
U.S. Secret Service Warns ID Thieves Are Abusing USPS’s Mail Scanning Service - venturis_voice
https://krebsonsecurity.com/2018/11/u-s-secret-service-warns-id-thieves-are-abusing-uspss-mail-scanning-service/
======
TazeTSchnitzel
So I began reading and figured, huh, thieves must just stealing be the
validation letter USPS would send, and thought, hey, that system which is used
in many other places for similar things would be quite vulnerable to that
attack, right?

But then I got to this bit:

> KrebsOnSecurity took the USPS to task last year in part for not using its
> own unique communications method — the U.S. Mail — to validate and notify
> residents when someone at their address signs up for Informed Delivery. The
> USPS addressed that shortcoming earlier this year, announcing it had started
> alerting all households by mail whenever anyone signs up to receive scanned
> notifications of mail delivered to their address.

> However, it appears that ID thieves have figured out ways to hijack
> identities and order new credit cards in victims’ names before the USPS can
> send their notification

What the actual hell? You can sign up online to get mail scanned… without
_any_ physical verification you're at the address, with only a physical
_notification_ being sent _after-the-fact_?

What the hell are USPS smoking?

It makes me wonder what you need to do to sign up for this. I wonder…

 _goes to website_

it seems like the only thing they do is ask for the address, and you check a
box to accept the T&Cs. I don't know if there's actual verification beyond
that step, but it doesn't sound like there is…

~~~
LeftTurnSignal
I use this service, and when I signed up there was nothing to verify I was who
I was. I just put in my address, created an account, and within a day or so
could get scans of mail sent to my e-mail.

This is pretty great too. I moved about two months ago, and switched addresses
in Informed Delivery. I got a letter saying I switched, but I never put their
code into Informed Delivery, and I still get scans of my mail at the new
place. I got the scans before the validation letter, so I could easily have
stolen that, and no one would know I'm seeing their mail....

*Edit to make things clearer.

I have not validated anything. The letter says I won't get emails unless I put
the code in the letter in Informed Delivery. I did not do that ever and I
still get the emails.

~~~
tinus_hn
Note that tampering with the mail, even if there are little technical
limitations, is a federal crime that carries pretty severe penalties.

~~~
Someone1234
People love repeating this for some reason, but mail crime is under-funded,
rarely investigated, and even more rarely enforced.

Realistically if you tamper with mail nothing at all will happen to you, until
your fraud raises to a headline figure and could get someone a promotion.

~~~
SomeHacker44
My neighbor stole mail right out of my mailbox. I had it on video. The police
declined to do anything about it. So... anecdotally validated.

~~~
dmckeon
Try the US Postal Inspectors:
[https://postalinspectors.uspis.gov/](https://postalinspectors.uspis.gov/) It
may be too old or too small a case for them, but video evidence may help.

------
esotericn
The fact that "identity theft" is still a thing in 2018 is an indictment on
the legacy financial industry.

If not for the web of opaque "agencies" that collect and sell data about
individuals without affirmative action on behalf of the individual (frankly
still surprised this is legal) it would be a complete non-issue.

It's irrelevant to me whether someone else opens an account with my name -
just as it's irrelevant to me whether someone registers an account elsewhere
with the username 'esotericn'.

The banks bring this problem upon themselves.

edit: The replies to this post are missing the point entirely. Yes, it's a
problem because it's a problem.

It doesn't have to be this way.

~~~
TazeTSchnitzel
> It's irrelevant to me whether someone else opens an account with my name

If they commit crime in your name, that's your problem no matter what
financial system they do it in.

~~~
esotericn
Exactly.

It's a self inflicted issue. They claim that "my identity" matters, so it
matters.

Their decision making affects me through no action of my own.

If you sign up at Reddit with the username 'esotericn', I don't care. It
doesn't matter.

Somehow, if someone signs up for, say, a phone contract in my name and doesn't
pay it, it affects some opaque 'credit score' somewhere because an agency
couldn't be arsed to do due diligence. They push the burden on to end
consumers.

I sidestep most of this by just avoiding debt because I can't be arsed with
the farce.

~~~
TazeTSchnitzel
So, they shouldn't try to use identifying information to track down people
committing crimes?

~~~
esotericn
I'm not really sure how to answer this.

Sure.

That's not actually how "identity theft" affects people for the most part.

The case of the police turning up at your door or some sort of court summons
because a fake "TazeTSchnitzel" performed fraud is pretty rare.

What actually happens is some opaque credit score thing whereby you just find
interacting with the system harder because someone else fucked up.

For example, an agency deciding that because fake "TazeT" managed to get a
phone contract and didn't pay it, real "TazeT" must be a layabout and not pay
his bills.

Or an account of yours has the password reset because someone sent in a photo
of your ID gained from some database leak from a nightclub.

All of this comes about because of inaccurate linking of accounts. There are
trivial ways of determining actual linkage, for example if I send money from
account A to account B under the same name and it goes uncontested, it's the
same identity.

Using stuff like photographs of bits of paper or things sent in the mail as
proof is completely asinine. I get mail from half of my street because my
postman is underpaid and can't be arsed.

~~~
TazeTSchnitzel
Ah, yes, I see the argument about credit reports. Putting aside the question
of whether they can exist at all, the security checks are laughable and
therefore someone can make a black mark on yours by impersonating you with
much greater ease than should be the case.

~~~
esotericn
Right.

The other main category of problem that comes with identity theft is my own
resources being used (e.g. an account, bank or otherwise) by a non-me.

Again, this goes away if you use real authentication rather than "oh, he has a
photo of a pink bit of plastic with an address on it?, gosh must be him, here
you go!".

It would be more expensive to do so, though, so we don't. The burden is pushed
on to the end user.

------
driverdan
I've been using mailbox services (UPS Store) for almost 15 years. It costs
extra money but pays for itself many times over.

I never have packages stolen, never have to wait around to sign for things, my
mail is locked up, I don't have to put a mail hold or have a friend get my
mail when I travel, and never have to deal with changing addresses. It also
improves my privacy since fewer people have my street address. I don't worry
about someone doxing me.

It's not foolproof. Someone could social engineer access to my box or
packages. Doing so requires significantly more effort and risk than grabbing
something off a porch so it's much less likely. It would have to be highly
targeted too.

------
bjnord
I use Informed Delivery (pretty handy), so when I started reading the article,
I thought -- I should be safe, because I already signed up for the account at
my address.

Not so! FTA: "Normally in these cases I’d urge readers to simply plant their
flag by registering an account to claim their address. However, the USPS
allows new account creations for anyone currently able to receive mail at your
address, which means that claiming your address may involve registering an
account with every adult present at your address."

------
newman8r
I'm working on a honeypot service that lets people create canary credentials
to detect eavesdropping. One of the fringe use cases is to see if someone has
intercepted your mail or packages. I'm not sure if that's a use case anyone
actually cares about though, but stories like this make me wonder.

curious if this is something anyone here would want to try, I'm happy to give
some free invites if anyone wants - my email is in my profile.

~~~
charlietango92
would you mind expounding a bit on how this might work in application?

~~~
newman8r
Basically, we host a collection of honeypot websites, which resemble login
pages for a normal website. Our users create 'bait credentials'
(username/password) for these honeypot websites.

The users then hide these bait credentials in places that should be private
(in this case, a letter or package to be mailed). If an eavesdropper
intercepts the package, they'll also find the bait credentials (perhaps
written on a post-it note). If they try to use the stolen bait credentials at
the honeypot website, our users then get an alert, and the intrusion is
logged.

The normal use case is to place bait credentials on your devices or servers,
but in this case they would be used in a physical location (i.e. a letter in
the mail).

Take a look at [https://www.tamarin.us](https://www.tamarin.us) if you want -
I'd appreciate any feedback, I'm still trying to validate the concept.

------
vxxzy
Security Concerns aside. The informed delivery service is great. I've been
using it for a little over a year now. They began inserting ads into the
Informed Delivery Email. Senders must place some sort of barcode that is then
read by the USPS scanner. It's nice to see our postal service trying to close
the gap on their (net) loss.

~~~
GavinMcG
It would be nicer for Congress to not impose capricious retirement funding
requirements, artificially making them look unprofitable.

~~~
SilasX
Requiring that pensions and other future benefits be funded at their present
discounted value is majestically reasonable. The opposite is how you get
pension crises.

------
penguin123
I signed up the USPS mail scanning because I thought that it would be cool.
However, I live in a small apartment building, and apparently USPS doesn't
recognize it as an apartment building, so I would get everyone's mail. There
was no verification either. I found it kind of scary the amount of info I was
getting. Had to cancel because there was a lot of noise and it ultimately
wasn't useful for me.

------
mfielder
I've noticed after first signing up around April that whatever scanner they're
using can see through the envelope and you can pretty clearly read at least
part of the contents for a standard folded letter, but at some point later in
the year the contrast of the images was changed and it wasn't as common to see
it anymore. Most of my mail is junk, but I can only imagine the kinds of
opportunity that capability at scale presents.

~~~
sp00ls
I noticed the same thing with the see through envelope part. I live in an
apartment and get mail in my informed delivery dashboard addressed to past
tenants at this address all the time. The system seems to only care about
address, not name. The mail never arrives (possibly due to forwarding?) but I
can read the first page of about half of it. It does seem to have gotten
slightly better but I just checked my last few emails from USPS and I can
still make out words through the envelope. I'm sure with a small bit of image
manipulation I would be able to read them clear as day.

