Unauthorised Payment through Amazon Account

So there were some purchases made in my Amazon account which were not done by me. This is the 2nd time this has happened.

I have a 2 step verification which sends me a code to my phone whenever I log in. There is no other way of logging in without the SMS code on the phone.

In the last 2 days, exactly after 1am, 3 purchases were made for computer parts from the same 3rd party seller. After the purchase the orders were archived so I wouldn't get any notifications about it. The only way I found out about these purchases was once I checked my bank statement.

The weird part about these purchases was that they were getting sent to my address.

I spoke to Amazon to cancel the orders. As this was 3rd party, Amazon sent a message to get the orders cancelled. Amazon assured me the orders would be cancelled as they were not dispatched. The seller ignored the message and charged me for the product and then dispatched it. When questioned he mentioned he never got the message. I can see the cancellation request in my Amazon account so he was lying. Amazon mentioned that once the order reaches the delivery date, only then can I get a refund, which can take up to 2 months.

The 3rd party seller has been with Amazon for only 3 days, which seems odd.

So the question is how can someone use my account if I never got an SMS request code for login? I only use my phone to make purchases for Amazon and checked all my other devices (PC, laptop and tablet) to make sure that I was not logged in on those.

Could the 3rd party seller be doing this?

Has anyone else had the same experience?

Comments

  • +1

    Have you logged in on any other devices in the past that may have a persistent login?
    Changed your password? Force logout of all devices?

    • No I haven't. I have changed the password and force logged out from all devices as well

  • +6

    https://haveibeenpwned.com/

    From your description the 3rd party seller is likely the fraudulent party.
    You should ask Amazon how they bypassed your SMS auths

    • unlikely.
      amazon's verification process for sellers is extremely tough.
      you need to provide a ton of id and verification documents.

      if it is the seller, amazon will have every detail on them and be able to get the money back / remove the seller from their platform.

      speak to amazon about this and they will give you the answers on the seller.

      • +6

        Wait, are you seriously suggesting that it is unlikely that Amazon has zero fraudulent 3rd party sellers?

        • -1

          pretty much.

          and if they did amazon would find them very fast.

          their systems and procedures on sellers are extremely strict.

          (I am a seller so do know their process).

        • Fake Brother toner cartridge described as genuine Australian Brother stock.
          By the time I discovered it the seller was no longer on Amazon. Amazon however facilitated a full refund, but no-one ever admitted fake.

    • Got this result for my email login

      Oh no — pwned!

      Pwned in 9 data breaches and found 1 paste (subscribe to search sensitive breaches)

  • +4

    Someone in your family accessing your phone and logging onto your account to buy stuff?

    • Maybe OP's birthday is coming up and partner/parents/siblings are getting stuff through their Prime account once they go to sleep?

      • Lmao that would be awesome but I never buy PC items from Amazon. 1st thing was I checked all devices used by my family members. I have only logged into Amazon from my mobile and no other device

  • The only way I can see this happening is using insider information, maybe a former amazon employee? 2 factor authentication must be pretty hard to get around, maybe your phone number has been spoofed?

  • +1

    You can designate some devices as trusted which bypasses 2FA - https://www.amazon.com.au/gp/help/customer/display.html?node...

    Might be worth seeing if they have somehow managed to add some devices as trusted and not requiring 2FA.

    Otherwise remove your payment - or change the expiry so it is wrong.

  • +1

    I am a bit interested in this.

    Amazon's login experience is, in my view, a big pain in the arse.

    First, I had to put in the credentials, then it took me to a page where I have to do a Google Captcha look-a-like thingy and ENTER the password again. The Google Captcha thingy is not always clear so if I get it wrong, I have to do it again.

    Then even if I get it right, it still sends 2FA Codes to my phone.

    It really is such a pain in the arse.

    So what I am very interested in is this. Given this elaborate login, how can this sort of thing happen?

    • +1

      It really is such a pain in the arse.

