Why Amazon temporarily locked your account after buying something.


Power Member
Sep 26, 2023
Did your Amazon account become"locked" right after a purchase? This is probably why.

You login, see some stuff you want to buy, put it in the cart, and checkout. Everything was fine. You've done this before. But then you got an e-mail telling you to send a fax to unlock your account. Maybe you did that. Maybe you didn't. Maybe you sent an e-mail, or clicked the 'chat' option for support. Whatever you did after didn't work. So you googled "account locked", and now here you are. I can't tell you why they won't (or can't) help you, but I can tell you how it happened. It's a consolation prize, I know, but it might help you the next time you do business with Amazon. For that matter, it will probably help with your shopping online everywhere.


What's happening here happens to a lot of companies, and once you know what to look for, you can make a more informed choice as a customer. Since it's easier to explain, I'll lead off with my guess on *why they aren't responding*. In my professional experience groups like this become black holes for customers with problems with some frequency. It's been for one of three reasons:

1. Understaffing

Most businesses consider IT a cost center, so they have a heavy hand on budget cuts. Self-explanatory for anyone who's worked a day in their life what happens next. In IT, we call this Tuesday. Any kind of front-facing support faces the same structural problems to varying degrees.

2. General incompetence

Also very common, but not quite the way you'd think. Usually it's internal policies that have rendered otherwise intelligent people into slathering, mindless beasts. Front-line call takers are *always* the first to spot a trend in incidents. With a good manager, trends resolve. Customer issues are balanced and don't move around much as a percentage. But with bad ones -- *trends* become *policies*. Policies that don't fix the problem, so much as declare it someone else's.

That might be the case here, considering nobody is having problems getting in *contact* with customer service -- but once it leaves their hands, it's off to never-never land. No ticket numbers. No references. No call back numbers. That's *is* unusual for my field. In small businesses it could be they haven't a need (or the budget) to build up remediation pathways and bring formal tools like ticket handling into their business process. But this isn't a small business, and there is a strong need. Speaking professionally, it's a worrisome sign.

3. Toxic culture

Most companies have *some* culture problems. But truly toxic culture is rare; I've only directly witnessed it twice. It's not pretty either -- it's a failure mode for a business. Once a business is firmly in its grasp, it usually is a dead man walking. Both times there was heavy mistreatment of employees, high turnover rates, and an unyielding mass of policy changes, meetings, statements. Basically, a bureaucracy bent back on itself to the point its only output was more bureaucracy. Tilting at windmills, blamestorming, turf wars, and intiatives to 'silo', outsource, reorganize, and the list goes on. The specifics don't matter so much as the frequency.

This pressure-cooker of action-reaction pairings drive people to seek what could be termed 'minimal effort resolution'. In other words, they try to find a wrong answer that won't raise eyebrows, but either shifts the work elsewhere, or buries it somewhere nobody will find. An example would be taking a call, telling the customer they will receive a call back, and then "accidentally" closing the ticket as "resolved" after setting a call back time. In every line of work, there will be a few people like this, and even the best human resources efforts take time to weed them out. But in a toxic environment, a feedback loop quickly establishes itself leading to cascade failures as one business unit after another finds themselves increasingly cut off from productive and responsive peers.

Out of the three, I put dollars to donuts it's policy-inspired incompetence. There are sufficient resources on hand to engage with the customer, and presumably most problems are being handled as I don't see piles of complaints of *all* kinds showing up all over the internet. But anything requiring an "account specialist" is a red arrow to nowhere.


So why did the red arrow happen? Here, I'm on firmer ground. I work in information systems, including some work with payment processing systems. They work like a lot of other technologies in security and research fields in my sector. They all run on statistics. If you are worried about being 'hacked' you buy an IDS (intrusion detection system), and it builds up a statistical profile of what "normal" is on your network. Once it has had a long enough time to learn those patterns, it can begin sending alerts when those patterns change. If you're looking for patterns in human behavior, like say, to catch a terrorist buying stuff to make the 4th of July come early, same deal. Fraud detection is the same; It's pattern matching. It doesn't just find patterns though, it also assigns them weightings. Think of it like credit scores, or IQ. It's a single number that gives a summary of many other things. Fraud detection pattern matches for things like;

* Does mailing address match billing address
* Is address or geographic locale flagged (ie, past account issues/crime)
* If an e-mail is present, domain name weighted
* name/type/category of product purchased (ie, buying an expensive TV is more likely to be fraudulent than a 3 dollar e-book)
* Type of card
* Card Issuer
* Country of origin

There's usually over a *hundred* variables like this. Each by themselves isn't enough to trip out, but if several factors weigh in, it can. Fraud detection works better with more data. The more data points, the better the confidence rating on the heuristics. Low confidence means the actual value may be much higher or lower than the calculated result, with high confidence, the spread shrinks. If the edge of that spread dips into its trigger range, it gets flagged -- even if the data points themselves can't clear the bar (ie, still 'legit'). Unfortunately, the fraud detection for Amazon's marketplace hasn't been tuned well. Looking at the *pile* of google search results across a dozen forums, it's pretty clear *what* it's tripping off on too.

