20 Miscellaneous MFA Hacks

This chapter will cover some MFA solution hacks that didn't fit in previous categories and that were not discussed in earlier chapters.

Amazon Mystery Device MFA Bypass

This strange MFA bypass was reported by a U.S.-based Amazon user (www.reddit.com/r/sysadmin/comments/dpbt3t/the_perils_of_security_and_how_i_finally_resolved) in November 2019. The user woke up to discover several Amazon gift cards fraudulently charged to his Amazon account. This surprised him because not only had he not made the gift card purchases, but, as an IT security professional, he had protected his Amazon account with an OTP token. Amazon offers three OTP delivery options (see Figure 20.1): SMS Message, Voice Phone Call, and Phone App.

When enabled, the OTP code is required during logon to the Amazon user account, including from any device the user connects to the account. The victim in this case believed his account was thoroughly protected until the fraudulent charges appeared. He tried to contact Amazon fraud support and discovered that the only option was to send an email with a promised 48-hour turnaround for a response. So, he enabled another OTP option, deleted his credit card information from his Amazon account, disabled all currently active sessions, removed all approved devices, and even changed his banking and credit card website passwords.

After much research and talking to an offshore tech support person, he learned ...
