USPS ‘Informed Delivery’ Is Stalker’s Dream (krebsonsecurity.com)
112 points by tonyztan on Oct 3, 2017 | 57 comments

I wish I could have 72 hours to review the front of all my snail mail electronically and either select "release to mailbox" or "shred/recycle/delete". After 72 hours it just assumes you want to release it to your mailbox.

Logistically, something like that could save the post office a bunch of money since they don't refund postage just because it was delivered electronically.

Furthermore, people expecting a high-priority package would be more likely to log in and release it to their mailbox more quickly.

Also I wish I could opt to "block sender" for ads and other junk. The post office would still get money/postage, but I would just give the post office advanced consent to shred/recycle all mail from this sender and consider it officially delivered.

> Also I wish I could opt to "block sender" for ads and other junk. The post office would still get money/postage, but I would just give the post office advanced consent to shred/recycle all mail from this sender and consider it officially delivered.

I don't think you understand how junk mail works -- the mailers have a close business relationship with the USPS, and the fact that you can't 'block' it is a deliberate design pattern. Junk mail is a huge (possibly the major?) revenue stream for the post office. Forcing you to physically handle their advertising message before discarding it is the whole value proposition of this form of advertising; junk mailers aren't gonna keep paying the USPS if the ads are never getting to you.

In many other countries, you can put "No junk mail" or "No bulk mail" on your letterbox.

The US post service, being a service provided by the state, should help to prevent wasting paper and serve the people, not the corporations. In the US, the corporations are not just the primary customers of the USPS, they pretty much own them as far as influence goes.

That is true of far more things than just mail delivery. Unfortunately regulatory capture is alive and well in Washington.

> I wish I could have 72 hours to review the front of all my snail mail electronically


> The post office would still get money/postage,

The post office can't take money from a customer and then fail to provide the service because someone else told them to. That would be fraud.

> Logistically, something like that could save the post office a bunch of money

Debatable for lack of data. Remember, the post office doesn't do special delivery runs just for you, rather to make deliveries to everyone on a route. If your neighbors are still asking for their mail, then the post office still has to pay for labor + gas + vehicle maintenance to make the deliveries, they just skip your house.

What you'd actually have to do is JIT dynamically figure out the daily delivery route, and see if doing so would allow the post office to employ fewer delivery people to cover a smaller number of overall daily deliveries. Of course, theoretically speaking that's relatively simple - but in the real world, different localities will derive different levels of benefit (including possibly zero) and it's a very expensive system to build to find out how much benefit would be derived.

I've nearly eliminated the amount of junk mail I get with https://www.paperkarma.com/ ... down to maybe one or two a week instead of multiple per day

If you're in Canada you can follow the instructions here for CanadaPost, https://www.canadapost.ca/web/en/kb/details.page?article=how...

This part was the most interesting to me:

> There is a final precaution that should block anyone from signing up as you: Readers who have taken my advice to freeze their credit files with the four major consumer credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) will find they are not able to sign up for Informed Delivery online. That’s because having a freeze in place should block Equifax from being able to ask you the four KBA questions.

Do people realize that the freeze locks you out of any service using KBA to authenticate? E.g. would this include sites like login.gov?

Isn't that an even better reason to freeze your credit reports, given that Equifax was hacked and they are providing knowledge-based authentication for the USPS and who knows what other services.

> That’s because having a freeze in place should block Equifax from being able to ask you the four KBA questions.

My father put a freeze on all three agencies when the news of the breach came out. Today, I tried to help him sign up for informed delivery (on the theory that if he did, it would be harder for someone else to do so in his name).

I don't know what impact the freeze had on the KBA, because it showed him a batch of four questions with information that was definitely his (like, last 4 digits of SSN), but then wouldn't verify him; he then got two more batches of questions that had absolutely no relevance, and choosing "none of the above" just resulted in two more failures to verify.

Is it easy or possible to freeze and unfreeze on demand as needed?

Sure if you like paying the fee every time. Shouldn’t have a fee to begin with though. Just a way to talk people out of it, really.

Apparently, in some states, they're not allowed by law to charge a fee. I'm in NY, and I was able to freeze my credit reports for free.

Equifax is waiving the fee since the recent incident.

From what I read it's just on their identity service which isn't actually a freeze. Also doesn't solve the problem of the other agencies charging. You really need a freeze against them all.

The bureaus allow lifting a freeze temporarily, but there could be a fee, depending on what state you live in.

I signed up for a service from UPS a few years ago that notifies me of impending shipments and lets me do a few limited things like 'Hold for pickup'.

The authentication for it was simple and reasonably secure: they physically mailed me a card with a verification number I had to type in. It took a few days of course, but only someone with access to my mailbox can get the card (and my mailbox requires a key to open).

This "knowledge-based authentication" system USPS is using is most definitely less secure, and I can't fathom how it wouldn't be immensely more complex to build and maintain.

Nextdoor takes this approach too to verify that you live in a neighborhood. However, the vulnerability I see in this is that there’s nothing that actually validates I live at an address just because I can receive mail that was sent there. E.g., someone could take it out of my mailbox without living there to verify that they “live” there; or I could send it to a work address.

Nextdoor does something that makes the postcard completely useless -- if you don't respond to the postcard, they'll put you in a queue for your "neighborhood leads" to approve:


The problem is this is your neighbor confirming that a person by that name lives near them. They have no way of confirming that person is the actual owner of the account being verified, unless they go over, knock on their door, and ask "hey, did you sign up for Nextdoor."

So someone could sign up for Nextdoor as me. I throw away the postcard, because I don't know why I got it and I don't want anything to do with Nextdoor. Meanwhile a well-meaning neighbor of mine can just go and approve the account.

If you move, would UPS catch that and automatically turn it off?

I'll say that UPS will only send you automatic updates for packages that match your full address, including your name. I'm signed up for the service, and I receive uncannily perfect notifications every time a UPS label is generated with my street address and name, however I've received exactly zero notifications about my girlfriend's packages to the same address. In fact, she's independently signed up for UPS MyChoice under her name and now gets those notifications herself. It's a great service.

So, when you move, you don't really have to deactivate it so long as you don't send any more packages to that address with your name.

Thanks for verifying this. I'll add that I get notifications for my wife's packages so it's likely only based on last name.

This also means in the case you move and the next resident has the same last name as you, you'll get their package notifications (and can redirect their packages). Presumably the next resident would have to call UPS support to figure this out, but the danger is it would not be obvious someone else has control until they use it, or you attempt to sign up yourself.

Unfortunately, I'm receiving scans of everything that comes to my mailbox, including mail destined for the previous tenant that is still addressed to my apartment.

Hm, I am not sure. The program is called UPS My Choice, one of the items in their FAQ [1] has:

"There are some common reasons why you’re currently unable to enroll in UPS My Choice, including:"

"You recently moved to a new home. There may be little or no public record information about your move. Unfortunately, until updated information about your move becomes part of the public record through mortgages, deeds, utility bills, etc., you won't be able to enroll."

It does sound like they do more verification, but it's not clear if they check this regularly to deactivate accounts.

It also makes me wonder if they verify by the name the shipment is going to (matching last name). I've never had something shipped to my house that didn't have my last name on it so I'm not sure.

[1] https://www.ups.com/us/en/help-center/tracking-support/valid...

They do verify names. I have had packages shipped to my house on behalf of friends, or in a hobby business name, and don't get notified like I get for my packages.

I'm accidentally stalking someone via Informed Delivery.

They emailed me, saying my address is eligible, so I signed in with my USPS account. It ONLY listed an address from 2 moves ago; I haven't lived there in over 6 years. There was no other way to sign up. So I signed up, assuming just some records were out of date, or I'd be able to update my address once signed in.

Nope. I'm getting informed delivery digests for a woman I don't know for an address I haven't lived at in 6 years.

I changed my address in my USPS online profile, and stopped getting the digests, but haven't gotten them for my new address yet.

What's frustrating about this is what's always frustrating about these kinds of services -- I have no idea how they're tracking me, and hence no understanding of how data is indexed.

USPS knows my address. I've filed change of address forms with them every time I've moved. The mail was duly forwarded each time. I've put holds on my mail multiple times when on vacation. The hold was honored. I've bought postage online. Etc.

As an end user, I wouldn't go so far as to say I can't tell how it works, but I shouldn't have to know, and I don't bother. If I file my change of address or mail hold, and it works, that's all I care about. I don't bother to see if I have a saved session, if I'm logged in or if there's just a cookie, and if those services are tied to my online profile. I just go to the site, punch in the info, and use it.

So I found it quite surprising that my online profile would have such horribly out of date info (with no obvious way of updating it during the Informed Delivery signup process).

I tied my email address to my USPS address three apartments and half a decade ago. Apparently I never updated it since I'm now receiving email from Informed Delivery with images of mail addressed to that apartment which is obviously not addressed to me...

I wonder if they’ve thought through this use case for apartments. It seems like you shouldn’t receive anything that doesn’t match your name or “current resident”.

When I registered a change of address with USPS they automatically canceled my informed delivery at the old address.

You also cannot have multiple addresses. So you would need to cancel your old informed digest to register your new address for informed digest.

