This is a particularly nasty scam, because it doesn't rely on tricking the gullible with social engineering tricks to pull off the scam, so it can happen to anyone right in front of their eyes and the victim is powerless to stop it. In this instance, it's Amazon enabling the scam through a flawed security procedure and then not caring.
All it needs is a dishonest courier to pull this one off. Upon delivery, they ask for the one time password issued by Amazon for a high value item, in this case an Apple MacBook. They claim that the password doesn't work, or there's a problem with their handheld terminal and refuse to hand over the item. A little later, they use the OTP to mark the item as delivered, when they've actually got it, instead. Amazon will then refuse a refund due to that delivered status. Question is, how did the courier know what was in the box to make the scam worth it? That's not explained in the article.
Clearly this is a flawed procedure that must be abandoned immediately and everyone who fell victim to it given a full refund, plus investigation of those dishonest couriers and dismissal from their jobs, along with a criminal record once found guilty in court.
In this case, it's particularly nasty, since it involved a mother grieving for her 11 year old son who recently passed away from a tumour. Like she needs this headache on top of everything else she's going through ffs.
This reminds me that Uber Eats occasionally used an OTP when I had food delivered, but I never had a problem, presumably because a meal is hardly worth the courier's time to steal.
Thing is, an OTP is a very good way to stop a hacker logging into someone's computer account as it's a core part of two-factor authentication (2FA). However, in this case, it's an app or website that's doing the verifying, so there's no human with an incentive to scam on the end of it. Clearly, Amazon hadn't thought this through when implementing their delivery version and then didn't care afterwards. The world's most customer-centric company? Sure.
www.theguardian.com
“I gave the OTP to my father while I spent the afternoon at the hospice and I duly received a text stating [the laptop] had been delivered.”
She discovered she had been left empty-handed when she returned to her parents’ house. “My father had handed over the OTP, at which point the driver said his handheld scanner wasn’t working and he would have to take the parcel back,” she said.
“It seems the driver then used the OTP to trigger the ‘delivered’ notification. My poor father is already distraught and this has just made him feel even more dreadful.”
Buchanan said Amazon refused to investigate when she complained.

Grieving mother falls victim to Amazon one-time password ‘scam’
Clare Buchanan left empty-handed after a MacBook Air from Amazon went missing in ‘known scam’