Amazon is known for disrupting industries. Amazon Prime is so disruptive it’s turned the retail business on it’s head. Amazon Prime has “tens of millions” of members, which means big money for the company considering it charges $79 a year for a subscription. In short, Amazon Prime is an all-you-can-eat buffet of nearly any retail item you could imagine, shipped free in two days. On this past Cyber Monday alone Amazon Prime logged more than 36.8 million items ordered. If you’re sharing the bounty of Amazon Prime with a significant other, however, beware.

Amazon Prime by all accounts has one extremely huge flaw in its service: you’re out of luck if Amazon Prime has ever been accessed from an ex-boyfriend or ex-girlfriend’s device. They’ll be able to make it rain with free shows, shipping and more.

Shevonne Polastre and her now ex-boyfriend wanted to watch a movie one night at his house. They logged into her Amazon Prime account to watch a movie she wanted to see. A few weeks later she ended it with him. But he wasn’t done. Upon logging into her Prime account one day, Polastre found  The West Wing on her recently viewed list. She doesn’t watch The West Wing.

Through a text message exchange Polastre learned her ex was watching it on his Xbox One and had no plans of stopping. She promptly changed her password from the computer, but surprisingly wasn’t prompted for that new password when logging into her Sony PS3 Prime app. Posastre details:

So I look what devices are registered to the account. I see a Sony (that’s the PS3), Sony Blu-ray, and two Kindle Fires. Never listed was the Xbox One. I tried deleting the Kindle Fires to see what happened. Nothing, I could still re-add it and log-in without being prompted for any password. So I tried to e-mail Amazon Prime and say I had changed my password and it isn’t prompting me to re-sign in because my password has been changed.

The story gets better. .. and by better I mean worse. Polastre tried deleting The West Wing from her watch list. Next day, it reappears on her recently watched shows. So she tries Amazon Prime’s customer service chat.

I tried chat, they were clueless. ‘I don’t see it (the Xbox One) on your registered devices,’ said the customer service representative. Exactly. I tried deactivating all of the devices and restarted my PS3 like he asked me to, but I was still able to simply turn it on and access my Amazon Prime, never prompted for a password.

What Polastre got was a canned response that, loosely translated, means “you’re up a creek without a paddle.” Here is a screenshot from the response from Amazon:

Scripted response from Amazon Prime’s customer service.

How can that be? A major security flaw in Amazon Prime and the best they can come up with is “this usually does not occur”?

Maybe Amazon Prime has a kill switch, like Netflix. Nope, no kill switch. So because Polastre’s Amazon Prime was signed into on an Xbox One once, regardless of her password change, he’s able to take full advantage of all the freebies allotted to Amazon Prime users.

But can he make purchases?

“I’m obviously extremely worried about that. I had some people on Twitter say that I should contact Xbox and they can flag his account so he can’t access it, so I’m going to try that,” said Polastre.

I tried to find anywhere on the World Wide Web to see Microsoft’s stance on password issues with applications on the Xbox One platform, specific to Amazon Prime or not … and came up drier than a camel in the Sahara. Microsoft is pretty vague in any information on application-specific issues through the Xbox console.

A story of privacy

The story here is privacy and security of the life of the connected consumer. The digital trail we leave is expansive and extremely intrusive. The Internet of Things is only going to compound the problem. The more connected our lives become the more security risks can affect our lives. An ex-boyfriend having access to your Amazon Prime account to watch free stuff isn’t the same as having access to your bank account, but it doesn’t feel any less worrisome.

Look, I’m all for the cloud. I’m all for services working with services (Amazon Prime and Microsoft’s Xbox One). But there is a significant security flaw in the how devices are accessing things in the cloud and those shared services communicating within it. Without a proper ‘kill switch’ or reset option, no account is safe from previous devices, partners or access points. Period.

“While some improvements in the development process have been made, other newer areas of vulnerability have emerged. It’s a graphic illustration of the gigantic game of whack-a-mole that enterprises and software developers are playing – and a clear message that it’s time to rethink the way we develop and test our applications,” said Bala Venkat, Chief Marketing Officer at Cenzic, a provider of enterprise security testing services.

Security is going to be the common thread amongst all digital-related conversations for the next 20 years, and the connected consumer in the Internet of Things is going to be the center of attention. Cybersecurity is no laughing matter, and as a connected consumer you’d be wise to better protect your digital footprint. Oh, and don’t log-into your Amazon Prime from your boyfriend’s gadgets.

Customer service #FAIL

If security is the story here, its first chapter would be all about customer service. Amazon didn’t handle the situation well at all. When you’ve run out of templated responses and give up on securing a user’s account, that’s poor form. It isn’t for Amazon to determine whether or not the issue is a threat.Polastre is a paying customer yet someone is using the services she paid for, without her permission.

The connected web is creating a mountain of customer service issues, and those tech companies leading the mobile web are struggling to keep up. The connected consumer relies on services offered, but when something goes wrong with personal information, security and password recovery — web companies are failing consumers. Security flaws in mobile applications are outpacing the fixes. The Cenzic’s Application Security Trends Report 2014 found that privacy violation and excessive privileges appear in over 80 percent of mobile applications.

Take Twitter for instance. Our Managing Editor Kristen Nicole Martin was forced to reset her Twitter password last year after the service suffered a major security breach. But in setting up a third party service years ago, she no longer remembers which service’s email address is tied to her Twitter account and remains unable to access the “reset password” email.

In all of her communications with Twitter, the final outcome has unvaryingly been, “Sorry we cannot help you.” The kicker? She’s still logged into her Twitter account on web Hootsuite and Twitter’s iPhone app. Neither have prompted her to enter any new password. Say what?

With a frustrated tone, Martin had this to say:

“Why can’t Twitter tell me what e-mail address is tied to my account, as they would with a username? Or a secondary method to reset my password, like Google offers?”

Good question.

Protect yourself

Our own Mellisa Tolentino’s recent article highlights five ways to improve your password security. Let’s recount the two most important from that list.

• Use two-step authentication

Most services these days offer two-step authentication, which means you need your mobile phone to login to a service. You can do this by editing your account setting and adding your mobile phone number to your account and activating the two-step authentication. What happens is, whenever you login to your account, you need to enter a code, which the service sends to your mobile device. This keeps things secured as the codes are changed every time.

• Password lockers

Managing too many passwords can be really tricky and it’s not that easy to remember which password goes with which service. You can write things down on a piece of paper and keep that paper secured, but tangible things can easily get lost. The best next thing, if you think you can’t rely on your memory to manage all these passwords, is to use a password locker like SplashID Safe, which has a 10 year history and over 1 million users. SplashID Safe allows you to store all your passwords and all other sensitive information in one place, and instead of entering a password for each site you manage, you just use SplashID Safe to gain access in one click.

Whatever method to your madness, be proactive in protecting and backing up your accounts on the line.

photo credit: Alex Jarvis via photopin cc