🔥📦🔥 Beating Amazon's Anti-Fraud 🔥📦🔥



d0ctrine (Elite, joined 26.12.23)

Anyone who has ever tried carding Amazon will know the pain of getting this email from them:



But what factors really come into play when steering clear of the dreaded 'Cannot Be Shipped' email? And how can we minimize our risk factors to ensure a high success rate when dealing with Amazon?

The Process
Alright, let's dive into Amazon's transaction risk assessment, but first, we gotta break down their order flow. You'd think Amazon, with its massive $2T valuation and years of online shopping experience, would have the most secure, airtight transaction security, right? Not exactly!

See, Amazon's got this whole "customer-obsessed" vibe going on (they're always bragging about being the world's most customer-centric company). And you know what customers hate more than anything? Checkout hiccups. Seriously, a 100-millisecond delay in loading the site can hurt sales by 7%, according to science!




For a behemoth like Amazon, that tiny slowdown could translate to a whopping $40 billion loss. Every. Single. Year. That happens if they just make the mistake of putting a tiny bit of delay between the customer adding the item to getting an order confirmation. The amount of loss they get from credit card fraud can barely compare to the loss of profit they'll get with any 'security' features they implement.

So, Amazon's playing this balancing act: They're trying to keep things secure, sure, but their top priority is to make sure legitimate customers breeze through the checkout. It's all about keeping those customers happy and coming back for more. This is the exact reason that for the longest time they did not even require CVV, even though VISA and MASTERCARD charge them more to process orders without the CVV, because not requiring CVV means they maximize all the juicy profits from customers who would otherwise abandon their cart because they were too lazy to look at the back of their card.

This friction vs. security trade-off is the heart of all credit card security systems; this is the exact reason why a lot of merchants still don't implement strict 3DS checks, even if the rate of fraud would drop by 95%. They'd simply rather lose to fraudulent transactions than let checkout friction eat their sales! Once the friction rate of 3DS lowered to acceptable levels, Amazon too started rolling it out. But as I'll explain later, there are bypasses to this that are allowed by Amazon by design.

So if that's the case, how does Amazon implement their security then, and how come it's so good? Well, like we've discussed in my earlier guide, it's all data and machine learning (AI). Amazon's implementation is so good they even offer it as a service to their business customers: the business customers upload their transaction history (including the fraudulent orders) and Amazon's API helps them assess in real time which orders should be accepted, put in for review, and rejected. This is a great resource for us to learn from, since it is similar to how Amazon implements fraud detection itself: AMAZON FRAUD DETECTOR



I've chatted with a few ex-Amazon employees. While we can never get the full picture, they've given us a peek behind the process. For this article, we'll focus on the top four factors:

Customer Lifetime Value (Successful transactions, frequency, How much Amazon values them as customer, Arrears)
Delivery Address
Email address
Device fingerprint


Now, here's where it gets juicy. Amazon implements assessment in a vastly different way than Stripe does. Instead of eyeballing each transaction separately, they mash all these factors together to cook up what we'll call a "trust score" and slap it on your account.

This score essentially sets your personal Amazon spending limit. Once you've "unlocked" a certain amount, you're free to shop up to that limit without setting off any alarms. It's like Amazon's saying, "We trust you this much, go buy shit!"

This system is pretty slick because once you're in the clear, you don't have to sweat every purchase like you might with Stripe's transaction-by-transaction approach. This score fluctuates with each transaction. Make a purchase, and your limit might dip for a few days before bouncing back. It's Amazon constantly recalibrating how much they trust you. Amazon's playing the long game, betting on your overall trustworthiness rather than scrutinizing every little purchase.

Now, here's another interesting tidbit on the first check: Product categories don't matter as much as you might think. Whether you're carding $3000 on dog food or the latest Apple gadgets, the system treats them pretty much the same. The only exception? Really high-risk items like gold, luxury bags, pricey jewelry and shit.




If you go over your AI-set limit, that's when the manual review kicks in. And this is where the product category starts to matter more. The human reviewer, being a human with common sense, might look at a cart full of designer handbags differently than a year's supply of pet food. And as I'll explain later, your order might even have been manually reviewed and passed without you knowing it. But before we go to manual reviews and stuff, let's first take a look at methods to bypass 3DS and CVV.

The Problem with Legacy Systems
One thing hackers and pentesters love is old legacy systems. These often have messy code and outdated endpoints, making them easy targets for potential hacks. This is not that different when you're trying to find bypasses for certain security features of an online shop, and lucky for us Amazon is exactly that: an old, overbloated dinosaur of a website, with some pages and endpoints not even seeing an update since the early 2000s.

These two things, outdated pages and outdated protocol logic, allow us to bypass a bunch of things, most notably the CVV and the 3DS requirements.

CVV
For ages, Amazon didn't ask for CVV. As we discussed earlier, this was all about reducing checkout friction. But things are changing. They've slowly started requiring CVV, first beginning in the US, and now to my knowledge they've pretty much rolled it out across the board, in all countries. This is still highly dependent on the site's overall 'trust' in you, and it might still not ask for CVV when it feels like it doesn't need to.



So what can you do if they're asking for CVV and you only have CCNs, and you miss the good old days? It's pretty simple, just find old 'add credit card' pages! You can find these pages scattered across the Amazon ecosystem; these are pages with late 90s styling and outdated buttons. You can find these (I call them oldies) by accessing different old services across Amazon that require payment, and trying to edit your payment method through there:



Or if that's too hard or you're just too lazy, just add your payment via PrimeVideo.com, which has been fairly consistent in not asking for CVV since it was opened:



This allows you to use cards with no CVV for as long as you'd like. And now for the thing that drives carders insane: the 3DS.

3DS

Amazon's 3DS flow follows the typical modern 3DS flow in most payment systems, in that 3DS is requested in two ways: either Amazon requests it, or the bank/risk assessor requests it:




If you ever get a 3DS, bypassing it is actually so simple, it's mind-bogglingly stupid: before the 3DS box appears, close the site/Amazon app. Go back to Amazon, go to your order, which should be present even before you've completed the 3DS prompt, and change the payment method to the same payment method you used:



Doing so reinitializes your transaction via the 'non-interactive' payment flow, which should prevent the transaction from getting declined due to failure to authenticate via 3DS.

There's a chance for it to go through without doing this process, but it's lower than doing it. Remember how we talked about Amazon's obsession with customer experience? A lot of legitimate customers are too finicky and close the site after pressing submit before even getting prompted by 3DS, and some get connectivity issues with their bank; Amazon allows this 'bypass' for those fairly common occurrences. Like we said: they'd rather lose a little bit to fraud than lose a lot to failed orders. It just so happens that this also works for us: a win-win for us and Bezos!


Assessment and Manual Review


Now that we've got our order submitted, it's time for us to wait and pray. Remember how we talked about the spending limit Amazon imposes on each account? The hardest part of that is not knowing how much you're allowed to spend. Sometimes it could be as low as $5, and sometimes it could be more than $10K. So the goal to maximize your success, then, is to maximize the allowable spend on each account, so that you can order as freely as possible without triggering manual reviews. In order to do that we go back to the list we discussed earlier:

Customer Lifetime Value (CLV):
Businesses like Amazon use a metric called Customer Lifetime Value (CLV). It's basically their way of saying how much a customer is worth to Amazon. The more the customer shops, the higher their CLV goes. This number helps them decide whether to put you through those annoying manual reviews and verification processes. If your account's CLV is high, they might think twice before hassling you. After all, they don't want to risk losing a big spender over some stupid security checks. This is where old 'aged' Amazon accounts play an integral part: Buy an old aged buyer account from your trusted shop (check CrdPro first for trusted sellers!) with transaction history, warm it up by browsing items for a few different days, make sure your fingerprint and IP is as close as possible to the owner's, and order as closely as possible to the previous owner's buying patterns.

Delivery Address
Now while Amazon does keep checks on the delivery address, it doesn't strongly enforce it, for a couple of reasons:
1. People living at addresses change; blacklisting an address means blacklisting a future customer.
2. Some people share the same addresses; blacklisting an address means you will prevent other legitimate customers at the same address from purchasing.
3. While the AI and manual reviewers take it into account, according to my sources (ex-employees), for some reason they don't enforce it as strictly on fraud/chargeback cases as they do with refund fraud (I'll cover this soon too!).

Email Address
One stark contrast between Amazon and Stripe, if we compare them, is how they approach trust in the customer's email address. Stripe only uses email to compare it with past transactions across the Stripe network, but Amazon utilizes email addresses to assess trust more. What does this mean? It means free email has lower chances than trusted business domain (aged domain!) email addresses. We can exploit this to increase our success rate by buying .edu or .gov emails, which I'll cover in the future. But if you're stuck with no .edu or .gov email, you can either buy aged domains and set them up for email, or if you have more than 500 IQ like me, create any email using old endpoints:


🌶️🌶️🌶️ CREATE ANY EMAILS ON AMAZON 🌶️🌶️🌶️
You see, once upon a time, Amazon never really asked for email verification: you just fill in the email, you sign up, and you're good to checkout. This allowed people to sign up with all sorts of trusted emails, especially .gov emails, allowing them to order with higher trust than normal. But eventually, Amazon put a stop to it, as it's simply not likely that a bunch of .gov emails keep buying GPUs and gaming laptops. Lucky for us, using the same philosophy we outlined earlier, we arrive at the logical conclusion that we, in fact, still CAN create any email we want; we just have to exploit lax logic or outdated pages!

Lax Logic:
One evident unrestricted implementation of Amazon's is the fact that when a customer adds a large purchase to cart and tries to checkout, it assesses the person's fingerprint and IP, and the amount of money they are about to spend. If we go back to the earlier concept of checkout friction, it's also at play here: they decide then if they will implement an email check or if they will let you slip through without asking for email verification. Exploiting this allows us to make emails without verifying them, as long as we have a clean fingerprint + IP and we're trying to order a large purchase (we don't need to proceed with the order after we've signed up successfully).

Outdated Pages:
If you cannot seem to make the earlier trick work, try looking for outdated signup flows of Amazon, as some (especially the ones in Mexico) do not require email confirmation. There are hundreds (or even thousands if we count the affiliate and flow ID) of sign-up pages for Amazon, and some of them still do not require email confirmation. When doing this trick keep in mind how the accounts are shared between different Amazon storefronts; for example, an Amazon.COM account can be used on Amazon.CA, but it cannot be used on Amazon.JP.



If you're signing up with fake .gov or .edu emails, make sure that the email cannot actually be verified, meaning the domain uses catch-all inboxes so the verification service won't see that the email is nonexistent:

BAD


GOOD


Device Fingerprint
A core solution to device fingerprinting is Antidetect, a topic so big I'll need to cover it in depth later. In my experience, Che Browser, while not great for most sites, works surprisingly well on Amazon. Why? Amazon handles canvas hashes differently than most, needing real fingerprints instead of randomized noise. Che provides these actual fingerprints by tampering with the responses to the requests from Amazon's servers, tweaking the values before submission. This trick works because most other antidetect browsers just scramble the canvas hash with noise, which for a lot of reasons that I'll cover in my in-depth Antidetect guide, won't fool Amazon's security systems.

Like we discussed with my earlier AI systems writeup, another great way to bypass Amazon's fingerprinting is by utilizing iOS Safari's built-in privacy features. I've discussed it in-depth here: $LINK

I've done everything! Yet my order still got manually reviewed!

In case you've done everything and you still get the 'cannot be shipped' email, worry not, because if you've followed the steps so far, even if you triggered the manual review, unless you purchase really expensive stuff, the trust in your account would be so high you can actually get through the manual review fine. For this, you need to exploit the human element and social engineer the manual reviewer.


When trying to reinstate your Amazon account, there are two early signs that can indicate your chances of success:

1. High chance of reinstatement: If Amazon only asks for your billing information (without requesting a statement or ID) on your first login attempt or request. If you play your cards right, this will be easy.



2. Low chance of reinstatement: If Amazon immediately asks for a statement on your first request, it suggests they have low trust in your account and purchase history. This is still workable, but will take longer.



These initial requests from Amazon can give you a hint about how likely it is that your account will be successfully reinstated.

Prakesh, the Manual Review Specialist

You need to understand, unless you have a silver tongue and the charisma of George Clooney, there's a very very very minuscule chance that the customer service agent on the live chat will be able to help you. I've been doing Amazon for years and I've got my account reinstated by talking to the customer agent only a handful of times, and once I had to pretend to be a grandma whose son is having seizures to make them find a way, and even that took hours and tremendous luck that the agent I talked to knew someone from the specialist department personally.

This isn't because the customer service agents are cruel; they are restricted from reinstating accounts by design, and the only way they could help you, even if they wanted to, is to know someone who knows someone who knows someone from the 'Account Specialist' department.

Your best way then is to craft a compelling reason for your purchase. If you're buying a GPU/gaming laptop tell them it's for your daughter who works in medical research and she needs it to sequence proteins. If it's the latest iPhone, tell them you need to get it sorted ASAP as you need it as a gift to your dying cousin. Why your dying cousin needs the latest iPhone, nobody knows. But get creative and use your brain. Ask GPT to help you, and give it your best shot.

You need to put yourself in the shoes of Prakesh, the Manual Review Specialist: he has a shit job that gives him shit pay, and all he does is scroll through thousands of requests for reinstatement, like a hot 10/10 chick swiping left on hundreds of ugly guys on Tinder, bored out of her mind. So make sure your submission stands out, that you grab their attention and they take a second look.

If they keep repeating the request, as they always do, keep sending the documents and intensifying the message. It only means there's still a chance. Also: you should do this as efficiently as possible for a bulk of accounts at a time, and not waste your time replying and trying to reinstate a single account, because that would be stupid.



If you did everything yet you still failed (meaning you can no longer submit the documents on the site), then either there's something wrong with your FP or your card's just shit. If that's the case you can still email [email protected] and appeal the decision. Another trick is to put in a report on BBB.org:
https://www.bbb.org/us/wa/seattle/profile/ecommerce/amazoncom-1296-7039385

Be a Karen. Tell them you are currently suffering emotional distress from not being able to shop at Amazon. Tell them you can't buy life-saving medicine (despite your last purchases being jewelry, lmao) since your account was disabled. Tell them you felt someone was being racist to you and they decided to arbitrarily disable your access. Make up shit; the more outrageous, the more attention-grabbing, the more chance they just reinstate your account for you to stop pestering them. At this point, you have nothing to lose but your time, which if you actually value you would've just created a new account hours ago.



If you get reinstated one of three things can happen: the order from before was not canceled, and it got processed properly and is now 'Preparing for shipment', or it got processed but you used a $5 card from a fifth-hand shop so it declined, or it got canceled even before the account got reinstated. If it was the last case, then you now have the 'spend limit' for how much the last order was, meaning if you ordered something worth $3K, you can now buy anything for $3K without triggering any alarms. Good shit.

Many of these topics need their own deep dives, so hang tight. I've got hundreds of topics locked and loaded in the chamber, ready to blow your mind. 💥
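The 3DS section above describes an order that skips the challenge and is re-authorized through a 'non-interactive' flow after the customer reopens the order and re-selects the same payment method. From the merchant side that sequence is visible in payment telemetry, and it is a reasonable step-up trigger rather than a silent pass. The following detector is an added example written for this editorial pass; it is not code from the post or from Amazon, and the event names, field layout and the 30-minute window are assumptions. The sample events are constructed.

```python
"""Flag orders that were re-authorized without 3DS shortly after an
abandoned 3DS challenge on the same account and payment instrument.

Added example (not from the original post). Event kinds, fields and the
time window are assumptions about a generic merchant's payment telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PaymentEvent:
    ts: datetime
    account: str
    order: str
    card_token: str   # tokenized card reference, never the PAN
    kind: str         # "3ds_challenge_issued" | "3ds_challenge_completed"
                      # | "auth_non_interactive"


def find_3ds_abandonment_reauths(events, window=timedelta(minutes=30)):
    """Return [(order, challenge_ts, reauth_ts)] for every non-interactive
    authorization that follows an uncompleted 3DS challenge on the same
    (account, card_token) within `window`.

    A challenge that is completed clears the pending state; a re-auth on a
    different card is not this pattern and is left to other rules.
    """
    per_instrument = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_instrument.setdefault((ev.account, ev.card_token), []).append(ev)

    flagged = []
    for evs in per_instrument.values():
        pending = None  # the most recent challenge not yet completed
        for ev in evs:
            if ev.kind == "3ds_challenge_issued":
                pending = ev
            elif ev.kind == "3ds_challenge_completed":
                pending = None
            elif ev.kind == "auth_non_interactive" and pending is not None:
                if ev.ts - pending.ts <= window:
                    flagged.append((ev.order, pending.ts, ev.ts))
                pending = None  # one flag per abandoned challenge
    return flagged


def _t(hh, mm):
    # constructed timestamps on a fixed day
    return datetime(2024, 6, 1, hh, mm)


# Constructed sample telemetry for three accounts.
SAMPLE_EVENTS = [
    # Account A completes the challenge normally: no flag.
    PaymentEvent(_t(10, 0), "acct-A", "A-1", "tok-1", "3ds_challenge_issued"),
    PaymentEvent(_t(10, 1), "acct-A", "A-1", "tok-1", "3ds_challenge_completed"),
    # Account B abandons the challenge and is re-authorized on the same
    # card four minutes later: this is the pattern to step up on.
    PaymentEvent(_t(10, 5), "acct-B", "B-1", "tok-2", "3ds_challenge_issued"),
    PaymentEvent(_t(10, 9), "acct-B", "B-1", "tok-2", "auth_non_interactive"),
    # Account C abandons, but the re-auth comes two hours later, outside
    # the window: not flagged by this rule.
    PaymentEvent(_t(9, 0), "acct-C", "C-1", "tok-3", "3ds_challenge_issued"),
    PaymentEvent(_t(11, 0), "acct-C", "C-1", "tok-3", "auth_non_interactive"),
    # Account B again, but switching to a different card: not this pattern.
    PaymentEvent(_t(10, 20), "acct-B", "B-2", "tok-2", "3ds_challenge_issued"),
    PaymentEvent(_t(10, 22), "acct-B", "B-2", "tok-9", "auth_non_interactive"),
]


def flagged_orders(events=SAMPLE_EVENTS):
    """Convenience wrapper returning only the order ids that were flagged."""
    return [order for order, _, _ in find_3ds_abandonment_reauths(events)]


if __name__ == "__main__":
    for order, issued, reauth in find_3ds_abandonment_reauths(SAMPLE_EVENTS):
        print(f"{order}: 3DS issued {issued:%H:%M}, non-3DS re-auth {reauth:%H:%M}")
```

On the sample data only order B-1 is flagged. In practice the flag would feed the same step-up path the challenge was meant to enforce (re-issue the challenge or hold the order), so the behaviour the post relies on, a failed or skipped challenge quietly degrading to a frictionless authorization, stops being free.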




Drwayne00 (Carding Novice, joined 29.06.24)
I think that's the second article from you that I'm reading. The way you explain things is awesome. Great analytic skills and smart.
I have years of carding experience and I would say your approach for Amazon and Shopify looks very very on point.