Amazon’s Plan to Track Worker Keystrokes: A Sign of Controls to Come?

    Data theft, insider threats and imposters accessing sensitive customer data have apparently gotten so bad inside Amazon that the company is considering rolling out keystroke monitoring for its customer-service reps.

    A confidential memo from inside Amazon explained that customer service credential abuse and data theft was on the rise, according to Motherboard which reviewed the document. Keystroke monitoring would be a way for the company to verify the identity of who was accessing data.

    “We have a security gap as we don’t have a reliable mechanism for verifying that users are who they claim they are,” the document reportedly said.

    Amazon’s memo added that outsourced employees working from home in countries like India and the Philippines, where most of these security incidents occur, have created a “high data-exfiltration risk,” according to Motherboard.

    According to the report, Amazon data has been abused in several ways: roommates of legitimate customer-service reps looking up what famous people purchased from Amazon; hackers purchasing customer-service credentials; and even the use of a USB Rubber Ducky, a device that presents itself as a keyboard, to inject keystrokes at machine speed and gain access to systems.

    The company added that it’s considering a product from BehavioSec, a behavioral-biometrics vendor whose tool aggregates a user’s mouse movements and keystroke timings to build a profile of that user’s typical behavior. Once that baseline is established, the tool flags sessions whose activity deviates from it, which is how it would catch someone other than the enrolled rep using the rep’s credentials. But based on Motherboard’s reporting, Amazon doesn’t seem to have settled on a final plan.

    “We are considering an option that will include capturing all keystrokes and with this functionality turned on, we may not be able to deploy the off-the-shelf solution,” the company said.
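    To make the keystroke-profiling idea concrete, the following is an added example written for this article; it is not BehavioSec’s product or Amazon’s code, and the timing samples, thresholds and the enrolled rep, roommate and Rubber Ducky sessions are all constructed. It builds a per-user baseline from dwell time (how long a key is held) and flight time (the gap between releasing one key and pressing the next), scores a new session against that baseline, and separately catches the keystroke-injection case from the report, where a device types faster and more regularly than any human hand.

```python
"""Keystroke-dynamics baseline and anomaly scoring.

Added example, not BehavioSec's or Amazon's code. All sessions below are
constructed with a seeded generator; the thresholds are assumptions.
"""
import random
from statistics import mean, pstdev

INJECT_MAX_FLIGHT_MS = 15.0  # assumed: no human sustains <15 ms between keys
INJECT_MAX_CV = 0.10         # assumed: near-zero timing jitter means a script, not a hand
Z_THRESHOLD = 2.5            # assumed: session mean this many baseline std-devs off is anomalous


def session_features(session):
    """session: ordered list of (press_ms, release_ms) per keystroke.

    Returns (dwell_times, flight_times). Dwell is how long the key was held;
    flight is the gap between one key's release and the next key's press.
    """
    if len(session) < 2:
        raise ValueError("need at least two keystrokes to compute flight times")
    dwells = [release - press for press, release in session]
    flights = [session[i + 1][0] - session[i][1] for i in range(len(session) - 1)]
    return dwells, flights


def build_baseline(enrollment_sessions):
    """Pool every keystroke from a user's enrollment sessions into the
    mean/std of dwell and flight time: the 'typical behavior' profile."""
    all_dwell, all_flight = [], []
    for s in enrollment_sessions:
        d, f = session_features(s)
        all_dwell += d
        all_flight += f
    # Floor the std-dev so a degenerate enrollment can't divide by zero later.
    return {
        "dwell": (mean(all_dwell), max(pstdev(all_dwell), 1e-9)),
        "flight": (mean(all_flight), max(pstdev(all_flight), 1e-9)),
    }


def score_session(baseline, session):
    """Compare one session to the baseline and return z-scores plus a verdict."""
    dwells, flights = session_features(session)
    mean_flight = mean(flights)
    z_dwell = (mean(dwells) - baseline["dwell"][0]) / baseline["dwell"][1]
    z_flight = (mean_flight - baseline["flight"][0]) / baseline["flight"][1]
    # Coefficient of variation of flight time: humans jitter, injectors do not.
    cv_flight = pstdev(flights) / mean_flight if mean_flight > 0 else 0.0
    if mean_flight < INJECT_MAX_FLIGHT_MS and cv_flight < INJECT_MAX_CV:
        verdict = "injected"    # Rubber Ducky style: machine-fast and machine-regular
    elif abs(z_dwell) > Z_THRESHOLD or abs(z_flight) > Z_THRESHOLD:
        verdict = "anomalous"   # a person is typing, but not like the enrolled user
    else:
        verdict = "consistent"
    return {"z_dwell": round(z_dwell, 2), "z_flight": round(z_flight, 2),
            "cv_flight": round(cv_flight, 3), "verdict": verdict}


def synth_session(rng, n, dwell_mu, dwell_sd, flight_mu, flight_sd):
    """Constructed sample: n keystrokes with Gaussian dwell/flight timings (ms)."""
    t, out = 0.0, []
    for _ in range(n):
        dwell = max(1.0, rng.gauss(dwell_mu, dwell_sd))
        out.append((t, t + dwell))
        t += dwell + max(1.0, rng.gauss(flight_mu, flight_sd))
    return out


# Constructed data: five enrollment sessions for one rep, then three test sessions.
RNG = random.Random(20210813)
ENROLLED_REP = [synth_session(RNG, 60, 90, 15, 140, 40) for _ in range(5)]
BASELINE = build_baseline(ENROLLED_REP)
SAME_REP = synth_session(RNG, 60, 90, 15, 140, 40)   # the enrolled rep again
ROOMMATE = synth_session(RNG, 60, 60, 10, 300, 60)   # someone else at the keyboard
DUCKY = synth_session(RNG, 60, 5, 0, 3, 0)           # scripted keystroke injection

if __name__ == "__main__":
    for name, s in [("same rep", SAME_REP), ("roommate", ROOMMATE), ("rubber ducky", DUCKY)]:
        print(name, score_session(BASELINE, s))
```

    The injection check runs before the z-score check on purpose: an injector’s timings are so far from any human baseline that z-scores alone would also flag it, but labelling it separately tells the responder they are looking at a device, not a curious roommate. A real deployment would score per-key-pair timings rather than session means and would re-enroll as a user’s typing drifts; the structure is the same.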

    But even this disclosure is probably downplaying how rampant the problem is, Gaurav Banga, CEO of Balbix, told Threatpost.

    “Amazon is a purpose-driven company,” Banga said. “They don’t do anything for no reason.”

    What If You Don’t Know Your Employees?

    The most basic security control in any organization is the employee manager, he explained. The manager knows who the employees are, what they’re supposed to be doing and how they’re supposed to be doing it. Once employees started working from home offices, that most basic security control was lost.

    “You can’t see who’s an insider and who’s an outsider,” Banga said. “So how do you compensate for not knowing who your employees are?”

    He said keystroke monitoring is the kind of security that remote employees will have to get used to in the future.

    “Cybercriminals are becoming increasingly sophisticated in penetrating the enterprise and, once in, remain undetected for long periods of time,” Ordr CEO Greg Murphy told Threatpost. “Behavioral profiling is becoming increasingly important to be able to detect these threat actors, not just via user behaviors but anomalous patterns of behavior in connected devices.”

    Murphy explained that if a video-surveillance camera suddenly starts communicating with a malicious ransomware domain, that’s an obvious departure from regular behavior that should be investigated.

    “Amazon seems to be taking it a step further by monitoring keystrokes on customer-service agent devices,” he said. “This will be useful to detect devices that have already been compromised, particularly with many customer service agents now working from home with shared living quarters and poor physical security.”

    Murphy cautioned organizations to only use these types of monitoring controls on company-owned equipment. He added that organizations like Barclays have already riled up their employees with similar software monitoring initiatives.

    For employees worried about privacy, Banga offered a simple fix: Don’t do anything personal on a work computer.

    The flip side of that, Banga added, is that companies need to start taking control of the tech that runs their business and put firm policies in place to ensure security. Beyond a basic acknowledgement that employees are subject to monitoring, Banga said he doesn’t think most people would mind their work-habit data being collected.

    Besides, Banga added, there are jobs in industries like finance and government where data protection has always been part of an employee’s role in the organization.

    “If you work for a big fish and you handle big-fish data you have to protect that data,” he added.
