By Charles Miller
The two most recent columns appearing here both dealt with some of the consequences of not using a cryptographically-secure password and/or forgetting what the password is. Right on cue an email arrived in my inbox triggering a chain of events that makes another perfect example of why password security is so important today.
My friend Jim emailed me saying today was his niece’s birthday so he wanted to buy her a US$250 gift card she could use on Amazon.com. For some reason Amazon.com was refusing to accept his credit card so he asked me if I could assist. Now I know that tricking unsuspecting victims into buying gift cards is a very common hacker’s tactic for committing petty larceny, but to my shame I was fooled in the beginning.
Jim asked me if I could buy the Amazon.com gift card and he would pay me back. I said, “sure.” I was not immediately suspicious about Jim not being able to buy the gift card himself because he could have been in the U.S., or in San Miguel, or even South America. When you access your Amazon account from a new location, that is a red flag and sometimes your account access will be blocked. I had recently been through that when I traveled. I logged on to my account and placed Jim’s order. That was foolish, but all appeared to be in order with Jim and I trust him. The Amazon.com website failed my purchase of the gift card, even though I had ordered some other items only days ago. I thought that was because a US$250 gift card was an unusual purchase for me, but in reality, it was another red flag. Amazon had recognized a scam was being perpetrated before I did.
I tried to call Jim but he did not pick up. That was not in and of itself suspicious because he could have been traveling. I emailed Jim back asking him to phone me so I could explain, but his answer was, “My phone’s not working right now. Try ordering again.” Another red flag!
Then later my phone rang with caller ID saying “Amazon.com.” Yet another red flag, because the last time Amazon called me the caller ID said, “206 922 0880” which really is Amazon’s number. Knowing that someone was spoofing the caller ID information to hide the real number, I proceeded cautiously. The caller wanted to verify my credit card number and now there were so many red flags waving in the breeze that anyone should see them. The caller with a Pakistani accent hung up on me, but not before I had spent 30 minutes tormenting him by repeatedly giving him credit card numbers with one wrong digit.
Now it was abundantly clear that Jim’s email had been hacked, and that it was not Jim with whom I had been exchanging emails. Shame on Jim for being careless and letting his email get hacked, but shame on me as well.
So what did I do wrong? Quite simply, I was not following the advice I have given many times to readers of this column. I was not suspicious enough soon enough. Kudos to the fraud prevention professionals at Amazon.com for recognizing the possibility of a scam before I did, and blocking my attempt to buy that gift card.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.