Amazon multiple account weirdness
The other day, I logged in to Amazon and got as far as checking out, when I noticed that my address book only had very old addresses in it (from circa 2001/2002) and the order history stopped around the same time. After thinking for a bit I realised that I’d accidentally used an old password that I don’t really use for anything important any more to log in, so I logged out and logged back in with the correct (newer) password and exactly the same email address. Lo and behold, I got my up to date account information and recent order history.
Now, I don’t thinking I’m alone in expecting that when I create an account with a website, the email address or login id will be the primary key, and not the login and password combined. So I was a bit surprised by this.
I sent Amazon a mail asking them how this could have happened, and asking them a couple of awkward questions like “What if I change the passwords on both accounts to be the same?” and “If I delete one account does it delete both?”. They couldn’t really provide satisfactory answers to that and said I must have inadvertently created the second account (which is probably the case).
Discussing this with some colleagues at work, it became evident that this is the usual behaviour – you can create as many accounts as you like for the same email address, as long as the passwords are different. Moreover, creating the account does not require the email address to be confirmed! So this means anyone can create an account on Amazon with my email address.
Now, I don’t think this in itself is a massive security hole since the new account doesn’t have access to any privileged data, but at the very least someone malicious could try to do some nasty things. For example, they could create a lot of accounts against a target email address with common passwords, and hope that the victim accidentally logs in with the wrong one and, not realising their mistake, re-enters their details and makes a purchase. The user probably wouldn’t notice since the confirmation will get sent to their email address as expected.
I put these points to Amazon in a customer services enquiry, and for the most part I got the expected fob-off:
Please rest assured that Your Account is secure.
In the event of Malicious creating accounts with obvious passwords in the hope that someone will accidentally type the wrong one and enter their credit card details into an account,Our secure server software encrypts all your personal information including credit or debit card number, name and address. The encryption process takes the characters you enter and converts them into bits of code that are then securely transmitted over the Internet.
Secondly, An attacker registering many passwords against the email address of a victim, even if the attacker was to get access to the customer’s account,Please know that if someone was able to log in to your account, they would still not have access to your payment card details, as they are not displayed anywhere on the site.
None of the customers who have shopped at Amazon.co.uk have reported fraudulent use of a payment card as a result of purchases made with us. In fact, we are so confident about the transaction security we offer on our site that we back every purchase with a security guarantee.
Well, I’m glad that I’ve got all those ‘bits of code’ protecting me! Unfortunately, they’ll be protecting the attacker too… They do make the valid point that you can’t extract credit card details even if you can log into an account, but you can still make purchases and read or change addresses.
I have seen posts on the web saying that the reason for this functionality is so that people sharing the same email address can have their own accounts. This might have been an issue in the early days of online shopping, but now in the days of widely available free email accounts, I don’t think this is necessary. Even then, why not have an email verification step when creating a new account? I don’t think this would be a barrier for people signing up.
It seems strange to me that such a well known web presence as Amazon would operate a confusing system like this, the disadvantages seem to far outweigh the advantages. I’m sure security experts would say that the simpler a system is, the simpler it is to secure it.