Monday, February 6, 2023
  • Home
  • Featured
  • Parenting
  • Pregnancy
  • Birth
  • Lifestyle
  • Shop
Baby Care News
  • Home
  • Featured
  • Parenting
  • Pregnancy
  • Birth
  • Lifestyle
  • Shop
No Result
View All Result
  • Home
  • Featured
  • Parenting
  • Pregnancy
  • Birth
  • Lifestyle
  • Shop
No Result
View All Result
Baby Care News
No Result
View All Result
Home Birth

Amazon’s One-Stop Shop for Identity Thieves

by Baby Care News
August 7, 2022
in Birth
Reading Time: 7 mins read
A A
0
LorenzoMatteucci theIntercept 08 05
Share on FacebookShare on Twitter


Imagine if a budding identity thief had a free, user-friendly, publicly searchable database that contained the name, location, date of birth, and mother’s maiden name of millions of people. Enter Amazon registries. We already know that Amazon collects plenty of personal information and data that can be arduous for its users to obtain, but the company also readily shares your information for anyone to access when you set up a registry. Because the default visibility settings of registries for weddings, birthdays, new babies, and other occasions are preset to public, Amazon reveals to the world information that financial institutions and other service providers request for identity authentication — and that identity thieves can use to take over your life.

Amazon's registry creation landing page.

Amazon’s registry creation landing page.

Screenshot: The Intercept

Identity Theft Registries

Amazon requires that certain information be provided when setting up a registry. For a wedding registry, Amazon requires the first and last names of both partners, the wedding date, the number of guests attending, and a mailing address. The default share setting is to make the registry searchable not only on Amazon but also via the third-party wedding planning website The Knot. This has led to confusion from Amazon wedding registry users over how The Knot received their registry details. Similarly, when creating a baby registry, Amazon asks for a first and last name, expected due date, whether the baby is the parents’ first child, and a mailing address. The default visibility setting is also set to public and to appear on pregnancy and parenting websites The Bump, What to Expect, and Baby Center.

Anyone can search for a public registry (even without an Amazon account) with just a name or further specifying a date and location. In addition to the list of desired products, wedding registries show the names of both partners, the event location, and the event date. Baby registries return either the name of the upcoming baby or the names of the parents, their city and state, and the expected due date.

At first glance, only wedding registries for weddings happening between 2020 to 2032 and baby registries with due dates between 2020 to 2023 can be searched for. However, there are ways to bypass the date restrictions to access registries from years prior. In the case of multiple results, wedding and baby registries display the top 100 matches, and if no date parameters are entered, search results may contain entries outside the default date ranges. For example, even though Amazon only lets you select dates from 2020 onward, if you don’t specify an exact range when searching a common name, you could get results from, say, 2008.

Perhaps the more critical vulnerability in Amazon’s date range search, however, is that the fields can be modified using the developer tools functionality available in browsers like Chrome and Firefox. A cursory search with modified date fields brought up wedding registries dating as far back as 2004, and baby registries dating back all the way to 2006. So someone could discover the details of a registry set up for a present-day 16-year-old. Who knows how this information could be weaponized in two years, once such a teen becomes a legal adult?

A redacted search result page for baby registries, modified to display results from 2006, despite Amazon's official form only allowing date ranges from 2020 to 2023.

A redacted search result page for baby registries, modified to display results from 2006, despite Amazon’s official form only allowing date ranges from 2020 to 2023.

Screenshot: The Intercept

(Widely) Shared Secrets

Knowledge-based authentication, known as KBA, is a form of identity authentication favored by service providers such as financial institutions that relies on shared secrets: information that is only known to you and your bank, email provider, or other service. For example, if you lose the password to your bank account, you can regain access by entering information that most people likely don’t know about you, like your mother’s maiden name or your date of birth.

Security questions like this have been around for a while. Banks have used mother’s maiden name as a form of identity authentication since at least 1882. But today these so-called secrets are inevitably shared much more broadly than account holders anticipate, resulting in harrowing cases of identities getting stolen with personal details used for authentication.

An early use of 'mother's maiden name' as a form of knowledge-based authentication in Frank Miller's 1882 Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams.

An early use of mother’s maiden name as a form of knowledge-based authentication in Frank Miller’s 1882 book “Telegraphic Code to Insure Privacy and Secrecy in the Transmission of Telegrams.”