      Don't you mean a burning sensation of rage? ;-)

  • After the purchase the orders were archived so I wouldn't get any notifications about it. The only way I found out about these purchases was once I checked my bank statement.

    you should still receive the email confirmation.

    I reckon this is shopping in your sleep.

    • If it was shopping in their sleep they would have the SMS 2FA messages still on their phone.

      • text messages can be deleted.

        • +1

          Sleep shopping and covering his tracks by deleting the messages? Seems a little far fetched

          • @Quantumcat: the email confirmation from amazon has also disappeared.

    • Yeah all orders were made after 1am when I'm fast asleep

      • +6

        Sleep talking to Alexa?

  • +1

    If all you say is correct, then amazon's system has failed; they're at fault. I imagine they would look after you quick smart before word of this got out.

  • +3

    I had the exact thing happen to me!

    They also archived the order but I only had one order.

    I thought that maybe they hacked my phone as well to get past the 2fa but I hadn't received any sms's.

    it took me MONTHS to get my money back! the banks referred me to amazon, and amazon service was terrible!! It didn't help that the item was being posted to my address etc.

    My belief is that the marketplace seller of the furniture is the scammer - they purchase the items while hacking in knowing they are never going to send the item to you.

    After this experience, I deleted my amazon account, created a new one and chose my 2FA to go through the authenticator app.

    • +1

      Yeah thanks for that advice. I will create a new account as well

  • Did you ever Subscribe and Save to the product from this seller before? An almost similar thing happened to me, but it was actually my fault, I forgot to cancel my S&S.

    • Didn't know you could subscribe and save to computer parts

    • Yeah I checked that and no S&S for this seller

  • Did you ever get the deliveries? Though you should reject them anyway.

    • Nah man. All orders were put under investigation, meaning they will never get delivered regardless

  • Where can I see archived orders?

  • +3

    This is why I have a debit card with a zero balance linked to e-commerce websites like Amazon and pay using gift cards.

    • Yeah I will do that from now on. Much safer

    • Credit card - not my money, the bank will get on its bike quick smart as soon as you report this type of activity

    • What do you do when your gift card balance is at like $1 and the something you want to buy costs $1.01 or whenever you don't have enough? Can you use two gift cards to pay or is only one allowed, in which case you would have to drop the $1 since you can't get anything with it unless you can transfer the funds to your new card and then get it with that?

  • +1

    It might not be Amazon or the seller. SMS authentication is no longer that secure. See this article from last year (one of many): https://www.google.com/amp/s/www.okta.com/blog/2020/10/sms-a...

    • Authentication way to go now. Authy or Google or Microsoft

  • Sounds like a fat fingered seller?

  • +1

    So I have left the account active until the refund is done. Bank details are removed. I just got an email saying I have given all the products 5 stars and explaining how good the product is even though the orders were cancelled by Amazon. Pretty convinced now this is the seller's doing.

    • Look into that. When did you supposedly rate the items? After you had changed password and forced logout? If so either your device is hacked or amazon is (totally possible as unlikely as it seems, remember yahoo had a flaw enabling people to log in with no password and took them years to work out and fix).

      • -1

        remember yahoo had a flaw enabling people to log in with no password and took them years to work out and fix

        When was this and how did you login without password?

        • There was an exploit with remember me where hackers worked out they could create cookies and get in without having to enter a password. Basically make a cookie with the username and then they could login to that account as it wasn't being verified. Google it - it was a massive breach that went on for years before Yahoo worked out how it was being done.

          • -1

            @Webber000: But the hackers would still need to figure out the username to use this hack, right?

            • @Zachary: Yes, but your username is just your email address and they can either buy email address lists or just try every possible word/combination to try them all.

              • -1

                @Webber000: Hmm, so best to make a really obfuscated email address, like &goeQwy}vzn;fGH'@yahoo.com and then good luck for the hackers trying to "guess" your username!

  • Who is the seller?