Wednesday 29 January 2020

This Amazon shopping hack can save you over 70% every time you use it

Amazon houses thousands of discounted items in a secret online store where it liquidates customer returns and merchandise with damaged packaging at fractions of their retail prices.
Sarah Tew/CNET
Forget about coupon codes, lightning deals or waiting until Prime Day rolls around again, because this Amazon shopping hack doesn't require any secret promotions and -- best of all -- it works any day of the year you want to use it. I routinely save anywhere from a few bucks to over 70% off the retail price on just about everything I buy on Amazon just by looking for the item I want on Amazon Warehouse Deals. And once you learn the trick, you can too.
The only catch -- apart from the fact the stuff isn't technically "new" -- is that Amazon doesn't exactly make it easy to find these discounted listings, so you'll have to play a little hide-and-seek, which isn't always easy. Sometimes, in fact, it can be so tricky to figure out whether or not a particular item is available through Amazon Warehouse that it almost seems like Amazon is hiding the discounts on purpose.
That's why I'm going to help navigate you through the labyrinth of Amazon listings and show you how to drill down until you find the best deal. Once you master this hack, you'll never want to pay full retail price on any Amazon item again.
Whether you're on mobile or desktop, if you know how to find Amazon Warehouse Deals you can save up to 70% off a retail price.
James Martin/CNET
How to browse Amazon Warehouse Deals
If you're not in the market for anything in particular -- say you're just looking for gift ideas or killing time during your lunch break -- you can get to the Amazon Warehouse Deals landing page by heading to Amazon.com and searching for "Amazon Warehouse" or "Warehouse Deals." From there you can browse the categorized listings just as you would at any online retailer.
How to find specific items from Amazon Warehouse
If you're anything like me, 99% of the time I shop on Amazon I know exactly what I'm looking for. If you already have something specific in mind but want to see if there's a discounted Amazon Warehouse option available, this is where your sleuthing skills come into play. 
At the bottom of the box, click the link that reads, "Used & new (20) from $121.79" to get the discounted Amazon Warehouse listings for this item.
Screenshot by Dale Smith/CNET
First, pull up the item you want to buy just as you normally would on Amazon, but don't add it to your cart just yet. Scour the page, keeping your eyes peeled for words like "New & Used," "Buy Used,"  "New & Used Offers" or just plain "Used." 
Usually there'll be a price listed too, representing the cheapest option available (but not including tax or shipping costs). If you're not having any luck finding the link, try using your browser's "find" function (usually Control-F on Windows PCs and Command-F on Macs) to look for these keywords.
Once you locate the link, look for items with "Amazon Warehouse" listed as the seller and an Amazon Prime logo displayed near the price. If Amazon Warehouse has more than one of the same item in stock, there will sometimes be a separate listing for each, especially if the items are in different conditions. 
Why Amazon Warehouse stuff is so cheap 
Just like other major retailers such as Walmart or Target, Amazon takes in a lot of customer returns, which it can no longer sell as new-in-box, regardless of why the buyer sent the item back or whether it's even been opened. 
That's why everything Amazon Warehouse sells is listed as used, even if the product itself has never been touched. Regardless of its condition, used stuff is just worth less -- sometimes a lot less. And that's good for you.
What to do when you get a lemon
Of the dozens (if not hundreds) of Amazon Warehouse listings I've bought over the years, I only ever ran into problems with a handful of them -- a Bluetooth adapter for my car that would randomly shut off, a wireless router that didn't broadcast any signal, a very well-worn puppy harness with dog hair stuck to it; stuff like that. 
Don't throw away those Amazon boxes just yet -- if you do happen to receive an item that's broken or doesn't work, you'll need to return it to Amazon.
Claudia Cruz/CNET
Whenever that happens, I just return the item like I would any defective product, then order another one. Sure, it's a bit more hassle, but considering the hundreds, if not thousands of dollars I've saved over the years this way, it's worth the extra effort.
Truth is, most Amazon Warehouse items are in perfect working order -- many haven't even been so much as pulled out of their packages yet, like the Ring 2 Doorbell I got for $65 (it retails for $139) or the Baby Trend stroller I paid $81 for instead of $105. Even for stuff that has been taken out of the box, Amazon puts everything through what the company calls a "rigorous 20-point inspection process," after which each item is given a quality grade and priced accordingly. 
Some items may have cosmetic damage or be missing parts, accessories, instructions or assembly tools, but Amazon will detail any damage to the product or packaging, as well as any missing element along with the condition, so you won't be surprised. For example, I knew when I ordered a 100-watt Pyle amplifier for $29 that the accessories were loose and the amp would come repackaged. Who cares? I saved $15.
The different quality grades and what they mean
Amazon has five different grades it assigns to items it resells. Here they are with brief explanations of what Amazon means by them.
Renewed: This is the highest grade an Amazon Warehouse item can receive and is on par with what other companies might call "refurbished." Renewed items have been closely inspected and tested and determined to look and function like new and come with a 90-day replacement or refund guarantee. The "refreshed" Roku Express Plus I ordered had never even been opened.
The Amazon Warehouse listing for this product in Good condition costs $121.79. The same item in Very Good condition costs almost $7 more. Either option, however, is better than paying $164.99 for it brand-new.
Screenshot by Dale Smith/CNET
Used, Like New: No noticeable blemishes or marks on the item itself, although the packaging may be damaged, incomplete or missing all together. All accessories are included, and any damage to the package will be described in the listing. The box for the Like New Evenflo locking gate I saved $6 on was a little banged up, but I've seen way worse on Walmart's shelves. The gate itself was flawless.
Used, Very Good: Item has been lightly used, with minor visible indications of wear and tear, but otherwise in good working order. Packaging might be damaged, incomplete or the item repackaged. Any missing accessories will be detailed on the listing. I saved $4 on a Very Good Bosch Icon wiper blade that had, like, one scuff on it.
Used, Good: Item shows moderate signs of use, packaging may be damaged or the item repackaged and could be missing accessories, instructions or assembly tools. Another Bosch Icon wiper blade I got was only in Good shape, but I saved $15 on that one, and honestly I can't tell one from the other now that they're on my car.
Used, Acceptable: Very well worn, but still fully functional. Major cosmetic defects, packaging issues and/or missing parts, accessories, instructions or tools. I got an Echo Dot for $23 that was considered Acceptable. I think it has a scratch near the power port, but now it's on my nightstand where it does its job well, and mostly in the dark, for less than half the cost of a new one.
How to choose the right grade
If there are multiple listings with different grades available for the product I want to buy, I think about what I'm going to use it for. If it were something purely functional and I couldn't care less about its cosmetic condition, like hair clippers or a cordless drill, I'd go with the cheapest option, period. 
The Ring 2 video doorbell normally retails for $200. As of early November, Amazon has it discounted to $139, however the Amazon Warehouse price is only $90.
Chris Monroe/CNET
If it's something I'd display, like a kitchen mixer, end table or wall clock, I'd read the descriptions a little more closely and look for items that are rated Very Good or Like New. 
But honestly, a low enough price on just about anything can woo me into putting up with some scratches or scuffs. Not to mention, in my experience, Amazon tends to err on the side of caution, marking items as Good or Acceptable that the average person would consider Very Good or Like New.
Officially no warranty, but your mileage may vary
One of the benefits of purchases made through Amazon Warehouse is that Amazon's standard 30-day replacement or refund return policy applies, which comes in handy if you wind up with a lemon. Amazon does caution that because these products are considered used they don't come with the manufacturer's original warranty.
Amazon Echo Dots can usually be had for over 50% off their retail price of $50 when Amazon Warehouse lists them for sale.
Ben Fox Rubin/CNET
That said, if the product hasn't already been registered in someone else's name, there's a decent chance any issues you run into past Amazon's 30-day window can be resolved with a call to the manufacturer.
Amazon Prime members still get free shipping
Subscribing to Amazon Prime won't get you a bigger discount on Amazon Warehouse Deals, but you'll get free shipping just as you would for any other Prime-eligible item, which is why I still pay for Prime even though most of my purchases come from Amazon Warehouse.
Most of the stuff I've bought through Amazon Warehouse ships and arrives within the same one- to two-day window I get with new items, although some orders do take longer to fulfill. If that's the case, the extra handling time is usually indicated on the listing, so I know what to expect.
Amazon Prime members don't get any extra discounts on Amazon Warehouse merchandise, but they still benefit from free and usually pretty fast shipping. 
James Martin/CNET
Third-party sellers and other deals
While wading around in the listings looking for Amazon Warehouse Deals you may have discovered even more discounted listings not sold by Amazon. What you've stumbled upon are items sold by third-party retailers whose only relationship with Amazon is that their items are for sale on Amazon's marketplace, much like eBay. 
However, Amazon's buyer protections lag considerably behind eBay's. eBay guarantees customers their money back in the event of a dispute, and although Amazon will ultimately do the same, its process is a bit more convoluted, so proceed with caution. Generally, if I can't find a good enough deal on Amazon Warehouse, I'll tab over to eBay and look for the item there instead. eBay is a little more transparent about both its vendors and the merchandise they sell. If I'm going to buy garage-sale used as opposed to Amazon's never-opened used, I prefer eBay.
Originally published last year. 

Lessons from the Bezos phone hack - a corner case or an early warning for enterprises?

‘If Jeff Bezos isn’t safe, no one is’. ‘We should all be terrified’. Those were common themes after additional details emerged on the techniques hackers used to exfiltrate personal and sensitive information from Jeff Bezos’ phone and leak it to a tabloid. There’s some truth in the first reaction: if you present a juicy enough target to a nation state or person of virtually unlimited resources, they can probably find a way to compromise your phone and its data.
However, the second is hyperbole, since few of us are sufficiently interesting (or threatening) to warrant spending the kind of money required to mount a targeted attack with the requisite social engineering, spear phishing and zero-day payloads. Nevertheless, the Bezos hack is instructive since it illustrates the modes of attack and types of vulnerabilities capable of reaching a knowledgeable user, along with the ramifications of fully compromising a phone.
Reported in January 2019, the Bezos hack in itself is old news, but the topic resurfaced last week after details from a forensic report, commissioned by Bezos, were leaked to the Financial Times and subsequently referenced in a statement from the UN Human Rights Commission. The Guardian and the UN report have handy timelines of the events, but for those that haven’t been following the twists and turns, here are the key talking points:


  • Saudi Crown Prince Mohammed bin Salman is accused of ordering the murder of journalist Jamal Khashoggi for his frequent columns critical of the Kingdom in the Washington Post.
  • MBS (as he is colloquially known) comes to the US in the spring of 2018 for a charm offensive with President Donald Trump and major business leaders. Bezos meets him at a Hollywood dinner where they exchange contact information.
  • MBS and Bezos have a chat exchange via WhatsApp, MBS’s preferred means of private communication.
  • The report contends that one of the messages MBS sends is loaded with malware that exploits a since-discovered WhatsApp vulnerability (likely this one) delivered via an encrypted video file (MP4). The phones of two Saudi human rights activists who frequently communicated with Khashoggi are also infected this same way.
  • The phone of an Amnesty International official is infected via the same technique, but later discovered to be compromised. Subsequent forensic analysis finds data implicating an Israeli software company, NSO, expert in crafting phone malware that often exploits unreported and unknown software vulnerabilities. NSO is frequently used by law enforcement and others to thwart phone privacy technology or surreptitiously gather evidence.
  • The National Enquirer publishes and publicizes a story of Bezos's extra-marital affair that includes intimate text messages from his hacked phone.
  • Bezos publishes a blog accusing the Enquirer of extortion with excerpts from their email exchange detailing the tabloid’s demands.
  • Saudi Arabia is accused of complicity in and denies any involvement in the Bezos hack.
  • A security expert hired by Bezos claims he is confident the Saudis had access to Bezos’ phone.
  • And finally, last week’s details of the forensic analysis into Bezos’s phone are leaked and published by the media and UN Human Rights Commission.

    The full report hasn’t been publicly released, and while the leaked portions and UN summary lack many critical technical details, they do indicate the basics of the attack and how flaws in the WhatsApp video downloader can be exploited to deliver malware to a phone. However, the report does not conclusively tie the hack to the Saudi government, MBS or NSO, since it didn’t decrypt the malware-carrying video file and examine it for malicious software.
    So what does this all mean to me and my company?
    It’s easy to be alarmed by the Bezos hack since it illustrates the vulnerability of a tech-savvy, but busy, executive using a closed, highly secure device — the iPhone with iOS — to rootkit-level access. However, one can’t get paranoid over the attack since it required a lot of planning and money for the targeted execution and code payload. While the leaked forensics report didn’t include details about the payload, I agree with the UN assessment (paragraph 9) that it is probably very similar, if not identical to NSO’s Pegasus spyware, which works like this (similarities highlighted):
    To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
    The reason most organizations have little to worry about is that you don’t become a target of something like Pegasus unless you are a high-value target. According to an NSO Group contract reviewed by the New York Times, the company typically does 8-figure deals with foreign governments or domestic law enforcement agencies. Even a minimal deal to spy on 10 iPhones runs $1.15 million: $650,000 for the phone software, plus a $500,000 setup fee.
    The takeaway for enterprise IT is that your average user won’t be the target of such a sophisticated attack, although your CEO and senior executives might be if they run a multi-billion dollar global enterprise with lots of competition, particularly if some of it is in China or other nations with loose definitions of intellectual property.
    Good phone security hygiene like restricting the apps on employees’ phones, segregating phone users into a VPN with tightly controlled access to other enterprise networks and enforcing two-factor authentication for all accounts will prevent most security problems. However, organizations should enforce these policies on any device, company- or employee-owned, connecting to its network via an MDM (mobile device management) system. These can be as complicated as a third-party security suite or as simple as using the Apple Business Manager or enabling mobile device controls on the Google admin console for organizations using GSuite.
    Organizations needing more elaborate protections of the kind that likely would have detected and quarantined the Bezos phone before it could have exfiltrated data or spread malware over internal networks should investigate mobile threat defense (MTD) products. These typically work by monitoring mobile devices and detecting anomalous behavior that indicates a compromised device. Most organizations aren’t convinced they need an MTD product, with Gartner estimating that only 15 percent of organizations have one deployed. Incidents like the Bezos hack might bolster sales, however, since Gartner expects a doubling of MTD penetration to 30 percent this year. Most will likely be a part of a more comprehensive endpoint management suite from established vendors like BlackBerry, IBM, Microsoft, MobileIron and VMware.
    My take
    There are enterprise security lessons anytime a famous person’s sensitive texts, pictures and emails are splashed across the Internet, whether it is due to personal naïveté or mistakes, structural security problems with a particular app or service or, as in the Bezos case, a carefully executed plan targeting a particular person or small group. The latter, i.e. the extensively-planned, expensive-to-execute targeted attacks, are the most successful and dangerous, but also the least likely to create a broad threat to the average enterprise. Nonetheless, the incident offers lessons for both enterprise IT and individual phone users.


  • Individuals must be highly skeptical of unsolicited communications, particularly those with file attachments, even when they come from a peripheral acquaintance over a supposedly secure private channel like WhatsApp. Furthermore, WhatsApp has such a poor security record that users should avoid it in preference to something like iMessage or Signal.
  • Enterprises should enforce basic mobile security policies via MDM software and investigate MTD or comprehensive endpoint management suites for high-risk or high-value employees.

Decoding the Jeff Bezos phone hack: What the rest of us can learn from the forensic report

    Amazon CEO Jeff Bezos. (GeekWire File Photo)
    Jeff Bezos’ smartphone is back in the news. After days of second-hand reports that the Amazon founder and Washington Post owner’s phone was hacked by none other than Saudi Crown Prince Mohammed bin Salman, a.k.a. MBS, we now have access to the full forensic report on the incident.
    Motherboard has posted a copy here. The report was prepared by FTI Consulting, at the request of Bezos’ investigator. If you’re into computer forensics, it’s a good read and provides the kind of nitty-gritty detail that a good forensics report should have. For example, the report notes that once FTI took possession of the phone, its facilities were guarded 24x7.
    But if you don’t want to read a 15+ page forensics report, here are the key points to focus on:


  • FTI was unable in their investigation to find or identify malware on the system.
  • FTI was unable to gain full access to the device due to lacking a password for iTunes backups.
  • Bezos and MBS sent a message via WhatsApp on 4/4/18 to MBS and received a reply on 4/5/18, apparently to exchange phone numbers.
  • On 5/1/18, Bezos received a message from Mohammad bin Salman (MBS) with a large video file. This “arrived unexpectedly and without explanation”.
  • After 5/1/2019, “The amount of data being transmitted out of Bezos’ phone changed dramatically after receiving the WhatsApp video file and never returned to baseline….egress on the device [data sent from the device] immediately jumped by 29,000 percent.”
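
The egress observation in the last point above is the kind of signal a device-monitoring product can test for: a jump in bytes sent that persists rather than a one-day spike. The following is an added example, not code from the FTI report or this article; the daily byte counts are constructed, and the 7-day baseline, 10x factor and 3-day persistence are assumed thresholds.

```python
from statistics import median

# Constructed sample: bytes sent per day by one device (not data from the report).
DAILY_EGRESS = [
    410_000, 395_000, 402_000, 388_000, 420_000, 400_000, 405_000,  # training window
    9_000_000,            # one-off spike (e.g. a large upload); normal again next day
    398_000, 399_000,
    116_400_000, 98_000_000, 120_500_000, 87_000_000,  # jump that never returns to baseline
]


def percent_change(baseline, value):
    """Percent change of value relative to a non-zero baseline."""
    return (value - baseline) / baseline * 100.0


def detect_sustained_shift(daily_bytes, baseline_days=7, factor=10.0,
                           sustain_days=3, min_baseline=1024):
    """Find the first day that starts a sustained egress jump.

    Returns (start_day_index, baseline_bytes, percent_change_on_start_day),
    or None when no run of `sustain_days` consecutive days exceeds
    `factor` times the baseline.

    The baseline is the median of the last `baseline_days` days that were
    judged normal. Days above the threshold are never added to it, so a
    compromised device cannot drag its own baseline upward.
    `min_baseline` keeps an idle device (zero traffic) from alerting on
    a few kilobytes and avoids dividing by zero.
    """
    if len(daily_bytes) < baseline_days + sustain_days:
        return None  # not enough history to train and confirm
    normal = list(daily_bytes[:baseline_days])
    run_start, run_len = None, 0
    for day in range(baseline_days, len(daily_bytes)):
        baseline = max(median(normal[-baseline_days:]), min_baseline)
        value = daily_bytes[day]
        if value > factor * baseline:
            if run_len == 0:
                run_start = day
            run_len += 1
            if run_len >= sustain_days:
                first = daily_bytes[run_start]
                return run_start, baseline, percent_change(baseline, first)
        else:
            # Back under the threshold: any short run was a spike, not a shift.
            run_len = 0
            normal.append(value)
    return None


if __name__ == "__main__":
    hit = detect_sustained_shift(DAILY_EGRESS)
    if hit:
        day, base, pct = hit
        print(f"sustained egress shift from day {day}: "
              f"baseline {base} B/day, first day {pct:+,.0f}%")
```

On the constructed series the single 9 MB day is ignored, and the alert fires on the third consecutive elevated day, reporting the day the shift began.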

    Alex Stamos, the former Facebook chief security officer, posted a Twitter thread with his take on the report. He puts it well when he says, “This FTI forensics report is not very strong. Lots of odd circumstantial evidence, for sure, but no smoking gun. The funny thing is that it looks like FTI potentially has the murder weapon sitting right there, they just haven’t figured out how to test it.”
    That last point is important and one that FTI clearly realizes. The report indicates that FTI is continuing to explore additional lines of investigation. And in good crowdsourcing fashion, after Stamos posted his analysis, a number of people in the security community offered to help.
    Why is this investigation “not very strong”? Because, as of the writing of the report, FTI was unable to gain full access to the device to do a full forensic analysis. This is apparently because of issues with iTunes backup that they detail in their report, likely because of a forgotten password.
    In other words, Bezos’ investigators have run into the same problem that we’ve been reading law enforcement is facing with the iPhones related to the naval base shooting in Pensacola, Fla. This has led Attorney General William Barr and President Trump to renew the call for ways to bypass encryption, a move that is reigniting the “encryption wars” of the 1990s.
    The FTI Consulting investigators have, however, outlined a compelling circumstantial case. Clearly SOMETHING happened on 5/1/18 to Bezos’ phone to make it start sending massive amounts of data. And that was the same date Bezos got a video from MBS that was unexpected. FTI Consulting bolsters its circumstantial argument by noting and showing evidence that a customer of the Hacking Team, a company that has been known to make hacking and surveillance tools used by nation-states and others, asked in May 2018 if it was possible to infect a device through a picture or video which is automatically downloaded. The request even specifically asks about WhatsApp, the Facebook-owned app that Bezos and MBS used.
    Where does this leave us? With a reasonable, credible circumstantial case. It also leaves us with a technical mystery that hasn’t yet been solved, but may be solved in the future. The amount of interest in this case alone means that this unsatisfactory answer won’t suffice forever. Add in the enthusiasm with which the security community likes a good challenge, and is now looking to jump in, and you can reasonably expect that there will be more to come out of this.
    Meanwhile, what does this teach the rest of us?
    First, if you are potentially the target of a nation-state-level attack, you should change your phones regularly. One thing that is surprising to me out of this report is that Bezos apparently kept the same phone, with the same configuration, for nearly a year. If there was malware on the phone starting in May 2018, it was still active apparently until February 2019, a full eight months. This episode also reminds us of an important principle in security: if the physical device isn’t secure, then all bets are off. If someone gets physical access to the device, they own it. Indeed, the key to more information in this case likely will come because the investigators have Bezos’ physical device and are able to crack that.
    Second, the FTI Consulting report makes another reasonable, circumstantial argument that whoever hacked his phone listened in on a phone briefing in February 2019 about possible hacking of his phone. This is a reminder that a compromised mobile device is a spy’s best friend. It has, by design, audio and video gathering capabilities. It also gives attackers information about your physical location. And it can give them access to every email, social media account and app you have on the device. Seeing as most people live on their phones, this gives complete and total access.
    Third, this underscores that even “secure” chat apps like WhatsApp or Signal are not bulletproof and don’t provide complete protection. Those apps provide encryption of conversations, yes. But the key phrase is “end to end encryption”: if one of the ends is compromised with malware, all bets are off.
    This story is not over. There is not a conclusive answer yet. I’m not 100% convinced yet. However, there is a reasonable circumstantial case out there. So I’m nearly 100% convinced that I may be 100% convinced in the future. And if additional research is brought to bear and is successful, that circumstantial case could end up being even more solid.
    Finally, it’s a reminder that even billionaires, and even ones in tech, can be hacked. Be careful out there.



