[Patentpractice] Off-Topic - The final installment of my Amazon saga

Suzannah K. Sundby suzannah at canadylortz.com
Fri Oct 3 22:25:44 UTC 2025


Amazingly, Tom Olsen with the Amazon fraud department responded to my email saying:

Hi Suzannah,

Thank you for reaching out to me. I’m terribly sorry to hear about your experience. I’ve elevated your case to our escalations team, and they are currently investigating. One of our escalation specialists, Michelle W[   ], will reach out to you shortly to discuss and ensure your account issues are resolved. Thank you again for your message, and I apologize for this frustrating experience.

Best,
Tom

(Again, George Jakobsche, I can’t thank you enough for the help… If you are ever in the DC area, let me know as I owe you dinner.)

Immediately after I received his email, Michelle from the Escalations Team called me.  Considering my issues, I asked for her name.  She confirmed her name was Michelle, but would not give me her last name.  She conceded to giving me the first initial of her last name, and so I said the name I received and she laughed and confirmed.

Apparently, both Michelle and Tom listened to hours of phone calls I had with various Amazon representatives… (which, in retrospect, I probably should have been nicer… but I was so frustrated at times).

Anyway, she/they insist that the Christine person was purchasing things on Amazon using my credit card, which she must have obtained outside of Amazon.  They insist that she did not set up any sub-account or associated account to mine using my phone number.  I still question this given the info other representatives told me… but I guess this is neither here nor there now.

Amazon is insistent that nobody set up an account using my phone number…

Assuming such, I am now 99.9999999% confident that my SIM card was not compromised.

She did explain that “associated” accounts includes those who I might receive gifts from via Amazon.  So, I asked if the “Carl” person’s last name was “Oppedahl”… and drumroll… Yes, indeed, one of the “associated” accounts was our Carl Oppedahl (as he has sent me a few gifts ;).  Of course, Carl is not the one who was making any fraudulent purchases using my account :).  This also means, Karen Canady and her paralegal will find that Amazon keeps my account as being “associated” with theirs because I have sent them gifts via Amazon.

Michelle confirmed that the fraudulent purchases were by one person, i.e., Christine.  Amazon still won’t give me any specifics as to Christine.  However, Michelle will be sending me a follow-up email as to how I might obtain that info from their legal department after I explained that I would like such information because I, at least, have a civil cause of action against Christine for having to deal with this and the loss of billable time… I also suspect that I might be able to determine how Christine got my credit card number (especially considering I only use the credit card for Amazon, and 5 other monthly recurring charges by e.g., medical, and other legit businesses).

Finally, I was able to remove my cell phone number from my Amazon account only after I removed the 2FA.  After removing the 2FA, I deleted my phone number, and then again set up the 2FA using the Authy App.  So now nobody can log into my Amazon account using my cell phone number.  One can try to set up a new account using my cell phone number, but I will receive the text message requesting confirmation.

So… now when I receive the replacement to the replacement credit card, I can resume my somewhat out of control shopping on Amazon (and I don’t need to worry about transferring my Audible and Kindle libraries or getting a new cell phone number, which I’ve had since 2001).

Happy Weekend everyone…

Still take the time to lock down all your stuff…

Suzannah K. Sundby<http://www.linkedin.com/in/ssundby/> | Partner
canady + lortz LLP<http://www.canadylortz.com/>
1050 30th Street, NW
Washington, DC 20007
T: 202.486.8020
F: 202.540.8020
suzannah at canadylortz.com<mailto:suzannah at canadylortz.com>
www.canadylortz.com<http://www.canadylortz.com/>
Confidentiality Notice:  This message is being sent by or on behalf of a lawyer.  It is intended exclusively for the individual or entity to which it is addressed.  This communication may contain information that is proprietary, privileged or confidential, or otherwise legally exempt from disclosure.  If you are not the named addressee, you may not read, print, retain, copy, or disseminate this message or any part.  If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

From: Suzannah K. Sundby
Sent: Friday, October 3, 2025 11:18 AM
To: For patent practitioners. This is not for laypersons to seek legal advice. <patentpractice at oppedahl-lists.com>
Cc: Patent Lawyer <patentlawyer995 at gmail.com>
Subject: RE: [Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile

Yeah, I’m 99.9% positive my SIM card was not compromised.  I barely leave the house and I don’t download unknown/risky stuff on my phone… and I don’t click on links via email or text from unknown senders.

