Recently my Amazon account was hacked, which contained my stored American Express card number. Luckily, my American Express number was not hacked. Amazon claims that this did not happen internally (via a security lapse on their side), which I have no reason to question. However, Amazon should expect that user accounts will sometimes be hacked, and ideally, should have system policies in place to detect fraud prior to a loss. So with that in mind, I’ll explain what the hacker(s) actually did, and also discuss a couple of policies that Amazon (and other online retailers) could implement that would reduce the chances of this happening to anyone else.
In my case, the user that hacked my account did two things that I believe Amazon’s systems should have detected and evaluated. First, the user ordered instant gift cards; this is a common fraud sales item because the value is available immediately to a third party. Secondly, the user ordered those gift cards to be delivered to an unusual email domain (a nonsensical alphanumeric domain name).
In the past, we have worked with other retail clients that have these types of evaluations in place, so I am a little surprised that this passed through at Amazon. So how could Amazon avoid this? They should be looking for order patterns regarding both of the above situations. Here’s how the fraud detection would work:
1.) When a user places an order with either instant electronic gift cards or items electronically delivered to an unusual domain address (or both), Amazon’s checkout basket should prompt that the full credit card number and CVV (the 3- or 4-digit extra code on the card) be entered.
2.) If the user account was hacked, the shopper would not know this information and the fraud would be averted (and would have been averted in my case).
3.) If the user was valid (if it was actually me placing the order), the user would have that information. This would make the purchase process a little less convenient, but if I were programming the system, I would provide a pop-up explanation of something like ‘Because this is an instant delivery item and we would like to protect your account from unauthorized purchase, please re-enter your full credit card and CVV number…’. Then Amazon would get some customer service points while also averting fraud losses.
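The step-up rule described in the three steps above, as an added example that is not code from the original post or from Amazon: given an order, it decides whether checkout should demand the full card number and CVV before completing. The data classes, the small allow-list of mail domains, and the "looks like random alphanumerics" thresholds are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed allow-list of well-known consumer mail domains (assumption: a real
# deployment would use a far larger list plus domain-reputation data).
KNOWN_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}


@dataclass
class OrderLine:
    sku: str
    instant_delivery: bool                 # e-gift cards / digital goods delivered at once
    recipient_email: Optional[str] = None  # where an electronic item is sent


@dataclass
class Order:
    lines: List[OrderLine] = field(default_factory=list)


def is_unusual_domain(email: str) -> bool:
    """Heuristic: domain is not on the allow-list and its first label looks machine-generated
    (long, digit-heavy, or nearly vowel-free). Thresholds are assumptions."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_MAIL_DOMAINS:
        return False
    label = domain.split(".")[0]
    if len(label) < 8:
        return False
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return digits / len(label) > 0.3 or vowels / len(label) < 0.15


def step_up_reasons(order: Order) -> List[str]:
    """Return the signals that should trigger re-entry of full card number + CVV.
    An empty list means the order can proceed with the stored card as usual."""
    reasons = []
    if any(line.instant_delivery for line in order.lines):
        reasons.append("instant-delivery item in basket")
    for line in order.lines:
        if line.recipient_email and is_unusual_domain(line.recipient_email):
            reasons.append("electronic delivery to unusual domain: "
                           + line.recipient_email.rsplit("@", 1)[-1])
    return reasons


def requires_step_up(order: Order) -> bool:
    """True when checkout must prompt for the full card number and CVV."""
    return bool(step_up_reasons(order))
```

At checkout, a non-empty reason list is where the explanatory pop-up from step 3 would be shown; the account holder can answer it, a session hijacker using the stored card cannot.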
No single retailer has all the answers (as the above situation shows), but we can all learn from best practices to make online shopping efficient and safe. For more information on how implementing best practices can help safeguard your company and its customers, check out ‘Poor Accounting Practices, Not the Skill of Thieves, results in Financial Losses’. Or, you can directly download the ‘Six Accounting Practices Companies Can Use to Avoid Email Fraud’.
By: Susan Alvarez, VP of Consulting Services