The most common scenario I'm seeing is (1) a gift card or newly issued bank card, and (2) an e-mail address with a domain name that isn't a major ISP or business. And it's usually been on a new amazon account, or e-mail address change since the last purchase, or using a new card on an established account. What's special about the cards? There's two possibilities -- one is technical, one is social.


Credit card numbers contain more than just an account number and which company owns the account. They also encode what *type* of card it is. This information comes from first 6 digits of the card, but with a caveat. Those digits need to be registered prior to use, so payment processing systems can route it to the right company. This is called the IIN (Issuer Identification Number) or BIN (Bank Identification Number). Sometimes, new batches of cards come into circulation before payment processing systems (or merchant) have updated their list. When this happens, the card can still be processed, but the type of card may not be known.

This is a problem. If the system can't see that it's a prepay card, it's going to default to what most cards are. Most cards, are *credit* cards. Which means they're attached to a *financial account*. Prepay cards aren't accounts, legally speaking. Which means there's no name, address, zip code, or any personal information attached. Payment systems won't pass a regular credit card through without at least a zip code; And if you just started using your gift card like most, you probably didn't go to the website printed on the back to 'register' it. And by register, I mean feeding it a zip code. No zip code, and suddenly, flag on the play. Penalty. No order for you.

It's the same thing with a bank card: If the database hasn't been updated and you're unfortunate enough to be one of the few people who got a new card with a new IIN, it might point to your bank's parent instead of *your* bank, and since *that* system doesn't know your zip code, it sends back an authorization approval -- but no zip. Oops. Flag on the play.

These kinds of issues *shouldn't* be enough to trip off fraud detection -- it generate a "there was a problem with your order" sort of resolution path, with a chance to go back and add the missing information -- or leave the order pending until a call to the bank (or customer service) the next day, who can go in and see that's the problem. But if wishes were dollars and all that. Not all systems can do this, depending on where the fraud detection is wired in on the order processing chain. Amazon's doesn't seem to have wired it in until after it starts sending authorization requests -- so, very late in the chain.


In the past few years, criminals have started using them to perpetuate online scams. Think prince from Nigeria, then dovetail that to "buy me gift card and send picture with phone of back side" ... which of course includes the CVN and usually, in barcode form, something that translates into the card number and expiration date. They buy stuff online and disappear into the shadows. Most retailers are warning people at the POS (Point of Sale) that these scams exist. Usually right on the card reader with a 'accept' button. It's still happening, and it leaves merchants on the hook when people complain that a couple hundred bucks just vaporized thanks to a lack of attention or common sense.

E-mail domain name.

People with @gmail.com addresses aren't having problems. Same with major ISPs, like @comcast.net or any of the Fortune 500 companies. Beyond that, even medium sized businesses have seen people complaining. Domains that have few or no addresses associated to amazon accounts appear to be negatively weighted.

There are also things like maildrops, anonymization services, etc. These are often they're used by people (like me) who got sick of marketing spam in their inbox and Google's cozy relationship with some who have paid to "whitelist" their spam into my inbox. If you click 'report' in your gmail and it offers you the chance to 'unsubscribe' as well as block -- that was a whitelisted sender. I don't care to play those games, so everyone, everywhere, for everything, dumps into a throaway and quarantined for 3 months. If no spam shows up, I feel confident enough to login, swap the address to my 'actual' e-mail and continue forward. Haven't gotten spammed since. I don't know if the fraud detection they're using weights based on past patterns on a domain by domain basis, or if it just has a static whitelist, and anything not on it gets a ding. What I can say for sure is the domain matters to the system.


Here's the bottom line:

Amazon can't just turn away these cards or various combinations of legitimate orders that weigh similarly to illegitimate ones. That's not a small chunk of change flowing in -- especially in August for back to school stuff, or Christmas for, er, obvious reasons. The end result is, to bag the crooks, they've turned up the weighting on those other factors -- like the e-mail address. This isn't the wrong answer per-se. These systems are designed to be able to move the line back and forth based on human resources available. In other words, if there's too many complaints coming in for staff to handle, it can back off and let more transactions through that look weedy, and then clamp back down once staff can catch up. The end result *should* be a steady workload.

Obviously, this isn't happening. The system isn't coupled to whatever incident reporting system they have(if they even have one). Without some kind of tracking and auditing in place to track problem/resolution pairings, no upper level manager will have the tools to objectively measure either the scope of the problem, or even that one exists.

I can't, in good faith, advise you on what to do here, because everyone's situation will be a little different. I've armed you with an understanding of how these systems operate. A careful consideration of what data you entered into the system now, I believe gives you, fellow reader and perhaps customer, a shot at resolving it on your own. Or at least not encountering it if you take your business somewhere else.

I wish us both luck.

Source: Reddit
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features and essential functions on BlackHatWorld and other forums. These functions are unrelated to ads, such as internal links and images. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock