First of all, I want to stress that I know how important it is to have good password security. That is why I have a 14 character password that uses letters, numbers, capital letters and symbols for all important accounts. I consider an important account to be credit cards, back accounts, shopping sites that store my financial info, etc. I do not share this password with anyone other than my wife. In January I was contacted by one of my credit card companies regarding fraudulent activity on my card. No, I had not been in Arizona that day and purchased anything, and no, I had also not been in Miami that day and purchased anything. The very nice lady took care of it all, canceling the charges and issuing me a new card. I had not used this credit card in 6 months, and it had not left my wallet in that amount of time either. I began to suspect that, perhaps, a company that had used that card at, online or in person, had some sort of data breach. In early March, I logged into my credit union account to find that $597.00 had been deducted from my checking account from Paypal.com. I had not made any purchases. I began to have feelings of fear, concern and anger. A few seconds later I attempted to log into Paypal.com via my login credentials. When attempting to login, I was prompted to change my password, because my account had been locked for "fraudulent activity". I changed my password to something different, yet equally complex, as my old password. At this point, I was presented with another message saying that I needed to contact Paypal customer service via phone. I did so and was connected with a very polite and helpful lady who informed me that Paypal had detected fraud on my account and had locked it down. She verified that, no, I had not ordered an unlocked N900 cellphone from a random store in Brooklyn, NY and had it shipped to a city in California (what kind of loser buys any kind of phone other than an iPhone, anyway? sheesh). She informed me that the charge had been reversed and the money would be debited back to my checking account within 48 hours. She also informed me that they had contacted the FBI about this matter and apologized profusely. Once I had assured her that I had changed my password, she unlocked my account. The entire exchange took 20 minutes. Paypal found an issue, protected me, and quickly resolved the issue once I, too, became aware of it. Despite the fact that the lady told me it could take up to 48 hours, I found the money back in my bank account the next day. Problem solved. Done. For years I had heard nothing but horror stories about Paypal's customer service, but after years of using them myself, this is the first time I had to deal with them. I was pleased. I will continue to use Paypal. So my credit card in January and now, my PayPal account in March. Very suspicious. I had heard about the big Monoprice.com break-in, and yes, I buy things from Monoprice fairly frequently, but I did not ever use my credit card that was breached back in January there. Perhaps they weren't related. Perhaps Monoprice was not at fault, but some other site? I didn't give it much thought because I didn't see any way that I could ever know for sure, on my own. In the 3rd week of March, I began having email issues. My wife, Steffanie, had sent me several emails on a weekday and became frustrated that I had not responded to her, at all, all day long. When I arrived home that evening, she was upset that I hadn't called her when I left the office late, despite her email she had sent requesting that I would do so. I was confused and upset myself, because I had received NO such emails from her....wait a minute. Not only had I not received any emails from her, but I hadn't received any emails ALL day long...from anyone. Odd. After logging into my GMail account, I found that I had 15 or so emails sitting in my Trash folder, all unread. I was extremely perplexed, and frustrated, because I had not deleted any of these emails. I did not recall seeing these emails, at all. I then asked Steffanie to send me another email and it arrived in my inbox a moment later. Odd. Well, perhaps there had been some sort of issue going on with GMail that day, or perhaps my iPhone had bugged out and somehow deleted my emails from that day? It appeared that the issue was no longer affecting me so I wrote it off as random-weird-unexplainable-technology-bug and promptly forgot about it. On March 30th, mid-day at work, I received a call from my wife who was very excited because our wedding photographers had sent us some sample photos via email. Puzzled, I told her that no, I had not received that email that had been cced to me. Steffanie rechecked the email and assured me that I had been CC'ed on it and that, yes, they had not made any typos within my email address. Odd. Ok, nothing I can do about it. I was very busy at the time so I told her that I would look at the photos that night, once I got home. That evening when I sat down at my iMac I found that, yet again, I had a ton of unread, deleted emails. At that point, I'm not sure what caused it (and in hindsight, I do not know what took me so long to figure out 2 + 2 = 4) but it just clicked with me. I became suspicious so I began looking through my Gmail account settings. I quickly discovered that under the "Forwarding and POP/IMAP" tab all of my emails were being forwarded to an unfamiliar gmail account and the copies of them were being moved to my trash folder immediately. I disabled the forwarding, now understanding that I had been the victim of an ID/security breach once more. Perhaps the PayPal issue I had earlier in the year wasn't an isolated incident? Shit. I then went back to my trash folder and began reading all of my lost emails. Shit. I had an email from Amazon, from the previous day, saying that they had detected possible fraud on my account and had disabled it. Great. Wonderful. This is where the "fun" began. The email is as follows (received on Tue, Mar 30, 2010 at 5:52 PM):