This morning there were more Amazon charges to my credit card account and I received the email below from the Amazon fraud department… which you will see that they are lying… claiming that my credit card was compromised outside of Amazon.  Several Amazon representatives told me exactly what happened—that there were unauthorized Amazon accounts linked to mine via my cell phone number…

Apparently, my credit card company (Chase) said the unauthorized charges today were charged when my original card was still active and then posted when the items were shipped.  Just to be safe, Chase closed the replacement card (I have yet to receive) and are sending me a replacement for the replacement.  <sigh>

Yesterday, I wrote a long, detailed letter to the Amazon attorney guy Tom Olsen who deals with fraud (which thanks again George for finding him) begging for help and pointing out the flaws in how Amazon allows account linking.  No reply yet.

Anyway… again, recommend that everyone LOCKS DOWN THEIR Amazon, accounts, cards, SIM, phone, etc.

Email from Amazon:

Hello,

We detected that an unauthorized party used your payment card ending in 0938 on Amazon. To protect your information, we have taken the necessary security measures and canceled all pending orders.

The following charges were already processed on your card:

$51.47
$33.16
$39.58
$56.11
$54.73
$42.39
$53.67
$200.00
$83.83
$37.79
$100.00

About refunds and disputes:

Please review all recent activity on your credit or debit card and report any unauthorized charges to your bank within 90 days from the date of the unauthorized transaction. As the refund will not be issued by Amazon, your bank or financial institution is responsible for refunding any unauthorized charges to your credit or debit card. Once you have reported the unauthorized charges, your bank will guide you through their dispute process.

Why did this happen?

While we can't exactly determine how your card information was compromised because that happened away from our websites, this typically happens through:

-- Malicious software capturing payment information
-- Phishing emails requesting account details
-- Data breaches on other websites

We will provide full cooperation to any bank investigation into this matter, though we cannot share further specific details about the unauthorized activity with you.

Can I contact Customer Service about this action?

Customer Service can confirm this email is legitimate but cannot provide additional details about the unauthorized activity. For refund assistance, please work directly with your card issuer.

How can I verify this email is from Amazon?

Unsure about an email claiming to be from Amazon? Don't worry about verifying the email itself. Simply sign in to your Amazon account the way you usually do through the website or Amazon app. You can also check your Message Center for any recent communications from Amazon if you have account access. For more security tips, visit “Security and Privacy” under Amazon Help pages.

Thank you for your prompt attention to this security concern.

Amazon Account Protection Services



From: Patentpractice <patentpractice-bounces at oppedahl-lists.com> On Behalf Of Patent Lawyer via Patentpractice
Sent: Friday, October 3, 2025 10:51 AM
To: For patent practitioners. This is not for laypersons to seek legal advice. <patentpractice at oppedahl-lists.com>
Cc: Patent Lawyer <patentlawyer995 at gmail.com>
Subject: Re: [Patentpractice] Off-Topic - PSA and WTF is DIGITS on T-Mobile

All this SIM swap protection is a good idea for all of us, but I don’t think that you (Suzannah) were the victim of a SIM swap.

A SIM swap would have caused your phone to stop working almost immediately (“substantially immediately”).

Since, as I understand it, your phone still works, you were not the victim of a SIM swap.

More likely, they have (or had) your email password to do the Amazon crap.

Even if you change your email password, make sure that they have not set an auto-forward rule on your email account.


