1. Get a friend's permission to "hack" into his Amazon account (or "hack your own account").
2. Contact Amazon's customer service, try the same social engineering techniques that the OP documented.
3. Once you obtain some sensitive information from the account, scare the CS rep by saying: "Haha! I am actually not the customer. I am a journalist/hacker/whatever and wanted to see how easy it was to social engineer information out of your customer service department, and you failed. I would like to talk to your manager please."
Hopefully if enough people do this, it will get some internal attention at Amazon.
I think there is already enough here to shame Amazon into action if it gets on a major newspaper. Something like "Hackers break into Amazon account and Amazon will not do anything." Perhaps the Washington Post would be a good newspaper with credibility.
This already happened to Mat Honan back in 2012, where the hacker used social engineering on both Amazon and Apple to take over his Twitter handle (oh, and also wiping all his devices via iCloud). http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
It looks like both Amazon and Apple have fixed _some_ issues since then - Amazon is no longer leaking last 4 digits, but instead they're still leaking other info. Apple now requires more information to reset accounts and to wipe devices.
Apple set up 2FA for certain actions (changing passwords, adding or removing devices from an account, etc); Amazon has yet to do anything related to 2FA for normal customer accounts.
The option is only (at the moment) available for Amazon.com accounts, but if you enable it there it will also be turned on for other domains, Amazon.co.uk etc.
Amazon hasn't given permission. I suspect they'd be quite unhappy. Having said that, I personally think they ought to expect it, and be responsible for whatever failings it discovers.
> Hopefully if enough people do this, it will get some internal attention at Amazon.
This is very smart, why has no one thought of this before? When people post it on Medium and share it on HN/Reddit it will not get enough internal attention at Amazon for sure. So let's do something totally stupid which could easily get us in trouble with the law enforcement to make a shitty point to Amazon so that they can notice something is wrong on their end.
There is no point in getting a friend involved. Just see how much sensitive data Amazon will give you without giving them any of your login credentials.