
I've had the exact same issue with Amazon. I had Prime. Suspected suspicious activity. It's been 6 months without resolution. I just created another account, but I've been calling in every day since. There is no escalation; I keep getting told the same thing: We have no power, we just submit the form to the Account Specialists. You should be called back in 24 hours. I've not once received a call back. My old account is still being used for fake reviews, while Amazon has completely locked the account out from being able to log in on any device. I can't log in. Whoever is in my account seems to have complete control through some other method, which would explain how they were able to access my old account, even though I have 2FA and mobile authentication. There is a vulnerability they are not talking about.


I'm so fucking pissed about this. I signed up for AWS with a personal Amazon.com shopping account. Enabled 2FA, lost the token. I can care less about the AWS account, but I can no longer change my password on the shopping account I've had for 10 years.


I bet that more accounts and data have been lost to 2FA than have ever been saved by 2FA.


Follow proper practice. Always register two keys.


FWIW this is why it's a good idea to have two MFA mechanisms. If you can afford it I recommend getting 2 hardware tokens, and storing them separately (you can leave one in your computer, hard to lose).


That's a great plan, but AWS notably doesn't support multiple hardware U2F devices.

They've been sitting on the ask for about 7 years.

https://forums.aws.amazon.com/thread.jspa?threadID=137055


Don't they have 2FA recovery codes?

This has become somewhat of a standard for 2FA in recent years.


Can you not manually set the two tokens to the same "seed"?


That works for TOTP 2FA on your phone. But most hardware tokens have an internal seed that's immutable.


Isn't that just the enterprise ones? I've been using personal hardware TOTP tokens[1][2] like this for years, where you can set the seed yourself using NFC.

[1] https://www.token2.com/shop/category/programmable-tokens

[2] https://www.protectimus.com/protectimus-slim-mini


The problem with TOTP is it's really just a second password. It e.g. doesn't protect you from phishing in the way that a YubiKey does.


I think they meant hardware in the sense of U2F tokens like YubiKeys, not TOTP-based ones.


Damn, that sucks. I use G Suite to SSO to AWS, though.


And there is zero support to help you fix the problem.


There is an MFA reset process that requires a notary and whatnot. Wouldn't be an issue for the average Joe, but since I've moved 3 times since signing up for AWS, I'm not sure which address they need and not even sure I can procure sufficient documents with those addresses on them.


I don't get this. You lost your MFA backup and you cannot prove who you are, and somehow this is Amazon's fault. What are you complaining about exactly?


I don't think he can't prove who he is. He is, after all, the same person. Rather, he can't verify to the service provider that he's the same individual that they have on file, despite being the same bag of flesh and bones he always was. And that is absolutely the service provider's fault.


Blaming him instead of Amazon would make sense if Amazon allowed you to have an MFA backup, or recovery codes.


I use Authy to back up my MFA codes; this works fine for Amazon.

When I switched providers and phone at the same time, I used my billing address as well as my CC to confirm my change in billing address.

Ensuring I can prove who I am is my responsibility.


You are responsible for ensuring your identity. Make sure you back up your 2FA codes.

You can try and shift the responsibility, but why would they be responsible for your shit?


It sounds like someone working for Amazon directly is abusing your account.