Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

George, do you have any domains with your whois/registrar information matching your Amazon account information? I guessed that was the vector they used to attack me. I had several domains with my home address as my address, along with my email and name. Voila. The entire triangle of data the CSRs need.

I was able to get a CSR to show me some of the logs of the chats with the scammer, which was particularly enlightening:

http://www.htmlist.com/rants/two-for-one-amazon-coms-sociall... (Thanks also for linking to my post in your article. It's insane this is still going on.)



I do, yes. The domain this linked post is on is registered to my current mailing address which is the same as the one I have on my Amazon file as my shipping and my billing address.

I've changed my Amazon email address as you suggested in your helpful email and hopefully that will be enough since I don't think it would be practical to try to put my mailing address back in the bottle at this point.


Change your registered domain address! There's basically no upside to having your "real" address listed.


What should I put instead? Isn't a bogus address grounds for ICANN to take your domain name away?


Maybe technically (or maybe not--never bothered to check), but I've never heard of it ever happening.

I usually put a legitimate address that's in the same city (and sometimes the same general area). Where I actually live is completely irrelevant wrt DNS and I can think of no reason to have it trivially available to anyone who can do a WHOIS.


Check if your domain registrar offers an anonymous registration service. Mine provides it for free, but some charge a small yearly fee. It is still fine per ICANN standards since it simply goes to a forwarding service.


From ICANN's perspective though, doesn't that mean that the owner of the domain is the registrar?

While most registrars would be perfectly fine, I worry about the one that is willing to take the domain for themselves (for a domain not worth going to court over).

While not exactly what happened, I remember the case of the @N twitter account be stolen (https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...), and wonder if having your actual information on the registration would help or hurt a situation like that.


This is precisely why I use whois privacy services.


That post linked to some socialengineered site, which has thankfully been taken care of in a roundabout way:

http://socialengineered.blogspot.com/

Thank god. Less scum out there doing shit like this, the better.


How bizarre. What legit customer asks for fucking order numbers? A whole bunch of them?

They really need to train their customer reps better. Good customer service is not black and white, you can keep out the frauds and still offer excellent service.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: