by Philip Kushmaro

3 ways Amazon can address its web service data risk – and what others can learn from it

Jan 02, 2019
Amazon Web ServicesData BreachRisk Management

Amazon may be facing a potentially data risk as third-party payment processors have been cited to be suspiciously getting sellers' Marketplace Web Service secret keys in the guise of integration.

Credit: AWS

As Amazon provides merchants and third-party services with ways to interface with its systems, the company may have also opened its platform to new vulnerabilities. Now, Amazon may just be dealing with a potential major data risk.

To conduct business with Chinese parties, sellers need to tap payment processing companies like Pingping and Lianlian Pay to handle transactions. Merchants also have integrated these services to their Amazon Marketplace Web Service (MWS) accounts so that payment information can be passed on from one system to the other.

However, these Chinese payment processors have recently been reported to be asking merchants to supply MWS secret keys as part of the integration process. This is considered non-standard and unsecure practice since secret keys aren’t designed to be shared outside sellers’ organizations. MWS provides mechanisms for developers to tap to its system without using secret keys. In fact, sharing keys is even considered a violation of MWS’ code of conduct and the platforms terms of service.

Nonetheless, these actions by third-party developers have essentially created data risk. Secret keys provide unfettered access to accounts and all transaction information associated with them. In the wrong hands, malicious actors can gain access to the company’s financial and transaction data that include customers’ personal and payment information.

It has been hinted that several merchants may have already shared their private keys which means that actual customer data may already be exposed. 34 percent of Amazon’s top sellers come from China. If even a fraction of these merchants has shared their secret keys to external parties, it’s possible that a sizable number of customers are now vulnerable.

Here are three ways Amazon could address this data risk. Others who offer users similar capabilities would also do well to consider implementing these measures.

1. Educate users on security

While it is tough to encourage a change in behavior and attitude in customers, companies should be more proactive and promote a security-first mindset to anyone who uses their platforms.

Amazon is providing sellers and developers with powerful capabilities through its various merchant services, but it should also anticipate that not all sellers have the technical capability to fully understand what’s at stake. These merchants often have to look towards external third-party developers to create apps and perform integration.

In the least, Amazon should properly orient and onboard sellers not just on the features and functionalities accessible to them but on the potential security risks as well. And it should do it in a more enticing and accessible way and not just through plain and bland documentation. Amazon should also review their documentation in order to avoid providing contradictory advice that could confuse their users.

Secret keys provide access to top-level privileges and powerful functionalities so it’s imperative to remind sellers to keep them secure. Encouraging proper credentials management through the use of password management vaults and by vetting and limiting those who have access to these credentials should also help.

2. Promote strict API use

Attackers prefer to target application programming interfaces (APIs) since they’re essentially the gateways to interact with target systems.

Fortunately, Amazon’s APIs appear to be fairly robust and resilient. It ticks the boxes for the best practices in security with features such as authentication, authorization and access policies, throttling through request quotas and API keys for third-party developers that can be configured for each method. Developers must also be registered on the platform to be given access to the API.

To be fair, there has been no indication that Amazon’s MWS API has been compromised by faulty code or some other technical vulnerability. This is probably why malicious actors prefer to exploit the human element instead by tricking sellers into giving up their credentials.

The challenge then is for the company to further compel developers to strictly abide by the guidelines and ensure that developers only use the most secure methods to tap to the API. If threats of bans don’t work, then perhaps providing incentives could also help. A reputation developer system that rewards developers with getting prioritized in the app review and publishing process or faster support responses could be explored.

3. Screen third-party developers

It’s fairly easy to sign up as a developer on Amazon. It’s free and doing so allows just about anyone to build applications for the Amazon ecosystem. Perhaps it is high time Amazon provides stricter screening for developer sign ups.

In addition, Amazon already has an application approval mechanism but it’s mainly used for apps deployed and published to its own app store. A more hardline stance is to have a similar approval mechanism to all applications that connect to its APIs before they are allowed to go live. While Amazon also has mechanisms to ban developers for abuse and dubious practices, it’s still easy to create new developer accounts if ever one account gets banned.

Surely, there are trade-offs as stricter regulations may stymie the growth of the developer community. But considering the risk of customers’ data getting exposed due to poor development practices and malicious third parties, Amazon needs to rein in developers and start blacklisting and banning those found to be violating the terms of service. This needs to be done especially if those in violation are larger service providers that could have an impact on large volumes of customer data.

Everyone should take heed

Seeing how devastating data leaks and breaches can be, the urgency for Amazon to address this issue can’t be overstated. The prospect of having customer data exploited by potentially malicious actors is nothing to be taken lightly.

In addition, Amazon shouldn’t be the only entity worried about this potential data risk. Any organization that has APIs and allow users and developers to tap into its systems should comprehensively audit their security measures. Malicious actors are exploiting all possible layers of systems so it’s important for platforms to secure all possible weaknesses and vulnerabilities especially the human element.