An Amazon security system designed to ensure expensive items are delivered to the correct person is still backfiring on customers, 18 months after flaws in the system were first exposed.
In July 2022, I wrote about how Amazon’s one-time password (OTP) system was being used to deny customers refunds for packages that were never delivered in the first place.
The OTP system requires customers to give couriers a six-digit code before expensive items are handed over. But I reported on multiple cases in which customers who gave the correct code weren’t given the expensive item, often when the person was receiving multiple packages at the same time and didn’t notice the expensive item was missing until the courier had left.
Amazon customer support initially refused to refund affected customers, claiming that supplying the code was proof the expensive item was delivered.
Since that July 2022 report, I’ve received a steady stream of complaints from customers who’ve experienced a range of problems with the OTP system.
Amazon OTP Flaws
Tim Furdi from London has twice suffered as a consequence of Amazon’s OTP system.
On the first occasion, a courier arrived at his London apartment to deliver a robot vacuum cleaner. The driver called Furdi when he arrived to deliver the package and said he needed the OTP to release the package to the concierge in his apartment block. But when Furdi went to collect the package from his concierge, no parcel had been left.
“The driver was still there and he was adamant that he gave the parcel to reception, but reception denied that he had,” Furdi told me. “Then the driver became verbally abusive and left. I had to call Amazon many times about this and it took three weeks of internal investigations and checking footage before they refunded me.”
Furdi had further OTP problems when he recently ordered a router. This time a driver arrived with a package and asked for the OTP, but after handing Furdi the parcel he “immediately realized it wasn’t mine, it was someone else’s,” Furdi said.
The driver returned to his van to supposedly retrieve the correct package, but instead drove off. When Furdi contacted Amazon’s customer support he was told that “since I gave him the OTP there’s not much they can do, they won’t refund or redeliver.” The company has since fully refunded Furdi.
Phone Number Scam
It seems rogue couriers have found other ways to beat Amazon’s OTP system, too.
Another reader contacted me to complain that their Google Pixel phone had supposedly been delivered while they were out, without ever giving the OTP to the driver.
The reader claimed that in cases when the customer is unable to provide an OTP, courier drivers can instead use digits from the customer’s cell phone number as proof of identity. Amazon doesn’t provide drivers with the customers’ phone numbers, but drivers can call customers using an Amazon system where the number is hidden.
In this instance, the call went through to the customer’s voicemail, which has a generic message stating “you have reached the answerphone service for” and then proceeds to read out the customer’s number. The driver allegedly used these details to bypass the OTP security system and steal the package. Amazon customer services refused to offer a refund, claiming the delivery was confirmed by OTP.
Amazon customers on Reddit report similar scams, in which the courier rings the customer and tricks them into revealing their phone number, then uses it to bypass the OTP and keep the package, which the courier knows will contain an expensive item.
Amazon Statement On One-Time Passwords
“We work hard to understand the circumstances around every case and find a resolution with the customer. Customer satisfaction is our utmost priority, and we’re sorry that customer experiences in these cases did not meet the high standards we expect,” an Amazon spokesperson said.
“We have implemented additional controls that are already making it even harder for bad actors to defraud customers, selling partners and Amazon. We are collaborating with the authorities, and are working tirelessly to improve the customer experience in these cases.”