
Man Allegedly Used Change of Address Form to Move UPS Headquarters - augustocallejas
https://www.npr.org/sections/thetwo-way/2018/05/10/610102872/man-allegedly-used-change-of-address-form-to-move-ups-headquarters-to-his-apartm
======
princekolt
> "Henderson-Spruce did not identify himself on the one-page form. At first,
> the initials 'HS' were written on the signature line, but the initials were
> then scratched out and replaced with 'UPS,' according to the charges"

Come on, this guy is a genius. The fact he managed to pull it off by literally
using cartoon-level forgery is nothing but remarkable.

~~~
PascLeRasc
If he gets a reduced sentence he should be a prime prospect for security
analysis/social engineering consulting when he gets out.

~~~
azinman2
I think you're giving him too much credit here... I have a feeling it has a
lot more to do with luck, chutzpah, and USPS incompetence.

~~~
dmoy
Note they're separate things, you'd almost wonder if USPS was intentionally
messing up UPS. Probably not, but that'd be nefarious lol.

~~~
itronitron
excellent point, you would make a great defense lawyer

------
marme
The change of address form at USPS is laughably unsecure. All it takes is $1
and anyone can write any address and forward all the mail for 1 year to any
other address. There is no verification of ID and the only warning you get is
a post card at the original address telling you the mail is being forwarded
but by then it is already too late as mail is already being routed to the new
address. Even if you called immediately to stop it some of your mail would end
up at the new address

~~~
chrischen
Postal mail is insecure yet companies and services like to rely on it as the
authoritative form of notice and communication. That and also giving out info
over the telephone.

On one hand we have PCI-compliance, SSL encryption, and on the other hand we
have a phone call (unencrypted, easily tappable anywhere along the thousands of
miles of wire) where companies expect to call me and assume it's secure enough
for me to 1) know that it's definitively them and 2) not have some support
agent steal my credit card information/private information.

~~~
exelius
This drives me mad. My health insurance company tries to call me on a regular
basis, but because they have to verify they’re speaking with me for HIPAA,
they ask for the last 4 of my social.

To which I reply “You called me. I don’t know that you are who you say you
are. I’m not giving you anything.” And hang up. What moron thought this was a
good idea?

~~~
Stratoscope
Just the last four? You're lucky.

One time my own bank scammed me into giving them my full seven digit SSN over
the phone when _they_ called _me_. And all they had to do was ask me for it!

The worst part was that I fell for it. Of course, no harm done, because it
really was my bank, but what an idiot I was.

At least I knew better when the Windows Support people started calling me a
year later!

~~~
himom
7 digits? It’s 3+2+4=9 digits in the US.

~~~
Stratoscope
Thus proving that I can't count past seven!

You've seen off by one errors, this is twice as bad.

~~~
shkkmo
Would have been funnier if you said "thrice"

~~~
AlexCoventry
Which would be three quarters as bad.

------
mjevans
I would /really/ like for national ID numbers to be public, and usable //as//
'addresses' for sent items. The owner of such a national ID address could
update their preferred physical location (preferably also have different
delivery locations and instructions for mail / packages / 'legal documents').
Maybe even electronic delivery addresses as well.

I think the best way of preventing abuse for such a system would be to include
a lookup fee for its use (part of normal postage for mailed items).

~~~
jopsen
In Denmark we have electronic national ID with one-time tokens on a small
piece of paper.

You can use it for: government interaction, banks, utilities, health records, and
lots of other things.

They also made a digital secure mailbox, where you can receive PDFs from
government, banks, utilities, doctors, etc. You can also send replies.

It sucks that all of this is point-and-click web apps without a standardized
API. I'm sure other countries have similar things, but most implementations
are probably snowflakes.

Whereas email is universally integrated everywhere, it's not trusted for
personal sensitive information.

I hope one day secure webauthn and secure email will replace all these
snowflakes. But as much as I hate to admit it, the non-standard walled gardens
do do a better job, with higher security than the old paper world ever did.

~~~
foepys
> They also made a digital secure mailbox, where you can receive PDFs from
> government, banks, utilities, doctors, etc. You can also send replies.

Does that mean one has to constantly monitor this mailbox and is liable if
something is left unanswered?

