The courier one time password scam, enabled by Amazon

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,695 (4.48/day)
This is a particularly nasty scam, because it doesn't rely on tricking the gullible with social engineering tricks to pull off the scam, so it can happen to anyone right in front of their eyes and the victim is powerless to stop it. In this instance, it's Amazon enabling the scam through a flawed security procedure and then not caring.

All it needs is a dishonest courier to pull this one off. Upon delivery, they ask for the one time password issued by Amazon for a high value item, in this case an Apple MacBook. They claim that the password doesn't work, or there's a problem with their handheld terminal and refuse to hand over the item. A little later, they use the OTP to mark the item as delivered, when they've actually got it, instead. Amazon will then refuse a refund due to that delivered status. Question is, how did the courier know what was in the box to make the scam worth it? That's not explained in the article.

Clearly this is a flawed procedure that must be abandoned immediately and everyone who fell victim to it given a full refund, plus investigation of those dishonest couriers and dismissal from their jobs, along with a criminal record once found guilty in court.

In this case, it's particularly nasty, since it involved a mother grieving for her 11 year old son who recently passed away from a tumour. Like she needs this headache on top of everything else she's going through ffs. :rolleyes:

This reminds me that Uber Eats occasionally used an OTP when I had food delivered, but I never had a problem, presumably because a meal is hardly worth the courier's time to steal.

Thing is, an OTP is a very good way to stop a hacker logging into someone's computer account as it's a core part of two factor authentication (2FA). However, in this case, it's an app or website that's doing the verifying, so there's no human with an incentive to scam on the end of it. Clearly, Amazon hadn't thought this through when implementing their delivery version and then didn't care afterwards. The world's most customer centric company? Sure.

“I gave the OTP to my father while I spent the afternoon at the hospice and I duly received a text stating [the laptop] had been delivered.”

She discovered she had been left empty-handed when she returned to her parents’ house. “My father had handed over the OTP, at which point the driver said his handheld scanner wasn’t working and he would have to take the parcel back,” she said.

“It seems the driver then used the OTP to trigger the ‘delivered’ notification. My poor father is already distraught and this has just made him feel even more dreadful.”

Buchanan said Amazon refused to investigate when she complained.

 

Tiffany

Web Diva
Staff Member
Joined
13 Apr 2022
Messages
2,099 (2.86/day)
Thanks for tagging me on this scam. Very tragic for the mother and anyone else that has been scammed. I'll keep this in mind if I should ever see an OTP request on anything now.
 

Mars

Moderator
Staff Member
Joined
10 Jul 2021
Messages
520 (0.51/day)
As Tiffany said, same here, thanks for the warning!
The system is definitely flawed, as it is open to abuse: on one side, from dodgy couriers and on the other side, from dodgy customers.
Let's face it, 'customers' may very well try it on, just because they say they did not receive their order, does not mean that they are truthful.
The system obviously does not work, and should be updated, otherwise, it is worthless, as both couriers and customers can abuse it.
 

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
313 (0.31/day)
As pointed out anyone could fall for this, the remedy of course would be for some receipt to be issued saying why item could not be delivered but hindsight always makes one appear clever and sensible.

Geffers
 