The attack sought order numbers—which in turn enabled a shipping address to be changed and free replacement merchandise to be dispatched—and it highlighted various problems that retailers could easily fix but don't. For example, do CS reps take the time to review chat transcripts and activity history in an effort to spot repeated fraud attempts? Shouldn't a change of address set off all kinds of alarm bells? In this instance, the new address was a maildrop that reshipped packages overseas, and that specific address had already been noted in Amazon's own records. Why hadn't the system been told to flag anything going there, even after it had been identified?
The incident was captured and detailed in all its glory by Gizmodo, but it shouldn't be read as exposing a hole that is peculiar to Amazon. The point here is that Amazon is generally relentless on security issues, and this effort would have gotten nowhere on the site itself. But when the attacker opted for the human route, the doors opened wide. How many chains even bother to test for policy adherence? Even more frightening, how many chains have bothered to write policies that address social engineering safeguards for CS reps on the phone and in chats at all? There is no need to demand adherence to policies that haven't been issued.
Here's a nice way to look at this. Employees generally hate security rules; they are akin to being made to eat your vegetables. Some of the methods that would have thwarted this social engineering attack would have also improved customer service—and thereby potentially boost conversions.
For example, insist that CS reps review full order history and glance at recent chat discussions before delving into a caller's request. Maybe it will save the shopper from having to repeat background. Maybe it will flag a potential upsell opportunity or, being even nicer, a way to tell the shopper a better purchase to make. And, yes, if it helps stop a fraud attempt, all the better.
The essence of the attack started with the caller saying that he had been hacked—cyberthieves have never been short of chutzpah—and that he needed all recent order numbers. To get them, all he had to do was state the victim's current street address, which was available online. (A whois search, apparently, in this case.)
After that, a temporary address change was easy. Why? Isn't an address change a big heads-up? Why didn't it force the rep to request a lot more information, and perhaps send an E-mail to the account holder? Or maybe even place a phone call to the number on file?
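The controls argued for above (check the destination against addresses already tied to reshipping fraud, review recent chat notes for earlier suspicious contacts, and treat a publicly available street address as no proof of identity) can be reduced to a simple decision rule a CS tool could enforce. The following is an added example, not Amazon's code or anything from the Gizmodo report; the watchlist, chat notes and field names are constructed and hypothetical.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical watchlist of addresses previously tied to reshipping fraud
# (the page notes the maildrop was already recorded on Amazon's side).
FLAGGED_ADDRESSES = {"12 forwarding way suite 400 wilmington de 19801"}

# Phrases in prior chat notes that should count as earlier fraud signals.
SUSPICIOUS_MARKERS = ("could not verify", "suspected fraud", "account takeover")


@dataclass
class Account:
    email: str
    phone: str
    chat_history: list  # constructed (date, note) pairs, most recent first


@dataclass
class AddressChangeRequest:
    account: Account
    new_address: str
    # What the caller actually proved. A street address alone is public data
    # (whois, people-search sites) and is deliberately not treated as authentication.
    verified_with: set = field(default_factory=set)


def normalize(addr: str) -> str:
    return " ".join(addr.lower().replace(",", " ").split())


def evaluate_address_change(req: AddressChangeRequest) -> tuple:
    """Return ('allow' | 'step_up' | 'deny', reasons) for a CS-initiated address change."""
    reasons = []
    flagged = normalize(req.new_address) in FLAGGED_ADDRESSES
    if flagged:
        reasons.append("destination is a previously flagged reshipping maildrop")
    prior = [date for date, note in req.account.chat_history
             if any(marker in note.lower() for marker in SUSPICIOUS_MARKERS)]
    if prior:
        reasons.append(f"{len(prior)} prior suspicious contact(s): {', '.join(prior)}")
    if not {"otp_email", "otp_phone"} & req.verified_with:
        reasons.append("no out-of-band verification to the email or phone on file")
    if flagged:
        return "deny", reasons       # known bad destination: never let a rep override
    if reasons:
        return "step_up", reasons    # rep must send a one-time code to the email/phone on file
    return "allow", reasons
```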
Having extra-helpful reps is always a nice thing, but sending $900 cameras to an overseas maildrop—one that Amazon had already identified—is probably not an ideal bit of courtesy. Would your chain fare better?