Amazon Hit by Extensive Fraud with Hackers Siphoning Merchant Funds (bloomberg.com)
135 points by pseudolus on May 9, 2019 | 39 comments


The interesting part to me is that amazon gives out loans to small businesses. I never knew that. I’m curious how amazon will handle the situation. Will the merchant be required to pay back the stolen loan funds?


Amazon's in the perfect position to give loans to their sellers. They have all the data in the world about how a seller is doing on the platform, so why not make some (relatively) safe money off interest and boosted sales?


Loaning money to their merchants allows their merchants to buy more inventory to ship to Amazon to sell. Thus Amazon benefits by making more sales, too.


It's crazy, really: they loan out the money they would in the past have had to use to buy stock, but they also don't have to pay for warehousing (straight away).

Presumably it helps with inventory management too - like the loanee indicates the inventory they're buying which means Amazon can factor that in.

Then they charge interest ...

However, whilst this sounds good for Amazon, is it more efficient - in economic terms - or does it just reduce Amazon's risks and costs?


And the best part is that because they can hold money from sales for months, before remitting it to a merchant, they can loan that money right out to other merchants.


Huh?

In the vast majority of cases money is released within 2 weeks of a sale. The exceptions are if an account gets suspended, or if there's a sudden increase in sales and it's flagged, in which case they might hold it for another week or two.

The only time money is held for over a month is if the account was suspended and not reinstated by then.


Some sellers even get settlements weekly or more frequently. I'm not sure how, but I know it was at least possible sometime in the past.


Two weeks still sounds like a considerable float to lend from.


They have a bank backing the loans anyway, it's not their own cash.


Square does the same thing. If you control the flow of money to the merchant you’re in a great place for both risk assessment and ensuring that you get paid back.


As does Shopify.


Quickbooks too!


Quickbooks? Really? I'd think they are more of a merchant service compared to merchant financing...


And Paypal!


and Stripe.

They have an offer on my dashboard that's 10% interest for 3x monthly subscriptions (not total monthly revenue), 20% interest for 6x. To me, it seems rather aggressive. I'd have to be super desperate to accept those terms.


Almost every processor gives out loans to small businesses. Most small businesses struggle with cash flow, so these loans come with very high interest rates, 20% etc. It's a very nice money making machine. Before they pay the merchant, they collect the interest and part of the payment from their daily transactions.


My partner recently had her Amazon account compromised. The scammers ordered a “random” pair of white socks for $20 that showed up at our door.

Since the fraudsters never received the package I don’t think they gained anything directly by stealing from my partner’s debit card. So that made me think, how could they be gaining from this? I’m assuming some unscrupulous merchants or “marketing consultants” are using this kind of fraud to boost sales for themselves or their clients.


That's the beginning, so this is how it works. You get some random order at your house for $5-$20 with USPS delivery confirmation. Then you start getting billed for $90 every 30 days but nothing really shipped. When you realize it, it might have been 6 months. They fight the dispute claiming you ordered and agreed to a $5-$20 trial and subscription every 30 days. They claim they will cancel the subscription but you're liable for the other billings. They show proof that delivery was made with USPS delivery confirmation for that first order.


Then you ask for the USPS delivery confirmation for the remaining shipments.


Being right is different from convincing the people in power to give your money back.


However, if multiple victims are making this claim, Amazon or your credit card company will investigate and reimburse the money.


Or the merchants are the scammers. That's $20 for probably $5 of raw product. Even if the merchants are paying the scammers a portion, that's a good profit.


You'd need high volume to make it worthwhile and the amount of chargebacks leading to one merchant would make them look pretty suspicious.


Or scammers decided to sell socks.


Could also have been a credit card "test" purchase.


I would agree with that. Nightmare scenario - this is the beginning of identity theft/fraud. The baddies now know: who you are, what you shop for, home address (and probably phone number), habits, age/gender. All a good setup for a bad story.

Also if you don't aggressively react to this (e.g. file a complaint, get your money back etc) they also get the info that you don't pay so much attention to these details, and that puts a bigger target on your head.


Also they presumably get notification about the delivery, so they have an idea if you're home to collect. If then they send a large delivery and notify "leave in yard" they've a pretty good idea an associate can drive past and pick it up once the "delivered" notification comes in.


Please let your partner know that Amazon also supports 2FA, which would have likely prevented her account from being compromised.


And don't forget to tell him that 2FA is pretty useless... no better than a random password


If you are referring to SMS based 2FA, then that is definitely an issue. If someone is able to hijack your phone number to receive the notifications, then you are going to be in trouble.

Token based 2FA is another story though... it definitely adds another layer of security to your passwords and amazon supports this format.

In the case of the OP's partner, my guess is that either they were phished into revealing their Amazon password or their password for Amazon was the same password used elsewhere and that source was hacked.


I'm not talking about SMS. What you need is U2F not 2FA.


Doing a bit more reading and now I can clarify terminology...

2FA is a general term. U2F is a type of 2FA. The other type, which is what I was referring to, is TOTP (Time-based One-Time Password).

You are right that U2F is more secure. The primary security advantage is that there is no longer a shared secret that needs to be stored on each end. But saying 2FA is useless would be like also saying that U2F is useless since 2FA is a general term.

That said, in this case, TOTP would have likely prevented anyone from accessing the OP's partner's account. Therefore, TOTP is not useless per your original comment.


Check this[] starting at 18:55. It explains the issue and the fix for OTP/TOTP. What you need is a U2F device/key/app and WebAuthn. It takes the responsibility to identify whether the website is fake or not away from you, which is really the core issue. The secret is negotiated directly with the U2F device/security key.

https://m.youtube.com/watch?v=kGGMgEfSzMw&time_continue=1271
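Added example, not part of the thread or of any linked material: the two comments above (TOTP vs U2F, and "it takes the responsibility to identify if the website is fake away from you") come down to one property, origin binding. The code below implements RFC 6238 TOTP with the standard library and shows that a code typed into a phishing page is still valid when the attacker relays it to the real site within the time window, then models a U2F/WebAuthn-style assertion where the browser feeds the real origin into the signed data, so a relayed assertion fails verification. Assumptions of mine: HMAC-SHA256 over a device secret stands in for the per-site ECDSA key pair a real authenticator uses (the origin binding, not the signature primitive, is the point), the origins and secrets are constructed test values, and the 30-second step and 6-digit length are the common defaults.

```python
"""TOTP relay vs. origin-bound (U2F/WebAuthn-style) assertion.

Added example. The TOTP code follows RFC 6238 / RFC 4226. The "authenticator"
below is a toy: HMAC-SHA256 with a device secret stands in for ECDSA with a
per-origin key pair (an assumption for illustration, not the real protocol).
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30  # common default; RFC 6238 parameter
DIGITS = 6         # common default


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock skew, as most servers do."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * STEP_SECONDS), code):
            return True
    return False


def totp_phish(shared_secret: bytes, t_user_types: int, t_attacker_relays: int) -> bool:
    """User types the code into a phishing page at t_user_types; the attacker
    forwards it to the real site at t_attacker_relays. Returns True if the real
    site accepts it: the code is just a short-lived password, nothing ties it to
    the site the user thought they were on."""
    code_seen_by_attacker = totp(shared_secret, t_user_types)
    return totp_verify(shared_secret, code_seen_by_attacker, t_attacker_relays)


def authenticator_sign(device_key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """Toy authenticator. The *browser* supplies the origin the page is actually
    served from; the device signs sha256(origin) || challenge. The user never
    gets to type the origin, so they cannot be tricked into binding it wrongly.
    (HMAC stands in for the ECDSA signature; assumption for illustration.)"""
    app_param = hashlib.sha256(browser_origin.encode()).digest()
    return hmac.new(device_key, app_param + challenge, hashlib.sha256).digest()


def relying_party_verify(device_key: bytes, expected_origin: str, challenge: bytes, signature: bytes) -> bool:
    """The real site checks the assertion against its own origin and challenge."""
    expected = authenticator_sign(device_key, expected_origin, challenge)
    return hmac.compare_digest(expected, signature)


def u2f_phish(device_key: bytes, real_origin: str, phish_origin: str) -> bool:
    """Attacker fetches a fresh challenge from the real site, shows it on the
    phishing page, and relays whatever the user's device signs. Returns True
    only if the real site would accept the relayed assertion."""
    challenge = os.urandom(32)
    signature = authenticator_sign(device_key, phish_origin, challenge)  # browser binds phish_origin
    return relying_party_verify(device_key, real_origin, challenge, signature)


if __name__ == "__main__":
    # Constructed test values; the secret is the RFC 6238 reference seed.
    totp_secret = b"12345678901234567890"
    now = 1_557_400_000
    print("TOTP relayed 10 s later accepted:", totp_phish(totp_secret, now, now + 10))
    print("TOTP relayed 2 min later accepted:", totp_phish(totp_secret, now, now + 120))

    device_key = os.urandom(32)
    real, fake = "https://www.amazon.com", "https://amazon-login.example"
    ch = os.urandom(32)
    print("U2F legit login accepted:",
          relying_party_verify(device_key, real, ch, authenticator_sign(device_key, real, ch)))
    print("U2F relayed from phishing origin accepted:", u2f_phish(device_key, real, fake))
```

The TOTP half reproduces the RFC 6238 reference vectors (seed `12345678901234567890`, time 59 gives `287082` at six digits), so the relay result is not an artifact of a toy implementation: any TOTP deployment accepts a code forwarded within its skew window. The U2F half fails the relay for the reason the comment gives: the origin is hashed into the signed message by the browser, so a signature made on the phishing origin never verifies on the real one, whatever the user believed they were looking at.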


Isn't 2FA short lived and related to an additional device? What makes you think it's not effective?


2FA is already mandatory on Amazon. How well did that work? What you need is U2F.


It is only mandatory for sellers.


Yeah, and what's the subject of this post?


Can you explain further


2FA is just another password (albeit temporary). What you need is U2F



