Yesterday I happened to check my Amazon orders in process and discovered, to my horror, that someone had placed an order on our account and that the item was ‘preparing for shipment.’
While it was ‘only’ a $140 computer gaming mouse, and I happened to catch it ‘in time,’ this event brought up several issues I have (and have raised with Amazon customer service repeatedly) with their fiduciary responsibility to their customers.
I have purchased, literally, tens of thousands of dollars worth of goods on Amazon over the years. Usually this process has gone well and there are any number of good things I could say about their product selection and ordering process.
I have also usually found their customer service to be superb – highly responsive and extremely efficient at solving even the smallest problem.
So it is with some discomfort that I bring forward the true nature of my complaint.
Simply put, there is NO excuse for the irresponsible manner in which Amazon’s back-end order processing system STORES users’ credit cards. Not only does it store them – but it does so entirely without the express permission of the customer. I’m NOT talking about some fine print legal runaround wherein Amazon can probably correctly claim that we – the customers – gave them some blanket permission to do whatever they want with our credit cards and store them. I’m talking about the fact – in the glaring light of day – that this company stores every credit card you ever put in their system and does so without asking the customer.
In an age of hacking, identity theft, and egregious breaches of e-commerce and other sites with critical personal and private information this is UNACCEPTABLE. It is an unacceptable risk policy and it is made even more so by the fact that it is done surreptitiously.
Which leads me to my next point.
I notified Amazon customer service of the breach of my account and the associated fraudulent order. Their response?????
They notified me that they (after I notified THEM) had noticed account activity that appeared to be a breach of my account and they were changing my password to a temporary password and blah blah blah.
ARE THEY SERIOUS?
I notified THEM.
I had already changed my username/email, my password, and deleted all vestiges of stored credit cards (6 of them).
THEY did NOTHING. Except make me have to change my password again. I had already deleted the as yet unshipped order. Or cancelled it or whatever. Fortunately it had not shipped yet – to some guy in Kansas or whatever.
All of this speaks to a shoddy system. I’m a cybersecurity student. I knew that some day this would happen. Amazon claims that it has nothing to do with stored credit cards but I ask you – how exactly would this person have been ABLE to place – successfully – an order using our account if it were NOT for the fact that there were stored credit cards???????
The answer? IT’S IMPOSSIBLE. No matter what Amazon customer service says. No credit card… NO ORDER.
It stores the WHOLE THING – and doesn’t even ask for a CCV. If you have one click ordering – it’s another DISASTER.
My family has gotten so used to using our Amazon Prime account – partially because it is SO EASY to buy things without even giving it a second thought. Click and buy.
Great if it is authorized purchases. NOT GREAT if it’s some hacker in Kansas.
YOU DECIDE if they are playing with our money for the sake of ease of ordering – which serves THEM most of all because it ramps up their profits BIG TIME. Easier and easier ordering is inversely correlated with privacy and security.
It’s even WORSE because our ‘credit cards’ are actually debit cards and the money comes directly out of our bank account.
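The chain of events described above (stored card, one-click ordering, no CVV, fraudulent order) can be modelled in a few lines. The following is an added example written for this post, not code from Amazon or any real merchant; the checkout rules, the account fields and the "step-up" policy are all hypothetical. It shows the weak "any stored card plus any address equals an order" model beside one that keeps only a payment token and last four digits (never the full card number or CVV) and forces a CVV re-entry when an order would ship somewhere the account has never shipped before.

```python
"""Toy 'card on file' checkout: weak one-click model vs. a step-up model.

Assumptions (hypothetical; not a description of Amazon's real system):
  - the merchant stores only a processor token and the last four digits,
    never the full PAN and never the CVV (PCI DSS forbids storing the CVV);
  - an order shipping to a never-before-used address, or placed from a
    session older than a threshold, must re-enter the CVV first.
"""
from dataclasses import dataclass, field


@dataclass
class StoredCard:
    token: str   # opaque processor token that stands in for the card number
    last4: str   # only the last four digits are kept for display


@dataclass
class Account:
    cards: dict = field(default_factory=dict)          # token -> StoredCard
    known_addresses: set = field(default_factory=set)  # addresses used before


@dataclass
class Order:
    card_token: str
    ship_to: str
    cvv_entered: bool = False   # did the buyer re-type the CVV this time?
    session_age_days: int = 0   # how old the login session is


class OneClickCheckout:
    """Weak model: a stored card and any address is enough to place an order."""

    def place(self, account: Account, order: Order) -> str:
        if order.card_token not in account.cards:
            return "rejected: unknown card"
        return "placed"


class StepUpCheckout:
    """Hardened model: new ship-to address or stale session requires the CVV."""

    def __init__(self, max_session_age_days: int = 30):
        self.max_session_age_days = max_session_age_days

    def place(self, account: Account, order: Order) -> str:
        if order.card_token not in account.cards:
            return "rejected: unknown card"
        risky = (order.ship_to not in account.known_addresses
                 or order.session_age_days > self.max_session_age_days)
        if risky and not order.cvv_entered:
            last4 = account.cards[order.card_token].last4
            return f"step-up required: enter CVV for card ending {last4}"
        if risky:
            # Only remember the address once the CVV check has passed.
            account.known_addresses.add(order.ship_to)
        return "placed"


def demo_account() -> Account:
    """Constructed sample account: one stored card, one known address."""
    acct = Account()
    acct.cards["tok_demo_1"] = StoredCard(token="tok_demo_1", last4="4242")
    acct.known_addresses.add("home address")
    return acct


def run_scenarios() -> dict:
    """Same hijacked-session order, run through both checkout models."""
    hijacked = Order(card_token="tok_demo_1", ship_to="unknown address, Kansas")
    results = {
        "one_click": OneClickCheckout().place(demo_account(), hijacked),
        "step_up_no_cvv": StepUpCheckout().place(demo_account(), hijacked),
        "step_up_with_cvv": StepUpCheckout().place(
            demo_account(),
            Order("tok_demo_1", "unknown address, Kansas", cvv_entered=True)),
        "step_up_known_address": StepUpCheckout().place(
            demo_account(), Order("tok_demo_1", "home address")),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>22}: {outcome}")
```

The point of the comparison is that the step-up model does not need the full card number at all: the processor token is enough to charge a known card to a known address, and the one thing the merchant never keeps (the CVV) is exactly what a hijacked session cannot supply for a new shipping address.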
I’m going to post this on my two blogs as well – personal and cybersecurity.
By the way – Amazon also tried to pin this on us – saying that we should avoid clicking through in emails (spoofed obviously) that ask us for account information.
Gee. I think that I have enough functioning and firing neurons to have figured that out and so did my family – like 10 years ago.
Who are they kidding?
I’m looking at this experiment as a learning tool for my current studies in cyber/info security.
I’m also looking at it from the perspective of the potential benefit (or lack thereof) that I may derive in terms of greater (perhaps future) privacy (what good is a site called “A Little BIT Safer” if not for this?).
I started by changing my email address. I know that NO unencrypted email is safe, regardless of address – but using a non-Gmail address gives me more control, and is one step on the way towards extracting myself from the Google product labyrinth.
I spent several HOURS attempting to eliminate all current connections and product links to that old address on the Google site. Everything – even location information. Where necessary, I put in ‘incorrect’ information – if a form field required it.
I do not think I completed the tasks – but I did spend at least 4 hours eliminating whatever stored details that I COULD control.
I could have probably taken a simpler route (who knows if it works) and simply deactivated or closed my entire Google account. I was not prepared to do this since I am still working on saving my emails locally using Thunderbird.
This will be INCOMPLETE at best, and it certainly has (from what I’ve learned thus far) little or even NO effect on ‘history.’ I entered into this experiment fully aware of that. There is nothing that I currently know how to do (maybe some day) that can change that.
Once I have taken care of what I CAN control vis-à-vis Google and the other social media sites, I can use my LastPass Vault to access the dozens of sites that I log into and change their login credentials to suit my needs. That is one good thing about having gotten comfortable using LastPass. I don’t have to remember all of the places I actually use since they’re all collected in the Vault.
Other tools I am using or planning to use/experiment with (I know… yawn… many have been around for ages – all are free):
1. I use Comodo’s IceDragon (a modified version of Firefox) – it is excellent.
2. I use Thunderbird for my email client – and I use a digital certificate to digitally sign my emails (but I need a new one for my new non-Gmail address).
3. I am using DuckDuckGo (see vid below) for my search engine – I like their explanation of how they work.
4. I use SpiderOak for cloud storage (because of their zero-knowledge policies)
5. I use 3 layers of anti-malware/antivirus: Comodo Internet Security 2012 Pro (free for me :-), Malwarebytes Anti-Malware, and Spybot Search & Destroy – all resident in the system tray and all tailored for max. benefit w/o too many false positives.
6. I also use a bunch of other utilities like Glary and CCleaner and Speccy. You can get a lot of great, crap-free (no extra junk) stuff from a site they taught us about in school called Ninite.com. I HIGHLY recommend it. The ‘installer’ is COMPLETELY free of extra junk. Just the program. Also, if you already have a version of a program that is ‘newer’ than Ninite has, it will know just to ‘skip’ it and tells you that it did so. You can’t go wrong. They certainly do not have everything – as you can see from what I use – but it’s a good starting point. It’s good for Windows and Apple and Linux I think.
U.S. Inquiry of Google Is Expected to Press On
Google must submit a plan in January to change its practices to avoid a fine or finding of wrongdoing, Europe’s top antitrust enforcer said.
I think that the real issue isn’t going to be these ‘revelations’ and court cases – but the issue of how we can all learn what we can and maybe ‘should’ do to protect ourselves to the best of our abilities.
I have nothing personally against Google or Facebook. They’re companies and they make a lot of good products that billions of people like. They are just corporate entities though – and if history teaches us anything it’s that 99.9% of corporate entities do not act in our personal realm of ethics and morals – or at least they don’t until they get caught or forced to do so. It’s why we have regulations and laws that go along with capitalism, obviously. We all know that the game (usually) is to maximize profitability and shareholder value. It’s kind of absurd to argue otherwise.
I started this blog because I wanted to educate myself (and others) regarding things like the safest means of using email, learning where and how my data is stored online, and perhaps continuing to investigate and understand what my digital fingerprints have touched, and if there is anything I can do about it.
I don’t know why it takes these governmental investigative agencies so long to act.
I suspect that for a lot of people the fingerprints are permanently etched and what can be ‘done’ is less than many people (including myself) would like to do in terms of clean-up.
I do want to give people a sense that there is HOPE though – with proper training and (hopefully) simple enough tools.
I do know that many hundreds of writers, bloggers, podcasts, security specialists, and countless end-users have been stating the ‘obvious’ long before I came along.
I’m just trying to figure out what to do about it.
Hopefully as I gain the cybersecurity education (formally) and mix it in with my life/work experience I will be able to help myself and others do what ‘can’ be done.
Maybe even help a bit in training newer users regarding how to (like my tagline) ‘navigate the digital(mines) and play IT Safe(er).’
This seems like a pretty simple question. But I know that I probably could NOT answer it with any degree of certainty…. which is kind of scary.
If you had to list all (or even 90%) of the Websites that have your credit card information stored on their sites…. COULD YOU?
Did you even know that some of these sites do this without even telling you that they do so?
The one that I use – without naming names – is one of the biggest in the world and certainly does this. There may be something buried in the fine print.
I do KNOW that in order to make a purchase using a credit/debit/whatever card I have to enter it and it gets auto-stored (as I call it).
There is NO option for this NOT to happen. NONE.
After the purchase is complete then I have to go back in every, single time and manually delete the card it just stored.
Me no like that. I asked them about it and I just got the runaround – about how safe it was and so forth. I want the option (wouldn’t we ALL????) to have this NOT be the case?
Am I alone in this? Did you take a look at the list of data breaches on privacyrights.org ?
Another related question:
If you had to list all of the so-called ‘cloud storage’ sites that you either use or have used (which usually means they still have your info) – COULD YOU?
I know I had a hard time with this one too: Mozy, Dropbox, SkyDrive, Google Drive, CX.com, Sugarsync, SpiderOak – and do you actually know WHAT is on each of them? Oh, and let’s not forget about some of the ‘sync’ programs like Crashplan, the one I had to spend hours and 20 emails on to get my account deleted. Do I even know if it is really done?
This is something to think about. Just these things – the stored credit cards and the offsite/cloud-storage/data-synch/whatever name they go by companies.
It certainly is for me.
I want a program that I can use that tells me where everything is stored so I can go and see if I think it’s safe there. There ARE ‘safe enough’ places for certain kinds of data – and then there are places where nothing is probably entirely safe. I like SpiderOak because of its security policy. But I have a LOT of work to do regarding the credit cards and other GB of stored data.
Consumers, small business people, and just about anybody with an interest in learning what’s really going on can benefit from two sites I have recently started to use much more frequently to try to understand some of the basics of what people ACTUALLY face every day (and it applies to online and offline transactions and things you would not necessarily even think about).
As a cybersecurity student and blogger, I have, of course, had to face the avalanche of daily information from such diverse sources as blogs, podcasts, e-zines, mainstream media, LinkedIn groups, other social media sites, and on and on when it comes to trying to filter and understand the who/what/when/where/how and why of information security.
Two sites that are extremely well known and are not news to any of those experienced people – but are pretty new to me:
Privacyrights.org – Privacy Rights Clearinghouse: Empowering Consumers, Protecting Privacy
EFF.org – Electronic Frontier Foundation: Defending Your Rights In The Digital World
There is lots of really straightforward, practical advice on how to begin to protect yourself.
The list of data breaches that privacyrights.org has collected since 2005 (something over 605,000,000+) was enough to scare me silly 🙂
This seems like a good approach – It is targeted towards 6th-8th graders. I do wish there were similar ‘games’ for high-school aged kids as well. There may be… if you know of any that are like this let me know. This is a joint effort between the Army and the National Science Center.
Security Awareness without making it overly complex, intimidating, and filled with jargon. It seems like an approach that could actually work for all age groups if done in a clever manner. The feedback I get from adults is that it is absolutely overwhelming to try to learn all of the things that they ‘need’ to learn to be safe and have a modicum of privacy.
I can relate to that. It may be that as generations move on it will become second nature and the tools will be much more user-friendly – or even transparent and require no user knowledge. I understand that that is how technology usually works. BUT – what about the hundreds of millions of people right now, who are too busy and stressed and on information overload to try to absorb yet another body of knowledge?
I know people might respond that we can, perhaps, incrementally train each other – but from what I understand, even the ground-rules keep changing… one day you hear that you should always use sites with HTTPS and not HTTP for transactional/personal ID stuff… and then you (or I) read that even that isn’t entirely true or safe – my own textbook states that these HTTPS sites can be spoofed as well.
And… from what I understand, even though something like HTTPS has been around for quite a LONG time, many people aren’t even AWARE of its existence or use (or LACK thereof – which is what ‘matters’).
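To make the textbook’s point concrete: what the HTTPS padlock actually verifies is that the certificate presented matches the hostname in the address bar, not that the hostname is the site you meant to visit. A lookalike domain with its own perfectly valid certificate still gets the padlock, which is one sense in which an HTTPS site can be ‘spoofed.’ The following is an added example written for this post (not code from any browser or library); the URLs and certificate names are constructed sample data, and the ‘registrable domain’ helper is a deliberate simplification (a real one uses the Public Suffix List).

```python
"""What an HTTPS certificate check does and does not tell you.

Constructed sample data; simplified RFC 6125 hostname matching.
"""
from urllib.parse import urlsplit


def is_https(url: str) -> bool:
    """True when the URL's scheme is https (transport is encrypted)."""
    return urlsplit(url).scheme.lower() == "https"


def name_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name (possibly '*.example.com') cover hostname?

    Simplified RFC 6125 rules: exact match, or a single leading wildcard
    label that matches exactly one label. '*.com' style patterns and
    matches across dots are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:               # refuse '*.com'
        return False
    if len(p_labels) != len(h_labels):  # wildcard covers one label only
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def registrable_domain(hostname: str) -> str:
    """Toy 'which site is this really?' helper: the last two labels.

    Assumption for the example only; real code consults the Public Suffix
    List so that names like 'example.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(url: str, cert_names: list, expected_domain: str) -> dict:
    """Separate the three questions the padlock tends to blur together."""
    host = urlsplit(url).hostname or ""
    encrypted = is_https(url)
    cert_ok = encrypted and any(name_matches(n, host) for n in cert_names)
    return {
        "host": host,
        "https": encrypted,                      # is the channel encrypted?
        "cert_matches_host": cert_ok,            # does the cert fit this host?
        "is_expected_site": registrable_domain(host) == expected_domain,
    }


# Constructed scenarios: (url, names in the certificate's SAN, site intended)
SAMPLES = {
    "plain_http": ("http://shop.example.com/checkout",
                   ["*.example.com"], "example.com"),
    "good_https": ("https://shop.example.com/checkout",
                   ["*.example.com"], "example.com"),
    "lookalike": ("https://example.com.login-verify.net/account",
                  ["example.com.login-verify.net"], "example.com"),
    "wrong_cert": ("https://shop.example.com/checkout",
                   ["*.other.net"], "example.com"),
}


def run_samples() -> dict:
    """Assess every constructed scenario; keyed by scenario name."""
    return {name: assess(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:>11}: {verdict}")
```

The ‘lookalike’ row is the interesting one: it is HTTPS, its certificate genuinely matches its hostname, and it is still not the site the user intended. That third column is the part a padlock cannot answer for you.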
I’m just speculating out loud – as a second semester cybersecurity student. I see that from my LinkedIn groups there are dozens, if not hundreds of articles on all of this – and in blogs – and in podcasts. It’s so overwhelming that even I don’t know how to filter it.
That’s the truth (or my truth at the moment).
Kleiner Perkins calls it “Re-Imagination” in the context of the changes that have been/are taking place in this arena.
Indeed, as some have suggested, the future might not have as many open Windows as you might think!
But who really knows? There are always unforeseen obstacles and circumstances that these companies and their products run into along the way that can temporarily or permanently derail them. For example, which of them will end up using Numenta’s (Jeff Hawkins) GROK before the other and to what end? (see my previous posts on this paradigm shift)
This is a great slideshow to flip through though.
(I want to thank my brother for providing me with the link to this material – he’s in the tech field and very up to date on trends/analysis)
I think that this is one of the pages that seemed to clearly indicate a major market change – a decline in Microsoft’s control and dominance – and perhaps (and I say this very cautiously) a decline or even ‘fall’ of Microsoft to whatever extent that is possible: