WingNews logo WingNews GitHub [2]
top | item 19574672

Ask HN: AWS continues to charge me even though a hacker uses my account

8 points| unknownsavage | 7 years ago

Around 8 months ago I lost control of my AWS account after a prolonged social-engineering campaign against my account. Although it was a nightmare, thanks to a robust offsite backup solution we were able to quickly migrate to google cloud (which has Advanced Account Protection, a godsend for anyone in my position).

Strangely enough, even after several attempts I was never able to recover my hacked AWS account (from my support calls it seems like the attacker changed the email, name, address) and have never been able to authenticate against it.

However the one thing that was never changed is my credit-card. I have offered AWS support several times to give them my credit number and ask them to unlink it from the account, but they refuse to do so without me being authenticated.

I don't want to get on Amazon's bad side, but with no options left I have been resorting to charge-backs on the credit card. Thankfully my bank has been siding with me, and each month I have been winning them -- but next month the new bill comes and I forced to repeat the process.

Not wanting to get a bad reputation with my bank or Amazon, I just asked my bank to send me a new card. But amazingly (?!!!) the next month the bill from AWS still came on the new card.

It's now been 8 months, and I'm sick of the absurdity of the situation. Is there anything I can do?

8 comments

order
[+] 3into10power5|7 years ago|reply
There is a shitty think called "Card refresh". Big companies can have deals with Credit card companies, because, at the end of the day, both of them need your money.

Lets say, you gave your card automatic monthly billing to company 'X'. You would normally expect that when card expires, it won't be billed anymore and they will ask you for new card details. The reality is company 'X' goes to credit card company and tells them "We have these card details with us. Everything except expiry date is same. So you can conclude that we legitimately obtained the card details. Can you give us the new card details. We will update the account accordingly. It is even useful to the customer as he will be (cough cough) inconvenienced."

I think something similar happened in your case. Source: I implemented this in a big e-commerce company(Not AMZN).

[+] addcn|7 years ago|reply
I really wish the relationship was inverted. So I had a dashboard of every recurring charge in one list and I could cancel at will. More designed around me pushing funds to vendors than vendors pulling them from me.

Someone should make a digital first credit card optimized for the subscription world.

[+] LinuxBender|7 years ago|reply
Go to your bank and dispute the charges. Get a new card (again), and specifically ask for a new card number because yours was compromised (for all intents and purposes).
[+] hombre_fatal|7 years ago|reply
It's absolutely absurd that you cannot authenticate by proving that you're the one paying the account's bill before and after the credentials were changed.

This is a good reminder of how unprepared even large corporations like Amazon are for the reality of social engineering attacks.

[+] codegeek|7 years ago|reply
Can you not ask the bank to issue a new card with a NEW NUMBER ? Am I missing something ?
[+] computator|7 years ago|reply
> Am I missing something ?

The credit card issuers will happily allow recurring credit card billing (like a gym membership) to automatically continue on a new card after the expiry date, CVV2, and even the card number change. They'll do this without asking you, the card holder. They'll do this even if you refuse to allow the billing to continue on the new card. The only way to get out of a recurring payment is to (a) get the vendor to stop it, (b) claim it as fraud (the card issuer may still take the vendor's side), or (c) to close your account with the credit card issuer and withdraw all your money from that bank. You'd have to withdraw all your money because otherwise they'd take it directly from any account you have with them; this is their right of "set of" as written into every credit card contract.

Someone else in this discussion said the practice of allowing the vendor to continue billing your new card is known as "card refresh". It's cool to learn the correct term for that.

Recurring credit card billing is a horrible thing when it goes wrong.

[+] crooked-v|7 years ago|reply
At this point, you may have to get a lawyer to write them a nastygram about it.
[+] ltmi600|7 years ago|reply
Cancel your AWS account and create a new one.