The retailer doesn't ask for the security code on a credit card when setting up a new account, reports U.K. journalist Benjamin Cohen in an investigative report.
A criminal can simply open a new Amazon account, enter a stolen credit card number, and start shopping, Cohen found.
The report was initially looking into how safe it was to use new finagled credit cards that support Near Field Communications contact-less payments. With NFC, you can wave the credit card near a special reader to pay.
It turns out that millions of Visa credit cards issued by Barclays in the U.K. can be read by Android phones equipped with NFC readers. Thieves can electronically snatch the info right out of someone's wallet or purse, Cohen discovered.
But that alone shouldn't let them go shopping. Online retailers are supposed to validate that a person is holding the card by asking for the credit card security code (CSC), a three digit number on the back of the card.
It turns out that Amazon doesn't always ask for that number. Someone can fire up a new Amazon account and make a purchase without it, Cohen confirmed.
Business Insider looked for ourselves. After registering a new account we started a purchase transaction. We saw that the screen that asked for the credit card did not have a spot for the CSC number.
We did not have access to a stolen credit card so we didn't complete the transaction, but Cohen did. He wrote, "We were surprised that Amazon processed our transactions using a Barclays Visa that didn’t belong to the person making the order. The name didn’t match and neither did the billing address. But the transactions went through without a hitch for physical product orders and also electronic orders that were downloaded immediately," writes Cohen.
Granted, it's not that easy to find NFC credit cards that give up too much data. In the U.S. many NFC credit cards won't transmit information like the user's name, reports Computerworld.
But crooks don't need NFC to grab credit card info. Any time you hand your card to a waiter, hotel clerk, retail salesperson, that person has access to your credit card information and from there it can wind up into the wrong hands.
If the charges turn out to be fraudulent, Amazon is on the hook because it doesn't follow best practices, says the report.
We asked Amazon to comment on this story. We'll update it if we hear back.
More From Business Insider