Republished on August 13 with Amazon’s updated security guidance for users and further warnings on password weaknesses.
Amazon password attacks are now driving headlines, as hackers impersonate the retail giant with malicious messages to steal passwords and access accounts. “Scammers that attempt to impersonate Amazon put consumers at risk,” the company tells me.
But your account is even more at risk from attackers who may have acquired your password from a breach or infostealer campaign, or because it’s weak and easily broken. Given the surge in attacks, you need to address these risks right away.
As I have warned before, the latest Amazon lure is the promise of a refund for a recent purchase. It comes by way of a text message with a link “to request your refund.” Clicking through takes you to a fake sign-in window that steals your password.
The FTC and Better Business Bureau have both issued warnings. Amazon says it “will continue to invest in protecting consumers and educating the public on scam avoidance. We encourage consumers to report suspected scams to us so that we can protect their accounts and refer bad actors to law enforcement to help keep consumers safe.”
This latest attack highlights the insecurity of password access. If you have nothing but a username and password protecting your account, then your account is at risk. And if your password is weak, then your account is wide open to attack.
As ESET’s Jake Moore warns, “criminals have the ability to test stolen and common passwords across multiple sites at once and many people who reuse passwords will see their accounts compromised.”
Amazon told me “we encourage customers to use two-step verification and Passkeys to help protect their accounts. We have a helpful article about the importance of using a Passkey and how to sign up here.” You should do that as soon as you can.
Guardio has told me that the refund scam has evolved and is now surging again. A new version of the text phrasing “first appeared on August 9, increased by 590% on August 10,” and has continued since. In total, it has surged almost 1000% in just a few days.
Two recent reports have shone a light on the most common passwords in use, providing good advice on what to avoid and how predictable we all can be.
NordPass publishes a list of the “most common passwords” and you can assume every hacker has this to hand. Meanwhile, CyberNews analyzed passwords in the “19 billion leaked passwords” breach. This wasn’t really a new breach despite the headlines, but it was a valuable collation of smaller breaches and infostealer troves.
But the list that’s even more telling is CyberGhost’s, with its “worst passwords in the last decade.” Spin through this guide to all things you shouldn’t do with passwords, whether it’s keyboard patterns, numbers, animal names, sports, cars or celebrities.
“Have you immortalized your beloved dog, Charlie, in all of your online passwords?” CyberGhost asks. “While he may be tasked to protect your home (or at least his food bowl), your heartfelt dedication might actually be compromising your digital safety.”
You really need to add a passkey and enable two-factor authentication on your account. Amazon is a prized target and doesn’t mandate 2FA, leaving a vast number of accounts protected by nothing but passwords. As CyberGhost warns: 81% of account breaches are caused by weak passwords, 60% of people use the same passwords across multiple accounts and unsurprisingly 90% of people worry about account compromises.
If you’re struggling to conjure up good passwords, then fortunately, as Moore suggests, “password managers are now easier than ever to use and they can generate strong, unique passwords and store them securely. Furthermore, when combined with multi-factor authentication, they offer a significant boost to account security.”
If you have nothing but a weak password in place, then you should worry.
Amazon told me that “more than 320 million Amazon customers are now using passkeys to experience the convenience of passwordless sign-in on Amazon.com and many of our shopping web domains around the world.”
Amazon says it is “encouraged by how many of our customers are using passkeys, and are committed to expanding their availability across more apps and services.”
But even if passkeys are added to accounts, a password that remains in place is still a vulnerability if it also grants access to the account. And that’s especially true if the password is not shored up by strong, non-SMS 2FA. That means you still need to change any weak passwords on an Amazon or any other account.
CyberNews has now warned on the threat from this kind of “downgrade attack.” Because “while passkeys are touted as a phishing-resistant and secure way to access accounts without entering usernames and passwords, it’s critical that users do not harbor illusions that their account is safer just because they’ve created a passkey. At least not while their old authentication methods still work.”
This is why Microsoft’s push to passkeys also sees a push to delete passwords. The newer passkey is not seen as an addition to an account, but as a complete replacement for passwords to ensure users are protected.
“While enrolling passkeys is an important step, it’s just the beginning,” Microsoft says. “Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”
Proofpoint warns that such forced security downgrades are a real risk. “FIDO-based passkeys remain a highly recommended authentication method to protect against prevalent credential phishing and account takeover (ATO) threats,” it says. But it’s not foolproof, and the ecosystem is open to exploitation.
Proofpoint says its researchers “have found that FIDO-based authentication can be side-stepped using a downgrade attack. Using a dedicated phishlet, attackers could downgrade FIDO-based authentication to less secure methods, exposing targets to adversary-in-the-middle (AiTM) threats.”
None of this has been seen in the wild as yet, and “attackers’ current focus remains on accounts with other MFA methods or no MFA methods at all.” But Proofpoint warns that “despite the lack of observed usage by threat actors, Proofpoint considers FIDO authentication downgrade attacks as a significant emerging threat.”
That type of attack is sophisticated and should not worry everyday account holders. Proofpoint acknowledges that “such attacks could be carried out by sophisticated adversaries and APTs (namely state-sponsored actors or technically savvy hackers).”
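To make the downgrade risk concrete, here is an added example (not code from Amazon, Microsoft or Proofpoint) modelling a server’s sign-in method selection and the audit a defender would run over an account store; the method names, strength scores and sample accounts are constructed for illustration.

```python
# Added example, not Amazon's, Microsoft's or Proofpoint's code: a toy sign-in
# policy showing why a passkey plus a still-working password is only as strong
# as the password, and the audit a defender would run over an account store.
from dataclasses import dataclass
from typing import Optional

# Relative resistance to credential phishing; method names are this example's own.
STRENGTH = {"password": 0, "password+sms": 1, "password+totp": 2, "passkey": 3}
PHISHING_RESISTANT = {"passkey"}

@dataclass(frozen=True)
class Account:
    user: str
    methods: frozenset  # every enrolled method independently grants access

def effective_strength(acct: Account) -> int:
    """An account is only as strong as the weakest method that still signs it in."""
    return min(STRENGTH[m] for m in acct.methods)

def choose_method(acct: Account, client_offers: set, passkey_only: bool) -> Optional[str]:
    """Server-side method selection. client_offers is what the login page claims
    the client supports; an AiTM proxy can claim "password" only. With
    passkey_only=False the server falls back to any enrolled method (the
    downgrade path); with passkey_only=True an enrolled passkey suppresses
    every weaker fallback, so the account is signed in by passkey or not at all."""
    if passkey_only and "passkey" in acct.methods:
        return "passkey" if "passkey" in client_offers else None
    usable = acct.methods & client_offers
    return max(usable, key=STRENGTH.get) if usable else None

def audit(accounts: list) -> dict:
    """Flag passkey accounts still reachable by a weaker method, and SMS-2FA accounts."""
    report = {"passkey_with_fallback": [], "sms_2fa": []}
    for a in accounts:
        if "passkey" in a.methods and not a.methods <= PHISHING_RESISTANT:
            report["passkey_with_fallback"].append(a.user)
        if "password+sms" in a.methods:
            report["sms_2fa"].append(a.user)
    return report

# Constructed sample account store.
ACCOUNTS = [
    Account("alice", frozenset({"passkey", "password"})),  # passkey "added", password kept
    Account("bob", frozenset({"passkey"})),                 # password removed
    Account("carol", frozenset({"password+sms"})),
]
```

Run `audit(ACCOUNTS)` to see alice flagged: her passkey changes nothing while `choose_method(..., passkey_only=False)` still hands a password-only client the password flow.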
All of which means everyone should change those weak passwords and add strong 2FA to all accounts. Looking at CyberGhost and other websites will make it clear what’s good and what’s not. But a good, dedicated password manager is clearly the better option.
And you should join the 320 million Amazon customers using passkeys. Per Microsoft: “signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional 2FA.” Not only that, but “users are three times more successful signing in with passkeys than with passwords (98% versus 32%), and 99% of users who start the passkey registration flow complete it.”