Greetings from Amazon.com. Please take the time to read this message - it contains important information about your Amazon.com account. At Amazon.com, we routinely perform reviews of orders and customer accounts to protect our customers. After careful review of your account, we believe it may have been accessed and used by a third-party to make purchases without your permission, but it appears they did not use your credit card to make these purchases. It seems that someone obtained your personal account and/or financial information elsewhere, and used it on Amazon.com to access your account. We have closed your account effective immediately because of this possible unauthorized account activity. If this recent account activity (electronics orders) was authorized by you, please reply to this message as soon as possible and we will reactivate your account. Otherwise, you will need to open a new account when you place future orders with us. If you had previously purchased digital content, (Kindle books, MP3s, Videos, etc.) please reply to this message and we will help transfer these items to your new account. It is important to know that Amazon.com accounts can only be accessed by those who know personal, specific information about you and your account -- such as your email address, Amazon.com password, physical address, credit card information, and other details. As mentioned above, it appears someone obtained some of your personal account and/or financial information elsewhere and used it on Amazon.com to access your account. While it is not clear how this happened in your case, we do know that personal account and financial information are often obtained by scam artists who send unsolicited email to unsuspecting users asking them to "update" their account information. The email usually contains a link to a website that is controlled by the thief asking the user to submit personal information including email address, password, credit card number, and other relevant information. Once the information is obtained, the scam artist can then gain access to numerous online accounts since many internet users frequently use the same user name, email address, password, and financial information at multiple web sites. Please know that Amazon.com employees will *never* ask for your password, nor will we ever send an email asking you to verify personal information. Although it appears someone did access your Amazon.com account, they would not have been able to view your full credit card numbers as they are never displayed on our site. However, it is possible your credit card numbers may have been compromised at the time your other personal information was obtained. Therefore, we suggest you carefully review recent credit card statements to check for any unusual activity or unauthorized charges. In the future, you can protect your Amazon.com password and account by following some of these safety tips: ----------------------------------------------------------------------- 1. Choose a good password: Use at least 8 characters and a combination of letters and numbers. Do not use single dictionary words, your name or other personal info that can be easily obtained, or a password that contains part of your email address. 2. Password protection: Avoid using the same password at multiple sites or for your email account. Do not share your password with others. 3. Account protection: Be cautious of unsolicited emails that appear to come from reputable online shops or services that ask you to submit personal information such as your credit card number, email address, and password. Often these emails will look as though they come from the company you're familiar with, and the email will ask you to click on a link and "sign in". You should never provide this kind of personal information in an unsolicited email. ----------------------------------------------------------------------- Please accept our most sincere apologies for any resulting inconveniences, and feel free to contact us if you have any further questions or concerns by writing to firstname.lastname@example.org. Sincerely, [REDACTED] Account Specialist Amazon.com http://www.amazon.com
I responded that afternoon, as requested, with the following email to that account (sent on Wed, Mar 31, 2010 at 7:04 PM):
Amazon, I recently experienced an identity theft issue with one of my credit cards about 2 months ago. A month ago, my Paypal account was broken into. This week I just found my GMail account had been tampered with and have just read this message from you about my Amazon.com account. Because I do not trust emails (they could be phishing emails) as I am an IT professional, I would very much appreciate if you could give me a call at XXX-XXX-XXXX at your earliest convenience so I may get this issue resolved. I am a very heavy Amazon user. I buy all of my books through my Kindle app on my iPhone (and plan to do so when I get my iPad). I am an Amazon Prime customer, and I have an Amazon Affiliate account. I would like to get access to my account once more. [REDACTED TEXT DISCUSSING THE PASSWORD SCHEME I USE THAT ISN'T RELEVANT TO THE STORY] Thank you for contacting me and I look forward to hearing from you asap. Joel Housman
