[IRONY] US Postal Service Fosters ID Theft
The U. S. Postal Service’s heart is in the right place but its head seems to be elsewhere. A free USPS service called “Informed Delivery” intended to cut down on mail fraud has actually been used by ID thieves to run up bogus credit card bills in victims names. Security researchers say the weak identity verification used by USPS made the scam possible. Here is how the scam works, what you can do to protect yourself, and what USPS should have done in the first place. Read on for the details…
Informed Delivery - You've Got Mail!
The US Postal Service's Informed Delivery option sends you a text message or an email containing images of the address side of letter-sized mail that will soon be delivered to your address. The images are a by-product of the automated mail-sorting system. In addition to letters, you can also track packages via the USPS Informed Delivery service.
The object is to minimize the amount of time that mail sits in mailboxes or on porches, vulnerable to theft. Also, if you’re expecting an important letter or package on a certain date but it does not arrive, you can file a report right away. When you view the image of each mailpiece, there's a link to send an "I didn't receive this" message. Presumably, someone at your local Post Office will see that, and start looking for the missing item.
“Informed Delivery” is not a bad idea, per se. But the way in which USPS verifies the identity of someone creating an “Informed Delivery” account is deeply flawed. Four challenge questions are asked, and they are based upon data in the Equifax credit reporting database. You know, the same Equifax that leaked the personal data of over 143 million Americans in 2017? (See my article Equifax Takes the Data Breach Cake for a refresher on how bad the breach was, and how Equifax ultimately made it worse.) So the answers to some of the USPS verification questions are among that compromised data. Answers to other common “knowledge-based authentication” questions are publicly available. Bad actors can and have slipped through this torn net.
In Bell Isle, Florida, several neighbors received bills ranging from $2,000 to $14,000 for charges made to credit cards they never ordered or used. It seems crooks got approved for credit cards in victims’ names, then quickly signed up for “Informed Delivery” using their own email addresses so they would know when credit cards were going to be delivered to victims’ mailboxes. The crooks stole the cards that victims never knew were coming.
A resident of Grapevine, Texas, almost fell victim to a similar scam, but he was alerted by a letter from a bank advising him to expect the new credit card, which he had not ordered.
Another potential vulnerability in “Informed Delivery” is USPS’ plan to allow interactive ads in emails sent to customers. Unless ads are more tightly controlled than the rest of this service, it’s entirely possible they will be used by bad guys to steer victims to rogue sites for identity theft of malware downloads.
"I'll Have What He's Having..."
Aside from all of that, it seems there are some privacy issues in the system, related to addresses with more than one associated name. One person commented that he lives in an apartment above his landlord, so they share the same address, and he sees the landlord's mail in his informed delivery messages.
USPS officials say you can opt out of “Informed Delivery” by emailing a request to eSafe@usps.gov including the name of the customer, mailing and email addresses. But emails sent to that address get no reply, so who knows?
Putting a freeze on your Equifax credit file will foil online registration for “Informed Delivery.” You can freeze and unfreeze any of your credit files free of charge. With the Experian file frozen, a customer must present ID in person as a Post Office to sign up for “Informed Delivery.”
USPS says over 13 million customers have signed up for “Informed Delivery.” Security researcher Brian Krebs cites unnamed sources who claim 20,000 new sign-ups per day. The more people use this service, the more scams it will attract. USPS hasn’t a moment to lose in fixing the vulnerabilities in “Informed Delivery.”
Are you using the Informed Delivery service offered by the Post Office? If so, what has been your experience? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 18 Jan 2019
|For Fun: Buy Bob a Snickers.|
Are You Ready for Hardware Security Keys?
The Top Twenty
 What Dangers Lurk in Cyberspace?
There's more reader feedback... See all 33 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [IRONY] US Postal Service Fosters ID Theft (Posted: 18 Jan 2019)
Copyright © 2005 - Bob Rankin - All Rights Reserved