I guess the best solution would be for them to periodically send a letter to registered addresses with a code they can use to view/manage informed digest recipients for that address.

It all works out if you do moving notification with them. Which everybody should be doing, as things from the IRS or old utility bills sometimes tend to not make it to the new address you give them.

Plus some of the moving coupons they mail you are pretty good deals. Win-win.

Incorrect. My Informed Delivery information was 2 moves out of date and I always file change of address, my ballots are sent to the new address, etc.

Looking back on it, I don't think there's any requirement you use your usps.gov login to file a change of address, but that site's info is what they use for informed delivery.

What's really sad is that the USPS could be in the identity business. What other organisation has agents who canvas the entire country on a daily basis, visiting every home and business?

That assumption doesn't work for a big chunk of rural and small town America. I make the once-a-week trek to the post office to pick up my mail.

I tried to sign up for the informed delivery service, since it would be nice to know if it's worth my while to make the weekly trip into town, but those stupid KBA questions would never let me through. Verifying you by random, incorrect data that they somehow scraped out of the ether seems much less reliable than just letting me show up at the post office with ID in hand to sign up for it.

> USPS could be in the identity business.

I have heard this idea before, and I wonder who first floated it?

Certainly, some role as an "authentication service" could be far more robust and future-proof than their current bread-and-butter: the delivery of junk mail.

It's already done in other countries.

http://www.royalmail.com/personal/identity-verification

https://www.deutschepost.de/en/p/postident.html

(Deutsche Post also runs a consumer bank, and does quite a bit of electric / electric-assisted vehicle R&D.)

I don't disagree about their ability to be in the identity business, but the image of them doing home delivery everywhere is a bit dated. There are swaths of the US where you get a PO Box and no delivery of any kind.

Or basically any new development since they require cluster boxes now. Unless it’s a quick stop for the driver, expect lots of “attempted delivery” slips.

Wow, that would suck, but at least they probably have street addresses. That whole 911 thing is oddly implemented.

I would love it if I could take a QR-code printed copy of my PGP key, and have the local post office scan and digitally sign it after verifying my identity. Or a local Notary Public.

Assuming you would pay the fee and supply the ids, I see no reason for a NP not to sign a printout of your GPG key + QR code, will, or whatever.

He wants someone to digitally sign it, like for the notary or the USPS to act as a certificate authority.

Isn't this a prime example of what happens when USPS puts a toe in the water of the identity business? Be careful what you wish for!

And has offices where one could go and have physical checks for establishing identity...

This is actually how it works in Germany. The postal service provides PostIdent [1]. E.g. when opening a bank account, you get a letter with which you go to a post office where you sign and your ID gets checked.

1: https://de.wikipedia.org/wiki/Postident

Something else to keep in mind with this service: your email provider is now getting metadata on all of your physical mail. By default, USPS sends the actual image of the front of the letter to your email.

Also, it looks like you can't change this behavior. I'd prefer if I simply received an email that said "you have mail coming soon, sign in to view the image" but it appears to either be off/on, you can't customize the actual notification message.

Which really doesn't matter if you use that same address for online ordering. Which has your address plastered on it. In plain text.

No, that's not the point. It's not the plain text address info that matters but the sender (who sends you snail mail) that matters. E.g. 123 Main St, Music City, USA is public knowledge to all the people who touch your physical mail, but no one has had the entire picture of all the physical mail you are getting in your physical inbox (shops, banks etc.), until now with Informed Delivery, courtesy of USPS.

Maybe go read what I wrote before replying? I'm talking about metadata. They will see every company/person you correspond with by mail now.

So I tried to sign up and all the "knowledge-based authentication" questions were places I'd never lived or phone numbers I'd never used. So I failed the authentication. Now I need to go into a physical post office and verify in person. This seems like a better option!

While we do not have the same service in Canada, the federal my tax account "forgot password" functionality is snail mail. Drove me nuts before I moved to a password manager because I travel so much. Much like the presumed clients of this service. So sending a snail mail would not be as effective as this article makes it -- unless it's not verification but the password itself.

Consequently: what the post should do is create an account for everyone eligible and send out a note with username and password. Done.

I've been using the service for a while and really like it. One oddity though - about 3 months ago my wife started getting Informed Delivery emails for our old address, didn't sign up for it and it was obvious from the names on the envelopes that we are not the current residents. Very odd...

Funny I thought the exact same thing when my wife forwarded the email to me the other day. Like: "What were they thinking??"

As someone who uses this service, I find it invaluable.

Would it not be just as valuable if they required better security to use it?

It depends on how much - if it required a trip to the post office to enroll, probably not; if it required me to mail a postcard back confirming I wish to enroll, probably.
