
USPS ‘Informed Delivery’ Is Stalker’s Dream - tonyztan
https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/
======
test6554
I wish I could have 72 hours to review the front of all my snail mail
electronically and either select "release to mailbox" or
"shred/recycle/delete". After 72 hours it just assumes you want to release it
to your mailbox.

Logistically, something like that could save the post office a bunch of money
since they don't refund postage just because it was delivered electronically.

Furthermore, people expecting a high-priority package would be more likely to
log in and release it to their mailbox more quickly.

Also I wish I could opt to "block sender" for ads and other junk. The post
office would still get money/postage, but I would just give the post office
advanced consent to shred/recycle all mail from this sender and consider it
officially delivered.

~~~
ghostly_s
> Also I wish I could opt to "block sender" for ads and other junk. The post
> office would still get money/postage, but I would just give the post office
> advanced consent to shred/recycle all mail from this sender and consider it
> officially delivered.

I don't think you understand how junk mail works -- the mailers have a close
business relationship with the USPS, and the fact that you can't 'block' it is
a deliberate design pattern. Junk mail is a huge (possibly the major?) revenue
stream for the post office. Forcing you to physically handle their advertising
message before discarding it is the whole value proposition of this form of
advertising; junk mailers aren't gonna keep paying the USPS if the ads are
never getting to you.

~~~
djsumdog
In many other countries, you can put "No junk mail" or "No bulk mail" on your
letterbox.

The US post service, being a service provided by the state, should help to
prevent wasting paper and serve the people, not the corporations. In the US,
the corporations are not just the primary customers of the USPS, they pretty
much own them as far as influence goes.

~~~
technofiend
That is true of far more things than just mail delivery. Unfortunately
regulatory capture is alive and well in Washington.

------
zaroth
This part was the most interesting to me;

 _There is a final precaution that should block anyone from signing up as you:
Readers who have taken my advice to freeze their credit files with the four
major consumer credit reporting bureaus (Equifax, Experian, Innovis and Trans
Union) will find they are not able to sign up for Informed Delivery online.
That’s because having a freeze in place should block Equifax from being able
to ask you the four KBA questions._

Do people realize that the freeze locks you out of any service using KBA to
authenticate? E.g. would this include sites like login.gov?

~~~
tedmiston
Is it easy or possible to freeze and unfreeze on demand as needed?

~~~
dawnerd
Sure if you like paying the fee every time. Shouldn’t have a fee to begin with
though. Just a way to talk people out of it, really.

~~~
gertef
Equifax is waiving the fee since the recent incident.

~~~
dawnerd
From what I read it's just on their identity service which isn't actually a
freeze. Also doesn't solve the problem of the other agencies charging. You
really need a freeze against them all.

------
gregmac
I signed up for a service from UPS a few years ago that notifies me of
impending shipments and lets me do a few limited things like 'Hold for
pickup'.

The authentication for it was simple and reasonably secure: they physically
mailed me a card with a verification number I had to type in. It took a few
days of course, but only someone with access to my mailbox can get the card
(and my mailbox requires a key to open).

This "knowledge-based authentication" system USPS is using is most definitely
less secure, and I can't fathom how it wouldn't be immensely more complex to
build and maintain.

~~~
zaroth
If you move, would UPS catch that and automatically turn it off?

~~~
huebnerob
I'll say that UPS will only send you automatic updates for packages that match
your full address, including your name. I'm signed up for the service, and I
receive uncannily perfect notifications every time a UPS label is generated
with my street address and name, however I've received exactly zero
notifications about my girlfriend's packages to the same address. In fact,
she's independently signed up for UPS MyChoice under her name and now gets
those notifications herself. It's a great service.

So, when you move, you don't really have to deactivate it so long as you don't
send any more packages to that address with your name.

~~~
gregmac
Thanks for verifying this. I'll add that I get notifications for my wife's
packages so it's likely only based on last name.

This also means in the case you move and the next resident has the same last
name as you, you'll get their package notifications (and can redirect their
packages). Presumably the next resident would have to call UPS support to
figure this out, but the danger is it would not be obvious someone else has
control until they use it, or you attempt to sign up yourself.

------
rconti
I'm accidentally stalking someone via Informed Delivery.

They emailed me, saying my address is eligible, so I signed in with my USPS
account. It ONLY listed an address from 2 moves ago; I haven't lived there in
over 6 years. There was no other way to sign up. So I signed up, assuming just
some records were out of date, or I'd be able to update my address once signed
in.

Nope. I'm getting informed delivery digests for a woman I don't know for an
address I haven't lived at in 6 years.

