Selling your own products on Amazon is one of the most lucrative channels available to online sellers, but that also makes your seller account valuable to attackers and a likely target. Unlike a compromised buyer account, a compromised seller account can give an attacker access to your funds, your customers, your product listings, and your sales data. A great deal can go wrong if an attacker takes over your seller account, so below we walk through the cybersecurity best practices you should follow to protect your Amazon store and its funds.
What Does Amazon Do to Protect Accounts?
Although your own security habits matter most, Amazon does provide protections both implicitly and explicitly. The implicit protections come from Amazon's infrastructure, which is configured to detect common attacks: brute-force guessing of your password, denial-of-service (DoS) traffic, and many other scripted attacks launched against its servers. These run without any action or configuration on your part.
Along with server-side protections, Amazon has several account-takeover mitigations and lockouts. For example, if an attacker logs into your account from a suspicious IP address, Amazon can detect the unusual behavior and lock the account before damage is done, and you will receive an email alerting you to the lockout.
Explicit protections are the ones you must turn on yourself. For example, you can enable two-factor authentication on your account, and you should use a strong, unique password that an attacker cannot brute force. Many passwords are only 8 to 12 characters with a mix of special characters, numbers, and upper- and lower-case letters; length matters more than character variety, so prefer a long passphrase generated and stored by a password manager, and never reuse it on another site.
These protections help you avoid an account compromise, but they only stop basic attacks that can be detected automatically. More sophisticated attackers avoid detection and compromise accounts anyway, stealing data and funds. To defend against them, follow the best practices covered below.
Phishing Attacks
Phishing is one of the most common ways to lose an Amazon account to an attacker. Most people are familiar with the concept of phishing, but few are equipped to detect a well-crafted attempt. Sophisticated campaigns are very effective, and they often target specific people who hold high-level privileges or accounts with large sums of money available. As the administrator of your account you have the highest privileges, but attackers will also target anyone with access to your store. Large stores commonly have several people helping with communication and management, so educate your staff on the dangers of phishing and on how to identify suspicious messages.
Attackers approach phishing in a number of ways. They might register a domain that looks similar to one you know, or they can spoof the sender address outright. Never trust an email on the strength of its sender address alone, because an attacker can put any address they like in the From field. In recent years email authentication (SPF, DKIM and DMARC) has improved matters, and spoofed addresses are detected and routed to spam by the large providers. For example, if you use Google Workspace (formerly G Suite) for business email, the provider will flag these messages and either post a warning in the body of the message or send it straight to the spam folder.
Even with sophisticated filters, some phishing emails evade detection and rely on the recipient to fall for them. Beyond spoofing sender addresses, attackers also send messages from compromised accounts to everyone in that account's contact list, so if a friend, family member or business partner is hacked, the attacker may use their real account to message you. Those messages could lead you to a phishing website or carry malicious attachments that install malware on your machine.
Here are a few basic practices to follow when receiving email:
- Never run executable files attached to email messages.
- If a message asks you to click a link and log into your account, open your browser and type the official Seller Central address yourself; never authenticate on the linked page.
- Never share passwords in email. If team members need a shared credential, use a password manager such as LastPass or 1Password to share it.
- Do not assume the sender address is accurate.
- If a message landed in your spam folder, be cautious before interacting with the sender; it was probably spoofed or failed authentication checks.
- Never click links or send information when the sender threatens to cancel your account, asks you to confirm information, or offers a refund provided you send payment details.
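The following Python script, added here as an illustration and not part of the original post or of any Amazon tool, applies those rules to a raw email: it reads the receiving server's Authentication-Results header (SPF, DKIM, DMARC and the DKIM signing domain), compares each link's real destination with the text shown to the reader, and looks for urgency wording and a nameless greeting. The two sample messages are constructed, and the allowlist of trusted hosts is an assumption for the example.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Hosts that legitimately serve Amazon seller pages (assumed allowlist for this example).
TRUSTED_HOSTS = {"amazon.com", "sellercentral.amazon.com"}
URGENCY_PHRASES = ("within 24 hours", "suspended", "verify your account", "deducted", "immediately")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels ('a.b.amazon.com' -> 'amazon.com').
    Fine for .com-style names; a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def auth_results(msg):
    """Read the receiving server's Authentication-Results header (RFC 8601):
    SPF/DKIM/DMARC verdicts plus the DKIM signing domain (header.d=)."""
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
    m = re.search(r"header\.d=([\w.-]+)", hdr)
    return verdicts, (m.group(1).lower() if m else None)


def triage(raw: str) -> list:
    """Return 'TAG: detail' findings; an empty list means no red flag was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: a lookalike that merely contains the brand name.
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if "amazon" in sender and not is_trusted(sender):
        findings.append(f"SENDER_LOOKALIKE: {sender}")

    # 2. The From address proves nothing unless SPF/DKIM/DMARC passed and the
    #    DKIM signing domain aligns with the From domain.
    verdicts, dkim_domain = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"AUTH_FAIL: {mech}={verdicts.get(mech, 'missing')}")
    if dkim_domain and registered_domain(dkim_domain) != registered_domain(sender):
        findings.append(f"DKIM_MISALIGNED: signed by {dkim_domain}, From {sender}")

    # 3. Links: where the href really goes versus what the reader sees.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            findings.append(f"LINK_UNTRUSTED: {host}")
        text = re.sub(r"\s+", "", text)
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(f"LINK_TEXT_MISMATCH: shows {shown}, goes to {host}")

    # 4. Social-engineering tells: fear/urgency wording and a greeting with no name.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        findings.append(f"URGENCY: {', '.join(hits)}")
    if re.search(r"\bdear (seller|customer|user|valued)", plain):
        findings.append("GENERIC_GREETING")
    return findings


# Constructed sample: a seller-targeted phish in the style described above.
PHISH = """\
From: "Amazon Seller Support" <support@amazon-seller-verify.com>
To: store@example.com
Subject: Action required: funds will be deducted
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=amazon-seller-verify.com;
 dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Seller,</p>
<p>Your account will be suspended and funds deducted within 24 hours unless you
verify your account: <a href="http://sellercentral.amazon.com.verify-login.net/update">
https://sellercentral.amazon.com</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice that passes every check.
LEGIT = """\
From: "Amazon Seller Central" <no-reply@amazon.com>
To: store@example.com
Subject: Your monthly statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=amazon.com;
 dkim=pass header.d=amazon.com; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Acme Goods,</p>
<p>Your statement is available in <a href="https://sellercentral.amazon.com/payments">Seller Central</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", triage(raw) or ["no findings"])
```

Authentication-Results is written by your own mail server (or Google Workspace), so unlike the From header it cannot be forged by the sender; the link check is the automated form of the rule above to type the official address yourself rather than trust the text of a link.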
The Federal Trade Commission (FTC) offers an example of a phishing email pretending to be a Netflix billing notice. Notice that the customer's name is not in the greeting, and the message threatens to cancel the subscription unless the recipient clicks the link and updates billing information. A common theme in phishing emails is using fear to make recipients act before they realize it is a scam.
Here is another example of a phishing email specifically targeting Amazon sellers.
Notice again that the seller's name is not in the greeting, and the message threatens to deduct funds from the seller's account unless action is taken immediately. Phishing relies heavily on fear so that victims ignore the red flags and hand over sensitive information, including credentials and financial data.
One way for Amazon sellers to avoid falling for phishing is to know what Amazon will never ask you to do. Amazon publishes a full list on its site; here is a breakdown of what Amazon will not ask you to send by email:
- Bank account information
- Credit card number
- PIN
- Security codes
- Mother’s maiden name
- Answers to your security questions (e.g., what is the name of your first pet?)
- Your seller account password
Two-Factor Authentication Bypass
You may or may not know that Amazon offers two-factor authentication as an additional layer of account security. With two-factor authentication, a one-time code is sent to or generated on your smartphone, and you must enter it to complete the login to your seller account. This extra step protects you if your password is stolen through phishing or social engineering.
Less well known is that two-factor authentication over text message is not as secure as you might think, which is why Amazon also lets you use an authenticator app such as Google Authenticator to generate your two-factor code. There are two reasons SMS is a weak channel for a one-time code. The first is the poor security of the telephone signalling protocol that delivers the message: weaknesses in SS7, the routing protocol carriers use between networks, were exploited in 2017 to intercept bank customers' SMS codes and drain their accounts, and that same network carries the code Amazon texts to you.
The second issue with SMS is a social engineering attack called SIM swapping (also called SIM hijacking). A crafty attacker convinces a telecom representative to move your phone number to a SIM card the attacker controls. From then on every SMS sent to your number, including the ones containing your two-factor code, arrives on the attacker's device. This attack has been common in thefts from cryptocurrency wallets and other financial accounts.
Instead of risking a rerouted code from an SS7 attack or a SIM swap, an authenticator app computes the code on your own device from a secret shared with Amazon when you enroll, combined with the current time; nothing is transmitted over the phone network at all. Use the authenticator option for any account whose provider offers it for two-factor authentication.
Authenticator apps are preferred over SMS, but you must still be alert to social engineering that tricks sellers into handing over their code. Never give your two-factor code to anyone, and only enter it on the Amazon login page you navigated to yourself. An attacker who already has your password, for example through phishing or a compromised email account linked to your store, has every incentive to call or message you posing as Amazon and ask you to read the code out.
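Added example, not from the original post: a minimal RFC 6238 TOTP implementation in Python showing that the six-digit code is computed on the device from a secret shared at enrollment plus the current time, so nothing travels over SMS, and that a code is only accepted within a short window around the current 30-second step, which is exactly why a code read out to a caller is useful to them only if they use it immediately. The secret and expected codes come from the RFC's published test vectors; a real authenticator app would instead hold the random secret from Amazon's enrollment QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
# A real authenticator enrolls a random secret from the otpauth:// QR code.
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per code


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated.
    Everything needed is local (secret + clock); no message is sent anywhere."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side: accept the current step plus 'window' steps either side for
    clock drift, comparing in constant time. Outside that window the code is dead."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * STEP), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps show and accept the secret as base32, often unpadded and spaced."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    now = int(time.time())
    phone_code = totp(RFC_SECRET, now)  # what the app would display right now
    print("code on phone          :", phone_code)
    print("server accepts now     :", verify(RFC_SECRET, phone_code, now))
    print("same code 2 minutes on :", verify(RFC_SECRET, phone_code, now + 120))
```

Because the phone and Amazon's server both derive the code from the same secret and clock, there is no code "in flight" for SS7 interception or a swapped SIM to capture; the remaining attack surface is the secret itself (protect the enrollment QR code) and the person who can be talked into reading the code aloud.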
Outsourcing Help and Cybersecurity
For large Amazon stores it is common to bring in temporary help, whether to manage customer requests or to update item descriptions. The larger your customer base and sales grow, the more likely you will need outside help. Giving others access to your store introduces risk, however, and should be done with care.
The Amazon Seller Central dashboard lets you grant specific permissions to each user account that helps you. Never give anyone your administrator password. Instead, use Seller Central's user permissions to invite a third party and grant that new account only the permissions the job requires.
Before you give access to your Amazon store, follow these best practices to protect your store:
- Hire carefully. If you hire a remote worker, interview them thoroughly and onboard them before granting any access; even a short video call is enough to confirm they are who they claim to be and the right fit for the work.
- Grant access following the principle of least privilege. In cybersecurity, least privilege means a user has only the permissions needed to perform their job function. In other words, do not hand out admin rights when a narrower set of permissions will do.
- Disable access when a helper's engagement ends. Lingering permissions give a former contractor, or anyone who compromises their old account, a way to harm your store. Always deactivate accounts that no longer work with you.
- Monitor activity. As the store administrator, you can review what each user does with your assets and product listings. Should an assistant's account be hacked, monitoring lets you spot suspicious activity and stop it before much damage is done.
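To show what these four steps look like as a routine check, here is a small Python access review added as an example (it is not from the original post and does not call any Amazon API): it diffs each helper's granted permissions against a baseline for their role, flags expired contracts and stale logins, and scans an activity log for actions a user's permissions do not cover. The permission names, users and log entries are all constructed for the example; Seller Central's real permission labels differ.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed permission names for this example; Seller Central's real labels differ.
ROLE_BASELINE = {
    "owner": {"user_permissions", "bank_details", "payments", "inventory",
              "listings", "messaging", "orders", "reports"},
    "customer_support": {"messaging", "orders"},
    "listing_editor": {"inventory", "listings"},
    "accountant": {"payments", "reports"},
}
# Permissions that should never leave the owner: they let a user add users or redirect payouts.
OWNER_ONLY = {"user_permissions", "bank_details"}


@dataclass
class StoreUser:
    email: str
    role: str
    permissions: set
    last_login: date
    contract_end: Optional[date] = None  # None for the owner / permanent staff
    active: bool = True


@dataclass
class Event:
    """One line of a constructed Seller Central activity log."""
    when: date
    user: str
    action: str  # the permission category the action falls under
    detail: str


def review_access(users, today, stale_days=30):
    """Least-privilege and lifecycle review; returns (email, TAG, detail) tuples."""
    findings = []
    for u in users:
        if not u.active:
            continue  # already deactivated: nothing to review
        excess = u.permissions - ROLE_BASELINE[u.role]
        if excess:
            findings.append((u.email, "EXCESS_PERMISSIONS", sorted(excess)))
        if u.role != "owner" and u.permissions & OWNER_ONLY:
            findings.append((u.email, "SENSITIVE_ACCESS", sorted(u.permissions & OWNER_ONLY)))
        if u.contract_end and u.contract_end < today:
            findings.append((u.email, "CONTRACT_EXPIRED", u.contract_end.isoformat()))
        if (today - u.last_login).days > stale_days:
            findings.append((u.email, "STALE_ACCOUNT", f"last login {u.last_login}"))
    return findings


def audit_activity(users, events):
    """Monitoring: flag actions outside a user's permissions, sensitive actions by
    anyone but the owner, and any action by a deactivated or unknown account."""
    by_email = {u.email: u for u in users}
    alerts = []
    for e in events:
        u = by_email.get(e.user)
        if u is None or not u.active:
            alerts.append((e.user, "DEACTIVATED_OR_UNKNOWN_ACTOR", e.detail))
        elif e.action not in u.permissions:
            alerts.append((e.user, "ACTION_OUTSIDE_PERMISSIONS", f"{e.action}: {e.detail}"))
        elif e.action in OWNER_ONLY and u.role != "owner":
            alerts.append((e.user, "SENSITIVE_ACTION_BY_NON_OWNER", f"{e.action}: {e.detail}"))
    return alerts


# Constructed roster and log for the example.
TODAY = date(2024, 6, 1)
USERS = [
    StoreUser("owner@acme-goods.example", "owner", ROLE_BASELINE["owner"], date(2024, 5, 31)),
    StoreUser("support@agency.example", "customer_support",
              {"messaging", "orders", "bank_details"}, date(2024, 5, 30), date(2024, 12, 31)),
    StoreUser("writer@freelance.example", "listing_editor",
              {"inventory", "listings"}, date(2024, 3, 2), date(2024, 3, 31)),
    StoreUser("old-va@freelance.example", "customer_support",
              {"messaging", "orders"}, date(2023, 11, 1), date(2023, 12, 31), active=False),
]
EVENTS = [
    Event(date(2024, 5, 30), "support@agency.example", "messaging", "replied to buyer inquiry"),
    Event(date(2024, 5, 30), "support@agency.example", "bank_details", "changed deposit account"),
    Event(date(2024, 5, 29), "writer@freelance.example", "payments", "viewed payout report"),
    Event(date(2024, 5, 31), "old-va@freelance.example", "messaging", "sent message to buyer"),
]

if __name__ == "__main__":
    for f in review_access(USERS, TODAY):
        print("REVIEW", *f)
    for a in audit_activity(USERS, EVENTS):
        print("ALERT ", *a)
```

The review catches the support agency's bank-details permission before anyone uses it, the expired and idle listing editor who should have been deactivated, and a message sent from an account that was supposedly switched off; running something like this weekly is the practical form of "monitor activity".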
Amazon invests heavily in security, but you must still protect your account from credential theft, phishing and social engineering. Amazon's server security blocks many attacks, but credential theft is one that Amazon cannot prevent for you. Know the signs of a phishing attack and be alert to social engineering aimed at your account. Follow these basic practices and you will reduce the risk of a data breach or seller account takeover by the many criminals looking for access to your funds and customers.
These tips don’t just apply to your Amazon seller account, but also to the other online marketplaces you sell on too. For cybersecurity tips for your online store, check out this post on how to keep your eCommerce store secure.