Amazon multiple account weirdness

The other day, I logged in to Amazon and got as far as checking out, when I noticed that my address book only had very old addresses in it (from circa 2001/2002) and the order history stopped around the same time.  After thinking for a bit I realised that I’d accidentally used an old password that I don’t really use for anything important any more to log in, so I logged out and logged back in with the correct (newer) password and exactly the same email address.  Lo and behold, I got my up to date account information and recent order history.

Now, I don’t think I’m alone in expecting that when I create an account with a website, the email address or login id will be the primary key, and not the login and password combined.  So I was a bit surprised by this.

I sent Amazon a mail asking them how this could have happened, and asking them a couple of awkward questions like “What if I change the passwords on both accounts to be the same?” and “If I delete one account does it delete both?”.  They couldn’t really provide satisfactory answers to that and said I must have inadvertently created the second account (which is probably the case).

Discussing this with some colleagues at work, it became evident that this is the usual behaviour – you can create as many accounts as you like for the same email address, as long as the passwords are different.  Moreover, creating the account does not require the email address to be confirmed!  So this means anyone can create an account on Amazon with my email address.

Now, I don’t think this in itself is a massive security hole since the new account doesn’t have access to any privileged data, but at the very least someone malicious could try to do some nasty things.  For example, they could create a lot of accounts against a target email address with common passwords, and hope that the victim accidentally logs in with the wrong one and, not realising their mistake, re-enters their details and makes a purchase.  The user probably wouldn’t notice since the confirmation will get sent to their email address as expected.

I put these points to Amazon in a customer services enquiry, and for the most part I got the expected fob-off:

Please rest assured that Your Account is secure.

In the event of Malicious creating accounts with obvious passwords in the hope that someone will accidentally type the wrong one and enter their credit card details into an account, Our secure server software encrypts all your personal information including credit or debit card number, name and address. The encryption process takes the characters you enter and converts them into bits of code that are then securely transmitted over the Internet.

Secondly, An attacker registering many passwords against the email address of a victim, even if the attacker was to get access to the customer’s account, Please know that if someone was able to log in to your account, they would still not have access to your payment card details, as they are not displayed anywhere on the site.

None of the customers who have shopped at Amazon.co.uk have reported fraudulent use of a payment card as a result of purchases made with us. In fact, we are so confident about the transaction security we offer on our site that we back every purchase with a security guarantee.

Well, I’m glad that I’ve got all those ‘bits of code’ protecting me!  Unfortunately, they’ll be protecting the attacker too… They do make the valid point that you can’t extract credit card details even if you can log into an account, but you can still make purchases and read or change addresses.

I have seen posts on the web saying that the reason for this functionality is so that people sharing the same email address can have their own accounts.  This might have been an issue in the early days of online shopping, but now in the days of widely available free email accounts, I don’t think this is necessary.  Even then, why not have an email verification step when creating a new account?  I don’t think this would be a barrier for people signing up.
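The design argued for above, as an added example (not Amazon's code and not part of the original post): the email address alone is the primary key, and an account only becomes usable once a token mailed to that address is presented. The schema and the function names `register`, `confirm` and `login` are hypothetical, and an in-memory SQLite table stands in for the account store.

```python
import hashlib
import hmac
import secrets
import sqlite3

def open_store():
    db = sqlite3.connect(":memory:")
    # email is the sole key: a second row for the same address cannot exist
    db.execute("""CREATE TABLE accounts (
        email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,
        token_hash BLOB, verified INTEGER NOT NULL DEFAULT 0)""")
    return db

def _norm(email):
    return email.strip().lower()

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(db, email, password):
    """Return a confirmation token to e-mail, or None if a verified account exists."""
    email, salt, token = _norm(email), secrets.token_bytes(16), secrets.token_urlsafe(32)
    with db:
        row = db.execute("SELECT verified FROM accounts WHERE email=?", (email,)).fetchone()
        if row and row[0]:
            return None
        # An unconfirmed row (possibly created by someone else) is overwritten,
        # so nobody can hold an address they do not control.
        db.execute("INSERT OR REPLACE INTO accounts VALUES (?,?,?,?,0)",
                   (email, salt, _pw_hash(password, salt),
                    hashlib.sha256(token.encode()).digest()))
    return token

def confirm(db, email, token):
    """Activate the account only if the token mailed to the address is presented."""
    email = _norm(email)
    row = db.execute("SELECT token_hash FROM accounts WHERE email=? AND verified=0",
                     (email,)).fetchone()
    digest = hashlib.sha256(token.encode()).digest()
    if row is None or not hmac.compare_digest(row[0], digest):
        return False
    with db:
        db.execute("UPDATE accounts SET verified=1, token_hash=NULL WHERE email=?", (email,))
    return True

def login(db, email, password):
    row = db.execute("SELECT salt, pw_hash, verified FROM accounts WHERE email=?",
                     (_norm(email),)).fetchone()
    if row is None:
        return False
    salt, pw_hash, verified = row
    return hmac.compare_digest(pw_hash, _pw_hash(password, salt)) and bool(verified)
```

With this layout a mistyped or old password can only fail; it can never land the user in a different account under the same address.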

It seems strange to me that such a well known web presence as Amazon would operate a confusing system like this; the disadvantages seem to far outweigh the advantages.  I’m sure security experts would say that the simpler a system is, the simpler it is to secure it.

Graham

11 comments so far

  1. Wezzo on

    I was searching the internet for info on this very phenomenon and came across this. My aunt has had the same problem, she couldn’t figure out why and I spent a good few hours trying to figure out what the issue was; in the end, she’d created two accounts with different passwords. Strange, very strange.

  2. immi on

    Same thing just happened to me. Terrible, terrible, terrible feature!! – can’t believe Amazon would implement this kind of idiotic functionality. I have no idea when or how I managed to create a duplicate account, and frankly I don’t give a crap – the email address should be the primary key. Period. Also, the noddy on the support line decided to close the duplicate account, which resulted in me not being able to access anything. Apparently they are unable to merge the accounts into one account – that would just make too much sense I guess ! I’m still in shock at the whole concept of multiple accounts under one email address identified by different passwords. I have exactly the same question as you – what happens if I change both the passwords to be the same? I’ll try it after I receive the item I’m currently waiting for.

  3. Brian O'Neill on

    I did not realize I had multiple accounts, but one day I logged in with a different password and cashed in a gift certificate. Then I noticed I did not have prime shipping or an order history. So I was stuck with this gift certificate on my non-prime shipping account. I would have called Amazon but I didn’t want to risk losing one of my accounts.

  4. confused on

    I’ve had this too, very weird! Anybody know what happens if you change both passwords to be the same?

  5. Mac on

    Last time I tried, Amazon will not let you change the password to be the same as another email/password combo. Maybe someone could determine your password by setting up an account and trying to change the password rather than attempting to log in as this may be less likely to be stopped by the security protocols.

  6. Operneanype on

    Seems like you are a true specialist. Did ya study about the matter? haha..

  7. Mike on

    I just ran into this same problem, but in my case I saw that over 10 passwords worked as long as they had approximately 4 or 5 base characters correct in the same sequence. For example:

    Password -original password
    PaSSword
    PaS$junky52
    etc

    These above examples, with different variations all worked with one e-mail account, and with one of them I was able to conduct an order. Now, to me this may indicate that perhaps someone has (already) discovered a password of mine and utilized it for multiple accounts, or that Amazon is just hellbent on getting all impulse-based sales.

    Why do I think the latter? I run an e-commerce website and I realize the utility and potential to make the checkout process as painless as possible, and one thing you realize is that realization to buy or not happens at the login screen – the more people who fail to remember their login information tend to bail out of the sale than those who don’t (that’s why many websites will utilize a “Guest” account during checkout).

    My biggest issue with Amazon’s feature, like you mentioned, is the lack of authentication, accountability, and verification. NO e-mail being sent to confirm an addition to an account? Count me out, Amazon! This is a direct violation of all the major tenets of Information Security! (And possibly PCI DSS industry regulations).

    The biggest problem in my case was that I could just make up a password and I got in, no matter how complex the password combination was. My guess is this is the case on many different Amazon accounts and I think it’s something that Amazon needs to work on immediately. Even if controls are put in place that prevent one from making an order, it’s much easier to collect various meta-information on the user that when combined with password type, characters, patterns, even their buying patterns in books can yield myriad information that could be used in a later social engineering attack, not to mention this also decreases the amount of time for a brute-force attack to be successful.

    Rule: One, and only one password.

  8. MRed on

    I encountered this issue this week. It is very strange, confusing, and useless feature from Amazon.
    Amazon doesn’t have a system to merge these accounts as immi pointed out.
    For a web only store such as Amazon this is unacceptable.

  9. Koby on

    I’ve been fighting with Amazon over the last couple years because of this very thing. The problem I have is that I have two accounts linked to the same email address – one I currently use all the time and one from long long ago. No matter how I try, I can’t remember or reset the password to the old account. I have emailed Amazon’s customer service and tried to get them to close out/delete the old account and basically, they won’t do it. The reason this whole thing is a problem is because both accounts have a wishlist associated with my name, so when people go to Amazon to see what I want, they will see the old account wishlist and the new one and depending on which one they pick, I’ve actually gotten things from my old wishlist (which I no longer want of course) as gifts! Unfortunately Amazon hasn’t been good about handling this type of situation.

    • Field on

      Not sure if anyone is still having problems. If you know your old password, sign in to the old account and you can change the email of the old account. Then close that account so you won’t have to wonder if both would be closed if they had the same email.

      If you don’t have another email, make one up. It’s not like you have to use that email.

      If you don’t have your old password… I’m sorry.

