U.S. Secret Service Warns ID Thieves Are Abusing USPS’s Mail Scanning Service (krebsonsecurity.com)
269 points by venturis_voice 3 months ago | 129 comments

So I began reading and figured, huh, thieves must just be stealing the validation letter USPS would send, and thought, hey, that system which is used in many other places for similar things would be quite vulnerable to that attack, right?

But then I got to this bit:

> KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.

> However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification

What the actual hell? You can sign up online to get mail scanned… without any physical verification you're at the address, with only a physical notification being sent after-the-fact?

What the hell are USPS smoking?

It makes me wonder what you need to do to sign up for this. I wonder…

goes to website

it seems like the only thing they do is ask for the address, and you check a box to accept the T&Cs. I don't know if there's actual verification beyond that step, but it doesn't sound like there is…

I use this service, and when I signed up there was nothing to verify I was who I was. I just put in my address, created an account, and within a day or so could get scans of mail sent to my e-mail.

This is pretty great too. I moved about two months ago, and switched addresses in Informed Delivery. I got a letter saying I switched, but I never put their code into Informed Delivery, and I still get scans of my mail at the new place. I got the scans before the validation letter, so I could easily have stolen that, and no one would know I'm seeing their mail....

*Edit to make things clearer.

I have not validated anything. The letter says I won't get emails unless I put the code in the letter in Informed Delivery. I did not do that ever and I still get the emails.

I just signed up, and this is what you see after you create an account: https://i.imgur.com/uHponvi.png

Verify online, verify by mail, or... skip. When I hit skip it just sent me to a dashboard that says I'm not enrolled because I'm not verified. I'm gonna let this sit for a few days and see if I start getting the emails.

Yes, it is that easy. I did it and told my parents about it. They signed up to be notified when my grandparents received mail so they could make sure bills were taken care of. Not a case of abuse, but they didn't have to validate anything to start receiving notifications of other people's mail.

Note that tampering with the mail, even if there are little technical limitations, is a federal crime that carries pretty severe penalties.

People love repeating this for some reason, but mail crime is under-funded, rarely investigated, and even more rarely enforced.

Realistically if you tamper with mail nothing at all will happen to you, until your fraud rises to a headline figure and could get someone a promotion.

Interesting you say this as I had heard similar stories of underfunded mail crime investigations in the past. However, where I live is a very seasonal location. Population goes from 10000+ over the summer to under 1000 during the winter months.

Several years ago a couple people in the community noticed problems with their mail (mail seemingly missing, receiving wrongly addressed items, etc.). They called the postal service and an investigator was out in days. Within two weeks there were hidden cameras mounted in various locations around town pointed at mailboxes. A few more weeks and they apprehended an individual going through mailboxes based on the photos from those cameras. I don't know the final outcome, but the total turnaround from notification to arrest was less than 3 months.

> They called the postal service and an investigator was out in days.

Even underfunded agencies can prioritize. A call notifying them of a problem is a world of difference than them identifying and pursuing issues on their own.

Just like how an underfunded police department may not patrol all the areas they should, but if you call them to notify them of a crime, an officer will likely show up at some point. Even if the officer shows up quite a bit later, the relative difference to when an officer might stumble across that area, much less evidence of the crime, is probably somewhat comparable.

My neighbor stole mail right out of my mailbox. I had it on video. The police declined to do anything about it. So... anecdotally validated.

Try the US Postal Inspectors: https://postalinspectors.uspis.gov/ It may be too old or too small a case for them, but video evidence may help.

For mail-related crime, you should also contact the U.S. Postal Inspection Service. https://postalinspectors.uspis.gov

People love stating this fact because it's likely most people are surprised the law allows for such severe serious penalties for what might seem like a petty infraction. What you've said about underfunded enforcement and rare investigations could be said about almost every other type of non-violent crime.

Uh KYC banking laws used to fund terrorism (e.g. hawalas) have been extensively ramped up over the past 20 yrs. There's certain non-violent crimes that law enforcement has carte blanche to investigate.

That's good to know.

> "about almost every other type of non-violent crime."

The DEA and other drug-related enforcement certainly isn't underfunded ...

I don't think GP is suggesting that anyone here tamper with mail. However, if you are someone who steals identities and money why would you care? This is pretty easy to verify properly and short of the time delay I can't think of any negative of doing so.


This is all my own mail. When I switched ID to the new address, I no longer received emails of mail going to my old address automatically. So there's that.

Observing someone else's mail wouldn't count as tampering with it. Some other category might apply though.

IANAL but the impression I get is that loosely defined terms like "tamper" can be interpreted in many different contexts depending on how eager the prosecutor is.

Falsifying your identity to a federal postal service to gain access to someone else's mail? That breaks a wide range of laws

Right -- falsifying identity to get postal resources would be a relevant category of crime. I don't see how mere non-destructive observation of the external packaging would count as tampering though.

This is correct in my experience. The letter says you have to confirm with the code, but even without doing that you keep getting the emails with scanned images.

I just tried to sign up with my business address. It told me that the address is not available for Informed Delivery but rather than it just ending there, it allowed me to go ahead and create an account for that address anyway. I'll have to wait and see if they later reject the account somehow.

Same exact situation here. Moved, got mailed a code to verify my address change, was lazy and never entered the code into Informed Delivery, still get Informed Delivery email notifications for scans of mail sent to my new address, and I am able to view the scans.

Yeah. It's essentially this bad almost everywhere.

You think "surely X" but no. Almost never X. Almost always some lazy Y or nothing at all.

After a couple consulting contracts / vuln disclosures I updated my priors of how competent the government was. I'm actually getting worried now that everything is going cyber-physical and corporations can pull the wool over their eyes. The government is great at offense, but defence is boring. Especially at non-fancy agencies / departments. And the salaries are low.

But it doesn't even matter really. Basically so many things are broken and offense gets better over time while defence gets worse. I'm fighting for regulations, etc. But this stuff is so ill-defined that the government has trouble understanding it.

I have come to blame the universities. The CompSci department should have gone to the Civil or Nuclear Engineering department and said "ok, how do we think about time frames over 100 years?" and built out courses out of that. But other than a handful of rare exceptions, right now most grads come out not understanding the true gravity of their decisions.

The one nice thing is that offense is usually incompetent too. I've been on projects dealing with real crime[0]. The number of people nailed with just getting an IP is lolsy. Most criminals are stupid. I partly want to relay what the smartest 2%ile did just to show how low the bar is, but I fear educating the lower 98%.

[0] Not stupid drug war stuff.

This is a great perspective but it's important to remember your sample bias -- you're only making judgments about the offender you've identified. Or more snarkily, you've only caught the people dumber than you.

When you're talking about basic attacks to steal some money, this is a substantial but not world-changing effect. On the other hand, a government or cartel willing to invest significant resources in cyber offense can really move the needle. What we've seen Russia, North Korea, Israel, and others achieve is probably only a fraction of what they've actually achieved.

Yes, but they don't put their crack team on most stuff.

Have you read the Snowden leaks? The actual raw content?

It's pretty tame shit. My main takeaway was ahh, yes the world is as insecure as I thought it was not oh, these guys are using space laser technology hacks.

They've got crack teams to break into some harder gear, and they've got some crazy awesome cryptanalyses going on, but for most of it it's just what you or I would do if someone asked us to get into a bank or whatever. Most stuff is easy to hack anyway unless it's a fully patched iPhone or patched / stripped / locked down Windows server.

Plus you can see the codebases these guys have put out anyway. There was that pedophile CIA coder that had some of his personal codebase match his internal work and there are a bunch of current and former NSA / CSE guys floating around conferences.

I sat with a whole table of them and watched them fall for a simple social engineering attack one minute after being told they were going to fall for the attack.

They're not gods shimon.

> I sat with a whole table of them and watched them fall for a simple social engineering attack one minute after being told they were going to fall for the attack.

Story time?

I mean it isn't that interesting of a story, really.[-1]

And I want to stress I'm not a full time government contractor. I just did a couple short contracts for a department and it made me wtf so hard I signed up for one of those conferences where they set the ticket price so high it keeps out the curious[0], but it isn't classified or even protected.

But I'll share anyway because you asked.

I walk into the room titled "something something Social Engineering Attacks" because the other one was on something I couldn't care less about. Fiddling with AWS settings probably.

Look around. Mostly tired, overworked looking sysadmins from different government departments and the occasional consulting company or bank.

Walk further into the room and there it is, a table full of my people. Dungeons and dragons (D&D) looking types of both genders that looked like they were born in or around 1984.

Sit down. "Hi." They're friendly; I forget what we talk about, but they all have sigint department name tags. Most were slated to give talks later in the conference.

Talk starts. Guy on stage.

Guy: "Within one minute of explaining what I'm going to socially engineer you to do you will do it."

Me: Internal monologue; The fuck you will.

D&D: Look kinda intrigued, kinda befuddled.

Guy: "Ok so first thing we need to do is to get you to stand up. Don't worry the clock hasn't started yet. We're just standing."

Me: Squints skeptically. Stands. Internal monologue: Where the hell is this going?

D&D: Stands up like the rest of the room, faces guy.

Guy: "Ok here is the game I'm going to get you to flip your hands like this."

Guy: Flips hands from palms down to palms up.

Me: Internal monologue: The fuck you are.

Me: Crosses arms.

D&D & Room: Chuckle.

Guy: "Ok, you ready? Go. Oh; one last thing..."

Me: Internal monologue: Ha! Good fucking luck buddy you already said "go" and I'm already crossed.

Guy: "...otherwise there is no game at all you'll just cross your arms and stand there. So you have to put your arms in front of you like this..."

Guy: Begins to slowly raise his arms.

D&D & Room: Begin to raise their arms so their palms are face down to the ground.

Guy: "... like this."

Guy: Shows arms out in-front of him with the palms face up.

Me (Quietly, to my table of future elf and dwarven partisans.): "Nooo. Don't do it."

D&D & Room: Flip their hands over to match guy.[2]

D&D: Look away from guy to me.

Guy: Does the TA-DA gesture.

Room: Laughs.

D&D: "How did you know?"

Me: "I know how these people think."

Rest of the conference people were convinced I was a Canadian spy or something. It's ok though. I got too drunk and made a fool of myself because a convo I had with a cyberwarfare guy (essentially) confirmed my fears that self-driving cars were WMDs due to class-attack (bad server update ala notPetya, say).

Gunna be feeling the burning shame on that one for at least another year.


At least all that foolishness is over. I thought I was losing my mind. Now that Schneier's book is out and it's been almost a year I'm back to being able to trust my own mind again. The cybersec scene is kinda stressful, but it's nothing compared to the kind of stress where you can't trust your own mind.

[-1] Well it wasn't going to be, so I spiced it up a bit by expanding into my failings as a human.

[0] Well most of the time, anyway. Can't stop me from lolsing into a conference to get a better read on where things are at.

[1] Memory isn't perfect, but you get the idea.

[2] Room of 100 people and I'm almost certain I was the only one that didn't get tricked.

There are some interesting social pressure group dynamics at play (e.g. go out in public and start staring at the sky and people will start trying to see what you are looking at and glance at the sky -- literally monkey see monkey do?)

If somebody's staring at the sky, either there's something interesting to look at or they're nuts, and I like to give people the benefit of the doubt by not assuming the latter.


We had Informed Delivery at our old house, and now we have it at our new house... except we don't know how to stop receiving emails from the old house, so we know what the homeowner of our old house gets every day.

Did you set up a different email account for your new house? I think they have some very simple check (not that secure obviously) that a single email can only sign up for informed delivery for one address.

There's a link at the bottom of every email to unsubscribe

You can forward someone else's mail too. Just go to the post office, fill out the form, and drop it in the mailbox. There's no verification, though there is notification at both the old and the new address. Not to mention it's a crime to do that.

Here in Sweden, everyone's address has to be registered with the Tax Agency. In their (securely authenticated by digital ID which can only be obtained using photo ID) online services you can choose to disallow changes of your registered address which are not made digitally to prevent this kind of thing.

Personally I have this turned on, because I'm conscious that every piece of information you'd need to send a fake address change notification for me is either public or easily obtainable with a call to the Tax Agency, which is far from reassuring.

That system would also allow us to completely get rid of our horrendous voter registration system, and make universal voting a reality.

The failures of the US voter registration system are deliberate, targeted disenfranchisement.

It would. In fact, Sweden has no “voter registration” per se, everyone who is registered as living here just gets a voting card in the mail before the election, I did earlier this year. (I only moved to Sweden this year and had no idea how to register to vote, turns out I don't need to!)

It's not great for privacy though, so I understand the resistance of the US and the UK to it. Mind you, the US wouldn't have to make the whole thing public like Sweden does for… reasons.

What if you have like 10 addresses? Can you vote 10x?

One registered main address per person, though you can register an additional “special post address” if you want to get your mail somewhere other than where you sleep for an extended period of time. You can't vote twice even if you did get two cards, you have to show ID (which I dislike, but it's at least relatively easy to obtain here) and your name is crossed out on the voter list once you've voted.

Lots of countries use the tax system to automatically sign up voters. Obviously this doesn't catch all potential voters - the people who don't file taxes because they have no income are likely a lot of the most disenfranchised individuals - but it gets you 90% of the way there. In Canada, whenever you file your taxes you have a box to tick 'automatically share my information with federal and provincial elections authorities'.

While it's administered by the Swedish Tax Agency, what Sweden has is actually a general population registration system that everyone* has to be in and which is used across the entire government.

*Asylum seekers and various types of temporary residents and such are not technically considered to be in the population register, though they are usually still in fact in the database, just with less information and a flag saying they don't count

Except in the USA, voting is constitutionally a state thing, not federal.

Federal laws, oversight. Local administration.


Cue the fever dreams whenever anyone merely suggests we harmonize, normalize the details. As if predictable standards for signature verification will inevitably lead to a military coup.

Even if that were entirely true, which it isn't, the Constitution is not fixed (except maybe the part about equal representation in the Senate, and there's a two-step trick to change that, too.)

The thing that stunned me about mail forwarding in the US is that it's free. There's as little verification here in Canada as in the US, but it's a pretty pricey service (minimum ~$60 depending on length of time) which naturally rate-limits fraud attempts.

Oh it's "Free" in the normal way. In that they sell your new address to marketers. I stopped using it years ago when I moved and then started getting catalogs for what felt like every business out there.

It struck me how easy it would be to get someone else's social security card this way: with the information from the Equifax breach, you have all the data you need to request a replacement card online, and by forwarding their mail you can get the card when it arrives.

It's always been easy to commit crime, it's just harder to get away with them, and luckily most people don't want to commit crimes (and then another percentage don't think the risk is worth the reward -- hence deterrence). In this case, anything related to stealing someone else's mail is an insta-felony.

Last time I got social security cards, they were printed on cardstock with absolutely no security features. They would be trivial to counterfeit, if you had the number to begin with. It's amazing that they are accepted as a form of ID to get e.g. a passport.

They may be one form of ID required. (And I'm not sure that's even the case.) They are certainly not sufficient. You need proof of citizenship. You need some form of government-issued ID.

I haven't personally had a social security card in many decades. For the first time in I don't know how long, I do need to provide some form of proof of SSN to get a RealID drivers license renewal but last year's W2 is sufficient for that.

Yeah not required, but accepted. And not sufficient by itself. Birth certificate is good to prove citizenship and those appear to be easily forgeable also, at least the ones I've seen.

It's all a tradeoff. As a passport holder, a homeowner, and an employed person who gets a W-2, it only took me a few minutes to round up suitable documents to get a RealID-compliant drivers license renewal. But I'm sure it's more difficult for many. Some level of fraud is probably an acceptable cost for not making identity hard to prove for a significant slice of the population.

Not in CA? The DMV lady told me I had to have my physical SSN card (which incidentally wasn't listed as a requirement on their website :| )

Apply for a replacement card and wait seven months for it to arrive is more like it...

That's my experience after hand delivering the form to the SS office so it would be quick.

Took me less than 2 weeks this spring, everything submitted online.

I signed up earlier this year and the validation required answering several multiple choice questions with data from my credit report such as mortgage, car loan, etc.

I also received a postcard confirming that Informed Delivery had been activated for my postal address.

Same here. I signed up late last year and they used the same kind of credit bureau-based system that social security uses to verify your identity by asking questions about previous addresses, current mortgage or car loans, etc.

Maybe it would be good to also add in a postcard check where they send you a code to verify you have access to mail for the address anyway. Sure, a thief could too, but in that case there isn't much of an extra risk to informed delivery since you'd be compromised already.

I see, so they do some kind of verification. Thanks for your reply!

I guess asking about credit report info is inadequate if people are managing to abuse this. One problem with that kind of thing is it's essentially security by obscurity, it's not deliberately created secret knowledge that can be trusted, it's stuff which happens to not be public and which only you should know, but there's no guarantee and you can't easily change it, right?

The more I think about it I might be getting the validation mixed up with healthcare.gov.

I definitely received the postcard though.

I just signed up and 2 out of the 4 questions could easily have been looked up on Zillow and they're all multiple choice with 4 options. The 2 questions were the year my house was built and the original sale price.

So anyone would've had a 1/16 chance of just guessing it right.

I signed up a few months ago and had this type of validation as well. I didn't get a postcard, presumably they hadn't started that practice yet.

A scary reminder of how we're only at the very tip of the social engineering / identity faking problem. An incredible amount of our systems are just based on an honor system, yet targeted attacks are so, well, targeted that these systems are slow to change.

Like how I reset my Bank of America 2FA three years ago with just my name and billing address of my card.

It's kind of like internet abuse and DDoS in a way: I see HNers recommending something like CloudFront. Yet after being on the receiving end of a dedicated attacker that was able to bleed my financials, I would never use it again. And since it's not a widespread problem by nature of being a targeted attack, people continually have to learn the hard way on an individual basis, if they even get unlucky to begin with. So there's no real widespread need to change.

Or, how many HNers unknowingly use a webhost that null routes them under attack yet never experienced that?

I'm guessing they were going off the doctrine of "You have no expectation of privacy in the external packaging of your mail" <insert lawyeresque point about "lol tons of people handle and see it">.

Thus, they didn't see a need for tight security regarding who can get access to such images.

Others have referenced mail forwarding, which is obviously very bad, but mail holds work the same way.

Most residential mailboxes at older homes face sidewalks and are trivial to steal from anyway. I thought my current setup in a new neighborhood would be ideal: individual locking boxes. And then one day mail got jammed in my side of the lock and I couldn't open it, so I waited for the mail carrier who promptly opened their side and handed me the contents with no verification at all.

It's just a shitshow all-round. There's virtually no thought for security or integrity of the system at any level.

> What the actual hell? You can sign up online to get mail scanned… without any physical verification you're at the address, with only a physical notification being sent after-the-fact?

I signed up for Informed Delivery a couple weeks ago, and it did ask for additional verification information. It was similar to questions asked by financial institutions when opening accounts online: "which of these 4 addresses have you lived at in the past?", "What was the name of your first pet?", etc. All presumably information that has been collected by companies such as Experian.

This seems like yet another instance showcasing the staggering lack of engineering ethics going on in critical information infrastructure designs. We have/used methods (PE licensure) to ensure that some sort of ethical engineering is occurring in critical designs. I hope we can find a way to bring these practices back and protect the people who cannot be reasonably expected (or asked) to understand these designs.

> What the hell are USPS smoking?

They've always been smoking something.

When they released their "forward your mail to your new home online" feature where they charge your credit card $1 to verify your new ZIP code, I read somewhere on the dark web that a gift card works as well. I was actually purchasing a new house, so I figured I'd give it a try! I bought a $20 Visa Vanilla gift card (with cash) and registered it online (during my visit to Starbucks, using their WiFi) with my new ZIP code (you can provide any ZIP code while you register your gift card - it's only for further verification) and sure enough it worked like a charm! I figure I am not the only one that succeeded with this. Then a few months later I read on the same forum someone answering that USPS is blocking gift and prepaid cards at the moment. But for a few months at least all hell broke loose, when you could load a $20 gift card and pretty much forward the mail of 20 strangers to your desired location, at $1 per pop.

I signed up for it for my P.O. Box a few months ago. It had those credit history style questions such as have you owned property in such and such a county or what month did you make this purchase. But none were relevant to me or my business so I had to verify in person.

The in person verification consisted of showing them my id.

It only scans the outside of the letter, not the contents. I'm not sure I follow how that's enough to steal a credit card number or other sensitive information in the mail.

Validation of the full name of the person living there?

Regardless, it is a great service to sign up for. You do get it automatically if you have other accounts or used too. I had a few people sign up for it at work.

The reason I started was we had a disappearing mail issue in my neighborhood that was eventually solved. Plus it's good to know when stuff you are expecting actually arrived. Since I order a bit online having the packages listed is a great feature but they do not photo scan those. You can set delivery instructions for some.

It's free, it's useful, and while it does have a security issue along with nearly every service the post office offers it hurts you not for using it.

In a day and age where we have privacy issues one of the biggest is proving who you are to agencies that have a real effect on your life and others. So we need to solve the ID issue as well.

It lets you know when something is coming that's worth stealing. Cuts down on your chances of being caught for a bunch of junk mail quite a bit.

I'll second this. Recently I moved back to my home state and decided to have my more serious mail sent to my grandparent's permanent home address instead of my temporary new address. I signed up for this Informed Delivery service, and now I get a scanned image of every piece of mail entering my grandparent's mailbox. It's a security nightmare.

I went on (am on) a long international trip, and had my mail forwarded to my father's. It prompted me to sign up for that, and without any verification I immediately started getting scans of every package being sent to my father's house. He was never notified by them, nothing came in the mail. This was ~8 months ago.

I vaguely remember that at least some USPS service (could have been forwarding) asks for ID verification questions that would be in your credit profile or other databases. UPS also does something similar for their own equivalent, but UPS does send a physical letter if it cannot confirm that the address belongs to you.

You need to verify. Either with some questions related to your credit check (like previous addresses, employment history) or physically getting a mail to that address.

A version of this was already possible to do using address forwarding which included same way of verification.

That’s a real shame. I must have signed up after that letter was sent.

It’s a great service otherwise.

You still need to go to the actual mailbox to steal the credit cards, so you could presumably steal the verification as well. I don't actually see what this buys a person beyond I guess knowing when the credit card will show up so he can intercept it, but really you could just figure 3 days to receive a new card and be right most of the time.

> What the hell are USPS smoking?

Whatever it is, there is a lot of it about.

The fact that "identity theft" is still a thing in 2018 is an indictment on the legacy financial industry.

If not for the web of opaque "agencies" that collect and sell data about individuals without affirmative action on behalf of the individual (frankly still surprised this is legal) it would be a complete non-issue.

It's irrelevant to me whether someone else opens an account with my name - just as it's irrelevant to me whether someone registers an account elsewhere with the username 'esotericn'.

The banks bring this problem upon themselves.

edit: The replies to this post are missing the point entirely. Yes, it's a problem because it's a problem.

It doesn't have to be this way.

> web of opaque "agencies"

While I've got no love for credit-reporting agencies, and they have managed to mangle my file, they do act as a non-partisan 3rd party that can (when their records are accurate) verify that a person is credit-worthy -- Which is a highly valuable service. Banks can offer low rates and other economic incentives to credit-worthy people, and make decisions for hundreds of thousands of dollars (i.e. a mortgage) in minutes, due to the existence of TransUnion, etc.

If it was possible for you to opt-out (or refuse to opt-in), you'd pay much more for a mortgage or any loan, decisions would take weeks, you'd be burdened with having to self-report your credit history (i.e. collect every statement on every account for the past 5-10 years) and since you are self-reporting, banks would still add a premium on because they would assume you've "forgotten" to include the credit card which you skipped payments on for 3 months back a few years ago.

As an analogy, auto insurers can easily check your accident and claims history -- imagine what your premiums would be if insurers had no way to check. They would have to assume the worst about almost everyone, and charge accordingly.

Do credit agencies need to be more accurate, and more secure? Absolutely. But wishing to opt-out entirely would likely be detrimental to you personally.

I pretty much have opted out entirely. I'm sure these agencies collect information on me regardless, there's not much I can do about that.

I have no need for loans other than possibly a mortgage - I find it difficult to conceive of why one would even want a loan, outside of the first few years of adulthood.

The mortgage is a stickler, but given that I have no desire to lock myself in to the traditional 25 years of working to buy a house in a high CoL area, it really just means saving before buying.

It would be nice to have those things, but not with the additional stress involved of satisfying arbitrary requirements all the time.

I prefer to live life without thinking about how other entities wish to 'rank' me all the time. I'd find it stifling to do otherwise.

> As an analogy, auto insurers can easily check your accident and claims history -- imagine what your premiums would be if insurers had no way to check. They would have to assume the worst about almost everyone, and charge accordingly.

More realistically, you'd be asked to provide your claim history, and if you fraudulently provided a fake history, you'd be hit with severe penalties.

In many cities, you can't even rent an apartment without a credit history.

Can't say I've experienced that. I hear that credit agencies in the US are pretty entrenched though so it doesn't surprise me!

The main difficulty I have here in the UK is with agencies that are extremely bureaucratic and can't deal with minor deviations from protocol.

I tend to rent directly from individuals for that reason. I prefer speaking to actual humans rather than drones in layers of a bureaucracy.

This isn't a case of "identity theft", at least in the modern sense of the term; this is a case of impersonation, which has been a problem since humanity existed.

> It's irrelevant to me whether someone else opens an account with my name

If they commit crime in your name, that's your problem no matter what financial system they do it in.


It's a self inflicted issue. They claim that "my identity" matters, so it matters.

Their decision making affects me through no action of my own.

If you sign up at Reddit with the username 'esotericn', I don't care. It doesn't matter.

Somehow, if someone signs up for, say, a phone contract in my name and doesn't pay it, it affects some opaque 'credit score' somewhere because an agency couldn't be arsed to do due diligence. They push the burden on to end consumers.

I sidestep most of this by just avoiding debt because I can't be arsed with the farce.

So, they shouldn't try to use identifying information to track down people committing crimes?

I'm not really sure how to answer this.


That's not actually how "identity theft" affects people for the most part.

The case of the police turning up at your door or some sort of court summons because a fake "TazeTSchnitzel" performed fraud is pretty rare.

What actually happens is some opaque credit score thing whereby you just find interacting with the system harder because someone else fucked up.

For example, an agency deciding that because fake "TazeT" managed to get a phone contract and didn't pay it, real "TazeT" must be a layabout and not pay his bills.

Or an account of yours has the password reset because someone sent in a photo of your ID gained from some database leak from a nightclub.

All of this comes about because of inaccurate linking of accounts. There are trivial ways of determining actual linkage, for example if I send money from account A to account B under the same name and it goes uncontested, it's the same identity.

Using stuff like photographs of bits of paper or things sent in the mail as proof is completely asinine. I get mail from half of my street because my postman is underpaid and can't be arsed.

Ah, yes, I see the argument about credit reports. Putting aside the question of whether they can exist at all, the security checks are laughable and therefore someone can make a black mark on yours by impersonating you with much greater ease than should be the case.


The other main category of problem that comes with identity theft is my own resources being used (e.g. an account, bank or otherwise) by a non-me.

Again, this goes away if you use real authentication rather than "oh, he has a photo of a pink bit of plastic with an address on it?, gosh must be him, here you go!".

It would be more expensive to do so, though, so we don't. The burden is pushed on to the end user.

In a justice system that actually does what ours pretends to do that isn't my problem at all. I'm innocent until proven guilty, and if other people accept insecure methods of authentication that shouldn't be my problem.

Or put another way: if a burglar spraypaints the words "wongarsu was here" on the walls after relieving a house of its valuables the police may want to hear my side; but it isn't my problem because those words prove nothing.

It would not be a problem if it were only a problem for the entities creating it. It will become very relevant to you if it ever happens to you.

Except then they blame you, for having your identity "stolen".

I've been using mailbox services (UPS Store) for almost 15 years. It costs extra money but pays for itself many times over.

I never have packages stolen, never have to wait around to sign for things, my mail is locked up, I don't have to put a mail hold or have a friend get my mail when I travel, and never have to deal with changing addresses. It also improves my privacy since fewer people have my street address. I don't worry about someone doxing me.

It's not foolproof. Someone could social engineer access to my box or packages. Doing so requires significantly more effort and risk than grabbing something off a porch so it's much less likely. It would have to be highly targeted too.

I use Informed Delivery (pretty handy), so when I started reading the article, I thought -- I should be safe, because I already signed up for the account at my address.

Not so! FTA: "Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address."

I'm working on a honeypot service that lets people create canary credentials to detect eavesdropping. One of the fringe use cases is to see if someone has intercepted your mail or packages. I'm not sure if that's a use case anyone actually cares about though, but stories like this make me wonder.

Curious if this is something anyone here would want to try. I'm happy to give some free invites if anyone wants - my email is in my profile.

Would you mind expounding a bit on how this might work in application?

Basically, we host a collection of honeypot websites, which resemble login pages for a normal website. Our users create 'bait credentials' (username/password) for these honeypot websites.

The users then hide these bait credentials in places that should be private (in this case, a letter or package to be mailed). If an eavesdropper intercepts the package, they'll also find the bait credentials (perhaps written on a post-it note). If they try to use the stolen bait credentials at the honeypot website, our users then get an alert, and the intrusion is logged.

The normal use case is to place bait credentials on your devices or servers, but in this case they would be used in a physical location (i.e. a letter in the mail).

Take a look at https://www.tamarin.us if you want - I'd appreciate any feedback, I'm still trying to validate the concept.
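The bait-credential flow described in the comment above, sketched as an added example (not part of the thread and not the commenter's service code). All names here (`CanaryRegistry`, `issue`, `check_login`) and the sample owner, placements and documentation-range IPs are assumptions constructed for illustration. Issuing one credential per hiding place is what lets an alert identify which channel was read.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

class CanaryRegistry:
    """Issues bait credentials and records any login attempt that uses one."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # keys the stored digests
        self._tokens = {}                    # username -> (digest, owner, placement)
        self.alerts = []

    def _digest(self, username, password):
        msg = f"{username}\x00{password}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, owner, placement):
        """Create one bait credential bound to the place it will be hidden."""
        username = "user-" + secrets.token_hex(4)
        password = secrets.token_urlsafe(12)
        self._tokens[username] = (self._digest(username, password), owner, placement)
        return username, password

    def check_login(self, username, password, source_ip, when=None):
        """Honeypot login handler: never grants access, alerts on bait use."""
        entry = self._tokens.get(username)
        if entry is None:
            return None  # not a bait username: background scanner noise
        digest, owner, placement = entry
        alert = {
            "owner": owner,
            "placement": placement,  # tells the owner which channel was read
            "exact_match": hmac.compare_digest(digest, self._digest(username, password)),
            "source_ip": source_ip,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.alerts.append(alert)
        return alert

def demo():
    """Constructed scenario: two placements, one of them intercepted."""
    reg = CanaryRegistry()
    letter = reg.issue("alice", "post-it inside mailed letter")
    server = reg.issue("alice", "notes file on home server")
    reg.check_login("admin", "admin", "203.0.113.5")          # noise, no alert
    hit = reg.check_login(*letter, source_ip="198.51.100.7")  # bait from the letter
    return reg, letter, server, hit

if __name__ == "__main__":
    print(demo()[3])
```

An alert with `exact_match` false means only the bait username was tried, which is weaker evidence that the hidden note itself was read.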

Security concerns aside, the Informed Delivery service is great. I've been using it for a little over a year now. They began inserting ads into the Informed Delivery email. Senders must place some sort of barcode that is then read by the USPS scanner. It's nice to see our postal service trying to close the gap on their (net) loss.

It would be nicer for Congress to not impose capricious retirement funding requirements, artificially making them look unprofitable.

Requiring that pensions and other future benefits be funded at their present discounted value is majestically reasonable. The opposite is how you get pension crises.

Just looked this up--it's apparently called "Informed Delivery Interactive Campaigns". They use the example of a mailer advertising an online sale: recipients with Informed Delivery can click on the link right from the USPS dashboard to the sale website. They have a bunch of analytics you can get and the whole thing looks pretty sophisticated.

As far as I can tell, this is all free to mailers, at least for the moment. Maybe they're planning on charging for it later.

USPS docs here: https://www.usps.com/business/informed-delivery.htm

I signed up for the USPS mail scanning because I thought that it would be cool. However, I live in a small apartment building, and apparently USPS doesn't recognize it as an apartment building, so I would get everyone's mail. There was no verification either. I found it kind of scary the amount of info I was getting. Had to cancel because there was a lot of noise and it ultimately wasn't useful for me.

I've noticed after first signing up around April that whatever scanner they're using can see through the envelope and you can pretty clearly read at least part of the contents for a standard folded letter, but at some point later in the year the contrast of the images was changed and it wasn't as common to see it anymore. Most of my mail is junk, but I can only imagine the kinds of opportunity that capability at scale presents.

I noticed the same thing with the see through envelope part. I live in an apartment and get mail in my informed delivery dashboard addressed to past tenants at this address all the time. The system seems to only care about address, not name. The mail never arrives (possibly due to forwarding?) but I can read the first page of about half of it. It does seem to have gotten slightly better but I just checked my last few emails from USPS and I can still make out words through the envelope. I'm sure with a small bit of image manipulation I would be able to read them clear as day.

I'm sitting here in Vietnam. For two years now, I get pictures every day of my friend's mail emailed to me because I switched my address to her house when I left the US. I was not asked a single question about it, they just started appearing after I filed a change of address notice, which cost me like $1 or something. Something seems so wrong with that.

When my wife signed up for this a few months ago I was astonished to see that the envelope scans are sent in the clear in an email. I didn't realize at the time that there is in addition no authentication of the sign up process!

Exploits aside, this service however convenient, just reeks of Big Brother to me. Not that I get that much info via USPS anymore but the idea that __everything__ is being logged (for future reference?) makes me uncomfortable.

Informed Delivery is just them offering a service based on infrastructure that was already there -- the mail scanning was put into place during the 90's anthrax in the mail scares, and that's really its purpose.

" and that's really it's purpose."

Not to get off topic but...Or so we were told.

Today, __every__ piece of USPS is scanned because of a handful of rogue letters 20+ yrs ago? No one unreasonable would find that reasonable.

It wasn't 20+ years ago, that was my bad (there were some anthrax cases in the 90s, but the high profile cases were in the 00's). There are cases of the USPS finding traces of anthrax in mail every 5 years, on average, probably more that we don't hear about. Most recent high profile case was in 2008.

Every package is also X-rayed for potential explosives because of a scare 20+ years ago -- and thankfully they continued to do so otherwise we'd have some dead due to pipe bombs.

People find it extremely reasonable. We have increased airport security now because of what happened 17 years ago and most people also find that reasonable.

This scanning of your mail is happening whether you sign up or not. It's simply part of the process of moving items from A to B. The fact USPS found a way to add value for their customers should be commended.

I tried to sign up for this service and failed due to some identification challenge issue USPS was unable to explain. The online sign up process went along smoothly, but I was asked to bring a slip printed from the online process plus valid identification to a post office for in-person verification. Brought the documents and still was unable to validate my identity. The robot behind the counter could not explain why the application was rejected.

Curious how identity thieves could complete an application when I, with all proper documentation in person at a post office, could not.

I just signed up for this (all online, never had to talk to anyone) maybe 6 months or more ago. I used it when it was "MyUSPS" too. Neither (at the time) required any external forms of anything.

I just created my account, put my address in and that was that. Then I lost that account's info, or something weird happened with it and I could no longer log in to it. So I created another account for the same address. That validated immediately too. I don't remember seeing any e-mails or anything notifying me that a second account is now getting those e-mails. There's a chance there was something, but I don't remember it.

Maybe I signed up for it before they had those extra protections in there, but that's my experience so far.

I wonder if more than one party can sign up for the same address? Am I safe because I've already signed up or are they happy to let someone else monitor my mail too?

Send me your address and I'll tell you. ;)

The article mentions that you really need to register every person at your address to avoid being monitored by an unknown. Even so, there is no clear indication whether USPS even verifies that a registered name receives mail at a given address.

I didn't see it in the article, but these scans also show the first page of the letter on top. I thought I was crazy when I first saw it, but I can actually read account info etc from inside the letter!!!! If someone got my account they'd actually be able to tell part of what I'm getting not just from who.

Despite the security issues, this is a pretty cool service - I wonder if the UK Royal Mail is doing it ... oh of course not

Informed Delivery is great!

...... at sending me scanned mail from a place I lived at 9 years ago.

Tried to remedy it, not available at my ACTUAL address.

When I signed up for this I put in my apartment number for my building, but apparently USPS thought I should get all mail for the whole building. I had to cancel it as there was so much noise. But they didn't do any verification or anything, which was kind of scary.

The article mentions the ability to “opt out” but I can’t find it anywhere on the USPS website.

FWIW, the Informed Delivery isn't available everywhere. I tried to sign up and was denied.

Yes, not available at P.O. Boxes afaict too. I wish it were, until I read Krebs' article!

This is incorrect; you can indeed get Informed Delivery for [at least some] P O Boxes, postal employees don't know how to do it, but if you change the address on your Credit Card to be the P O Box, and then try authenticating using that card, it passes fine. That's what I did for my own P O Box, for example (it failed the first time when my card was using my street address).

I've been able to get it to partially work for my PO BOX.

For some odd reason it seems to only work for packages. Not standard letter mail.

At least now I get an alert that a package went to the Post Office and isn't coming to my house.

I didn't even know about informed delivery until now. Cool feature.