At this point I waited for a response. The following morning I received a call from someone who works for Amazon in their Fraud Department. This gentlemen informed me that, contrary to what the email said, they could not give me my account back. I would, instead, have to create an entirely new Amazon account tied to a different email. After expressing to him how I would not prefer this unless it was absolutely necessary (I just wanted my old account back) he assured me that it was their policy to do so. He then assured me that it would be no problem for customer service, once I had my new account created, to transfer ALL of my customer data over to my new account including my: 10 years worth of order history, Amazon Prime membership, Kindle book purchases, Amazon Associates account, wish lists, wedding registry & other small bits of data. I told him that I would create a new account and respond to his email letting him know what it was. He apologized again for the trouble and told me he would look for my email. We concluded the phone conversation. The response email (sent on Thu, Apr 1, 2010 at 10:43 AM)
Hello, After speaking with you on the phone, I've now made a new amazon account. The email account associated with this new account is [REDACTED]. Thank you for your help, Joel Housman
Over 24 hours passed by without any further contact from Amazon or any activity with regard to my Amazon account. I became frustrated with the slowness in which my case was being handled, so I sent a follow-up email. Follow-up email (sent at Fri, Apr 2, 2010 at 2:35 PM):
This is a follow-up email from yesterday. I received this email from you on Wednesday. A representative from Amazon called me back on Thursday and told me what happened to my account. He instructed me to sign up for a new account, which I've now done ([REDACTED EMAIL]) and that your company would then move ALL of my customer data from my old account to my new account. My order history, my Amazon Prime membership and all of the Kindle books that I've purchased. It has now been over 24 hours and I have not heard anything back from anyone in regards to this. While I appreciate your detecting the fraud that happened with the account, I feel it is very heavy handed for you to summarily close the account preventing my access to it. I would appreciate your timely moving my customer data into my new account as I have books I have paid for (and was reading) that I can no longer access (I don't have a Kindle, I read them on my iPhone) and I cannot use my Prime Membership. Joel Housman
The rest of Friday April 2 went by without any word from Amazon. Steffanie and I were heading out of town that weekend and we spent most of our time on the interstate Friday night. Saturday we were also occupied with various things down in southern Virginia at my folks' place. On Sunday morning though, I awoke to the following email from Amazon. Email (received on Sun, Apr 4, 2010 at 8:36 AM):
Thanks for contacting us about your closed account. While our Customer Service team is unable to assist with your closed account, I can certainly help with any further questions you may have. Please accept my apologies for the incorrect information that you have been provided. Your previous account and order information is permanently tied to your closed account, and cannot be transferred. If you need any specific details from your account, I can send those to you upon request. I've canceled your Prime membership and issued a refund of $52.67 to the payment method charged for this subscription. This is a refund for the 8 months you had remaining in your subscription purchased on November 26, 2009. You'll need to enroll in Prime on your new account to use the feature again. I have transferred your Wish Lists and Wedding registry to your new account. I see you also had a Kindle device registered to your closed account. You’ll need to connect your Kindle to your new account to purchase and download content again. You’ll need to first deregister your Kindle from your closed account. Follow these steps: TN96vrlXvyn64rbaRTSD From here you can follow the steps to register your Kindle to your new account. Unfortunately, we're unable to transfer Kindle titles between accounts so I've issued you a gift card to cover the costs of repurchasing the Kindle titles on your closed account. You should receive this gift card in the next 24-48 hours at this e-mail address. I've also included a list of your previously bought titles for your record: [LIST OF 14 KINDLE BOOKS THAT I'VE PURCHASED REDACTED HERE] We appreciate your understanding and hope this information is helpful. If you have further questions or concerns, please don't hesitate to contact us by writing to [REDACTED EMAIL]. Best regards, [REDACTED] Amazon.com We're Building Earth's Most Customer-Centric Company http://www.amazon.com/your-account
Well, I'm normally a grump first thing in the morning. This didn't make things better. I groaned in bed as I read this email on my iPhone, but got up quietly, not wishing to wake my wife. Heading into the living room I grabbed my MacBook Pro and began to compose a response email. I replied (sent on ):
This is completely unacceptable. I would like to speak to someone on the phone before unilaterally make any further changes to my account. The only reason I agreed to make a second account was due to the fact that the person in the fraud department assured me, on the phone, that all of my data could be transferred over to my new account he insisted I create. First of all, I do not understand why it is Amazon policy to completely lock a customer out of their account, without letting them back in. Second of all, why will you not tell me what the fraudulent activity that occurred on my account is? I've had incidents happen with other companies before, in which my accounts were fraudulently accessed and used. Paypal is one example. Paypal temporarily closed my account and then informed me of this occurrence. The message they sent told me to log into my account, change my password, but then, to contact customer service at a certain number. Once I did so, they proceeded to treat me like the victim of the fraud and not the criminal, as your company has done. I cannot understand why I can't be granted access to my original account that has ~ 10 years worth of order history built up, my prime account, my Associates account, all of my kindle books, my wish lists, and my wedding registry (which we have people trying to use, btw)? I have items that I've purchased in the past which have failed within their 3 year manufacturer's warranty period. These companies require me to print out an invoice of when I purchased the product and to mail it in to them in order to receive warranty service. If I lose my order history, I can no longer process any warranty claims on any products that I've bought from you. Do you know how unreliable I now view your company? I now have zero confidence to purchase any high-cost electronics from your company. Will my purchase history be there tomorrow for me to refer back to, or could I get locked out of my account for a week only to then lose the information? Will my books suddenly become inaccessible on my iPad tomorrow (yeah, I don't own a Kindle, I just use your Kindle iPhone app)? In short.... Before doing anything, I wish to speak to a customer service representative - ON THE PHONE - so you can explain to me why your company is the only one I've ever dealt with that takes the heavy handed route of completely denying the customer access to their account when it has been breached. Paypal does not do this. Ebay does not do this. B&H Photo does not do this. Google does not do this. Apple does not do this. I suspect that your fraud department has put this policy in place to make their lives easier, but, what it does is just frustrate your customers who have to feel the brunt of this policy. Joel Housman
Yes, I was upset. Sunday April 4th passed by without receiving any further response from Amazon. Most of Monday April 5th had passed as well, until at around 4:00 pm, I had a few minutes of free time at work and decided to give Amazon a call. A customer service representative and I spoke for about thirty minutes. After explaining to him the entire timeline of what had happened, he apologized once more to me (Amazon had been very good at apologizing up until this point, but not very good about doing anything about it). He told me that, unfortunately, what had been done up to that point what not reversible. He didn't know why the Fraud Department insists upon locking a customer out of their account once it had been breached. He apologized for everything that happened and told me he would pass on my feedback about my experience to someone internally. He offered to have everything taken care of, that day, and as a way of making amends for this whole experience, granted me free Amazon Prime access for the following year, without revoking the pro-rated refund that they'd given me for Prime on Sunday. I told him that I would rather have my order history back, but I would accept the Prime membership. It was true, I value the 1000+ orders I've made from Amazon over the past 10 years and their history more than 80$. It's extremely useful to remember what type of filter the humidifier in the bedroom takes by looking up which one I purchased previously...or finding that particular hard drive that I researched 6 months ago for the Drobo when I need to order another. We concluded the call. I left work that day and checked my Amazon account once more before going to bed. No Amazon Prime yet. Still no word on my Kindle book refund as the email on Sunday had promised. The next day, at 4:25 PM EST (April 6th) I received yet another email from Amazon's Fraud Department that was identical to the original email I received from them on March 30. Did this mean that someone had gained access to my account gain? Did this mean that someone in the Fraud Department had thought that I hadn't yet contacted Amazon yet? Do they not realize that I had been corresponding with the company over the past 6 days already?. I was a bit miffed and wrote back to them once more. My response (sent on Tue, Apr 6, 2010 at 4:50 PM):
Why are you still emailing me about this? Please look up my old account ([REDACTED]) and my new account ([REDACTED]) in your system. I've been on the phone & corresponding via email with various customer service representatives from your company for the past week regarding this issue. I spoke to someone on the phone for thirty minutes yesterday fixing all of the problems your company created for me when you wrongly closed my account without asking my permission last week. Please look up my customer information on both of my accounts in your system to see the timeline of events. If, this email is somehow related to a new issue that has happened since you first began emailing me last Tuesday (March 30), you can give me a call at [REDACTED]. Joel Housman
I received a response from Amazon (received on Wed, Apr 7, 2010 at 1:20 PM):
Joel, I apologize for the misunderstanding that this has caused. You received this message, because we were able to reopen your original account as you had previously requested. This message was just to let you know that we were able to do this and how to reset your password. Again, I apologize for the misunderstanding and inconvenience that this has caused. Best regards, [REDACTED] Amazon.com We're Building Earth's Most Customer-Centric Company http://www.amazon.com/your-account
Wait...they were able to reopen my original account? Why? How? After telling me, repeatedly, since Thursday that this was not possible, why were they suddenly able to do this? I responded (on Wed, Apr 7, 2010 at 1:33 PM):
[REDACTED], Would you please give me a call at [REDACTED] sometime before 5:00 pm est today, or at [REDACTED] if it is after 6:00 pm est. When I spoke to someone on the phone Monday, he told me he was unable to open my old account so that I could continue to use it and instead, I would have to use the new account I created. He told me I would be getting complimentary Amazon Prime enabled on my new account and that I would also receive a refund for my purchased kindle books so I could repurchase them on the new account. Since that call, none of these things have happened. Now you're saying that I can get my original account back? Could you please call me so we could discuss this, because when this is all said and done, I would prefer to have my original account back using the same email address with my order history intact. The order history, about 10 years worth of orders, is very important to me. Joel
Up until this point, I was very frustrated with this entire experience. The lack of communication on the part of Amazon amongst it's own customer service representatives was frustrating, as well as the asinine polices on the part of Amazon when they detect fraud on an account. I cannot remember the specific time but either that night or the next day, I received a call back from this last customer-service rep. This is also the same person that sent the early Sunday morning email that made so many changes to my account without asking me first if it was okay with me. After a few minutes of tenseness on my part, she began to tell me everything that she would be able to do to my account:
- She would return my access to my original account, with my order history intact (this made me very happy but also very frustrated because several people, up until this point, had told me, in previous phone conversations, that my order history had been deleted & forever lost)
- She would transfer my Wish Lists & Wedding Registry back to my original account from my new account with all data intact (very important to my wife and I because we were in the middle of writing thank-you notes for all of the wedding gifts
- I would receive complimentary Amazon Prime, however, contrary to what the gentlemen on Sunday said, she needed me to purchase it on my own and then she would refund me the amount that I was charged. There is no other way for Amazon to handle that transaction otherwise
- I was to keep the pro-rated refund for my original account's remaining Amazon Prime time.
- All of my Kindle Books were still tied to my original Amazon.com account and that I could keep them.
- The refund for my Kindle books (from her Sunday email) had came in the form of a gift-card which had been sent to the new email tied to the new Amazon account (the reason I had not seen it was due to, up until this point, all correspondence had been between them and my original email account.
- My Amazon Associates account was still tied to my original account and my access had been restored.
So in summary....my original account had been restored to the exact state it was in on March 29th, before ANY of this had happened with Prime & Kindle books + all data(lists, registry, associates, order history) + a gift card for 60$ + a gift card for over 100$ (kindle book refund from Sunday). So, in the end, Amazon fixed everything and bribed me with gift cards to make amends for the difficulties they put me through...but wouldn't it have just been cheaper...and less frustrating for me... if on Thursday, April 1 at around 10:00 am the gentlemen on the phone had just created a new password for me and allowed me back into my original account (just as PayPal had done a month before)? And it would have saved me from writing this blog post. Also, as I'm getting ready to post this, it's April 24th. I've been rather busy, with this, for the past few months and haven't had time to write this up, but I felt that it was such an onerous customer service experience that I needed to share it with my readers. I'm a huge fan of Amazon and will continue to be a customer of theirs, but they really do need to work on communication between their customer service departments, as well as, review their policies...or perhaps better train their own reps on what their policies are? I'm still usure of which is the case myself - was it their policy being asinine or was it simply a case that my case # was assigned to a representative who didn't know what he was talking about?