Let’s say you’re part of a large brood and everyone — from Aunt Edna to Cousin Jerry to Grandma — wants to know what to buy you or your kids for the holidays or for birthdays.
You could tell everyone different items and hope they’re within your family members’ budgets. You can also cross your fingers that they choose the right product in the desired color or size.
Or, you can create a wish list with your favorite retailer.
It’s simple. You go to the retailer’s website, log in and create your list. Then you basically go shopping, plopping the items you long for on the list.
When your relatives are ready to shop, they can visit the site, search for your wish list and select the items they want to purchase.
It’s seen as a win-win: you get what you want and you take the guesswork out of buying for your loved ones.
But if you’re not careful, wish lists can lead to identity theft.
It’s way easier than you might expect to get private information about people from their wish lists.
As an example, we decided to see what we could learn about a Bamboozled relative who is married with two kids.
We started at Amazon. (In case you missed it, read our recent warnings about fraudulent third-party sellers who sell their fake wares on Amazon.)
We clicked over to the wish list page and entered the relative’s name.
Her list came up, as did her birthday — an important factoid for those who might want to steal her identity.
We clicked around her list, and we learned the names of her two children. That’s because she added notes to the items her kids wanted, specifying which kid each item was for.
Next, we tried Target to see if she had a list there.
She didn’t, but both of her kids did. Those were easy to find because we learned the kids’ names on the Amazon site.
Their lists told us the town and state in which they live.
Not the full address, but the town and state are another nice chunk of information for fraudsters.
Over at Walmart.com, wish lists showed us their town and state, and the birthdays of the kids.
So in less than 10 minutes, we had the names of mom and the kids, birth dates for all three and the family’s town and state.
This relative made a big mistake. All three retailers — Amazon, Target and Walmart — offer privacy settings for wish lists.
But shame on the retailers — the default setting is to make the list public.
So how could scammers use this information? Pretty easily.
There are lots of public databases where the scammer can take someone’s name and hometown and learn more. Exact addresses from property tax records. Email addresses from Facebook, LinkedIn and other social media sites — if the user is loose with privacy settings. And you’d be surprised what a Google search can yield.
Next, with readily available technology, the scammer could create a fake login page for any retailer, borrowing screen shots of the actual retailer login pages. Then the scammer could include code that would record whatever is typed into the login pages — a user name and password.
Once the fake web page is up and running, the scammer could send the user an email impersonating the retailer. It might say, “Here’s a coupon code for an item on your wish list,” or “We have a question about an item on your wish list” or “Somebody has made a purchase from your wish list.” Anything to make the user want to get an update or visit the site. And the email would include a link.
When the user visits the fake site and enters her login and password, the scammer now has access to the person’s account.
When the scammer visits the real account, they can get even more information about you: your full billing and shipping address (and the addresses of anyone you’ve sent a gift), your phone number, and the last four digits and expiration dates of as many credit cards as you’ve added to your account. They can also change your password.
Does it matter if someone can break into your Amazon or Target or Walmart account?
It matters plenty.
They can make purchases and have the items sent to their own address, but that’s not the worst of it.
You see, despite warnings, most people use the same passwords and logins for most of their accounts.
All the scammers have to do now is guess. Guess which banks or financial institutions you use — and they have clues because they had access to your payment information on your retail accounts.
Or they can simply use the info they have to open new credit cards or loans in your name. Or in your kids’ names.
So what should you do?
For starters, if you use wish lists, don’t allow them to be public. Again, public is the default for the lists we’ve examined, so be sure to actively click what you must to make the lists private. You can always send your relatives a link to your list, and some retailers allow you to invite people to your list via email.
Next, don’t use the same login and password for all of your online accounts. Just don’t.
Also, think twice about storing credit card information on any retailer’s website. Hacks happen. Data mishaps happen. Don’t let it happen to you.
Finally, don’t click on retailer emails unless you’re absolutely positive the email is coming from the real business. If you want to use a coupon code from an email, copy it down rather than follow the link — just in case the link takes you to a phony imposter site. Type the address for the real site and type in the coupon code at checkout.
And don’t forget you can check your credit reports for free once a year through AnnualCreditReport.com.
Stay smart, Jersey.
Have you been Bamboozled? Reach Karin Price Mueller at Bamboozled@NJAdvanceMedia.com. Mueller is also the founder of NJMoneyHelp.com.