Amazon’s One-Stop Shop for Identity Thieves

From The Intercept:

Imagine if a budding identity thief had a free, user-friendly, publicly searchable database that contained the name, location, date of birth, and mother’s maiden name of millions of people. Enter Amazon registries. We already know that Amazon collects plenty of personal information and data that can be arduous for its users to obtain, but the company also readily shares your information for anyone to access when you set up a registry. Because the default visibility settings of registries for weddings, birthdays, new babies, and other occasions are preset to public, Amazon reveals to the world information that financial institutions and other service providers request for identity authentication — and that identity thieves can use to take over your life.

Amazon requires that certain information be provided when setting up a registry. For a wedding registry, Amazon requires the first and last names of both partners, the wedding date, the number of guests attending, and a mailing address. The default share setting is to make the registry searchable not only on Amazon but also via the third-party wedding planning website The Knot. This has led to confusion from Amazon wedding registry users over how The Knot received their registry details. Similarly, when creating a baby registry, Amazon asks for a first and last name, expected due date, whether the baby is the parents’ first child, and a mailing address. The default visibility setting is also set to public and to appear on pregnancy and parenting websites The Bump, What to Expect, and Baby Center.

Anyone can search for a public registry (even without an Amazon account) with just a name or further specifying a date and location. In addition to the list of desired products, wedding registries show the names of both partners, the event location, and the event date. Baby registries return either the name of the upcoming baby or the names of the parents, their city and state, and the expected due date.

At first glance, only wedding registries for weddings happening between 2020 and 2032 and baby registries with due dates between 2020 and 2023 can be searched for. However, there are ways to bypass the date restrictions to access registries from years prior. In the case of multiple results, wedding and baby registries display the top 100 matches, and if no date parameters are entered, search results may contain entries outside the default date ranges. For example, even though Amazon only lets you select dates from 2020 onward, if you don’t specify an exact range when searching a common name, you could get results from, say, 2008.

Perhaps the more critical vulnerability in Amazon’s date range search, however, is that the fields can be modified using the developer tools functionality available in browsers like Chrome and Firefox. A cursory search with modified date fields brought up wedding registries dating as far back as 2004, and baby registries dating back all the way to 2006. So someone could discover the details of a registry set up for a present-day 16-year-old. Who knows how this information could be weaponized in two years, once such a teen becomes a legal adult?

Knowledge-based authentication, known as KBA, is a form of identity authentication favored by service providers such as financial institutions that relies on shared secrets: information that is only known to you and your bank, email provider, or other service. For example, if you lose the password to your bank account, you can regain access by entering information that most people likely don’t know about you, like your mother’s maiden name or your date of birth.

Link to the rest at The Intercept

PG hadn’t seen The Intercept before finding the OP in his online wanderings looking for Amazon stories. He will leave it to others to judge how credible the threat described is.

1 thought on “Amazon’s One-Stop Shop for Identity Thieves”

  1. Fascinating, Captain. I have never encountered this phenomenon before…

    well…

    not since I’ve seen foreign intelligence agencies doing exactly the same thing with paper records, decades (even nearly a century) ago. OK, OK, I only personally witnessed the “decades ago,” but some of the records I had showed that the NKVD used the on-paper version of this sort of thing.