Screenshot: The Intercept

Using multiple Amazon registries could reveal massive amounts of information not just about living people but even of a baby yet to be born. A wedding registry would show the mother’s maiden name, and a birth registry would list the projected date of birth, location, and either the expected child’s or the parents’ names. Should the baby not be born on their expected due date, there’s always the Amazon birthday gift registry to crosscheck. The location and date of the birth can, in turn, be used to deduce a partial Social Security number.

Using newborns for identity fraud is not a new phenomenon. The practice of adopting a deceased baby’s identity was popularized in Frederick Forsynth’s 1971 novel “The Day of the Jackal,” in which an assassin trawls small parish graveyards to locate a dead child whose identity he could assume in order to apply for a passport in their name.

While the technique of taking over the identity of a dead child is still used today, Amazon’s public baby registries have made it far easier to target those who haven’t been born yet. Identity thieves no longer need to peruse musty county registrar offices for birth certificates when they can just search for registries online.

Privacy Measures

While there are copious other ways to find personal information sprinkled throughout the internet, such as on social media profiles and genealogy websites, your Amazon registry doesn’t need to be another.

placeholder 1 1

Related

▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​▄​

Because Amazon registries are public by default, users have to manually toggle the privacy settings either to “shareable,” which makes a registry accessible only via a direct link, or “private,” making it visible only to the creators. Another option to mitigate data exposure is to fudge the expected due date, so Amazon doesn’t display the actual date.

Default privacy settings on Amazon's baby registry creation page. By default, registries can be searched for and are viewable by anyone without even requiring an Amazon account, and are also shared on three third-party sites, The Bump, What to Expect, and BabyCenter.

Default privacy settings on Amazon’s baby registry creation page.

Screenshot: The Intercept

Also take into account that alongside the treasure trove of personal information public registries afford identity thieves, the products themselves pose an additional security risk. Anyone could browse a gift registry to see which products have known vulnerabilities to exploit, such as baby monitors that allow remote access to their video feeds.

Once a registry’s purpose has been served, there’s little reason not to delete it, rather than leave it lingering for 16-odd years, as some users have inadvertently done. While a wedding registry is straightforward to delete, Amazon’s steps for deleting a baby registry are unclear, with step one cryptically instructing to “Go to your .” Perhaps the best preemptive solution is not to use a faulty, privacy-eroding service in the first place.

Amazon's instructions for deleting a baby registry.

Amazon’s instructions for deleting a baby registry.

Screenshot: The Intercept



Source link

Tags: AmazonsIdentityOneStopShopThieves
Previous Post

If U.S. can subsidize oil, it can subsidize parenting; give voters a reason to vote; policy reduces benefits for retirees; Joseph will innovate, collaborate in legislature

Next Post

Sunday Reads: One teen’s pregnancy scare; will cremations doom cemeteries?

Related Posts

gettyimages 1371783077
Birth

How to Register a New Baby for a Social Security Number

February 2, 2023
sky doctor stanford childrens 1200x675 2
Birth

A Joyful Pause for Premature Baby on Heart Transplant List

February 1, 2023
eug t
Birth

Where will Princess Eugenie give birth to second royal baby?

January 31, 2023
molly mae hague has given birth to her first child with tommy fury
Birth

Molly-Mae Hague gives birth and welcomes Tommy Fury’s first child

January 30, 2023
diddy love baby 012923 Split 1c487471e04b4c83936bab42ebe3c935
Birth

Diddy Shares Sweet Photos of 3-Month-Old Baby Daughter Love

January 29, 2023
amadea
Birth

Baby with rare condition teaches lessons of resilience, unpredictability

January 28, 2023
Next Post
autumn 6

Sunday Reads: One teen's pregnancy scare; will cremations doom cemeteries?

1f16c04a fcb2 443a 9332 0033caad1c92 shutterstock 1888258360

Can Dad Help With Newborns At Night? You Bet He Can

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

  • Disclaimer
  • Privacy Policy
  • DMCA
  • Cookie Privacy Policy
  • Terms and Conditions
  • Contact us
BABY CARE NEWS

Copyright © 2023 - Baby Care News.
Baby Care News is not responsible for the content of external sites.

No Result
View All Result
  • Home
  • Featured
  • Parenting
  • Pregnancy
  • Birth
  • Lifestyle
  • Shop

Copyright © 2023 - Baby Care News.
Baby Care News is not responsible for the content of external sites.