Imagine suddenly being alerted that someone is on a wild buying spree right inside your Amazon account!
It happened recently to a Dallas-area woman named Jonette Ferrier. Hackers had already shipped two game consoles worth more than $1,500 from her account and were ordering more as she watched.
Jonette immediately cancelled the new orders. But that didn’t stop thieves—they kept buying more. So she changed her password thinking that would end the scam. Nope.
No matter how many times Jonette deleted an order and changed her password, the thieves kept returning. (More on how the hackers did this, later.)
She even got Amazon on the phone. They watched the whole cat-and-mouse game right on their computer console. Finally, someone figured out how to halt the theft ring. They told the woman to go into her Amazon Advanced Security Settings and turn on Two-Step Verification. That did the trick.
Cybersecurity rule: Always use two-step verification
Jonette’s story, told to CBS News,
is one of hundreds of “hack reports” Devin Kropp and I have collected over the past four years developing a workshop called “1 Hour to Savvy Cybersecurity” and researching and writing a book called Hack-Proof Your Life Now!
Since the 2013 Target data breach, it has been our mission to help Internet users who are worried about identity theft, alarmed about the possibility of hackers getting into their email and bank accounts, and trying to safeguard their privacy.
We discovered strategies and tools that people can quickly and easily use to boost their online security. How we do this is by getting people to measure their current “Cybersecurity Score” and then showing them simple, clear, and effective action steps they can take right now to dramatically boost their safety, usually for little or no cost.
Adding two-step verification on important financial accounts is one of the most important of our new cybersecurity rules.
This advanced security feature, also known by other names including “two-factor authentication,” “two-step login,” and “multi-factor authentication,” is something every Internet user should know about. Not only can it keep thieves out of your Amazon account, it can secure your email, banking, and other sensitive online accounts.
In our book Hack-Proof Your Life Now! we define two-step verification as a “two-stage process to verify your identity when trying to access an online account. It requires ‘something you know’ and ‘something you have.’”
We’ve all been doing this with our ATM cards for years. You enter the card (something you have). The machine reads it and then asks you for your PIN (something you know).
For online accounts with two-step verification, it’s similar. You enter your username and password (something you know) and then you enter a code sent to your mobile phone (something you have). It’s simple and highly secure. Now let’s see how to do it on Amazon.
Advanced security settings at Amazon
Start by clicking on Your Account, right under your name on the right side of the navigation bar.
Then scroll down to Account Settings and click on the first item: Login & Security Settings.
Figure 1: Login & Security Settings
Once you do that, Amazon will ask you to login again and you’ll arrive at Change Account Settings. Scroll down to the bottom and find Advanced Security Settings. Click the grey box to the left that says “Edit.”
Now you’re on the Advanced Security Settings page of your Amazon account. Look on the left side to see where you will see Two-Step Verification. Click the yellow button that says “Get Started.”
Figure 2: Get Started
Next, you’ll see directions to “Choose how you’ll receive codes.” Your first step is to select “Text message (SMS)” and pick the mobile phone number you want to use. Tell Amazon to send a code to your phone number, and enter it on this page.
(If you live in an area with spotty mobile connectivity, go to the bottom and choose Authenticator App. Go to your smartphone app store, download the program and use it as your “thing you have” to complete your two-step login.)
Figure 3: Choose How You’ll Receive Codes
Once you enter your security code on the Amazon security page, you will arrive at “Add backup method.” You are required
to choose a second, different phone number as your backup. Tell Amazon to send a code to your backup number and enter it on the security page.
Figure 4: Choose Your Backup Method
In this last step, Amazon gives you some alternative directions about signing in from certain devices like pads or phones, and, importantly, offers you the alternative to skip codes on your personal devices.
You probably don’t want to enter a code every time you log in to Amazon from your personal computer or mobile device. No problem. Check the box next to “Don’t require a code on this device.” When you initially sign in from your other devices, you can do the same. (And of course, you can always add a device or computer that you use frequently under the “Devices that don’t require code” area in your Advanced Security Settings page.)
Now just click the yellow box that says “Got it. Turn on Two-Step Verification.”
Figure 5: Skip Codes on Personal Devices
Now you’re done. You will see the following screen as confirmation that you have succeeded in setting up Two-Step Verification.
Figure 6: Confirmation
Congratulations! You’ve just added a major new security feature to your Amazon account. You can shop now assured you’re very safe. It’s a simple, brilliant approach that foils hackers.
The mystery of the changing password
So how did the hackers know Jonette Ferrier’s Amazon password, even as she changed it?
She probably had a type of malware on her computer known as a “key logger.” This kind of software records every key stroke you make and then sends it to the hackers. So each time she changed her password, the hackers could see what she was doing and continue their scam using the new password.
You can reduce the risk of getting infected by a key logger several ways. Of course, it’s
good to have antivirus and anti-malware software on your computers. But one of your best protections against malware is to ensure that you always update your software. Updates close security holes that hackers exploit. It’s the one thing nearly every computer expert in the world does religiously. And you should, too.