Around 8 months ago I lost control of my AWS account after a prolonged social-engineering campaign against my account. Although it was a nightmare, thanks to a robust offsite backup solution we were able to quickly migrate to google cloud (which has Advanced Account Protection, a godsend for anyone in my position).<p>Strangely enough, even after several attempts I was never able to recover my hacked AWS account (from my support calls it seems like the attacker changed the email, name, address) and have never been able to authenticate against it.<p>However the one thing that was never changed is my credit-card. I have offered AWS support several times to give them my credit number and ask them to unlink it from the account, but they refuse to do so without me being authenticated.<p>I don't want to get on Amazon's bad side, but with no options left I have been resorting to charge-backs on the credit card. Thankfully my bank has been siding with me, and each month I have been winning them -- but next month the new bill comes and I forced to repeat the process.<p>Not wanting to get a bad reputation with my bank or Amazon, I just asked my bank to send me a new card. But amazingly (?!!!) the next month the bill from AWS still came on the new card.<p>It's now been 8 months, and I'm sick of the absurdity of the situation. Is there anything I can do?
There is a shitty think called "Card refresh". Big companies can have deals with Credit card companies, because, at the end of the day, both of them need your money.<p>Lets say, you gave your card automatic monthly billing to company 'X'. You would normally expect that when card expires, it won't be billed anymore and they will ask you for new card details. The reality is company 'X' goes to credit card company and tells them "We have these card details with us. Everything except expiry date is same. So you can conclude that we legitimately obtained the card details. Can you give us the new card details. We will update the account accordingly. It is even useful to the customer as he will be (cough cough) inconvenienced."<p>I think something similar happened in your case.
Source: I implemented this in a big e-commerce company(Not AMZN).
Go to your bank and dispute the charges. Get a new card (again), and specifically ask for a new card number because yours was compromised (for all intents and purposes).
It's absolutely absurd that you cannot authenticate by proving that you're the one paying the account's bill before and after the credentials were changed.<p>This is a good reminder of how unprepared even large corporations like Amazon are for the reality of social engineering attacks.