
Postcode loophole enables fraudsters to hijack eBay parcels - jimnotgym
https://www.theguardian.com/money/2019/sep/22/fraudsters-hijack-ebay-parcels-postcode-scam
======
buro9
There does seem to be a spate of something... articles in which the solution
is "A British startup, what3words".

They must be spending a steady amount on PR. The news seems perfectly
constructed for the obligatory quote from their founder when in this case the
answer isn't their system, but just that Royal Mail use the correct
identifier: the post-code and the identifying information for the property
(building name and/or building number as well as company name if applicable).

~~~
whatfreewords
Their legal team is vicious about taking down any open-source implementation
of the W3W encoding algorithm. This is sad because it could be legitimately
useful in a small handful of circumstances, but only if it were free and open
to all.

We released WhatFreeWords last week and it was taken down after 4 days.

It is back up now at [https://whatfreewords.org/](https://whatfreewords.org/)
but who knows for how long.

You can read their DMCA notice to our previous hosting at
[https://whatfreewords.org/download/dmca-20190917.pdf](https://whatfreewords.org/download/dmca-20190917.pdf)

~~~
nitrogen
I'm not a lawyer, but I don't think US copyright covers functionality (that is
what patents are for) if you haven't copied any code or creative output, and
thus the DMCA wouldn't apply, so that wouldn't be a valid use of a DMCA
takedown.

~~~
whatfreewords
Unfortunately that's not how the DMCA works.

Once they've submitted a DMCA notice, the hosting company has to take it down
within 2 days unless you file a counter-notice, which has to personally
identify you and be signed "on penalty of perjury".

None of the DMCA process has anything to do with whether the claimant has a
legitimate copyright claim over the work.

------
mytailorisrich
The alleged issue highlighted in this piece of PR for a commercial company
(shame on The Guardian for playing along) has nothing to do with postcodes. If
there is an issue it is with the way Royal Mail handles tracked mail and
proofs of postage.

UK postcodes are more precise than in any other country I'm familiar with and
are a terrific system [1]: Postcodes are precise to about the street level vs.
a whole town or district in most countries. This allows websites that need
your address to work it out fully just by asking postcode and house number in
most cases.

[1]
[https://en.wikipedia.org/wiki/Postcodes_in_the_United_Kingdo...](https://en.wikipedia.org/wiki/Postcodes_in_the_United_Kingdom)

~~~
soneil
The Irish system, "eircode", is actually more exact. Much more exact. I live in
a regular semi split into two flats, and upstairs have a different eircode to
me. Because we both share the same front door, our letter-box is actually
mapped to three eircodes - eg 1 (the address of the house before it was
split), 1A & 1B (downstairs/upstairs, post-split). I also find it interesting
that the three are non-sequential.

~~~
noneeeed
That's pretty cool. It's funny that Ireland has such an accurate system now,
when it used to be used as the classic example of not assuming things about
addresses because much of Ireland didn't _have_ postcodes of any form.

I really like the idea of having a system that is that accurate. Although as
someone else pointed out, in the UK your postcode and house number/name are
almost always enough to uniquely identify your property.

------
peteretep
> “This issue highlights the fact postcodes are based on out-of-date
> technology”

Piss off, it shows that a postcode without a house identifier is a shitty way
for Royal Mail to guarantee delivery is all.

~~~
Zenst
More so as the onus and legal aspect (data protection) means that the receiver
has no way of disputing this with Royal Mail, only the sender does. So if the
sender pays for the basic service, this can happen, if they paid a little bit
more for the tracking service, that's different.

Case is, you can send a letter - no way of tracking that, but if you send it
recorded delivery, that's tracked.

So issue here is not the Royal Mail, more case of Ebay etc allowing people to
send things using the cheapest untrackable way and allowing such abuse to
transpire.

But then every system is abusable - you can send a recorded delivery item to a
person, log into tracking and see a copy of that person's signature which you
could then abuse in nefarious ways. But many systems open to such abuse. Send
a cheque to somebody - they cash it. Then track via your bank and get the bank
account details of the recipient. Heck send cheque via recorded delivery and
get the target's signature and bank account details, all legal like. Is
that a fault in the systems and even if it is - how do you fix that!

Well, Ebay could insist that all postings are done recorded delivery - would
solve this instance.

------
vanilla-almond
This article is quite confusing in the way it explains the fraud technique.
Here's my understanding (using a made-up example):

In the UK, a full postcode e.g. B40 4XJ (made up) can be shared by more than
one home or building. So the homes numbered 1-20 Acacia Avenue all share the
same full postcode: B40 4XJ

Janet lives at 7 Acacia Avenue. She sells her iPhone via eBay for £200 to
Patrick living elsewhere. She posts a parcel containing the iPhone to Patrick.

Patrick, via eBay, contacts Janet and says the iPhone is faulty and wants a
refund.

Through eBay, Patrick generates a return label (shipping label) which lists
Janet's address: _7 Acacia Avenue, B40 4XJ_. However, Patrick alters the
address on the label to state: _19 Acacia Avenue, B40 4XJ_.

He can do this, of course, because the label is generated online, and using
some graphics editing program, he can alter the label before he prints it.

Patrick posts an empty box to 19 Acacia Avenue and keeps the iPhone. Patrick
now has the iPhone and a refund from eBay for the £200 he paid for the iPhone.

