A grieving mother was left distraught by Amazon after a laptop bought to plan her child’s funeral disappeared in an alleged scam – despite the website claiming to protect the purchase with a one-time password.

  • towerful@programming.dev
    link
    fedilink
    arrow-up
    8
    ·
    10 months ago

    Yeh, Driver should trigger OTP delivery.
    Recipient should get a text/app-notification with a “is the driver in front of you (physically in front of you, at your door)? Be aware of OTP scams” prompt.
    Then release the OTP code to the recipient.
    Driver types it in, and hands over the package.

    Equally, the driver-contact-customer SMS normally has a “your driver is trying to contact you. Please reply STOP to opt out” pre-message, before delivering the drivers message. This could include a “remember, OTP codes should be exchanged in person and not via SMS” warning.

    • IHeartBadCode@kbin.social
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      10 months ago

      OTPs only ensure that you “physically have” the thing that the OTP presents.

      UPS used to hand over a signature pad to collect a signature. Amazon’s OTP implementation should have an OTP that the customer enters into a pad that the driver hands over. The driver gets the pad back once the package is given to the customer. The package is then marked delivered when the driver enters their OTP into the pad.

      The entire point is that the delivery pad is the presentation of the OTP. The customer entering their OTP into the pad indicates they physically have the pad (not the product), the driver entering their OTP into the pad means they have recollected the pad (ideally in exchange for the parcel). The OTP only proves that someone physically holds the device that the OTP was entered on, it proves nothing else.

      No good OTP implementation has in it a point where the OTP is told to another person. Amazon’s OTP implementation is just flawed from the word start. I think more people would understand it if the whatever digit number was called something like “signature code”, in that the set of numbers constitutes the equal to a signature. You wouldn’t let someone, especially the driver themselves, sign for your package, so you shouldn’t tell the OTP to anyone, except those who you think should be able to sign for your package.