Ask HN: AWS refuses to stop billing me for a compromised account
About a year ago, I had my AWS account get fully taken over by a successful social-engineering attack. Prior to the full takeover, the screw-ups by their customer support were bad enough that in response to a viral blog post ( https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4 ) they upgraded me to "executive support" for free.
Regardless, it was all for nothing when they gave my account to someone else. Besides compromising sensitive information, the attacker was able to change the account information and email address to the point I am unable to authenticate.
At this point, I do not care about recovering my account, as I have fully switched to Google Cloud and have been extremely impressed by Google's Advanced Protection Program. However, my credit card keeps getting billed by Amazon. Whenever I phone Amazon, I can't get through to a reasonable human being, as despite having the credit card in my hands, I cannot authenticate against the account with changed details. Nor will Amazon simply remove the credit card number that I can provide them.
I've even requested a new credit card from the bank; however, the bank continues to forward AWS charges to me. So I have been going through a Kafkaesque ritual of disputing the Amazon charge with my bank, only to win and have Amazon bill me for the next month.
However the last dispute I've made, the bank (of America) has now ruled in Amazon's favor and rebilled my account. My bank has replied: "We've thoroughly reviewed the details of your dispute(s), and based on the information we received, we're unable to pursue your dispute(s) future."
At this point, I'm stonewalled between my bank siding with Amazon and Amazon not speaking to me. I feel like I'm out of options. What are my options now?
If any human at Amazon sees this, my account number is: 326156978341 and dispute case number is: 92919033. Please for the love of God, stop billing me.

I'm trying to think of how to avoid something like this ever happening to me, and I think the lesson I can learn from this is to use a debit card instead of a credit card? That way, the account can go to 0. That debit card would only be for services with automated billing like this, and would have limited funds. I mean, I imagine the main problem here is that you can't close your credit card because the bank now says you owe them that money, right? If it were a debit card, that would never be a problem.

EDIT:

> I've even requested a new credit card from the bank, however the bank continues to forward AWS charges to me.

They forwarded from one card to another? AWS charged a closed card and the bank forwarded it? Sounds like you need to close the client account (your whole client relationship with the bank), not the card.

EDIT 3: Or do you mean that you requested a new card without closing the old one? If they're both open, it's not that charges are being forwarded, but rather that the old card is still valid and both are linked to the same credit account. Maybe you can ask them to close it?

EDIT 2:

> Nor will Amazon simply remove the credit card number that I can provide them.

By the way, if you can't authenticate with Amazon as the rightful owner of that account, it sounds unreasonable for them to comply with a stranger asking them to simply remove a credit card number from some account.

> They forwarded from one card to another? AWS charged a closed card and the bank forwarded it?

Yup.

> By the way, if you can't authenticate with Amazon as the rightful owner of that account, it sounds unreasonable for them to comply with a stranger asking them to simply remove a credit card number from some account.

I disagree. If I can provide a full credit card number, they should be able to remove it from all accounts. Either the card is compromised, or I'm telling the truth.

The AWS account is what's compromised. And Amazon is aiding the attacker in committing fraud. Both AWS and the attacker benefit from the continued charges to your account. Every AWS and bank account has clear terms, including how to unilaterally close the account. I'm not sure why you're slow-walking this rather than pulling the fire alarm on both accounts.

So anyone you ever bought something from with that credit card should be able to kill your AWS account with a simple phone call?

They could send an email to the owner of the account asking to reauthenticate the card (re-enter the numbers & CVV, go through 3-D Secure, or provide a picture of the card or bank statement). This would mitigate incidents like this - as far as I'm aware the attacker doesn't actually have the card number, so giving them 24 hours to confirm it (or the card gets removed after that) would be a good solution while remaining only a minor inconvenience for legitimate usage (realistically speaking, how many online stores who might have your card number are malicious enough to call companies and try to get your accounts shut down, with no benefit to themselves?)

I feel for the Kafkaesque nightmare, but isn't this what courts are for? A judge should be able to adjudicate this conflict, especially if you give convincing evidence of your communications with both Amazon and the bank. My venue of legal approach (IANAL and not even US) would be that once you show you are not the account holder anymore (since hacked and fully shut out), you don't have a contract with Amazon and they don't have the title to bill you. If they can show you ARE the account holder, then you can cancel. Both ways of that approach before a judge will get your problem sorted?

