[IRONY] US Postal Service Fosters ID Theft

Category: Privacy

The U. S. Postal Service’s heart is in the right place but its head seems to be elsewhere. A free USPS service called “Informed Delivery” intended to cut down on mail fraud has actually been used by ID thieves to run up bogus credit card bills in victims names. Security researchers say the weak identity verification used by USPS made the scam possible. Here is how the scam works, what you can do to protect yourself, and what USPS should have done in the first place. Read on for the details…

Informed Delivery - You've Got Mail!

The US Postal Service's Informed Delivery option sends you a text message or an email containing images of the address side of letter-sized mail that will soon be delivered to your address. The images are a by-product of the automated mail-sorting system. In addition to letters, you can also track packages via the USPS Informed Delivery service.

The object is to minimize the amount of time that mail sits in mailboxes or on porches, vulnerable to theft. Also, if you’re expecting an important letter or package on a certain date but it does not arrive, you can file a report right away. When you view the image of each mailpiece, there's a link to send an "I didn't receive this" message. Presumably, someone at your local Post Office will see that, and start looking for the missing item.

“Informed Delivery” is not a bad idea, per se. But the way in which USPS verifies the identity of someone creating an “Informed Delivery” account is deeply flawed. Four challenge questions are asked, and they are based upon data in the Equifax credit reporting database. You know, the same Equifax that leaked the personal data of over 143 million Americans in 2017? (See my article Equifax Takes the Data Breach Cake for a refresher on how bad the breach was, and how Equifax ultimately made it worse.) So the answers to some of the USPS verification questions are among that compromised data. Answers to other common “knowledge-based authentication” questions are publicly available. Bad actors can and have slipped through this torn net.

Security problems with USPS Informed Delivery

In Bell Isle, Florida, several neighbors received bills ranging from $2,000 to $14,000 for charges made to credit cards they never ordered or used. It seems crooks got approved for credit cards in victims’ names, then quickly signed up for “Informed Delivery” using their own email addresses so they would know when credit cards were going to be delivered to victims’ mailboxes. The crooks stole the cards that victims never knew were coming.

A resident of Grapevine, Texas, almost fell victim to a similar scam, but he was alerted by a letter from a bank advising him to expect the new credit card, which he had not ordered.

Another potential vulnerability in “Informed Delivery” is USPS’ plan to allow interactive ads in emails sent to customers. Unless ads are more tightly controlled than the rest of this service, it’s entirely possible they will be used by bad guys to steer victims to rogue sites for identity theft of malware downloads.

"I'll Have What He's Having..."

Aside from all of that, it seems there are some privacy issues in the system, related to addresses with more than one associated name. One person commented that he lives in an apartment above his landlord, so they share the same address, and he sees the landlord's mail in his informed delivery messages.

USPS officials say you can opt out of “Informed Delivery” by emailing a request to eSafe@usps.gov including the name of the customer, mailing and email addresses. But emails sent to that address get no reply, so who knows?

Putting a freeze on your Equifax credit file will foil online registration for “Informed Delivery.” You can freeze and unfreeze any of your credit files free of charge. With the Experian file frozen, a customer must present ID in person as a Post Office to sign up for “Informed Delivery.”

USPS says over 13 million customers have signed up for “Informed Delivery.” Security researcher Brian Krebs cites unnamed sources who claim 20,000 new sign-ups per day. The more people use this service, the more scams it will attract. USPS hasn’t a moment to lose in fixing the vulnerabilities in “Informed Delivery.”

Are you using the Informed Delivery service offered by the Post Office? If so, what has been your experience? Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 18 Jan 2019


For Fun: Buy Bob a Snickers.

Prev Article:
Are You Ready for Hardware Security Keys?

The Top Twenty
Next Article:
[2019] What Dangers Lurk in Cyberspace?

Most recent comments on "[IRONY] US Postal Service Fosters ID Theft"

(See all 34 comments for this article.)

Posted by:

JOD
18 Jan 2019

This makes me wonder if Equifax has actually frozen my file, as requested since 2017, since I recently signed up online for Informed Delivery It has been working fine with no request to go to PO with ID.


Posted by:

J Stubbs
18 Jan 2019

The poor postal service. Delivery persons try real hard - despite the incompetencies of USPS upper management. USPS leaders and decision makers can't fix existing system wide problems and seem good at inventing new ones.


Posted by:

Don
18 Jan 2019

I also use the informed delivery and have had no issues so far. I like it because in inclement weather I sometimes don't go to my mail box for days if there is just junk there. There is rarely anything that comes by mail that is important anymore.


Posted by:

Will
18 Jan 2019

I have Informed Delivery and it is especially useful if you use a PO Box as it eliminates some useless trips. However, I have sometimes received the days before AND days after receiving a piece of mail. The "days after" part is the strange part.


Posted by:

Elsie M. Lucas
18 Jan 2019

How can you tell if you are signed up for the

"Informed Delivery" ?


Posted by:

Lou
18 Jan 2019

Thanks Bob for the information. It is very informative. I have an account with the USPS and therefore have access to the informed delivery section. I can say that it may have its flaws, but in general it works fairly good. I have often thought about what can thieves do with my account. But hackers get into any company including government agency's. So when you sign up for a service online, you cross your fingers and hope that nothing happens.
As for showing ID at the PO to get informed delivery, I learned that USPS is a government entity and does not need permission to access any credit agency. So they can go in and access your information, even if you have a credit freeze. I have a credit freeze since 2016 and last year I signed up for Informed Delivery, however, USPS could access my credit info. Here's the link to learn more about it:

http://postalnews.com/blog/2015/05/09/postal-myths-2-the-usps-is-not-a-government-agency/

Thanks again for the scoop on what's going on with "Informed Delivery."


