Amazon Web Services has begun to send out emails threatening to close customer accounts unless they provide large amounts of personal data via fax.
The emails started going out on 20th May and were generated by Amazon reviewing the status of any account that originally was set up to do payments through AWS.
They tell customers that accounts are suspended while a review of their status is carried out and request a number of items of data in order to reinstate the accounts.
The data requested by Amazon includes:
- Complete residential address
- A copy of unexpired passport or other government issued identification (for example, driver’s license)
- Proof of address, such as your last utility bill (if the address on your passport or government issued identification is not current)
- The e-mail address that is registered to your Amazon Payments account
Customers are being told that they cannot email the data to Amazon but instead must fax it. If they don’t have a fax then they should available themselves of any free fax service they can find on the Internet.
The email was first highlighted by Richard Norman CISM CRISC CISA CGEIT, Director of Information Governance and Risk Management at British Council via a LinkedIn post. In a follow-up comment to the post, Norman provided a link to the final email in the chain from Amazon (published below).
Norman has since provided us with the email chain between himself and Amazon. Reading through the chain it shows that there is a complete lack of interest in providing a secure alternative to customer data. Instead, all they do is reiterate the option to use free Internet based fax services if he doesn’t own his own fax machine.
The Amazon email
From: Amazon.com [mailto:email@example.com]
Sent: 31 May 2015 15:00
To: (Customer – edited)
Subject: Your Amazon Web Services Account
Greetings from Amazon Web Services Account,
We are writing because we have not received the information we requested in our previous e-mails. If we do not receive this information within 2 days, your account may be closed.
To comply with applicable laws related to commercial transactions, we are conducting a review of your account. Within 2 days, please send this information to our secure fax at 1-800-887-0540:
– Complete residential address
– A copy of unexpired passport or other government issued identification (for example, driver’s license)
– Proof of address, such as your last utility bill (if the address on your passport or government issued identification is not current)
– The e-mail address that is registered to your Amazon Payments account
For security reasons, we are unable to accept these documents via e-mail. If you are not able to utilize a fax machine from home, work, a library or local copy center, please know there are many online based fax services available. Many of these websites provide their services free of charge. Please use your favorite search engine to locate a service that may work best for your needs. We will send an email confirmation once your fax has been received. Please allow 1 to 2 business days for us to process your fax and provide an account update.
Why is this an issue?
There are a number of issues at stake here.
- The email reads like something customers would expect to get from a phishing attack. As such it is possible that many customers will simply ignore it.
- Asking people to fax data to an unverifiable number not only makes no sense but should worry everyone who gets the email
- Suggesting that if customers no longer own a fax, they should “use your favorite search engine to locate a service that may work best for your needs”, ignores the potential for identity theft as there is no way of ensuring that data sent through such services is secure and protected.
The data set that Amazon are requesting is that which most stores will use in order to open a store credit card. It would also take very little effort to get the additional data to also apply for a credit card or even a bank account. This means that any half competent cyber criminal would be able to gain significant financial advantage once in possession of this data with the end user completely unaware as to how the data was leaked.
Amazon not allowing customers to contact them by phone or to email data is also a strange approach. Many customers would be able to reassure themselves of the validity of the request by having contact with Amazon customer services. They would also be assured that data would not end up in the wrong hands on the Internet.
It is also remarkable that even when Norman raises this whole issue of privacy, an unverifiable fax number and the risk of using free services via the Internet, the Amazon response was to simply ignore him and repeat its demands.
Like many service providers, Amazon regularly talks about its commitment to privacy and security. This email shows either a glaring lack of process or a complete breakdown between the data protection team and customers services.
What do Amazon and others have to say about this?
We spoke to security expert Simon Moores – Chair International ecrime congress who said: “This must be a joke? I might laugh at its naivety if it were not for the fact that whoever wrote this email, sent to Amazon Web Services customers, appears entirely uninformed of even the most basic information security practice, in a world ravaged by persistent and organised data theft.”
We also contacted Amazon in the UK to ask them for their response to this. At time of going to print they were unable to get a spokesperson to respond although we have given them the option of commenting on the article later.
To be fair to Amazon, they do make it clear in the emails received by Norman that they are required, by law, to verify customer data in order to allow commercial transactions to take place across their network. The problem is the way that they have chosen to go about it in this instance.