~~~
jopsen
Yes! This sucks... You can get text or email notifications.

Like I said, I hate these systems with passion, but as much as I hate to admit
it they are more secure than paper ever was. Probably also more convenient, as
things move fast compared to snailmail.

------
louprado
The article doesn't mention, but the USPS no longer allows you to submit a
change of address from a commercial address. I tried to do this last September
when my business moved and I received a letter from the USPS denying my
request. This included any personal mail that was being sent to the commercial
address even if it didn't have my business name.

I am not sure when the above restriction went into effect. It appears the
crime mentioned in the article was in 2016, so perhaps it is recent.

~~~
_d8fd
This happened to me, too. I lived in a hotel, moved out, and was unable to
forward my mail. My hotel room was considered to be a commercial address. I
think this was in 2011.

------
matte_black
When I was young I “hacked” the USPS to send free mail by putting the return
address as the address I wanted to send to and leaving the actual address
blank or as some invalid address. Then I would deposit the letter somewhere
without a stamp and it would be sent across the country for free (but very
slowly).

Was this actually a felony?

~~~
CamTin
Yes, and a federal one.

~~~
matte_black
So what would I be looking at, prison time?

------
RcouF1uZ4gsC
From the article

> Henderson-Spruce now faces federal charges of mail theft, which carries a
> maximum sentence of five years, and mail fraud, which can be up to 20.

While a lot of current government processes aren't secure, they come with
pretty hefty penalties that dissuade most people from messing around with
them.

~~~
_bxg1
Same with banks/credit card companies. Credit cards are hilariously insecure,
but you'll get sued/prosecuted out the wazoo if you steal someone's info and
make fraudulent charges.

~~~
rosege
I would hope so but I'm not 100% sure - the reason is because I've had a credit
card used fraudulently in the past and I got a notification about it very
quickly so could alert the bank and merchants - but the things they bought
would be so easy to track to someone - e.g. Pizza delivered, online clothing
sent to a house.

~~~
therein
Pizza delivery was probably done to check if the card works and also throw the
trail off, and the online clothing sent to a house was probably a shipping
drop.

------
emodendroket
This is an amusing story, but how in the world could he have expected to get
away with this scheme?

~~~
ozten
As an American entrepreneur, he could have protected this revenue stream with
a consulting agreement with Essential Consultants LLC. Currently this
government program is in a closed beta, AFAIK.

------
eof
Somewhat related to this, you can submit an "informed delivery" for any
address; and they will send you photos of every piece of mail being sent to
that address. For free!

I found this out on accident when I forwarded my mail somewhere else while I
was traveling and they prompted me to sign up. I immediately started receiving
emails with photos of all the mail going to this address.

~~~
crazygringo
I signed up for it for my apartment... and started getting e-mails with
images of the envelope for every single piece of mail for _every resident of
the whole building_ to me.

Huge privacy fail. (And yes, the USPS knows about each individual apartment,
delivering mail into a separate USPS box per apartment...)

~~~
perl4ever
I was trying it out and it seems to be sort of the inverse for me - it showed
only one piece of mail on a day when there were several.

------
msravi
Wait... how did he manage to cash checks that were made out to UPS? Doesn't
the bank verify the beneficiary when cashing a check?

~~~
fyfy18
This was the most concerning thing to me too. How do cheques in the US work in
terms of verification?

~~~
pwg
There is essentially none. You could write a check out to "Mickey Mouse" and
deposit it into your bank account and I doubt anyone would notice.

If there is any verification, it occurs after the fact when someone complains
that a payment got lost. Then the banks start looking to see what happened.