> I think the lesson I can learn from this is to use a debit card instead of a credit card? That way, the account can go to 0. That debit card would only be for services with automated billing like this, and would have limited funds.

Generally speaking, this is a bad idea. Credit cards have more legal protections than debit cards[1], giving you more avenues for recourse. Banks can also choose to honor a transaction and overdraw your account. This can result in a negative balance, leaving you with fewer legal protections on the original transaction (since it was debit instead of credit) and owing money to your bank. Plus possible overdraft fees.

> Or do you mean that you requested a new card without closing the old one? If they're both open, it's not that charges are being forwarded, but rather that the old card is still valid and both are linked to the same credit account. Maybe you can ask them to close it?

It's a feature of the processing networks called account updater[2]. It sounds like the credit line itself was not canceled, only the card, with a new card issued against the same credit line. The link at [2] mentions the logic for when account updater can happen, but essentially if a merchant has successfully processed your card in the last year and it gets declined on subsequent transactions (because you canceled it or it expired), they can request the new card information to retry the transaction against. It's designed to prevent lapses in recurring payments when cards expire or get re-issued, while limiting exposure to fraud, since new merchants without a history of transactions on your account can't get the new account info.

If you're ever in this situation, what you want to do is 1) initiate a chargeback dispute on the initial transaction and 2) explicitly request your bank to decline future transactions from that merchant (referencing the initial transaction so they know explicitly which merchant). The merchant should then get hit with this[3] decline code next time they attempt to charge you, which will be a hard decline that indicates it was due to a cardholder-requested block. That way you only have to deal with one dispute involving your credit card company, and any subsequent transactions are prevented from even getting to that point (and if one slips through, the fact that you requested a merchant block becomes its own supporting evidence for disputing a charge). As OP experienced, repetitive disputes tend to shift over time from the consumer's favor to the merchant's favor, so only disputing the transactions after they occur tends to work the first few times.

[1] https://www.fdic.gov/consumers/consumer/news/cnwin1213/stopp...
[2] https://articles.braintreepayments.com/guides/account-update...
[3] https://articles.braintreepayments.com/control-panel/transac...

Filed a police report and provided bank and Amazon with copies of it? (Any written communication with either? A paper trail of provided evidence is kind of important for such things.) That said, it's quite bad handling that bank and Amazon haven't managed to at least shut down future charges / tell you what they need to do so.

File a police report for the social engineering. Report that to your bank and Amazon in a written, semi-official letter. If that does not work, lawyer up.

These are fraudulent charges occurring after you've closed the AWS account. Cancel the credit card account, on the basis they have violated their fiduciary duty to the customer. Tell them you're filing a lawsuit. File a small claims lawsuit for the improper charges within 10 business days if the bank hasn't made this right. You have proof of cancellation of the AWS account? That's how you will win.

They've been sending me a bill for three years now on an account they closed. I could not get the assholes to kill the account so I changed credit cards. The support was helpful but gave me phone numbers to call that did not exist and just kept saying they can't do anything else. I threatened with lawyers and I have full correspondence on my behalf kept safe so they can just fuck off with their bills.

I would report the CC being stolen and get a new one. Technically, it was stolen, together with the AWS account.

Did you report the card stolen? I have never heard of charge forwarding. The number should not work. You need a new bank.

It's a new thing. The aim is so companies like Netflix don't lose subscribers when the subscriber loses their card and requests a new one. The implementation is very shoddy - a mapping of old to new cards is distributed to any big provider who has charged the old card.

I believe the forwarding is only done if the card was marked as a replacement due to damage or expiry. If reported as stolen, the forwarding shouldn't happen. Not sure what happens in the case of lost. OP said they didn't report it as stolen, so that might be the reason why the charges are being forwarded.

I didn't report it as stolen. But they did forward the charges. But yeah, I've just finished closing my credit card completely. It's unreasonable that I've been disputing the same charge from AWS for almost a year, and now they have decided to side with Amazon.

So what did you report to get a new card?

It might be lawyer time. IANAL, but might it be possible to sue AWS? You technically aren't their customer (by their own doing), so any arbitration clause might not apply anymore.

The only issue here I see is that you haven't bothered Amazon enough that the account was inaccessible. Everything else is working as intended.

Have you considered cancelling your credit card?