What of the empty parcel posted to 19 Acacia Avenue? Presumably, the parcel
isn't signed for when it is delivered? Or is it? If the parcel requires a
signature on delivery, surely the resident of 19 Acacia Avenue will
immediately notice the parcel is addressed to someone else?

Please do correct the above if it's incorrect.

~~~
mamon
My understanding is that the empty box is posted to a different address,
because eBay only issues a refund when they get the confirmation that the
parcel was delivered.

I assume that the unsuspecting resident of 19 Acacia Avenue, B40 4XJ will sign
off receipt for the parcel, then open it and find the box empty, but since
they weren't expecting any delivery at all they will do nothing about it,
maybe just tell the story as an anecdote next time they go to drinks with
friends.

Another thing that enables the fraud is that eBay only compares postal codes,
so the delivery to 7 Acacia Avenue and 19 Acacia Avenue is all the same for
them.

~~~
lozenge
Ebay checks the house number as well. The problem is the package is routed to
the local post office using the machine readable barcode which contains the
postcode, then somebody reads the house number when they deliver the package.
By photoshopping the printed address, the parcel can be deliberately
misrouted.

That said, Royal Mail say anything over £100 should be Signed For so why did
eBay let somebody return an iPhone without using Signed For?

------
esotericn
This has almost nothing to do with a "postcode loophole" and almost everything
to do with the two following facts:

- eBay are supremely uninterested in being an unbiased arbiter of disputes.

This goes back as far as I can remember and likely to the dawn of eBay. People
have been scamming each other on there for 15 years at a minimum.

- Royal Mail do not provide proof of postage at a granular level.

Combine that with the above where eBay will probably take a piece of tissue
paper as proof of postage and there you are.

~~~
FDSGSG
> - eBay are supremely uninterested in being an unbiased arbiter of disputes.

It's not just eBay though, it's also the credit card companies. You can't
escape this by switching platforms.

------
ryanlol
So how does this enable the fraud? Why would this not work with an empty
return package?

E: I guess this is just one of many possible ways to force a carrier to "lose"
a parcel, enabling the fraudster to use the same ebay account more times
without attracting complaints from sellers.

~~~
thinkingemote
It does work with an empty package but it just goes to another address. So the
seller doesn't get any package. If the seller were to get an empty package
they would have some proof to show ebay and so the fraud would be harder to
stop.

~~~
megaremote
> If the seller were to get an empty package they would have some proof to
> show ebay and so the fraud would be harder to stop.

What? Think about it for a second, what proof would they have?

~~~
chaz6
They could have video surveillance of the package from delivery to being
opened.

~~~
ryanlol
Why would they bother with the video surveillance? That's not going to help
the seller win the dispute.

------
gandalfian
I'm not sure an exact grid reference would help delivery drivers in many urban
areas. There is just too much stuff jumbled on top and behind each other plus
shadowed from an accurate GPS signal.

------
jjp
Headline whilst HN correct is misleading.

TLDR - fraudster orders good, returns empty box with tracking, tracking label
is photoshopped to different property in post code. Fraudster knows that
tracking only records post code not property within post code. eBay issue
refund.

Problem is granularity of tracking nothing to do with post code loophole.

~~~
FDSGSG
Ebay would issue the refund even if the fraudster didn't photoshop the
tracking label.

Is the granularity of the tracking _really_ the problem? I believe fraud is
the problem, and it's an impossible one to solve.

~~~
mytailorisrich
The issue is Royal Mail being negligent.

Even for proofs of postage sometimes (always?) the certificate only lists the
recipient's postcode instead of the name and full address.

~~~
johnnycab
You are correct that _Proof of Postage_ only records the postcode, which can
only be obtained at the Post Office (for free), when handing over the
letter/parcel at the counter. However, you can insist upon the address or the
property number to be recorded ─ which requires a 'Certificate of Posting',
which needs to be filled in and stamped. You can have one or the other, not
both. This absolves RM of any negligence albeit they could clarify this
distinction.

Since, this particular scam is originating from a very specific ecosystem; in
this case, the responsibility ultimately lies with eBay and to a certain
extent with PayPal ─ who are blasé about these scams and have zero intent on
solving these issues, they are even happy to front-load the system, so it
favours certain types of scammers.

[https://business.help.royalmail.com/app/answers/detail/a_id/...](https://business.help.royalmail.com/app/answers/detail/a_id/826/)

~~~
mytailorisrich
If anything your reply makes RM look even worse... Also the issue seems to
also lie with tracking, not just with proof of postage (or whatever exists
solely for the purpose of confusing customers who are never made aware of
these 2 options)

------
beautifulfreak
This can happen in the US, too. I sat on a grand jury that heard a case
involving the same scam.

------
llacb47
Go away what3words PR team

------
why-oh-why
I find it ludicrous that we’re still not using GPS coordinates as addresses.
My address would look something like

    First Last
    Street # or Building Name if any
    18.0000 -7.0000
    USA


Basically the “ZIP city, state” line should be replaced by coordinates; 4
decimals are precise to 11 meters.

And in less dense areas you might not need the second line either:

    First Last
    18.0000 -7.0000


Mail is not handled manually anymore so why act like it still is?

~~~
pidg
How does your mail get delivered? Mine still gets delivered by a human.

~~~
why-oh-why
Your mailman follows a screen that tells them where to go.

~~~
nemetroid
From the few mailmen I know, this is hardly the case.

