Does Amazon US require email verification for account creation?

Discussion in 'Apple, Inc and Tech Industry' started by Makosuke, Feb 11, 2014.

  1. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #1
    I ask the question in the title because I just had an odd and rather disturbing, when you think of the privacy implications, thing happen.

    Out of the blue I got a couple of order confirmations from Amazon Japan for some oddball items shipped to someone I'd never heard of. The emails weren't sent to the email account that I use with my own Amazon account, so at first I thought spam. Then I went to Amazon.co.jp and did an account reset with that email address.

    Which worked. And gave me access to some random lady's mailing address, phone number, billing address, last four of her credit card, and the ability to one-click order random items for her without any further verification (I assume, based on the US Amazon, that if I were to try and ship something to a different address I'd need the CVC code off the card to confirm). Plus of course order history, which had already been emailed to me.

    When I contacted support, they basically said "We'll contact her to fix it, but this happens sometimes with new accounts."

    Since I didn't verify the email address (never even saw a "welcome to Amazon!" email), that would mean that they're allowing account creation and orders with completely unverified email addresses. So a simple typo could result in a random person getting a substantial amount of personal info about you, not to mention the ability to max out your credit card ordering Lord-knows-what (they stock hardcore porn, among other things) shipped to your door without warning.

    I didn't have a lot of faith in Amazon's security or scruples to begin with, but are they THAT screwed up across the board? Or just in Japan?
     
  2. pdjudd macrumors 601

    Joined:
    Jun 19, 2007
    Location:
    Plymouth, MN
    #2
    It could be that she changed her account to a new email address and made a mistake there - it’s possible I suppose. But in any case, there should have been verification.

    Maybe it was set up in another fashion - like over the phone.
     
  3. Makosuke thread starter macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #3
    Could have been, but that's even more reason to force a confirmation before attaching the account info to it, since the typo could have been on the Amazon rep's end, in which case the huge privacy breach would be 100% their fault.

    Seriously, I can think of no legitimate, or even excusable reason to let someone create an account with financial information using an email address without first confirming it as live and correct.
     
  4. pdjudd macrumors 601

    Joined:
    Jun 19, 2007
    Location:
    Plymouth, MN
    #4
    Well that might have been Amazon’s policy, but there is always a chance that someone on Amazon’s end didn’t follow the policy 100%.
     
  5. Jessica Lares macrumors G3

    Jessica Lares

    Joined:
    Oct 31, 2009
    Location:
    Near Dallas, Texas, USA
    #5
    They don't require verification. I changed my e-mail the other day and got the same message in both of my inboxes:

    A few years ago, someone signed up for Blockbuster Total Access using my e-mail address. I did the same thing, changed the password, logged in, and closed the account. I also went snooping around and saw some fishy things...

    There was my e-mail address, and then there was a billing address. However, the shipping address was totally different and in a different state even.

    That could have been the same situation over at Amazon, some scammer just using any e-mail address, someone's stolen credit card, and then getting whatever sent to them.
     
  6. Makosuke thread starter macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #6
    I could think of lots of scams where one would want to use a fake email address, or one that belonged to the person whom you were impersonating, but the particular case for me was definitely not a scam targeted at me, and seemed to be pretty clearly a legit account (with a bad email address)--the billing and shipping addresses matched, and the couple of items ordered were just winter toys.

    Regardless, either is disturbing, just for different reasons--a fake email address lets you generate accounts at will without even the flimsy trail of a throwaway email account, and a mistyped email hands your private info off to a 3rd party without any verification by you necessary. The latter is obviously much worse for the poor sap who mistyped their email.
     

Share This Page