Last week, we spoke to an Amazon customer who was plagued for months by unauthorized purchases from their account. It appeared a fraudster's smart TV had been quietly linked to the victim's profile – a gizmo that was not visible in the usual account settings and could not be removed even by Amazon's own support team.
Yet the phantom telly could still place orders using the customer's bank cards even after the account password was changed and multi-factor authentication enabled.
If you thought that seemed to be a one-off, a weird technical glitch that led to one isolated case, you would be forgiven. Thanks to Register readers, though, we now know that is not the case. Criminals' use of invisible devices attached to people's Amazon accounts to go on unauthorized spending sprees with their victims' payment cards seems to be a fairly widespread problem.
The scam works like this: a crook somehow manages to get an Android device added to a mark's Amazon account, and it doesn't show up in the usual list of linked gadgets. This device is now authorized to quietly buy stuff online using the account's payment methods, and it's not obvious to either the customer or customer support what's going on.
Reg reader Jon d'Shade says that he experienced pretty much this earlier this year even though he had been careful with his account security.
"Several months back, I went through the same thing," he told us over the weekend. "A mysterious hack of my account with orders for several XBox 360 gift cards totaling $500.00.
"Now I've been involved in all aspects of IT since 1970, at all levels up to CIO. I don't reuse passwords on any site worth a damn (PasswordSafe since Bruce Schneier introduced it way back when), all long and all gibberous, and keep a close eye on HaveIBeenPwned.com."
d'Shade told us he was able to get Amazon to reverse the charges, and has changed all associated passwords. At first, he couldn't see any unexpected devices linked to his account in the main settings – but then he found two smart TVs, made by Samsung and Vizio, in an Amazon Prime page listing supposedly authorized devices.
"I checked my devices list. It reflects my two Fire tablets and my Firestick. It does not reflect the two smart TVs, one Samsung, the other Vizio," he said.
Other readers have noticed their Android devices fail to appear in the main account settings despite being otherwise logged into their accounts, presumably because these gizmos are non-Amazon gadgets and/or because they are hidden away in Amazon Prime settings.
"Hmm, just looked on my Amazon account. My LG TV isn't shown," noted one netizen. "Now I only use it for Prime viewing but it does offer to pay for films etc. so I'd expect it to be there. Worrying."
Reader Brian Adgey has had to deal with his mother's account suffering from mysterious charges via an unknown device.
"Just to give you some background, her account was hacked previously when somebody compromised her email account," Adgey told us.
"She did not have two-factor authentication enabled at the time, so this was the first thing we did on her Amazon account on that occasion, the theory being that if somebody compromised her email or guessed her password, they would hit the 2FA, and she would get a text with the code. On this occasion she didn’t get a text, but they did manage to make the purchase. Amazon appears clueless as to how it happened, and we both have been left very worried."
Amazon has yet to get back to The Register on repeated requests for comment, though our original tipster, Reddit user fidelisoris, told us they have heard from Amazon that there is an investigation underway.
In the meantime, some Reg comment posters have noted that those with Amazon Prime can see some of their non-Amazon devices showing up via the Prime Devices screen. This could be one way to check what non-Amazon devices are connected to your account. ®