A grieving mother was left distraught by Amazon after a laptop bought to plan her child’s funeral disappeared in an alleged scam – despite the website claiming to protect the purchase with a one-time password.

  • IHeartBadCode@kbin.social
    link
    fedilink
    arrow-up
    11
    arrow-down
    1
    ·
    10 months ago

    OTPs only ensure that you “physically have” the thing that the OTP presents.

    UPS used to hand over a signature pad to collect a signature. Amazon’s OTP implementation should have an OTP that the customer enters into a pad that the driver hands over. The driver gets the pad back once the package is given to the customer. The package is then marked delivered when the driver enters their OTP into the pad.

    The entire point is that the delivery pad is the presentation of the OTP. The customer entering their OTP into the pad indicates they physically have the pad (not the product), the driver entering their OTP into the pad means they have recollected the pad (ideally in exchange for the parcel). The OTP only proves that someone physically holds the device that the OTP was entered on, it proves nothing else.

    No good OTP implementation has in it a point where the OTP is told to another person. Amazon’s OTP implementation is just flawed from the word start. I think more people would understand it if the whatever digit number was called something like “signature code”, in that the set of numbers constitutes the equal to a signature. You wouldn’t let someone, especially the driver themselves, sign for your package, so you shouldn’t tell the OTP to anyone, except those who you think should be able to sign for your package.