I changed my address in my USPS online profile, and stopped getting the
digests, but haven't gotten them for my new address yet.

What's frustrating about this is what's always frustrating about these kinds
of services -- I have no idea how they're tracking me, and hence no
understanding of how data is indexed.

USPS knows my address. I've filed change of address forms with them every time
I've moved. The mail was duly forwarded each time. I've put holds on my mail
multiple times when on vacation. The hold was honored. I've bought postage
online. Etc.

As an end user, I would't go so far as to say I can't _tell_ how it works, but
I shouldn't have to know, and I don't bother. If I file my change of address
or mail hold, and it works, that's all I care about. I don't bother to see if
I have a saved session, if I'm logged in or if there's just a cookie, and if
those services are tied to my online profile. I just go to the site, punch in
the info, and use it.

So I found it quite surprising that my online profile would have such horribly
out of date info (with no obvious way of updating it during the Informed
Delivery signup process).

------
wristmittens
I tied my email address to my USPS address three apartments and half a decade
ago. Apparently I never updated it since I'm now receiving email from Informed
Delivery with images of mail addressed to that apartment which is obviously
not addressed to me...

~~~
tedmiston
I wonder if they’ve thought through this use case for apartments. It seems
like you shouldn’t receive anything that doesn’t match your name or “current
resident”.

~~~
kylehotchkiss
It all works out if you do moving notification with them. Which everybody
should be doing, as things from the IRS or old utility bills sometimes tend to
not make it to new address you give them.

Plus some of the moving coupons they mail you are pretty good deals. Win-win.

~~~
rconti
Incorrect. My Informed Delivery information was 2 moves out of date and I
always file change of address, my ballots are sent to the new address, etc.

Looking back on it, I don't think there's any requirement you use your
usps.gov login to file a change of address, but that site's info is what they
use for informed delivery.

------
zeveb
What's really sad is that the USPS _could_ be in the identity business. What
other organisation has agents who canvas the entire country on a daily basis,
visiting every home and business?

~~~
crispyambulance

        > USPS could be in the identity business.
    

I have heard this idea before, and I wonder who first floated it?

Certainly, some role as an "authentication service" could be far more robust
and future-proof than their current bread-and-butter: the delivery of junk
mail.

~~~
throwawayknecht
It's already done in other countries.

[http://www.royalmail.com/personal/identity-
verification](http://www.royalmail.com/personal/identity-verification)
[https://www.deutschepost.de/en/p/postident.html](https://www.deutschepost.de/en/p/postident.html)

(Deutsche Post also runs a consumer bank, and does quite a bit of electric /
electric-assisted vehicle R&D.)

------
eeeeeeeeeeeee
Something else to keep in mind with this service: your email provider is now
getting metadata on all of your physical mail. By default, USPS sends the
actual image of the front of the letter to your email.

~~~
DarronWyke
Which really doesn't matter if you use that same address for online ordering.
Which has your address plastered on it. In plain text.

~~~
devy
No, that's not the point. It's not the plain text address info that matters
but the sender (who sends you snail mail) matters. E.G. 123 Main St, Music
City, USA is public knowledge to all people touches your physical mails, but
no one has the entire picture of all physical mails you are getting from in
your physical inbox (shops, banks etc.), until now with Informed Delivery
courtesy of USPS.

------
analogmemory
So I tried to signup and all the "knowledge-based authentication" questions
were places I'd never lived or phone numbers i'd never used. So I failed the
authentication. Now I need to go into a physical post office and verify in
person. This seems like a better option!

------
chx
While we do not have the same service in Canada, the federal my tax account
"forgot password" functionality is snail mail. Drove me nuts before I moved to
a password manager because I travel so much. Much like the presumed clients of
this service. So sending a snail mail would not be as effective as this
article makes it -- unless it's not verification but the password itself.

Consequently: what the post should do is create an account for everyone
eligible and send out a note with username and password. Done.

------
ckorhonen
I've been using the service for a while and really like it. One oddity though
- about 3 months ago my wife started getting Informed Delivery emails for our
old address, didn't sign up for it and it was obvious from the names on the
envelopes that we are not the current residents. Very odd...

------
dboreham
Funny I thought the exact same thing when my wife forwarded the email to me
the other day. Like: "What were they thinking??"

------
Aloha
As someone who uses this service, I find it invaluable.

~~~
benburleson
Would it not be just as valuable if they required better security to use it?

~~~
Aloha
it depending on how much - if it required a trip to the post office to enroll,
probably not, if it required me to mail a postcard back confirming I wish to
enroll, probably.