~~~
peterkelly
That seems like something they should probably fix

~~~
pwg
You would normally think so, but they (the banks) likely have a different
viewpoint. They could either, for deposits into accounts in the bank:

1) slow down every deposit by an order of magnitude or more in order to
perform careful identity verification, when the vast majority are correct and
honest

or

2) expend effort, afterward, cleaning up, the very few that are doing
something illegal using the records they keep on what happened, and the fact
that they can simply reverse the transactions when they do find something
amiss.

For them, the cost of #2 is likely still lower than the costs of #1.

Now, the situation is different if you go in with a check and try to negotiate
it for cash in hand right then and there. They will do the full identity
verification at that time, massively slowing down your one-time action of
converting a check into US Dollars in your pocket. This of course makes sense,
there is no way to reverse a transaction that involves handing someone a stack
of fifty dollar bills that they stick in their pocket. But in this case, just
the one individual that did need to be triple checked before the action
completed had their time extended by the verification process.

------
ggm
"what we need, is a computer network, because this kind of over-the-counter
social engineering attack would _never_ work online"

oh. hang on...

------
macintux
To request a new social security card online, it takes your credit report
information.

Thanks, Equifax data breach.

Good news: the SSA will only send your new card to your current address as
reported in your credit report.

Thanks, USPS.

So, in summary, sounds like getting someone else’s social security card is
pretty easy. Admittedly there’ll be a nifty paper trail, but I’m sure that’s
solvable too.

------
Paul-ish
I've had a similar issue where a stranger put a hold on the mail to my house.
Took me a while to figure out, and I'm still not sure why it happened. If I
had been expecting critical mail such as bills, things could have gone worse
than they did. Fortunately it just delayed some packages and spam.

~~~
leephillips
About 20 years ago I had the bright idea of saving trips to the pharmacy by
having them mail me my medicine. After it was a week late, I noticed that I
hadn't been getting any other mail for a week, either. I went to the post
office and learned that my mail was on a vacation hold. Another tenant living
in my small building had filed a legitimate hold, and the P.O. decided that it
applied to the whole building, instead of just his unit. That was the last
time I entrusted anything important to the USPS.

------
iambateman
UPS should play this by sending the guy a package, addressed to UPS, at his
jail cell, thanking him for the service he provided them.

Pretty funny way to go to jail.

------
benmarks
I just CTRL+F'ed and am pleasantly surprised that no one has blah-blah-
blockchained in this thread. Perhaps we've turned a corner.

------
slededit
A lot of government services have no security. Most of the time they require
you to mail things in and rely on the fact that it's a federal felony of mail
fraud if you attempt to game them.

------
itronitron
I see a small business opportunity here offering a service of sending weekly
letters to a person's postal address just so they can be assured that their
address hasn't been changed.

~~~
bllguo
this reminds me of this:
[https://news.ycombinator.com/item?id=16867696](https://news.ycombinator.com/item?id=16867696)

apparently that is a service people offer on the dark net

------
ducttape12
If it was seriously this easy to pull off, perhaps the real guilty parties
here are the USPS workers who let this happen unchecked.

------
newobj
How did he cash all the checks???

~~~
chrischen
You just take it to the bank. One time my friend wrote the amount in the name
field and the name in the amount field and they still cashed it. They did
contact me about a week later, but by that time I could have just walked away
with the cash.

~~~
gowld
You're going to need some kind of ID to cash a large amount of checks. (Sure,
it could be fake ID)

~~~
icedchai
He probably just put it in the ATM, deposited it to his account. Eventually
someone will notice, of course... but it will take weeks, longer than it takes
for him to cash out his accounts.

~~~
pwg
If you are depositing into your own account you could even take it to a human
teller and likely get it deposited without so much as a raised eyebrow.

Of course, depositing it into your own account creates a "paper trail" that
will eventually lead to some law enforcement officer discussing your
activities with you at some time in the future.

------
magicbuzz
Laughable that he could do this!

------
stretchwithme
I find it hard to believe that the post office would actually start forwarding
somebody's mail.

~~~
pugworthy
That's... literally what the form is for.

~~~
stretchwithme
It just hasn't been my experience that they actually do it.

------
Overtonwindow
Now that’s some tenacity!

------
exabrial
The unionized idiots that allowed this should also be investigated. I'm a
little surprised this -could- be pulled off, I think it'd be worthwhile to
check for inside help.

Then again, maybe the USPS is in fact, just that incompetent

------
trisimix
This is so dumb. You can't be arsed to create a more secure form of this
process so you made it illegal. All he did was fill out the paperwork lol.

~~~
jedberg
Being illegal is what makes it secure.

