Security Advice Review: Avoiding Amazon Delivery Scams
The Mercury News recently published an article about a complex e-commerce scam involving unwanted deliveries and credit card fraud. It's worth a read to understand the nature of the scam - but will the cybersecurity tips they offer do any good to the average reader?
I decided to score their advice based on practicality and utility.
Research the Vendor - 3/10
Make sure you know who the vendor is. Do a little bit of research, rather than selecting just on price. “If you’ve never heard of them, that should be your first concern. When we walk through downtown San Francisco, we’re constantly aware of people around you. We don’t do that online.”
This advice is a lot like "watch out for suspicious emails" - it sounds great in theory, but what exactly are we watching out for? What information makes a vendor more likely to be legitimate? Heck, how do we even define vendor legitimacy? If I want a knockoff handbag, any vendor that delivers the knockoff handbag I ordered is arguably legitimate.
Shop with Prime - 7/10
“Amazon Prime” vendors are better vetted than others. The easiest way to find Prime vendors is to check the little box in the upper left hand corner of your screen that says “Prime only.” Amazon automatically clicks it off, so you have to click it on.
While I've seen examples of Prime vendors slipping through the quality nets, this is a pretty good way to avoid ripoffs and scams in the Amazon Marketplace. It won't stop the kind of identity theft and fraud outlined in the article, but it's still worth doing!
Use Passkeys - 10/10
Consider using “passkeys,” which are easier and more secure than passwords. They let you sign in to your Amazon account by using your face, fingerprint, or the PIN that you use to unlock your device.
Yep. Just use passkeys. They won't stop you from being defrauded, but use them anyway.
Rotate Your Passwords - 1/10
If you use passwords, change them every three months. Don’t repeat passwords or use the same password for every account. A “password manager” makes it easier to change them frequently, using a randomly generated code.
Nope! If your passwords are randomly generated and unique per site, the only time you need to change one is when that site gets breached. Do use 1Password; do not use 1Password as a tool to rotate your passwords every 90 days.
Set Up Usage Alerts - 5/10
Set up your bank account so it issues an alert every time your credit card or your bank card is used, so you’ll know as soon as a transaction happens.
The underlying goal here is good, but the approach is bad. Depending on how often you use your credit card, this is likely to result in alert fatigue. Given that credit card charges can be disputed for up to 90 days, I've found that reviewing my credit card charges once every couple of weeks strikes a good balance.
Also, don't use a debit card anywhere except indoor bank branch ATMs if you can help it.
Use Credit Unions - 1/10
Credit unions provide better security than banks. To be sure, large banks are more numerous and convenient. But they are larger targets for hacking.
This advice is so bad it borders on nonsensical. I'm not saying credit unions are bad; I'm just saying: use a credit union despite their security track record, not because of it.
In my time dealing with payment fraud, most of the systematic fraud originated from small banks and credit unions, because they simply don't have the personnel, tooling, or system-wide visibility that big banks do.
And they get hacked or defrauded. All. The. Time.
Install Antivirus Software - 4/10
Install anti-virus software on your computer. Because the software is constantly running, it may slow down your machine. But it will fend off hackers who are trying to steal personal information.
This really depends on the antivirus vendor you choose - Norton and McAfee are essentially malware in their own right, and you'd be better off with no antivirus software if they are your only options.
Instead, folks should:
- Install browser and operating system updates as soon as they're available.
- Install as little software as possible. That includes browser extensions.
- Make sure Windows Defender is running, and if you reeeeeallly want the comfort of antivirus on Mac, use Malwarebytes.
Overall - 4/10
While there are some helpful nuggets sprinkled through this article, for the most part the advice ranges from useless to actively harmful. More importantly, it does little to address the underlying attack. To my mind, there's nothing worse than cybersecurity advice that is painful to implement (e.g. move all my banking to a credit union??) and then turns out not to guard against the type of attack actually affecting me. That's how we create jaded users who end up ignoring all security advice as futile.