Amazon.com is a Nasdaq-traded company with over $12.2 billion in sales reported for the last 12 months and 28% growth over the past 5 years. Its business is conducted on the internet, where it relies upon the trust of customers to enter their private bank card numbers to purchase goods. What kind of security does Amazon.com offer to protect those customers?
Having recently experienced a fraudulent transaction through Amazon.com, I can share with you some details of Amazon.com’s security procedures.
First, what flaws allowed the fraud to happen? A thief apparently used a random password generator to break into my Amazon.com account. The major flaw here was the ability of the thief to detect the password using such a tool. A random password generator spews out combinations of potential passwords until it hits on one that works. Generally, this tool works when a password is simple, say a combination of only numbers or only letters. Amazon.com loses points here because its account creation system allows customers to set up accounts with overly simplistic passwords. However, I lose some points here too, because I am the person who long ago set up the account with the overly simplistic password.
Once the perpetrator had access to my account, he was able to change the email address to which all email concerning the account would be directed. This is a major security breach which Amazon.com could have prevented. For example, Amazon.com could have notified the account holder at the previously listed email address of someone attempting to change the account holder’s email address and demanded confirmation of the legitimacy of the change. In the event that the old email account was not operative or Amazon.com did not receive a response, Amazon.com could have insisted on the establishment of a new account. This would have required the perpetrator to type in address and bank card information. Since he did not have my bank card information, he could not have defrauded me.
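The old-address confirmation proposed above, sketched as an added example; it is not Amazon.com's code or anything from the original post. The `Account` class, the function names, the `send_mail` callback and the 24-hour token lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed confirmation window, in seconds


class Account:
    def __init__(self, email):
        self.email = email
        self.pending = None  # (new_email, sha256 of token, expiry time)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(account, new_email, send_mail, now=None):
    """Stage the change; mail a one-time token to the address on file."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash, so a database leak does not expose live tokens.
    account.pending = (new_email, _digest(token), now + TOKEN_TTL)
    send_mail(account.email, f"Confirm email change to {new_email} with token: {token}")


def confirm_email_change(account, token, now=None):
    """Apply the staged change only for the right, unexpired token."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    new_email, digest, expires = account.pending
    if now > expires:
        account.pending = None  # no answer from the old address: drop it
        return False
    if not hmac.compare_digest(_digest(token), digest):
        return False
    account.email = new_email
    account.pending = None  # single use
    return True


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a mail system
    acct = Account("owner@example.com")
    request_email_change(acct, "new@example.net", lambda to, body: outbox.append((to, body)))
    print(acct.email, "->", outbox[0][0])  # still the old address until confirmed
```

Someone who knows only the account password can stage a change, but the address on file stays in force until the token mailed to it is presented.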
Could he have stolen the bank card information from my account? No. This is one excellent feature of Amazon.com’s security. Amazon.com does not display full bank card numbers, even to the account holders. Thus if you or I want to see what bank cards we have previously used on Amazon.com, the only information Amazon.com will display for us is the last four digits. Someone who does not have access to the card will not be able to learn the first twelve digits from rummaging through an Amazon.com account.
Amazon.com features one other safeguard that protects its customers well. If you run into this safeguard in a nonfraudulent situation, you may mistake it for a nuisance. So read carefully. Amazon.com does not allow customers to rely on stored bank card data when shipping to a new shipping address. To use a new shipping address, bank card data needs to be typed in anew. This may be a pain for you if you ship to many different addresses. However, this safeguard keeps a thief from relying on your stored bank card information to direct a package to himself.
Fraud is a common problem at Amazon.com, as is probably true for most online retailers. Amazon.com has some solid safeguards in place, but it could improve its fraud prevention by not allowing email account changes without verification from the original authorized email address and by requiring its customers to use a combination of letters and numbers in their passwords.