
Yesterday (September 29, 2010) I logged into my email account to find a message from Amazon.fr entirely written in French. First of all, I do not speak French. My high school offered two language options: Spanish and Latin. I took Latin, but even if the email was in Latin, that was many moons ago.
I did the responsible thing. I typed Amazon.com into my browser window, assuming the two sites were the same entity, and up popped my account since I’d logged on during the same browser session. I’m one of those types who rarely shuts down the computer.
There were no extra charges on my account, but I wanted to check to make sure my email address and password were all set, so I clicked on Account Settings. Lo and behold, Amazon asked me to input my password and supplied my email address, which was NOT mine. It was melalih10@gmail.com (and I have really NO problem publishing this email address).
I searched the email on Facebook and found this guy in Algeria: Melalih Djamal Bechar (Vivia Algeria) who graduated high school from Knight Belkacem (written in Arabic) in 2002 and works in a municipality office in Abadla Algeria. (I used Google Translate today in order to get these translations. I wish I had done this yesterday for the French email, but I’m coming to that). And then I created a Facebook group that could see no personal information and I friended the hacker. (screen shot after the jump, click to see full image)
I called Amazon, who put me on the phone with a lovely girl who told me that there were no charges on my account since I ordered season five of “It’s Always Sunny in Philadelphia” and a book by an obscure Egyptian author. Yes, both were me, all was good. The guy could not have seen my credit card number as it was encrypted. My password and email were reset. All was good, but I would monitor my credit card.
And then this morning I checked my email again. Another email in French, and I could see my parents’ address within the text of the email, and it finally dawned on me to use Google Translate.
The message basically told me that my order from Amazon France was going to my parents’ house. Also, because it had been shipped, the order could not be cancelled.
I called the bank and cancelled my card and disputed the charges and was complimented on how well I was handling the situation. What can I say? I’m taking Introduction to Information Security this semester.
Then I called Amazon again, a little peeved that these transactions that were dated the day before were on my account, but they didn’t appear on my Amazon.com account, just my newly created Amazon.fr account. This means that the lovely girl from the day before was not at fault. She was great. The structure of her institution, however, needs some work.
I first tried calling Amazon.fr using their fun tool where you input your phone number and they call you. This, by the way, is nearly impossible to find, as I had to Google search “Amazon Contact” and could not find the link from the actual Amazon page. This is a ridiculous usability issue that I’m sure stems from Amazon NOT wanting its customers to call them.
ALSO Amazon.fr does not provide the option for US customers to input their numbers to have them call you. So I called Amazon.com.
The CSR I talked to, who didn’t seem as competent as the original, informed me that he could not cancel or even view my Amazon.fr account as it was a completely separate entity from Amazon.com.

So let’s get this straight. A hacker can use my existing Amazon.com account to open an Amazon.fr account and change the email address and password on my Amazon.com account, yet when I try to alleviate the situation with Amazon.com, they can do NOTHING because they are a separate entity from Amazon.fr? I, the customer, am now supposed to call FRANCE on international charges, which I do not have in my cell phone plan, in order to cancel my Amazon.fr account that I never actually opened.
This is a fundamental flaw in Amazon’s structure that compromises the security of my information and every Amazon customer should be aware of this.
The only thing I can say is “You have got to be fucking kidding me.” Now I’m just sitting at home waiting to file a police report.

