Ever toyed with the idea of selling stuff on Amazon’s Marketplace? Many people do, some offering new goods for sale as a full-time occupation while other use it to get rid of second-hand items such as books they have lying around.
Integrated into the Amazon steamroller, it’s a powerful retail concept that also earns Amazon commission, of course. But as a recent spate of account takeover attacks underline, opening a Marketplace third-party account for even the most modest level of sales carries risks people need to understand and plan for.
There is no room for complacency here. As some unfortunate sellers are discovering, if a hacker breaks into a Marketplace account, its legitimate owner can be left with a time-consuming heap of woe.
Marketplace attacks aren’t new, but their scale seems to have shifted up a gear recently, with The Wall Street Journal quoting a lawyer acting for a dozen clients who claim to have lost sums ranging from $15,000 to $100,000 to fraudsters.
Painfully, in some cases victim Marketplace sellers could see the frauds happening in real time via email alerts but could do nothing about it until after their accounts had been ripped off.
Ridiculously, there is a reliable defence against this kind of hacking but before we explain what that is, we’ll first describe how these attacks seem to have happened because that’s an important part of the story.
There appear to be two forms of attacks, the first targeting Marketplace accounts with significant turnover; the second attacking small ones that are dormant and whose owners might not be paying attention.
For larger accounts, the fraud involves breaking into them and then diverting funds to the criminal accounts by changing bank details. For occasional sellers, fraudsters list and take payment for non-existent goods, which the real account-holder is held accountable for when they don’t turn up.
Once fraudsters have control of an account, getting it back requires the owner to work through Amazon, a process that can take days. The company does say:
We withhold payment to sellers until we are confident that our customers have received the products and services they ordered.
In the case of goods fraud sold as a four-week delivery, that still leaves sellers holding the bill for undelivered items until the mess is sorted out.
How are fraudsters getting into accounts? In some cases, reportedly by re-using credentials breached from other sites, while in others some form of phishing attack is not out of the question.
The first defence, then, it not to re-use passwords across accounts, a form of behaviour called”‘credential stuffing”. Doing so on something as important as a Marketplace account is begging for trouble.
Next, turn on Amazon’s two-step verification system (something all Amazon users should do). This was launched for US users in 2015 but has only recently been turned on for UK users too under Login and Security Settings > Advanced Security Settings.
This sends a one-time SMS verification code to the user’s registered phone. Alternatively, for anyone worried about SMS reception, Amazon offers an authenticator app to generate the same. Marketplace users should also set up email notifications as this could give an early warning that an account is being misused. Arguably, two-step verification should be mandatory.
Never underestimate the risks these sorts of accounts (including eBay and PayPal) bring. Embrace Marketplace selling with eyes wide open.
5 comments on “Watch out for fraudsters attacking Amazon Marketplace accounts”
With the huge amount of malware for phones, is SMS even a reasonable verification. After all, I wouldn’t be surprised if that is where the breach started these days.
Two-step verification doesn’t work on Amazon. Or, doesn’t work properly.
You can only put one number in place. So, there’s no way to allow two people to use the account. They really need some kind of account profiles, so both spouses can use it independently.
Why not have two accounts? If two people use the same account then they can hardly be said to be using it “independently” 🙂
Having two active numbers would create problems – how would it know which device to send the code to? If it sent the code to both devices that might undermine security. There might also be contention issues.
You can at least set a backup number.
I agree with both you and Paul. It’s not a trivial problem to solve.
The best idea I have is to do it like Netflix does things: one master account, with many profiles under it. If Amazon (and other vendors) did this, then spouses and even kids could use 2FA. (And, it would allow children’s usage parental controls, as a side benefit.)