Amazon’s One Stop Shop for Identity Thieves

Imagine if a budding identity thief had a free, user-friendly, and publicly searchable database of millions of people’s names, locations, dates of birth, and mothers’ maiden names. Enter Amazon registries. We already know that Amazon collects a lot of personal information and data that can be difficult for its users to obtain, but the company also readily exposes your information for anyone to access when you set up a registry. Because the default visibility setting for wedding, birthday, baby, and other registries is public, Amazon reveals to the world the very information that financial institutions and other service providers request for authentication: information that identity thieves can use to take control of your life.

Amazon registry creation landing page.

Screenshot: The Intercept

Identity theft registries

Amazon requires certain information to be provided when setting up a registry. For a wedding registry, Amazon requires the first and last names of both partners, the date of the wedding, the number of guests expected, and a mailing address. The default sharing setting makes the registry searchable not only on Amazon, but also through the third-party wedding planning website The Knot. This has led to confusion among Amazon Wedding Registry users about how The Knot received their registry details. Similarly, when creating a baby registry, Amazon asks for a first and last name, an expected due date, whether the baby is the parents’ first child, and a mailing address. The default visibility setting is also public, and the registry appears on the pregnancy and parenting websites The Bump, What to Expect, and BabyCenter.

Anyone can search for a public registry (even without an Amazon account) with just a name, or by specifying a date and a location. In addition to the list of desired products, wedding registries show the names of both partners, the location of the event, and the event date. Baby registries return either the name of the expected baby or the parents’ names, their city and state, and the expected due date.

At first glance, only wedding registries for weddings taking place between 2020 and 2032, and baby registries with due dates between 2020 and 2023, can be searched. However, there are ways to circumvent the date restrictions and reach registries from earlier years. When there are multiple results, the wedding and baby registry searches display the top 100 matches, and if no date parameter is entered, the results may contain entries outside the default date ranges. For example, even though Amazon only lets you select dates from 2020 onward, if you don’t specify an exact range when searching for a common name, you might get results from, say, 2008.

However, perhaps the most critical weakness in Amazon’s date range search is that the date fields are only restricted on the client side and can be modified using the developer tools built into browsers such as Chrome and Firefox. A quick search with changed date fields turned up wedding registries dating back to 2004 and baby registries dating back to 2006. So someone could uncover details of a registry set up for a person who is 16 years old today. Who knows how this information could be weaponized in two years, once such a teenager becomes a legal adult?
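The underlying defect described above is that the date window is enforced only by the HTML form, so the server accepts whatever years a request carries. The following Python is an added illustration, not Amazon’s or The Intercept’s code, of what the server-side fix looks like: a search handler that holds the allowed window itself, treats a missing bound as the policy bound rather than as "unbounded", rejects out-of-window requests, only returns registries marked public, and caps results at 100 as the page describes. The weak variant beside it mirrors the behaviour the article reports. The policy constant, the `Registry` type (whose default visibility is private, the setting the article later recommends), and the sample registries are all constructed for this example.

```python
"""Server-side enforcement of a registry search window (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical policy: the same window the public form shows, held on the server
# where a client cannot edit it.
ALLOWED_YEARS = (2020, 2023)
MAX_RESULTS = 100


@dataclass(frozen=True)
class Registry:
    name: str
    city: str
    due_date: date
    # Secure default: a new registry is private unless its creator opts in.
    visibility: str = "private"


class InvalidSearch(ValueError):
    """Raised when a request asks for years outside the server-side window."""


def _normalise_window(year_from: Optional[int], year_to: Optional[int]) -> Tuple[int, int]:
    lo, hi = ALLOWED_YEARS
    # A missing bound collapses to the policy bound, never to "no bound at all".
    year_from = lo if year_from is None else year_from
    year_to = hi if year_to is None else year_to
    if year_from > year_to or year_from < lo or year_to > hi:
        raise InvalidSearch(f"years {year_from}-{year_to} are outside {lo}-{hi}")
    return year_from, year_to


def search_trusting_client(registries: List[Registry], name: str,
                           year_from: Optional[int] = None,
                           year_to: Optional[int] = None) -> List[Registry]:
    """Weak form: bounds come straight from the request and an absent bound
    means unbounded, which is the behaviour the article describes."""
    hits = []
    for r in registries:
        if r.visibility != "public" or name.lower() not in r.name.lower():
            continue
        if year_from is not None and r.due_date.year < year_from:
            continue
        if year_to is not None and r.due_date.year > year_to:
            continue
        hits.append(r)
    return hits[:MAX_RESULTS]


def search_enforced(registries: List[Registry], name: str,
                    year_from: Optional[int] = None,
                    year_to: Optional[int] = None) -> List[Registry]:
    """Hardened form: the window is validated server-side before any lookup."""
    year_from, year_to = _normalise_window(year_from, year_to)
    hits = [
        r for r in registries
        if r.visibility == "public"
        and name.lower() in r.name.lower()
        and year_from <= r.due_date.year <= year_to
    ]
    return hits[:MAX_RESULTS]


# Constructed sample data: a stale public registry, a current one, and a private one.
SAMPLE = [
    Registry("Baby Example", "Springfield, IL", date(2006, 3, 14), "public"),
    Registry("Baby Example", "Springfield, IL", date(2022, 9, 1), "public"),
    Registry("Baby Example", "Springfield, IL", date(2022, 9, 2)),  # private by default
]

if __name__ == "__main__":
    print("trusting:", [r.due_date.year for r in search_trusting_client(SAMPLE, "example")])
    print("enforced:", [r.due_date.year for r in search_enforced(SAMPLE, "example")])
```

With no date parameters the weak search returns the 2006 registry alongside the 2022 one, which is exactly the "results outside the default range" behaviour the article observed; the hardened search returns only the 2022 entry, and a request for 2006 is refused outright instead of being honoured. The private registry never appears in either.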

A redacted search results page for baby registries, modified to show results from 2006, although Amazon's official form only allows date ranges from 2020 to 2023.


Screenshot: The Intercept

Secrets (widely) shared

Knowledge-Based Authentication, known as KBA, is a form of identity authentication favored by service providers such as financial institutions. It relies on shared secrets: information that is supposedly known only to you and your bank, email provider, or other service. For example, if you lose your bank account password, you can regain access by entering information that most people probably don’t know about you, such as your mother’s maiden name or your date of birth.

Security issues like this have been around for quite some time. Banks have used the mother’s maiden name as a form of identity authentication since at least 1882. But today, these so-called secrets are inevitably shared far more widely than account holders anticipate, resulting in heartbreaking cases of identities stolen using the very personal data relied on for authentication.


An early use of the mother’s maiden name as a form of knowledge-based authentication in Frank Miller’s 1882 book “Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams”.

Screenshot: The Intercept

Combining multiple Amazon registries could reveal huge amounts of information not just about living people, but even about an unborn baby. A wedding registry would list the mother’s maiden name, and a baby registry would list the expected date of birth, the location, and the name of either the expected child or the parents. If the baby isn’t born on its due date, there’s always Amazon’s birthday gift registry to cross-check. The place and date of birth can, in turn, be used to deduce a partial Social Security number.

The use of newborn babies for identity theft is not a new phenomenon. The practice of adopting the identity of a deceased infant was popularized in Frederick Forsyth’s 1971 novel “The Day of the Jackal”, in which an assassin scours small parish cemeteries to find a dead infant whose identity he can assume in order to apply for a passport in that name.

While the dead-child impersonation technique is still used today, Amazon’s public baby registries have made it much easier to target the unborn. Identity thieves no longer need to comb through musty county registry offices for birth certificates when they can simply search registries online.

Privacy measures

While there are plenty of other ways to find personal information scattered across the internet, such as social media profiles and genealogy websites, your Amazon registry doesn’t have to be another.

Because Amazon registries are public by default, users must manually switch the privacy setting either to “shareable”, which makes a registry accessible only via a direct link, or to “private”, which makes it visible only to its creator. Another option to mitigate data exposure is to enter a fake due date, so that Amazon doesn’t show the actual date.

Default privacy settings on the Amazon Baby Registry creation page. By default, the registries can be searched and viewed by anyone without even needing an Amazon account, and are also shared across three third-party sites, The Bump, What to Expect, and BabyCenter.


Screenshot: The Intercept

Also consider that alongside the treasure trove of personal information that public registries offer identity thieves, the products themselves present an additional security risk. Anyone can browse a gift registry to see which products have known vulnerabilities, such as baby monitors that allow remote access to their video streams.

Once a registry has served its purpose, there’s no reason not to delete it rather than let it sit around for 16 years or so, as some users have inadvertently done. Although a wedding registry is simple to delete, Amazon’s steps for deleting a baby registry are not clear, with the first step cryptically saying “Go to your .” Perhaps the best preventive solution is to not use a flawed, privacy-eroding service in the first place.

Instructions from Amazon for deleting a baby registry.


Screenshot: The Intercept