Posted by:

Doug
18 Jan 2019

I have informed delivery and have had to report a couple of important pieces of mail missing. When I finally received them, on the front was handwritten "put in wrong mailbox". Our delivery guy is a contractor and not the sharpest tack in the box.


Posted by:

Brian B
18 Jan 2019

Just get a secure, lockable mail box, or a Post Office box.


Posted by:

George R
19 Jan 2019

based on the description of how the scam works, it seems that the best way to avoid it is to sign up yourself for "Informed Delivery" with your own email address. Then the scammers won't be able to sign up as if they are you at THEIR email address.


Posted by:

George R
19 Jan 2019

Sorry for the multiple posting. When I read the instruction


Posted by:

lrl
19 Jan 2019

I've had informed delivery since it was first offered. It's useful especially since my route always has late delivery (after 5:00 pm, sometimes after 6:30, unless the carrier is going on vacation the following day, then it's 3:00 pm).

I've had freezes on all my credit reports for decades, and I didn't have to unfreeze when I signed up for informed delivery.

Have also signed up for UPS and FedEx delivery notices; very useful as if you will not be home, can reroute delivery to a UPS/FedEx store for later pick up.

What I have noticed of late is a LOT of spam email claiming to be from USPS, but close inspection of the sender's email address shows it's bogus, e.g. USPS .


Posted by:

carmen
19 Jan 2019

Thanks for the info. I specifically CHOSE NOT to sign up for I.D., but I had a USPS account, so it was "given" to me...I wonder if that means I DIDN'T provide that identifiable information...I don't recall!

I find the information useful even though there have been 3-5 mail pieces so far that we've never received (including a pay check!), and reporting them as missing didn't do anything (as Art F mentioned). I once tried filing an official request for one of those pieces, but I think they only investigate mail that you SEND, not mail missing from your mailbox.

Weighing the pros and cons, I guess I'd rather have the service than not.


Posted by:

Tom C
19 Jan 2019

Thanks for this article. I too have been getting spam messages from "USPS" and "Fedx". What are the valid email domains for the Informed delivery Services?


Posted by:

J Stanley
19 Jan 2019

I have learned a lot from these posts and from Bob Rankin's comments. I have not signed up for Informed Delivery. I check my mailbox daily, but I don't always check my email daily, so the service probably would not be of much use to me. I guess the service would be of most use if one were expecting important mail.


Posted by:

Charles
20 Jan 2019

It's kind of funny. I remember driving up in front of the house, walking down to the mailbox on the corner (one of those multi-box types) and getting my mail every day. Even in light rain. It's part of the ritual of being a person, right? My daughters will have month old mail in the box; I don't get it. Is it hard? I'm retired, living in another country part time, so I don't get much mail now, but when I'm back in the US I stay with my daughter and walk down to the box, every day...


Posted by:

Paul Friswold
21 Jan 2019

Have had I.D. for a few months. When a piece of mail didn't show up in mailbox for about 4 days I went to PO with printed copy of notification. The clerk (very rude and not at all caring) said:"I only sell stamps." When I followed up about who to contact she said to contact the post office from where piece was sent. Used the "did not receive this piece" on the site and never heard word one from post office. Piece did eventually show up about a week late. It was a card from a relative and I wondered if it might have been toyed with as it might contain money??? Some pieces do show up a day or two late, some packages even before scheduled delivery date.In any event we're satisfied with the service as it does provide a bit of a heads up if important pieces of mail are enroute. Now if only we could get delivery on a consistent time basis. Some days around noon, other days as late as sometime after 7 p.m.


Posted by:

TK
21 Jan 2019

I've had Informed Delivery since it started. My complaint is that, on two different occasions (once early on, the other just last week), the email with images of my mail included a mailpiece for someone else at a completely different (but local) address. Not only is that an invasion of that addressee's privacy, but also if I happened to have criminal intent, I'd know exactly whose house to be lurking by when their mailman dropped an enticing piece. I can't help but wonder if images of MY mail have been sent to someone else. I did notify the Postal Service of this problem the first time it happened, for what it was worth (apparently not much). In any case, I appreciate the info in this article and others' thoughts in the comment thread also.


Posted by:

David
26 Jan 2019

Just like any other service, it is not without flaws,and yes it can be hacked, just like anything on the internet.
Complaints should be addressed with a supervisor, not a window clerk as they can't look up anything for you as it is restricted access.


Posted by:

TFH
28 Jan 2019

I've had Informed Delivery for about a month and appreciate that I know what's coming in the mail. It also tells you when USPS packages will be delivered. I purchased a locking mailbox years ago specifically due to credit card info theft. I have also received several scam email msgs. posing as USPS but it's easy to identify and delete them due to the personal 'from' addresses. There have always been thieves and will always be thieves. I guess they push us to become more clever than they are.


Posted by:

AJ
25 Feb 2019

I get 3 emails consecutively as if I signed up for Informed Delivery three times. I just review the images and delete the other 2 emails. Sometimes, I have reviewed the extra emails just to see if there is something different. I have been a victim of ID theft 3 times. It sucks.


There's more reader feedback... See all 34 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy


Article information: AskBobRankin -- [IRONY] US Postal Service Fosters ID Theft (Posted: 18 Jan 2019)
Source: https://askbobrankin.com/irony_us_postal_service_fosters_id_theft.html
Copyright © 2005 - Bob Rankin - All Rights Reserved