PYMNTS-MonitorEdge-May-2024

Amazon Unit Lets Expensive Downloads Happen Before Verifying Payment

The Amazon Audible unit lets shoppers sign up using fake payment card data, fake E-mail addresses and fake names and then permits them to download lots of audio books before it even tries to verify the payment credentials, according to a report in Gizmodo. Even worse, once the Audible system detects that the card data is invalid, it allows the shoppers to renew a membership and download even more stolen audio books. Amazon has reportedly been aware of—and failed to fix—this hole since March 2013, according to Business Insider.

“Using a fake name, email address, and (payment) card number, you can sign up for any membership plan, so we chose the most expensive plan, which gives you 24 free book credits,” the Gizmodo story said. “Even though a warning pops up, Amazon doesn’t check credit card information until the credits run out. Even then, once Amazon figures out a card is faulty, someone trying to rip Audible off can just renew the membership instead of updating the card information. That refills the credits, basically letting people download Audible’s entire catalog without paying.”

Business Insider, which broke the story, said the hole is simply sloppy security. “If Audible checked credit card information before providing accounts with book credits, then the loophole wouldn’t work,” the Business Insider story said. “But the site has a relaxed approach to security, allowing users to sign up with fake email addresses and purchase items without so much as verifying the E-mail address used.”

Both stories quoted the identical Audible statement: “This is a fraud issue, not a security issue. The fraudulent activity did not put any customer data at risk of exposure, nor did it affect customer experience in use of Audible.com; no honest Audible customer has been or will be injured by this. While we are constantly working to improve ease of use by customers, any momentary breach is closed quickly through our process when invalid credit cards are used. We take the act of fraud very seriously—and always have and always will.”

PYMNTS-MonitorEdge-May-2024