Also, maybe this T-Mobile link was already shared, I have lost track:

https://www.t-mobile.com/support/plans-features/help-with-t-mobile-account-fraud




On Oct 2, 2025, at 9:07 PM, Rick Neifeld via Patentpractice <patentpractice at oppedahl-lists.com> wrote:

1. On T-Mobile login, I am presented with the options of using my local TOTP generator or receiving a text containing the TOTP.  I guess your concern is that someone using T-Mobile's DIGITS service can get that texted TOTP.  A texted TOTP is vulnerable to a SIM swap attack.  (Where someone impersonates you and transfers your SIM to a new device.)  The DIGITS app authentication process has the same fundamental flaw, vulnerable to a SIM swap attack. My review of the DIGITS app authentication process is that it relies exclusively on a text message to "your" phone (or the thief's phone if a thief succeeded in porting your account to their phone) to complete its own authentication that you are who you say you are. Again, vulnerable to a SIM swap attack.

2. But T-mobile has a separate secret code process to prevent SIM swap attacks.  See  Under Account, settings,  SIM protection.  Here you can turn ON the SIM Protection. This feature requires the entity requesting a SIM swap to provide a unique 6 to 15 digit PIN to effect the SIM transfer.  But I do not see a way to get a new PIN now, and I do not have a record of such a PIN.  I hesitate to turn on this feature until after I know from T-mobile what my PIN is.

3. Other things you can do in T-mobile to limit the chance your user ID and pswd are compromised, and prevent other hassles:


In privacy settings, turn OFF the following:

"Let us share your individual data with trusted third parties for public and scientific research purposes."
All "Advertising options"
All "Sharing certain financial information"

In privacy settings, turn ON the following:

"Share your data to help protect you against fraud and identity theft"

In "Do not sell or share my personal information"
Turn OFF all options.

In "Mobile Advertising ID Opt Out" find your cell phone's advertising ID (32 or so digits long), enter it in the interface, and click Opt Out.

In "Block calls and messages" enable "Block Scam Likely Calls"




On Thu, Oct 2, 2025 at 5:41 PM Suzannah K. Sundby via Patentpractice <patentpractice at oppedahl-lists.com> wrote:
So, considering my issue with unauthorized accounts associated with my Amazon account.

I decided to look into SIM card hacking, etc.

PSA: Check your cell phone and take measures to secure/lock your SIM card.  Read more here.  https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/

I have T-Mobile.  After checking out the T-Mobile app, which I never did use before (I was previously Sprint).  I discovered that one can also set up 2FA for logging into T-Mobile… which I guess is essential to protect one’s cell phone and SIM card.

It seems I already had SIM card protections toggled on.  Whew.

But, in reviewing security options… T-Mobile has something called DIGITS, which lets one use one phone number to talk and text on multiple devices.  WTF?!?!?!

I tried toggling this OFF, but then a warning pops up saying if I disable then I can no longer receive texts and emails, etc.  WTF?!?!?!

Nevertheless, the app indicates that there are no additional devices using my account/phone number… Whew.

But still…  Why does toggling off DIGITS (to prevent other devices from using my phone number) turn on ‘Device Block’ which per T-Mobile “If you select this service [Device Block], you will no longer be able to send or receive any type of message.”

I mean… WTF… It’s just like Amazon whereby others can create associated accounts using my cell number but I can’t remove my cell number from my account, etc…

Anyway, PSA: Check your cell phone and take measures to secure/lock your SIM card.  Read more here.  https://securityscorecard.com/blog/sim-card-hacking-what-it-is-how-it-works-and-how-to-protect-yourself/


--
Patentpractice mailing list
Patentpractice at oppedahl-lists.com<mailto:Patentpractice at oppedahl-lists.com>
http://oppedahl-lists.com/mailman/listinfo/patentpractice_oppedahl-lists.com


--
Best regards
Rick Neifeld, J.D., Ph.D.
Neifeld IP Law PLLC
9112 Shearman Street, Fairfax VA 22032
Mobile: 7034470727
Email: RichardNeifeld at gmail.com<mailto:RichardNeifeld at gmail.com>;
