthly subscription to Amazon Prime. When I notified Amazon, they promptly removed my credit card from this person's account. I got a new card from Elan in 2 days.

This is the 3rd time that my Fidelity VISA has been compromised, but the first time a purchase was made with Amazon. First time it was still with FIA card services before being switched to Elan. It makes me wonder if there is some lax security with Amazon, as that is my go-to card most places, so it's always been on file with Amazon. I've got other credit cards that have never been compromised.

 

[easysurfer]

I got an email the other day supposedly from Paypal that almost had me fooled into clicking on a link. But my gut feeling said phishing attempt.

 

[braumeister]

It's all so tedious. I haven't noticed anything odd yet, apart from that one email, but just to be on the safe side I changed my Amazon password, set up 2FA there, and changed my email password as well. I'll be more vigilant than usual for a while.

 

[SecondCor521]

A passing comment: A friend of mine who teaches cybersecurity classes at the university level pointed out that one really needs the strongest password on their email accounts because a lot of 2FA and password recovery processes will send a password reset code to your email address. So a bad actor could get access to your email account and then try to reset passwords on all of your other accounts using your email account and password reset codes sent there.

I suppose a similar idea applies to phone passwords, although people probably don't want to be using strong passwords on their phones due to inconvenience. I guess that's where FaceID or fingerprint technology comes into play.

 

[braumeister]

I can see his point. I routinely change most of my passwords about twice a year anyway, and use very strong ones.

With a new iPhone, I have to admit I was skeptical about how convenient FaceID would be, but I love it.

 

[easysurfer]

I just got that "Amazon" sign-in code email a short time ago.

 

[Spock]

You're not going to like this because Amazon goes out of their way to make it inconvenient, but remove your CC from your Amazon account.


Amazon makes it a real PITA to remove and then add again next time, but if the Amazon account does get cracked they can't spend your money if there is no card info in the account.

 

[SecondCor521]

You're not going to like this because Amazon goes out of their way to make it inconvenient, but remove your CC from your Amazon account.


Amazon makes it a real PITA to remove and then add again next time, but if the Amazon account does get cracked they can't spend your money if there is no card info in the account.

True, but my understanding is that if a CC number gets hacked/stolen/whatever, I'm not on the hook for any fraudulent charges. So I'll stick with convenience and trust Amazon (and other merchants) to properly secure my CC info, or absorbe the fraud losses if they don't.

 

[Walt34]

True, but my understanding is that if a CC number gets hacked/stolen/whatever, I'm not on the hook for any fraudulent charges. So I'll stick with convenience and trust Amazon (and other merchants) to properly secure my CC info, or absorbe the fraud losses if they don't.

+1

Now, a debit card is a whole other story. We won't even have a debit card because the consumer protections on the credit cards are so much better than a debit card.

 

[W2R]

+1

Now, a debit card is a whole other story. We won't even have a debit card because the consumer protections on the credit cards are so much better than a debit card.

Direct communication from Mastercard on this issue, with reference to Debit Mastercards (the only debit card issued by my bank, and almost every bank, or at least every bank I have patronized in the past 20+ years):

If your card is ever lost or stolen, it comes with Zero Liability Protection and Identity Theft Protection from Mastercard so you won't be responsible for unauthorized charges.

And in fact, when I had an unauthorized purchase on my Debit Mastercard back in 2000, I got every penny back in less than 24 hours, even though it took a month or so for the investigation to be completed.

 

[Walt34]

And in fact, when I had an unauthorized purchase on my Debit Mastercard back in 2000, I got every penny back in less than 24 hours, even though it took a month or so for the investigation to be completed.

While that is the policy of most banks, it is not federal law, as it is with the credit cards.

When I was working on fraud cases I saw many instances of people being put into a serious (for them) cash flow crunch with stolen/unauthorized use of debit cards when their bank dragged their feet on the investigation, holding on to the account holder's funds in the meantime.

I'll stick with credit cards, thank you.

 

[W2R]

While that is the policy of most banks, it is not federal law, as it is with the credit cards.

It is part of the contract verbiage by which they are bound, that you go over and sign when you sign up for the card. I'm not going to look for it in my files, but it's there in black and white that you will be reimbursed within 24 hours and I think the communication direct from Mastercard that I quoted gets that point across.

When I was working on fraud cases I saw many instances of people being put into a serious (for them) cash flow crunch with stolen/unauthorized use of debit cards when their bank dragged their feet on the investigation, holding on to the account holder's funds in the meantime.

I'll stick with credit cards, thank you.

Perhaps there have been some changes since you were working on fraud cases?

I think that the last old fashioned debit card that I ever saw was in the early 1990's, although perhaps in your area they persisted longer. Indeed, those did not have much protection.

However in recent decades these have been replaced by Debit Mastercards at many (most? all?) banks, and the contract verbiage for these with respect to unauthorized purchases, is identical to that for Mastercards. It is most definitely against the law for your money to be taken for unauthorized purchases here.

 

[Spock]

It is part of the contract verbiage by which they are bound, that you go over and sign when you sign up for the card. I'm not going to look for it in my files, but it's there in black and white that you will be reimbursed within 24 hours and I think the communication direct from Mastercard that I quoted gets that point across.


Perhaps there have been some changes since you were working on fraud cases.

I think that the last old fashioned debit card that I ever saw was in the early 1990's, although perhaps in your area they persisted longer. Indeed, those did not have much protection.

However in recent decades we have Debit Mastercards and the contract verbiage for these with respect to unauthorized purchases, is identical to that for Mastercards. It is most definitely against the law for your money to be taken for unauthorized Debit Mastercard purchases here, and not returned for more than 24 hours after notification.

The difference is company policy (debit card contract that can change with each individual issuer) vs. law (credit card fraud limits).


It becomes a no brainer when comparing the cash coming straight out of your checking account with a debit card that you have to fight to get back. Its only returned after they complete their fraud investigation ("guilty until proven innocent")
vs. the $ don't leave my checking account until I pay the credit card bill... the transaction is out of their pocket while the dispute investigation is completed ("innocent until proven guilty").

 

[W2R]

Direct communication from Mastercard on this issue, with reference to Debit Mastercards (the only debit card issued by my bank, and almost every bank, or at least every bank I have patronized in the past 20+ years):

If your card is ever lost or stolen, it comes with Zero Liability Protection and Identity Theft Protection from Mastercard so you won't be responsible for unauthorized charges.

And in fact, when I had an unauthorized purchase on my Debit Mastercard back in 2000, I got every penny back in less than 24 hours, even though it took a month or so for the investigation to be completed.

The difference is company policy (debit card contract that can change with each individual issuer) vs. law (credit card fraud limits).

Right - - I remember hearing horror stories years ago about credit card owners having as much as $50 withheld from their reimbursement! Wow. That's pretty egregious, I agree. With the Debit Mastercard at my bank, they have to give every single penny back and they have to do that within 24 hours. It is most definitely against the law for your money to be taken from your bank account for unauthorized purchases here, once notification has been given.