Some thoughts on Amazon's 2FA


Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) - but it is exactly the same as all the other 2FA solutions.

The Process

There's no direct link to 2FA settings. So the process is slightly convoluted. Assuming you are signed in to your Amazon account, you need to

You can now start to add 2FA to your account.

A screen from Amazon showing how to use 2FA

There are two ways you can get your 2FA code. The most secure way is by using an authenticator app like Authy or FreeOTP.

If you can't install apps - or just don't like them - you can get your code delivered to you via SMS.

Amazon asking for your phone number; they use a weird format

Let's ignore the American number formatting (555!) - is an SMS code sensible?

  • SMS works everywhere, even on the dumbest phone.
  • No app needed.
  • Swap your SIM to a new phone and have instant access.

That last one is the biggest weakness. It is terrifyingly easy for a scammer to ring up your phone company and get your number swapped to a new SIM. If a scammer wants the codes off your app they have to physically steal your phone and then unlock it (you do have a secure password, right?). With SMS, all they have to do is convince some hapless call centre worker that you need your number transferred.

There's also the little matter that SMS isn't encrypted - but if the security services desperately want access to your Amazon account, I'm sure they have their own means.

2FA Problems

Far from being a scrappy start-up, Amazon is now a maze of interconnected legacy systems. There are several ancient services which Amazon can't or won't update. This means they don't get 2FA support.

Some of Amazon's apps don't support 2FA

This is a problem which I recently encountered with PayPal. Old apps don't support new security - weakening the usefulness of security for everyone.

Of course, there's no mention of which apps don't support 2FA. Their proposed solution of sticking your 2FA code to the end of your password is... interesting. It implies that if the system doesn't recognise your password, it will split it in two and try it again. I wonder if that leaves them open to subtle timing attacks, or any other issues?
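To make the "code on the end of the password" idea concrete, here is an added example of how a server could verify such a login; it is not Amazon's code, and the page says nothing about how Amazon's own systems implement it. It generates RFC 6238 TOTP codes, splits off the last six characters when a legacy client sends no separate code, compares both factors in constant time (so a wrong password and a wrong code take the same path) and refuses to accept a code a second time. The secret, password, salt and timestamps are constructed test values, and the PBKDF2 parameters are an assumption.

```python
import hashlib
import hmac
import os
import struct

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)          # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class Verifier:
    """Checks password + TOTP, with a fallback for clients that send one combined string."""

    def __init__(self, password: str, secret: bytes, step: int = 30):
        self._salt = os.urandom(16)                          # constructed per-user salt
        self._pw_hash = self._hash(password)                 # never store the password itself
        self._secret = secret                                # TOTP secret must stay in the clear
        self._step = step
        self._last_counter = -1                              # highest counter already accepted

    def _hash(self, password: str) -> bytes:
        # PBKDF2 parameters are an assumption for this example, not a recommendation.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, code, now: int) -> bool:
        if code is None:
            # Legacy-client fallback: treat the trailing six digits as the 2FA code.
            if len(password) <= 6 or not password[-6:].isdigit():
                return False                                 # malformed: fail closed
            password, code = password[:-6], password[-6:]
        counter = now // self._step
        # Evaluate every check before deciding, so timing does not leak which one failed.
        pw_ok = hmac.compare_digest(self._hash(password), self._pw_hash)
        code_ok = hmac.compare_digest(code, totp(self._secret, now, self._step))
        fresh = counter > self._last_counter                 # reject replay of a used code
        if pw_ok and code_ok and fresh:
            self._last_counter = counter
            return True
        return False
```

The TOTP values in the test below are the RFC 6238 reference vectors for the ASCII secret "12345678901234567890".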

The point of 2FA is that you use it everywhere - otherwise you're introducing a weak point in your security. Amazon will happily let you turn off 2FA on specific devices.

A screen letting you know that you can disable 2FA on specific devices.

I can kinda see their reasoning. It is annoying to be forced into using the 2FA on your regular handset. But that's also the point. Making it slightly harder for us makes it extraordinarily hard for an attacker.

A mobile phone screen showing the Amazon login page, there is an option to disable 2FA

Despite these shortcomings, I urge you to switch on 2FA. Amazon holds a surprising amount of your personal data - and the consequences of your Amazon account being hacked can be dire.

There are hundreds of sites which support 2FA. You should make sure you use it wherever possible.



2 thoughts on “Some thoughts on Amazon's 2FA”

  1. James H says:

    Would authorising your handset actually be a weakness? If someone has access to your handset then they already have access to your code generator or SMS anyway.

    And if someone has access to my desktop then they are either easily traced (who was in the house at this time) or there are other, easier ways to steal from me (like taking my watch and all my belongings in the same room as the desktop).

    The attack vector for most people is people accessing their account remotely.

    From a more cynical point of view - if someone in Russia hacks your Amazon, you'll blame Amazon*. If someone compromises your account in person - a family member, a thief, a co-worker, a friend - you're going to blame yourself or the thief, not Amazon.

    *For the naive user at least.

