Chasing an active Social Engineering Fraud at Amazon Kindle

February 12, 2013 8:39 PM Comments [35] Posted in Musings

TL;DR: I've just spent several hours chasing a socially engineered (not password compromised) stolen Kindle through a series of phone calls, chats, virtual shipping addresses, UPS tracking numbers and more. The irony is that my wasted time is the real loss.

NOTE: Amazon Kindle Support is, and continues to be truly amazing. However, in this instance, they have flawed policies that I have no doubt will be fixed.

All this for the want of a $119 Kindle. Let me start over.

Yesterday I got an email from Amazon that said:

I'm writing to follow-up on our recent chat conversation.
I'm sorry to hear about the problem with your Kindle. I'm sending you a replacement Kindle via Two-Day shipping to get it to you as soon as possible.
...
Guaranteed Delivery Date: Tuesday, February 12, 2013.

Hm? What? Is this a Phish? No, all the links are valid, email return path is correct, and I confirmed I've received emails like this before.

I log into my Amazon account and I see:


Holy crap. I didn't order that. I click Cancel. Then I get this email a few minutes later:

We weren't able to cancel the following item(s) from your order:
Kindle Paperwhite 3G, 6" High Resolution Display with Built-in Light, Free 3G + Wi-Fi

Looks like they are so efficient that they got the Kindle on the truck already. I check UPS. It's on the way to my house.

I login to Amazon's "Manage Your Kindle" page, and sure enough, there's already 'Scott's 2nd Kindle' sitting there, ready to go. I deregister it.

Hm? Why is this useful? Why do they want a Kindle sent to my house?

At this point I call Amazon and explain the situation to a human. Sue is SUPER nice, SUPER knowledgeable and immediately I can tell she gets it, so someone give Sue G. a raise. She says she's taking it to Fraud and I should hear from them soon. I want to point out that I'm talking to a human on the phone here.

Sue looks through their details and says there are a series of chats with "Scott" using their Live Chat system. So, this is a social engineering hack, not a "password compromised" hack. The person has reported that "Scott's" Kindle is broken and has asked for a replacement, but then later tried to redirect the delivery. The customer rep says they can't redirect it. However, it appears the bad guy tried multiple support folks until they finally got the package redirected. More on that in a second.

Note that none of this required anything more than my address and my email. They were able to get the Amazon Customer Service to accept that they were me without my password or any additional verification.

I ask Sue to send me the chat logs. She talks to a supervisor and says she can't send them to me because the chat logs contain the address that the bad guy wants to redirect to. She does tell me the redirect address is in Portland, however.

ASIDE: Amazon customer support also "bricked" the Kindle for me. It's not just Deregistered (disassociated from my account) now, but it's remotely deactivated. However, I still don't want the bad guy to succeed.

Sue also mentions that the bad guy asked that the customer representative "not bother to send a follow up email, as I never check my email anyway." The bad guy is consistent in this behavior, always asking to avoid the return emails so I won't see them. Of course, the automated system can't NOT send the follow up, which is why we're here now. If that automated email hadn't gone out I wouldn't have noticed this hack until I checked my Amazon Recent Orders at some point in the future.

ASIDE: It's rather ironic that the bad guy's address has more privacy than I do. 
RECOMMENDATION: I recommend that Amazon implement a policy wherein they email the complete customer chat transcripts after the chat completes.
Additionally, my chat transcripts are mine and should be available to me online.

I figure it's done and I go about my day. Next morning I wake up to see a bunch of mails like this, all from different people at Amazon:

Thank you for contacting Amazon.com about your inquiry. It was a pleasure to help you with your concern.
I can confirm that we still expect to ship your order in time to be delivered to you by February 12th, 2013.
We'll send you an e-mail when your order is shipped with your tracking number.  Your order could ship any time between now and right before the estimated delivery date.

Waa? What "concern?" I go to UPS and check the tracking number for the ill-gotten Kindle.

Note the times. Someone is doing this when Amazon phone support is overseas, or when the bad guy is overseas, or at least, up late.


They are still trying to redirect the Kindle to another address, again with the web chat system and multiple times. This sure is a lot of work for a Kindle.

I call Amazon again and re-explain what's up. I ask for the chat transcripts again but they won't send them. At the same time as this phone call I email Amazon Customer Support and ask for the chat transcripts (via email, just to be clear) and the chat transcripts show up quickly in my inbox. Doh.

RECOMMENDATION: I'm reiterating here. Policies only work when everyone follows them. The phone folks at Amazon are very consistent, but the chat and email support is, in this case at least, demonstrably spotty.

NOTE: The bad guy isn't "ordering" new stuff, but rather requesting a replacement of an existing product exploiting Amazon's liberal warranty replacement service, then redirecting the package.

OK, now I've got chat transcripts. Here's the annotated and edited transcript.

In case it's not crystal clear here, that's not me chatting here.

Transfer Notes : May I check on my replacement Kindle shipment status that was placed earlier today?
10:11 PM Scott is off hold.
10:12 PM Scott : Hi [Name withheld]
10:12 PM Amazon Rep : Hello, Scott.
10:12 PM Amazon Rep : Could you please help me with the order number?
10:13 PM Scott : I do not have the order number with me right now. Could you please help look into my account? The order was placed earlier in the day.
(ED: Note to Amazon, this is odd, as they are sitting at a computer)
10:13 PM Amazon Rep : Scott, I need the email address associated with your amazon account?
10:13 PM Scott : sure.
10:13 PM Scott : [my email address]
10:14 PM Amazon Rep : Please give me a minute to check that.
10:15 PM Amazon Rep : Before I can view your account I'll need to do a quick security check. Please confirm the email address, complete name, and billing address on your account.
10:16 PM Scott : [my address]
10:16 PM Scott : scott hanselman
10:17 PM Amazon Rep : Thank you for the information.
10:19 PM Amazon Rep : The kindle device which your referring to will be delivered to you by: Tuesday, February 12, 2013
10:19 PM Scott : do you have the tracking number for this shipment?
10:20 PM Amazon Rep : Yes, the tracking number is 1Z0ERxxxxxxxxxxxx
10:23 PM Scott : Thank you.
10:23 PM Amazon Rep : You're welcome!
10:24 PM Scott : Please hold on.
10:24 PM Amazon Rep : Sure.
10:25 PM Scott : May I know how can I change the shipping address?
10:25 PM Scott : I just contacted UPS, and was told to contact the shipper, which is Amazon, to change the shipping address.
10:25 PM Amazon Rep : This is the shipping address:
Scott Hanselman
[my address]
United States
(ED: Note that they included "United States." This tells me this was copy pasted. No one writes that.)
Primary Phone: [my phone]
10:26 PM Scott : Yes, but I would like to change the shipping address.
10:26 PM Amazon Rep : I am sorry, the shipping address cannot be changed now, since the item has been shipped.
10:27 PM Scott : I understand, but UPS told me that this is still possible, but only Amazon can contact UPS to do so.
10:27 PM Scott : Are you able to transfer me to someone who is able to help out?
10:27 PM Amazon Rep : Please give me a minute to check that.
10:29 PM Amazon Rep : Thank you for being on hold.
10:29 PM Amazon Rep : I've contacted UPS and asked them to hold this package for you.
10:29 PM Scott : ?
10:30 PM Scott : I do not need UPS to hold the package for me.
10:30 PM Scott : Please confirm with me first before making any changes.
10:30 PM Amazon Rep : I understand that you want to change the address, but that cannot be done now since the package has been shipped.
10:31 PM Scott : Could you please help me call UPS to enquire?
10:31 PM Amazon Rep : Sure.
10:32 PM Scott : If you are not able to make any outgoing calls, please transfer me to a colleague who may do so.
10:34 PM Amazon Rep : Please give me a minute to do that.
10:34 PM Scott : Sure.
10:35 PM Scott : www.ups.com/content/us/en/resources/service/delivery_change.html
10:41 PM Amazon Rep : Scott, could you please help me with the address to which you want the package to be redirected to?
10:41 PM Scott : Sure.
10:42 PM Scott : [Address in Portland with "NUM99999" at the end of the street]
(ED: This US address is a "Shipping Portal" into another country. More on this soon.)
10:43 PM Amazon Rep : Thank you for the information.
10:43 PM Amazon Rep : Please be on hold while I contact UPS regarding it.
10:52 PM Amazon Rep : Thank you for being on hold.
10:52 PM Amazon Rep : Could you please help me with your phone number?
10:53 PM Scott : No worries.
10:53 PM Scott : Sure
10:53 PM Scott : 425-406-xxxx
(ED: I called this. It's a disconnected VOIP number)
10:53 PM Amazon Rep : Please give me a minute.
10:55 PM Amazon Rep : Could you please help me with your country code?
10:56 PM Amazon Rep : Thank you.
11:01 PM Amazon Rep : I am sorry for the delay.
11:01 PM Scott : No worries.
(ED: Conjecture: People comfortable with English say this. This isn't something you hear a lot of non-natives say.)
11:01 PM Amazon Rep : I have requested for a delivery change of the address to the UPS carrier.
11:02 PM Scott : Thank you. May I know when is the scheduled delivery date?
11:03 PM Amazon Rep : You're Welcome. Yes, it will be delivered as scheduled.
11:03 PM Amazon Rep : Here is the link, you may view the details:
wwwapps.ups.com/WebTracking/processInputRequest?
11:04 PM Scott : Thank you so much. You do not need to follow up with an email to me as I hardly check my emails. Would that be okay?
(ED: Seriously?)
11:05 PM Amazon Rep : You're Welcome. I am sorry, I'll need to send you an follow up email.
11:05 PM Scott : Oh. You do not have to do so actually.
11:06 PM Amazon Rep : I understand your concern, but as per our policy I'll need to send you an email.
11:06 PM Scott : An auto generated email to complete the survey is fine.
11:06 PM Amazon Rep : Okay, sure.
11:07 PM Scott : I will complete the survey when I have the time, but you don't have to include other details in the email.
(ED: Not cool, Amazon.)
11:07 PM Amazon Rep : Sure, Scott. I'll do that.

Amazon Fraud will handle the IP address tracking and deal with the bad guy, but now I have an address. I get a website and phone number from the address. It's a global shipping logistics company. The weird number at the end of their address is a Virtual Routing number.

An address with a number after it allows folks to have a package mailed to them in the US, then the package is transparently forwarded overseas. This number points to an account they have with a post office in a country in Southeast Asia. They receive packages from all over, consolidate them, then ship them en masse. This allows governments and companies (and apparently bad guys) to order stuff from companies inside the US, then pay the international shipping and tariffs as a large shipment when it's sent overseas.

I call UPS with Amazon and we initiate an irreversible Return to Shipper. Amazon Fraud is on it, police contacted. This event is done.


UPDATE: Looks like the use of a Domestic Remailer company also hit Chris Cardinal. Someone tried to have a product mailed to an address in Portland, to a different "logistics company" that forwards mail overseas.

But why?

Why all this work for a Kindle? No rock-solid idea. Perhaps:

  • Practice? If they can do one they can do 10, then 100?
  • Kindles, especially 3G Kindles, are preregistered to an account that may have One Click Ordering turned on.
    • With a Kindle registered to me, someone might be able to use it to order a bunch of stuff before anyone is on to them. I've said before that with a Kindle "there's a single click between my Wallet and Jeff Bezos's Wallet." This is truer than ever in my mind now.

How does Amazon fix this?

Here are my recommendations to Amazon on how to fix this.

  • The IP address that the chat happened from was clearly not mine, nor was it likely in my neighborhood.
    • Amazon, like a bank, should notice if a chat or request happens from an unknown location and enforce secondary protocols to check identity.
  • Everything was done over web chat without the user being logged in.
    • No order change should EVER happen anonymously over web chat. Authenticate the user the way you already know how - by making them log in.
  • The bad guy was saying clearly suspicious things. They asked the rep NOT to send emails. That behavior is not normal.
    • Train customer service reps to watch for obviously sneaky behavior, and re-authenticate.
  • The chat transcript wasn't emailed to me. I was notified about an interaction, but not given the context.
    • All chat transcripts should be emailed to the account owner after they are concluded. Chat transcripts should be available to me from my account pages.
  • A half dozen attempts were made in a short period.
    • It appears that the customer reps didn't read the previous interactions and notice that this person was effectively phishing the reps themselves, trying to get satisfaction.
  • The UPS shipping redirect was allowed without authorization.
    • Changing where something is shipped is a big deal. It should be done with significant authentication in place.
  • The resulting destination address was a known international logistics package distributor.
    • There are three in Oregon, which means there are likely only a few hundred, maybe a thousand in the US. Scrutinize orders sent to these "mail launderers."
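As an added example (not Amazon's code and not from the original post), the controls in this list and the forwarder-address observation above, written as a risk-scoring routine over constructed support-chat events: unauthenticated order changes, requests from a region other than the account's, a request to suppress the follow-up email, repeated change attempts in a short window, and redirects to a package-forwarding address. The forwarder list, the region codes and the routing-code pattern are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed list of street addresses belonging to package-forwarding ("remailer") services.
KNOWN_FORWARDERS = {"100 EXAMPLE LOGISTICS DR, PORTLAND, OR"}
# The redirect address in the transcript ends in a routing code ("NUM99999"); this
# pattern is a constructed approximation of that shape, not a real vendor format.
ROUTING_CODE = re.compile(r"\b[A-Z]{2,4}\d{4,}\b")

@dataclass
class SupportEvent:
    time: datetime
    account: str
    authenticated: bool   # logged-in session, not just a name/address check
    action: str           # "status", "replace" or "redirect"
    ip_region: str        # coarse geolocation of the requester (constructed codes)
    home_region: str      # region of the account's billing address
    suppress_email: bool = False
    new_address: str = ""

def score_event(event, history):
    """Return (score, reasons) for one event, given earlier events on the account."""
    reasons = []
    if event.action != "status" and not event.authenticated:
        reasons.append("order change without an authenticated session")
    if event.ip_region != event.home_region:
        reasons.append("request from a location not associated with the account")
    if event.suppress_email:
        reasons.append("asked the rep not to send the follow-up email")
    if event.action == "redirect":
        addr = event.new_address.upper()
        if any(f in addr for f in KNOWN_FORWARDERS) or ROUTING_CODE.search(addr):
            reasons.append("redirect to a package-forwarding address")
        else:
            reasons.append("shipping redirect requested")
    since = event.time - timedelta(hours=24)
    prior = [h for h in history if h.account == event.account
             and h.action != "status" and since <= h.time < event.time]
    if len(prior) >= 2:
        reasons.append(f"{len(prior)} earlier change attempts in 24h")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Process events in time order and return (decision, reasons) per event.
    "step-up" means re-authenticate (e.g. require login) and hold the change."""
    decisions, seen = [], []
    for ev in sorted(events, key=lambda e: e.time):
        score, why = score_event(ev, seen)
        decisions.append(("step-up" if score >= threshold else "allow", why))
        seen.append(ev)
    return decisions

# Constructed events modelled on the incident described in the post.
EVENTS = [
    SupportEvent(datetime(2013, 2, 11, 9, 0), "scott", True, "status", "OR", "OR"),
    SupportEvent(datetime(2013, 2, 11, 20, 30), "scott", False, "replace", "XX", "OR"),
    SupportEvent(datetime(2013, 2, 11, 21, 40), "scott", False, "redirect", "XX", "OR",
                 new_address="1234 Somewhere St NUM99999, Portland, OR"),
    SupportEvent(datetime(2013, 2, 11, 22, 42), "scott", False, "redirect", "XX", "OR",
                 suppress_email=True, new_address="100 Example Logistics Dr, Portland, OR NUM99999"),
]

if __name__ == "__main__":
    for (decision, why), ev in zip(triage(EVENTS), sorted(EVENTS, key=lambda e: e.time)):
        print(ev.time.time(), ev.action, decision, why)
```

The legitimate, logged-in status check scores zero while each unauthenticated change request from the other region triggers a step-up, and the final redirect accumulates all five signals.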

What do you think?


Video: Effectively Managing Your Personal Brand Online

February 9, 2013 6:03 AM Comments [3] Posted in Blogging | Speaking

This blog, my twitter, my YouTube are all part of my online presence. While my day job is ensuring that Microsoft's web developer tools work well across many cross cutting concerns, my passion remains teaching.

When I went to work for Microsoft 5 years ago I made it clear that the blog, its content, and my online voice would remain mine. I also told them I would do 'side work' in social media. Often I blog about the things I'm working on, but I also blog about family, diabetes, gardening, culture, diversity, languages, gadgets and lots more.

One of the things I enjoy doing besides programming and teaching, is helping folks in other industries manage their personal brands and use social media effectively. I've spoken at conferences and to many different blogging special interests from interior designers to bloggers of color.

The things I've learned - largely by making many mistakes - in the last 10+ years of blogging apply not just to the technical world, but to anyone with an online presence.

  • Related Link: A Social Media Brand Primer: Managing your (personal) brand with Twitter, Facebook, LinkedIn, YouTube, etc.

Last year at Blogging While Brown I presented the technical keynote along with my very close friends Luvvie Ajayi and Adria Richards. You may know Luvvie from our podcast Ratchet And The Geek. Adria works for SendGrid and you may have seen Adria on Channel 9 with me at the BUILD Conference this year.

The audience was filled with bloggers of all interests. Tech, Culture, Social Justice, Entertainment, Cupcakes (yes!), Yoga, Green Lifestyles and hundreds more. Luvvie, Adria and I have three very different online styles but each is effective in its own way. We combined what we learned into what we think is an edutaining and useful talk.

Together we discussed how to effectively present a clear Voice online, and how your Medium affects your Message. We explore different ways to Reach an audience, and then how to reach them in an authentic way. Then we cover consistent Visuals and what Results look like.

The keynote was split into three segments. You can jump between them directly with these links, Luvvie starting at 2min in, Adria around 14 min and me about 31 min, or watch the whole thing as it was intended.

I hope you enjoy it. We had a wonderful time creating and presenting it.


Simultaneous Editing for Visual Studio with the free MultiEdit extension

February 6, 2013 11:49 PM Comments [44] Posted in Open Source | VS2012

I use a number of text editors. The three I have pinned to my taskbar are Visual Studio, Sublime Text 2, and Notepad 2.


I have three because I like features from one and wish those features were in another.

Sublime Text (and a few other editors) has a great feature called Simultaneous Editing. It's the very definition of an advanced - but core - editor feature.

Enter the MultiEdit extension for Visual Studio. Holding down ALT while mouse-clicking in the editor will add multiple selection points, so when you type, text will be added to all the selected positions. So today, MultiEdit supports multiple carets, but not multiple selections.

Here's an animated gif of MultiEdit in action.


This wonderful MultiEdit extension was released by the Visual Studio "Core Editor" Program Manager Ala Shiban (@AlaShiban). I'd like you guys to encourage our new friend with good reviews and nice comments if you like it. If you find a good bug, offer a clear bug report.

Perhaps if this thing gets a few hundred thousand downloads, we can get some new features, updates and more importantly show Ala's boss and make it a real live built-in feature. ;)

Version 1.0 supports:

  • Typing
  • Backspacing / Deleting
  • Moving the caret around using the keyboard
  • Undo-ing

What isn't supported:

  • Multiple selections
  • Virtual Spaces

Go get MultiEdit now for Visual Studio 2012 and then share it with all your friends.

Even better, perhaps we'll see even more "power toys" from the Core Editor team.

What would you like to see?


Hanselman's Newsletter of Wonderful Things: January 7th, 2013

February 4, 2013 8:59 PM Comments [7] Posted in Newsletter

I have a "whenever I get around to doing it" Newsletter of Wonderful Things. Why a newsletter? I dunno. It seems more personal somehow. Fight me.

Still, it's one more site to check and it's a hassle for some of you, Dear Readers. Therefore, I will still do the newsletter, but I'll post each newsletter to the blog some weeks later.

You can view all the previous newsletters here. You can sign up here Newsletter of Wonderful Things or just wait and get them later on the blog, which hopefully you have subscribed to.


Hi Interfriends,

Thanks again for signing up for this experiment. Here's some interesting things I've come upon this week. If you forwarded this (or if it was forwarded to you) a reminder: You can sign up or sign down at www.tinyletter.com/hanselman and the archive of all previous Newsletters is here.

  • If you like Science Fiction as much as I do, perhaps you'll like this Creative Commons anthology of "Muslims in Sci-Fi."
  • I've been collecting crazy font-related things lately, I'm not sure why but it's fun. Do you hate Comic Sans? There's many more fonts, ahem, typefaces, to hate.
  • An absolute beginner's guide to Arduino. A lovely way to get an overview of how to program tiny computers. Also fun for the kiddies.
  • Pardon the swear word, but FckYeahKeming is a great site full of kerning (bad kerning? Keming) that you won't be able to un-see.
  • Why does Kerning matter? Well, many reasons.
  • I wrote a blog post I'm very happy with called iPad, Surface, Ultrabook: Are we there yet? that I submit for your approval.
  • Great web comic that is evocative of Harry Potter. I suspect you'll lose several hours in the archives. If you do, support Gunnerkrigg Court.
  • Everything You Know About Fitness is a Lie. Really? Damn.
  • Latency Numbers Every Programmer Should Know.
  • Brilliant interactive guide to Blog Typography. Really well done.
  • Electronic toys from holidays long past imgur.com/a/FCVHV via Jeff Atwood
  • My presentation from GOTO Conf on ASP.NET, jQuery and Mobile is up on YouTube.
  • Learning to Let Go. First, Turn Off the Phone.
  • Great for site designers. Need a placeholder image?
  • Practice being a better Programmer at Programming Praxis.
  • Cool and inexpensive home science experiments to blow your son or daughter's mind.
  • What happens with a secure HTTP request in the first few milliseconds?
  • Mavis Beacon was great, but there is room for Typing Practice for Programmers.

Scott Hanselman

(BTW, since you *love* email you can subscribe to my blog via email here: feeds.hanselman.com/ScottHanselman DO IT!)

P.P.S. You know you can forward this to your friends, right?


This Developer's Life 3.0.1 - Cancer

February 1, 2013 10:42 AM Comments [31] Posted in Podcast