Amazon's 1-Click Security Hole
17 Jul 2011, 20:38 UTC
David Marseilles

Last month I ordered a title from Amazon's Kindle Sunshine Deals, a now rare example of ebook discounting. I was surprised when I went to order my book that I was not required to sign in or given the opportunity to choose a payment method. I wasn't surprised because I didn't understand that's how 1-Click was supposed to work; I was surprised because I had deliberately turned off 1-Click as a payment method in my settings a long time ago. I logged in to check my account to be sure I had not imagined disabling the feature, but sure enough, it was still disabled. I contacted Amazon support to inquire as to why they weren't respecting my settings. They very kindly explained that they did respect my settings, except when they didn't. 1-Click, as many of you may already know, is the only available payment method for Kindle books, as well as other Amazon digital products.

Shouldn't I be happy with the convenience of not having to log in? Apparently I should, but I'm not. Anyone with access to your machine need not be forced to log in in order to run up charges on your default 1-Click payment option. This includes your kids, loser roommates, frenemies and of course, any cats you might have around. Honestly, the cats are the real threat. Amazon must be aware of the possibility of security issues because they have an option to turn off 1-Click for non-digital goods (though that portion of settings does not explain that 1-Click will still apply to digital goods). Perhaps they figure digital goods tend to be cheaper and there is less potential for harm, as well as there being less reason to affirm your shipping address as you would do while going through the traditional pay process. I also suspect if you contacted Amazon and explained that certain purchases had been made by an unauthorized person, and the digital goods had not been accessed yet, they might well undo the sale. But that's just not good enough for me. Nor is the most obvious option: completely logging out of Amazon in between each session.

On the one hand, eBay automatically logs me off and won't even let me stay logged in enough to see the auctions I'm watching no matter how secure the system I'm using is (which does discourage me from spending more time on eBay); on the other hand, Amazon requires me to manually completely log off to avoid risking unwanted orders. Have online retailers not read Goldilocks? There's an ideal zone of security and it isn't the same for every person. Why not let me lock things down when I feel it appropriate and open them up a little when I prefer? No one knows my needs better than me, and while some people prefer to be told what to do, that's what default options are for.

So to address this security hole, I've placed a prepaid card as my default 1-Click payment method. Said card has about $0.01 remaining on it, and my hope is that that would be my total exposure to orders placed by anyone else. To test this theory, I placed an order on an item (one that I did want, just in case Amazon switched pay methods on the fly or something) today to see what would occur. Amazon sent me an email stating the item required attention, with instructions on how to retry my payment method or change that method, and a notice that I needed to do so within 5 days. Hopefully, after that time, the order will be canceled. I'll report back.

Whatever happens, proceed at your own risk. Even if this is a useful method for now, Amazon could always change things around later. Probably the only safe way to deal is to log out every single time. Does this seem smart to you, Amazon? Do you think I'll use your service as much if I have to log on and then back off every time I want to add something to a wishlist or grab the free Android app of the day? In the meantime, if this bothers you as a user (or could someday bother you, if say, your living circumstances change), please contact Amazon support and ask them to allow a true opt-out from 1-Click. Amazon is a fairly responsive company in my experience, and if enough people ask, perhaps they will act.

