Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.

When logging on to his account, he used an old password by mistake and found that he was looking at details from some years ago (2001-2), from when the old password was tied to his active-at-the-time account. When he contacted Amazon about the odd behaviour, they told him that he must have somehow created a second account using the same email, and had since been using that account as his primary account.

If we take Amazon's explanation as being the correct one (and ignoring the glaring security problem if any old password could access a current account - a question that Amazon didn't answer when Bennett asked), there is a serious security problem that exists for Amazon account holders.

Basically, Amazon should not be allowing multiple accounts to be linked to the same email address, especially when using the email address as a core component of the online authentication process. Although the accounts would have unique account IDs it still throws up several problems for administration and user experience.

Just one of the administrative problems is how do you handle notification of hijacking attempts across each account when there is only the one email address? You can't exactly identify the specific account when the only unique identifier that the user knows of is the password.

From a malicious point of view, you won't need to access someone's credit card details to have expensive goods shipped from Amazon to a Post Office Box, just so long as you can guess their older password details (for a user who has gone through the same process as Bennett), or attempt to establish a fake account with the correct password (which is probably easier than it sounds).

Dictionary attacks have a new viability - collisions in the database. If you, as an attacker, manage to create multiple accounts on a target's email address, eventually you are likely to hit their in-use password. If this happens, you can change their shipping address and merrily ship away with expensive goods, before returning the account to its pre-hack state.

Numerous email address/password authentication compilations are available on the Internet for a number of major sites (often the result of phishing victims not recognising their presence on a phishing site). There are thousands (if not more) of excellent starting points that are quite likely to have tens to hundreds of matching pairs due to people still not using discrete passwords for each site that they maintain an account on.

Stock Pump 'n Dump scammers have been known to monitor users of online trading sites and use their accounts when the user departs on holiday or other travel, keeping the risk of their discovery low. Someone who successfully captured an Amazon account (or set of accounts) could readily do the same here and it would be much harder to prove that it was fraudulent activity.

Without notification to, or verification by, the email account holder that an Amazon account has been opened with their contact address, then all the attacker has to do is continue attempts at guessing the password via fake account setup at a rate that doesn't alert Amazon.

Stopping this problem is easy. Email verification as part of a new account setup will stop this attack dead in its tracks. The victim would also get wind of an attempt to hijack their account based on the numerous verification emails that they suddenly start receiving from Amazon.

Why does Amazon allow multiple accounts for the same email? Bennett suggests that it might have originally been due to people sharing the same email, but this should no longer be a very widespread practice, given the number of freely available webmail services.

How does someone whose account has been compromised in such a manner convince Amazon (or their bank) that their account had been hacked at the time? After all, the attacker gained access through the correct authentication procedure, and only changed the shipping address temporarily (or entered it as a one off shipping address).