------
latchkey
I'm sitting here in Vietnam. For two years now, I get pictures every day of my
friends mail emailed to me because I switched my address to her house when I
left the US. I was not asked a single question about it, they just started
appearing after I filed a change of address notice, which cost me like $1 or
something. Something seems so wrong with that.

------
dboreham
When my wife signed up for this a few months ago I was astonished to see that
the envelope scans are sent in the clear in an email. I didn't realize at the
time that there is in addition no authentication of the sign up process!

------
chiefalchemist
Exploits aside, this service however convenient, just reeks of Big Brother to
me. Not that I get that much info via USPS anymore but the idea that
__everything__ is being logged (for future reference?) makes me uncomfortable.

~~~
jimmy1
Informed Delivery is just them offering a service based on infrastructure that
was already there -- the mail scanning was put into place during the 90's
anthrax in the mail scares, and that's really it's purpose.

~~~
chiefalchemist
" and that's really it's purpose."

Not to get off topic but...Or so we were told.

Today, __every__piece of USPS is scanned because of a handful of rogue letters
20+ yrs ago? No one unreasonable would find that reasonable.

~~~
jimmy1
It wasn't 20+ years ago, that was my bad (there were some anthrax cases in the
90s, but the high profile cases were in the 00's). There are cases of the USPS
finding traces of anthrax in mail every 5 years, on average, probably more
that we don't hear about. Most recent high profile case was in 2008.

Every package is also X-rayed for potential explosives because of a scare 20+
years ago -- and thankfully they continued to do so otherwise we'd have some
dead due to pipe bombs.

People find it extremely reasonable. We have increased airport security now
because of what happened 17 years ago and most people also find that
reasonable.

------
rabboRubble
I tried to sign up for this service and failed due to some identification
challenge issue USPS was unable to explain. The online sign up process went
along smoothly, but I was asked to bring a slip printed from the online
process plus valid identification to a post office for in-person verification.
Brought the documents and still was unable to validate my identity. The robot
behind the counter could not explain why the application was rejected.

Curious how identity thieves made could complete an application when I, with
all proper documentation in person at a post office, could not.

~~~
LeftTurnSignal
I just signed up for this (all online, never had to talk to anyone) maybe 6
months or more ago. I used it when it was "MyUSPS" too. Neither (at the time)
required any external forms of anything.

I just created my account, put my address in and that was that. Then I lost
that accounts info, or something weird happened with it and I could no longer
login to it. so I created another account for the same address. that validated
immediately too. I don't remember seeing any e-mails or anything notifying me
that a second account is now getting those e-mails. There's a chance there was
something, but I don't remember it.

Maybe I signed up for it before they had those extra protections in there, but
that's my experience so far.

------
twothamendment
I wonder if more than one party can sign up for the same address? Am I safe
because I've already signed up or are they happy to let someone else monitor
my mail too?

~~~
brewdad
Send me your address and I'll tell you. ;)

The article mentions that you really need to register every person at your
address to avoid being monitored by an unknown. Even so, there is no clear
indication whether USPS even verifies that a registered name receives mail at
a given address.

------
bargl
I didn't see it in the article, but these scans also show the first page of
the letter on top. I thought I was crazy when I first saw it, but I can
actually read account info etc from inside the letter!!!! If someone got my
account they'd actually be able to tell part of what I'm getting not just from
who.

------
lifeisstillgood
Despite the security issues, this is a pretty cool service - I wonder if the
UK Royal Mail is doing it ... oh of course not

------
rconti
Informed Delivery is great!

...... at sending me scanned mail from a place I lived at 9 years ago.

Tried to remedy it, not available at my ACTUAL address.

------
penguin123
when I signed up for this I put in my apartment number for my building, but
apparently usps thought I should get all mail for the whole building. I had to
cancel it as there was so much noise. But they didn't do any verification or
anything, which was kind of scary.

------
rudolph9
The article mentions the ability to “opt out” out but I can’t find it anywhere
on the usps website

------
EADGBE
FWIW, the Informed Delivery isn't available everywhere. I tried to sign up and
was denied.

~~~
creeble
Yes, not available at P.O. Boxes afaict too. I wish it were, until I read
Krebs' article!

~~~
zaatar
This is incorrect; you can indeed get Informed Delivery for [at least some] P
O Boxes, postal employees don't know how to do it, but if you change the
address on your Credit Card to be the P O Box, and then try authenticating
using that card, it passes fine. That's what I did for my own P O Box, for
example (it failed the first time when my card was using my street address).

------
xfitm3
I didn't even know about informed delivery until now. Cool feature.

