Amazon’s Third-Party Sellers Hit By Hackers


From The Wall Street Journal:

Hackers are targeting the growing population of third-party sellers on Amazon.com Inc., using stolen credentials to post fake deals and steal cash.

In recent weeks, attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven’t used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash, those people say.

The fraud stems largely from email and password credentials stolen from previously hacked accounts and then sold on what’s dubbed the “dark web,” a network of anonymous internet servers where hackers communicate and trade illicit information. Such hacks previously have favored sites such as PayPal Inc. and eBay Inc., but Amazon recently has become a target of choice, according to cybersecurity experts.

. . . .

While the precise scope and financial impact of the Amazon attacks are unclear, some sellers say the hacks have shaken their confidence in Amazon’s security measures. Such third-party merchants are critical for Amazon’s retail business, with more than two million sellers on the site accounting for more than half of its sales, including more than 100,000 sellers who each now sell in excess of $100,000 annually.

. . . .

Margina Dennis, who rarely uses her seller account, discovered she had been hacked late last month when she started to receive notifications to ship Nintendo Switch videogame systems. She notified Amazon immediately that she hadn’t listed the device, but Amazon still tried to charge her for unreceived items, she said.

“This has been a nightmare,” said the makeup artist, who said Sunday afternoon she was still waiting for resolution.

Link to the rest at The Wall Street Journal (Link may expire)

PG is going to increase the password security for Mrs. PG’s KDP account. If you need help generating a strong password, LastPass has a free service for doing so.

12 thoughts on “Amazon’s Third-Party Sellers Hit By Hackers”

  1. I have had good results with LastPass. Never knew how many re-used passwords I had floating around there.

    I had to do something because a forum I had an account on had data stolen and I had used the same email/password combination on multiple sites – Rookie mistake.

    I have no association with LastPass other than being a satisfied user of the product.

  2. Right after reading this post, I tried to log into my Amazon account. I got a message that told me to re-enter my password, which I did. I was then asked to type the letters I saw in a box (I tried over and over, but never got it right even when I knew I was right). Still paranoid after reading the post, I closed my computer, went back and logged into Amazon with no problem. Then I changed my password to a really, really long one.

  3. Recently, when reading reviews on an Amazon product page, I noticed that a seller (or someone purporting to be a seller) asked a disgruntled buyer to contact him via a non-Amazon email address. I thought that looked like a good way to get scammed.

  4. “The fraud stems largely from email and password credentials stolen from previously hacked accounts and then sold on what’s dubbed the dark web,”

    This sounds to me like sellers were reusing the same password on multiple sites. That is just a terrible practice. I too endorse LastPass. I’ll take it a step further and recommend enabling multifactor authentication (a number generator on your phone) for logging into LastPass. That way even if a keylogger steals your master password, they _still_ won’t be able to unlock your password vault.

  5. I can’t remember random strings of letters and numbers and don’t use a password safe. I changed my Amazon password to a 19-character phrase and number set that I can remember easily. Something like MerylIsTehAwesome20171!1 (Not my real password anywhere, nor will it ever be, just an example.)

    I mean, if you’re Charlie Brown you could have “MyDogIsSnoopy” and add a string of meaningful numbers (NOT your birth year or something like it) and make life hard for the hackers.

  6. And as with the ebook scams, jumping too fast could cause Amazon to close accounts the scammers then start claiming are scams. (If you go back on these very pages you’ll find demands that Amazon ‘do something NOW’ about the scams — and then a writer that was very upset because ‘they’ got treated like they wanted the scammers treated. So I for one prefer that Amazon check carefully before closing rather than closing first and then asking questions.)

    And PG, while a strong password is good, not checking (signing into) your account through any questionable connections (free wi-fi hotspots) is better. (I don’t know how many times I’ve had to tell friends to reset/change their email passwords because they’d checked their email while waiting for their flight and someone grabbed it to spam their mailing lists.)

    • I hate to argue with you Anonymous, but your advice is flawed. You are correct that unencrypted data on public Wi-Fi is exposed to any script kiddie who can download Wireshark, Firesheep, or any of a score of other hacking tools. However, no engineer who can find the restroom has transmitted a clear password in this decade, maybe not this century. It still happens, but it is rare. When the transmission is encrypted, extracting the password is hard. NSA can probably do it, but not ordinary hackers.

      Even if you only use a secure network, strong passwords are important. A long (12+ characters) password that is not something obvious, like your name or 12345678901112, is probably good. Hackers have gotten much better at cracking passwords in the last few years because the hardware has gotten so much better. Long passwords kill them.

      And for heaven’s sake, don’t use the same password on several sites. Some of the nastiest hacks of the last few years have been due to duplicate passwords.

      I will double down on PG’s plug for LastPass. They were recently caught with a severe vulnerability. I was bowled over by the speed and transparency of their response. They convinced me that they have the security of their users at heart. A password manager like LastPass makes it relatively easy to manage unique and strong passwords. They are not the only good product out there, but they impress me.

      By all means, be careful on public Wi-Fi. Get a VPN if you are stuck with public Wi-Fi. (But be careful, all VPNs are not honest.) Also be careful about opening attachments on flaky emails and click bait. Disable JavaScript in your browser (you’ll hate it) or use NoScript (you’ll hate it less, but it’s still a pain).

      The most important advice I have: if you are not using an account, close it. If you are not using an app, uninstall it. Stuff that just sits unused on the network is a hacker’s playground. Think about that abandoned house that turns into a meth lab.

      • A note on cracking passwords.

        There are a few ways to ‘hack’ someone’s account.

        1. From the outside, by guessing passwords.

        In this case, the length of the password doesn’t really matter much; what matters is how many failed passwords can be entered before the account gets locked. A low-and-slow attack (guess a few passwords a day across lots of accounts) will eventually find some, but avoiding common passwords and passwords that you use on other sites (that may be compromised) is of far more value than a very long password.

        This then forces people to go through the ‘lost password’ authentication (and if you use real answers to those questions, you are at the mercy of anyone who can look up your Facebook page and learn the answers to these questions).

        If token authentication is available, you should use it.

        2. From the inside, after getting a copy of a dump of password hashes.

        This is where the processing power of the attacker matters, and where longer passwords are significantly harder to attack than short or medium length passwords.

        The reality is that this really isn’t a common attack.

        3. From the client, getting malware on your computer/in your browser and recording when you type your password (or getting you to use someone else’s system that is set up to record this). Getting people to enter their passwords into fake sites is another variation of this.

        This is actually the most common way for people’s accounts to be ‘hacked’, and the website being ‘hacked’ can’t really do a lot to prevent this. Amazon does “I don’t recognize your computer, answer a security question”, but that’s vulnerable to the ‘Facebook’ attack I describe above.

        There are lots of discussions among security professionals on the topic of passwords, and there is a growing recognition that the old ‘standard password policies’ just do not work. Forcing someone to have a long password and change it frequently just doesn’t provide a real benefit, and in many cases ends up with people using very weak passwords (a common, short password with a number at the end that changes each time), and making routine use of the ‘forgotten password’ mechanism is a significant security weakness.

        • I agree on most of these points.

          However, I think that method 2, getting an inside dump of password hashes, is common enough to be a danger. Sites, Yahoo for example, get broken into using some social engineering scam (bogus attachment, phishing, etc.) with fair frequency in the news and probably more often in reality. The stolen list goes to a cyber chop-shop that applies the kind of processing power we used to associate with nuclear test analysis to crack the “easy” ones. Then, the harvest of passwords is sold on the dark web for a few bucks apiece to script kiddies. If you have an easy password stored on a hacked site and use it for other accounts, you are wide open.

          The consensus on password policies is certainly changing. NIST and NSA have reconsidered their policy on frequent changes. My only comment there is passwords typed frequently in public places should be changed frequently if you think somebody could watch over your shoulder. Also, some Bluetooth keyboards are subject to snooping by anyone within 30 feet with the right equipment. Long unique passwords are a strain on memories and paper management systems. That’s why I recommend password management systems.

          I also agree about password reset mechanisms – they are appallingly weak in many cases.

          A tip for long passwords if you don’t use a password manager: think up a phrase and then google it. If it gets no matches, it is highly unlikely to show up in some hacker’s list of easy passwords. Those lists have gotten very long and include stuff like phrases from popular songs with the “s”s replaced with “$”s, etc.

          • my feeling is that if someone is in the system enough to get a dump of the password hashes, they are in the system enough to not need passwords. :-/
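The thread above separates online guessing (bounded by the lockout policy, not by password length) from offline cracking of a stolen hash dump (bounded by attacker speed and password length), and one reply notes that the low-and-slow guess across many accounts slips under a per-account lockout. The block below is an added example, not code from the post or any commenter, that puts numbers on each point: a per-account lockout, a detector that counts distinct accounts per source so the spray is still visible, and an expected-time calculation for a uniformly random password against a fast hash versus a slow, salted KDF. The log lines, guess rates, lockout threshold and scrypt parameters are constructed assumptions for illustration; real cracking rates depend on hardware and on how the site hashed its passwords.

```python
"""Added example, not from the post or its commenters. Log lines, guess rates,
the lockout threshold and the KDF parameters are constructed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict

# --- 1. Online guessing: consecutive failures per account, then lock ---
LOCKOUT_THRESHOLD = 5  # assumed policy: five consecutive failures lock the account


class LoginGate:
    """Tracks consecutive failed logins per account and refuses once locked."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account, password_ok):
        """Return 'ok', 'fail' or 'locked' for one login attempt."""
        if account in self.locked:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "fail"


# --- 2. Low-and-slow spraying: one guess per account, many accounts, one source ---
# Constructed log lines in the form "<source_ip> <account> <result>"
SAMPLE_LOG = """\
203.0.113.7 alice fail
203.0.113.7 bob fail
203.0.113.7 carol fail
203.0.113.7 dave fail
203.0.113.7 erin fail
203.0.113.7 frank fail
198.51.100.2 alice fail
198.51.100.2 alice fail
198.51.100.2 alice ok
"""


def parse_log(log_text):
    for line in log_text.splitlines():
        src, account, result = line.split()
        yield src, account, result == "ok"


def locked_accounts_after(log_text):
    """Replay the log through the per-account lockout; the spray locks nobody."""
    gate = LoginGate()
    for _, account, ok in parse_log(log_text):
        gate.attempt(account, ok)
    return sorted(gate.locked)


def spray_sources(log_text, min_accounts=5):
    """Sources whose failed logins touch at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for src, account, ok in parse_log(log_text):
        if not ok:
            failed[src].add(account)
    return sorted(src for src, accts in failed.items() if len(accts) >= min_accounts)


# --- 3. Offline cracking of a stolen hash dump: keyspace times per-guess cost ---
# Constructed guess rates: a fast unsalted hash on a GPU rig versus a slow,
# memory-hard KDF. Real numbers depend on hardware and KDF parameters.
FAST_HASH_RATE = 1e10
SLOW_KDF_RATE = 1e4


def keyspace(alphabet_size, length):
    return alphabet_size ** length


def average_crack_seconds(alphabet_size, length, guesses_per_second):
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed parameters; about 16 MiB per guess


def hash_password(password, salt=None):
    """Per-user random salt plus scrypt, stored as salt || digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("locked by per-account lockout:", locked_accounts_after(SAMPLE_LOG))
    print("spraying sources:", spray_sources(SAMPLE_LOG))
    for length in (8, 12):
        for label, rate in (("fast hash", FAST_HASH_RATE), ("slow KDF", SLOW_KDF_RATE)):
            days = average_crack_seconds(26, length, rate) / 86400
            print(f"{length} lowercase letters, {label}: {days:,.1f} days on average")
```

With these constructed rates, eight random lowercase letters fall in about ten seconds against a fast hash but take roughly four months against the slow KDF, and twelve letters move the fast-hash case to nearly two months; the per-user salt matters separately, because without it one pass over a wordlist cracks every account that chose the same password at once. The spray source never trips the lockout because each account sees a single failure, which is why the detector keys on distinct accounts per source rather than on failures per account.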
