
90% of these attempts at scamming the CSRs could be prevented if Amazon allowed me to provide a SMS address that they could send a message to for confirmation.

Every time I login to gmail over the web from anywhere but my personal computer, I take an (at most) 5 second pause while Google SMS's my cellphone and has me enter the 6 digit code. Failing that, in my wallet, I have a list of 12 Backup "Nuclear Codes" should I for some reason lose my iPhone and need to login to email in the intervening period while I get it replaced.

Trivial to implement, very secure.



Unfortunately, what Amazon has to secure is almost every account. 2 factor authentication is great for the more security-conscious, but that's a very small percentage of Amazon's customers. All the scammers would have to do is hit one of the 98% of accounts that just have default security.

Sure, it can protect your account, but it can't protect Amazon unless they force everyone to use it (which would obviously not be good for building customer loyalty.)


GMail has a nice 2-factor scheme. While the SMS might need external services, the app-based verification keys are based on open standards and open-source code, and can be added to any web application with about 10 lines of code: http://code.google.com/p/google-authenticator/

There is even a Unix login module for adding it to SSH.


Amazon use the same two factor auth too. I've got my AWS account secured with the Google Authenticator app using TOTP codes as well as passwords.

It worries me that "consumer friendly" customer service leaks information like this, that could potentially lead to my AWS account getting suspended while fraud is investigated.


It's probably a good idea not to use the same Amazon account for AWS and personal shopping, just for this reason.


Yeah, I know that _now_…

I've got real live client sites which I haven't (yet) migrated important S3/Route53/EC2/CloudFront services out of the "I'll just try this out on my account to see if it'll work" setup.


The OP actually suggests a second factor for authentication: The last four digits of the card you paid the order with.


Except that Amazon shows you the last 4 of your card when logged in. That should be removed and the cards should be named.


This is for authentication when you're not logged in. But that aside, yes, I too would prefer named cards. I don't think of my cards by their numbers quite as much as their issuers.
