Amazon’s Worrying Approach to User Account Security

If only it were true….

I was first puzzled why the Amazon service rep I had connected to was demanding a series of answers to verify my account, because the call had already been pre-validated, and then increasingly concerned that the questions she was asking were not truly protective of me and my account.

I’d called Amazon with a minor service question.  You’ve probably done the same.  You go to Amazon’s website, enter your account name and password to securely log in, go to your orders, choose the order you have a question about, and then play hide and seek for several minutes until you finally coax Amazon to reveal a way to get in touch with a live person.

At that point you enter your phone number, and within seconds, your phone rings and there’s an Amazon rep ready to help.

But sometimes you have to play a game of “20 questions” with the person you’re speaking with to “verify your identity” before they’ll assist.  That seems unnecessary in this scenario because you have already verified who you are by securely logging in to your account online, and further verified your identity when you put in your phone number – especially if it is one they already know and have on file.  With the immediate call-back, it is unlikely anyone else has taken over your phone and intercepted their call.

While some of their staff understand this and spare you much in the way of needless and pointless confirmation questions (they’ll simply say “Is this David?”), others don’t.  Regrettably, when challenged, the reps who don’t understand the ridiculousness of asking you to re-confirm who you are will lie and say it is impossible for them to access your account unless you reveal the information to them.

That is a thin transparent lie, for two reasons.

First, if it is impossible to access one’s account without these questions being answered, how is it that other Amazon support reps can instantly access the account?

And secondly, whenever I give my address to them, I rattle it off so quickly there is no way the Filipino or whoever at the other end of the phone could hope to clearly understand it and type it correctly into a form on their screen (when I get an American rep, they usually don’t bother asking the questions).  All the person is doing is presumably listening to the address and confirming it sort of matches what is already in front of them on their screen, at which point maybe they click a button saying “Verified” and proceed on with the call.

Being lied to in a clumsy attempt to cover up a stupid policy adds insult to injury.  And such a transparent lie implies they think I’m really stupid, which increases the insult.

I should add that when I ask to speak about this with a supervisor, the supervisor invariably doubles down on the lie.  “I’m sorry sir” they say with exaggerated politeness and dripping insincerity, “There’s no way I can access your account without entering your billing address”.

My response – “This is my second call about this matter today.  How is it that on the first call I made, barely fifteen minutes earlier, the rep didn’t even bother asking me for this information and could access my account perfectly, and now you – a supervisor – cannot?”.  That gets an evasive “I don’t know what they did, I just know I can’t do anything without your address”.  These people not only lie, but do so very badly.

Lies are never nice, especially when repeated by supervisors, but the more frustrating thing is the illogic of their approach to validation/verification.  I’m not complaining about the importance of account security, merely about how and when verification should be conducted.  Indeed, I’m going further and saying that if I need to be verified, I should be verified properly.

In the case of a call generated after logging in to one’s account, they already know that whoever it is they are speaking to has logged into my account to initiate the call request, and they know the call has been placed to the phone number they have on file for me.  So there’s a 99.9% or greater chance that “I am me” already.

But to close that last 0.1% of uncertainty, they ask me three standard questions which are already obvious to whoever it is logged in to my account.  What does that prove?  It doesn’t prove that I am me.  It just confirms something they already know – whoever they are speaking to has access to my account.  They know this because of the way the call request was generated.  It is a self-referential bit of non-validation.

I’ve asked repeatedly for them to ask me something that wouldn’t be known to a person who had hacked into my account, but they don’t, they won’t, and, perhaps, they can’t.

Sometimes, Proving ID is Irrelevant and Unnecessary

It seems the world is going crazy at seeking ID for anything and everything, whether there’s any sense in seeking it or not – with the only exception being if you want to vote!

Here’s a high tech example of ID-demanding run amok.  When closing down my T-Mobile account a couple of months ago (I’ve switched to Google Fi and couldn’t be happier) I went to return the router T-Mobile had provided, dropping it off at a T-Mobile retail store.  The router had a unique serial number on it which of course matched the serial number in their records that they knew I had – they’d even sent me a shipping document to enclose with the router that had all that information on it.

T-Mobile’s sole focus was on getting the router back.  They didn’t care how it was returned or who returned it.  Indeed, they even offered to pay UPS shipping if I’d prefer to send it back that way, and that method is of course completely without ID.

So, there I was, after waiting a few minutes, handing back the router and the shipping document to a clerk in the T-Mobile store.  He typed into the computer and looked at my account, then asked me for ID.  I asked why, and he uttered the classic “gotcha” lie of “It is store policy that we always ask for ID when dealing with a person’s account”.

I said I’d understand that policy if I was asking to be given something that would incur a liability on me/the account owner, but in this case I was doing the opposite.  He looked puzzled, and so I helpfully pointed out that the serial number of the router would match the router they had shipped me, and wasn’t that all that mattered?  He said he was unable to accept the router back without seeing my ID.

I asked what would happen if I asked a friend to return it on my behalf?  Would he refuse to accept the router from anyone who wasn’t me?  And if he would accept the router back from other people, did it matter who was handing it to him now?  This evoked a repetition of the “It is our store policy” line.

I asked about ID if I shipped it back to them via UPS – did they ask the UPS driver for his ID every time he dropped off a package?

This caused the guy to get cross.  He logged out of his computer, crossed his arms, and refused to do anything without seeing my ID.  I left the router on his counter and walked out of the store, with him calling after me that he’d not do anything with the router and that I’d be charged for it.  Other customers stared at us both in puzzlement.

A lovely last memory of my many years with T-Mobile!  And surely a case where ID is not needed, just like if you’re making a deposit into an account at a bank.

But what about the Amazon situation?  We’re all in favor of ID in most of our interactions with Amazon.

Our Amazon Account Privacy and Security is Very Important

Amazon is the world’s largest online retailer.  It is steadily extending into every part of our lives, and the information they have about us is increasingly sensitive.  These days, much/most of one’s life can be seen as a reflection of one’s Amazon activity.

The books we read, the products we buy, the names and addresses they are shipped to, the movies we watch, commands we give to Alexa, and other aspects of our increasingly extensive and detailed Amazon profile and activity can reveal much more about us than we may wish to openly share.  The privacy of our account information, profile, and activity history needs to be protected.

In this case, an Amazon representative insisted I confirm my identity, and to do so by providing three things.

  • First and last name
  • Email address
  • Billing address

The problem is – for most of us – all that information is already freely available and “out there” in public records.  None of it is secret, none of it is secure.  Probably everyone at your place of work, and most of your friends, know this information already.

Anyone with the slightest desire to access all your Amazon records can do so with the mildest of effort.

Proving ID Means Asking Something an Impersonator Would Not Know

Hopefully you understand the illogic of asking a person “easy” questions about public information to prove a person’s private/personal identity.  There are a dozen ways Amazon could ask more secure questions.  And because, much of the time, they are trying to validate the identity of a person who already has access to your Amazon account, such questions and answers must be things which are not revealed to anyone who can log in to your account.  (On the other hand, if a person can access your Amazon account, why would they then need to call up a customer service person to find out more about you?  Another Catch-22.)

For example, we could be required to create PIN codes.  Another approach – Amazon could store a bunch of the typical questions/answers to confirm an identity of the “What is your pet’s name” variety.  They could send a text message to our phone or an email to our email address with a code for us to repeat back (“two-factor” authentication).  They could store some of our personal information in a form which is not visible when one logs in to one’s account – indeed they already do when storing credit card numbers, showing only the last four digits.  Why not simply ask for the third group of four digits rather than the last four digits of the preferred credit card on file?
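The text-message option from the paragraph above, sketched as an added example (not code from Amazon or from this article): a support desk issues a one-time code that is sent only to the contact already on file, expires, works once, and locks after repeated wrong reads. The class name `CallbackVerifier`, the five-minute lifetime, the three-attempt limit and the sample account and phone numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed policy: lock the challenge after three wrong reads

class CallbackVerifier:
    """Issues one-time codes that only ever go to the contact stored before the call."""

    def __init__(self, contacts_on_file, send, clock=time.time):
        self._contacts = contacts_on_file  # account_id -> phone or e-mail on file
        self._send = send                  # delivery callable (SMS or e-mail gateway)
        self._clock = clock
        self._pending = {}                 # account_id -> [salt, digest, expires_at, attempts_left]

    def issue(self, account_id, requested_destination=None):
        on_file = self._contacts.get(account_id)
        # A destination supplied during the call proves only that the caller has a phone.
        if on_file is None or requested_destination not in (None, on_file):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        # Store a salted digest rather than the code itself.
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[account_id] = [salt, digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(on_file, code)
        return True

    def verify(self, account_id, spoken_code):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account_id]  # expired or locked: a new code must be issued
            return False
        candidate = hashlib.sha256(salt + spoken_code.strip().encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[account_id]  # single use
            return True
        entry[3] -= 1
        return False

if __name__ == "__main__":
    outbox = []  # constructed stand-in for an SMS gateway
    desk = CallbackVerifier({"acct-1": "+15550100"}, lambda to, code: outbox.append((to, code)))
    print(desk.issue("acct-1", "+15550199"), desk.issue("acct-1"), desk.verify("acct-1", outbox[-1][1]))
```

Unlike name, email and billing address, the code is not visible to someone who has only logged in to the account or read public records; it reaches whoever holds the phone or mailbox that was registered before the call.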

But they do none of this.  They just ask for name, address, and email.  That’s an amazing and appalling omission.

The world’s leading internet retailer, increasingly the custodian of many of the more private elements of our lives, should be able to do better than this.  But it isn’t, and it seems it doesn’t care.

I’ve tried to discuss this with supervisors, and asked to be referred to a manager who can actually discuss and change their policy.  Despite promises of calls-back, none have ever occurred.

6 thoughts on “Amazon’s Worrying Approach to User Account Security”

  1. My guess is you get the daft questions when you are routed to a call center run by a third party on behalf of Amazon, and when you go to a call center staffed by Amazon employees you don’t.

    I bet you are still being charged for that T-Mobile kit!

    1. Hi, Rich

      Yes, I’d delicately hinted in the article that the off-shore call center staff seem to be more obsessed by “security” and more willing to lie to justify their obsession. The whole topic of off-shore call centers is a sad one, because while there are no structural reasons why the off-shore staff should be as woefully inadequate as they often are, the reality certainly shows that something is not being done well, in their training or whatever else.

      As for the T-mobile router, how did you guess? It took a lengthy letter to their CEO and a rather disappointing response from one of their Executive Support staff to resolve that matter.

      T-mobile used to be an excellent company and very focused on growing their market share by being better than the other guys out there. Alas, now their focus has shifted to growing their market share by merging with the other guys – a strategy that while probably good for them, is equally probably bad for us.

  2. I had a similar experience with dubious “security” questions with Dell Computers. I called customer service, and — quite reasonably — the representative asked me some questions to verify my identity. Then she asked me to provide a cell phone number so she could text me a numeric code that I would have to read back to her. What on earth did that silly exercise prove, except that somebody who knew my e-mail address, mailing address, and password also had a cell phone in his possession?

    1. Absolutely. If they already had your cell phone number on file as part of your personal account details, asking you to confirm its number and sending you a text would make sense, but to simply ask for any cell phone number at all – as you say. What is the point of that?

    1. Hi, Bruce

      Thanks for sharing this

      not a contract and does not create any legal rights or obligations

      So what is the point of a Privacy Policy that creates neither rights nor obligations, one wonders!
