But then I got to this bit:
> KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.
> However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification
What the actual hell? You can sign up online to get mail scanned… without any physical verification you're at the address, with only a physical notification being sent after-the-fact?
What the hell are USPS smoking?
It makes me wonder what you need to do to sign up for this. I wonder…
goes to website
it seems like the only thing they do is ask for the address, and you check a box to accept the T&Cs. I don't know if there's actual verification beyond that step, but it doesn't sound like there is…
This is pretty great too. I moved about two months ago, and switched addresses in Informed Delivery. I got a letter saying I switched, but I never put their code into Informed Delivery, and I still get scans of my mail at the new place. I got the scans before the validation letter, so I could easily have stolen that, and no one would know I'm seeing their mail....
*Edit to make things clearer.
I have not validated anything. The letter says I won't get emails unless I put the code in the letter in Informed Delivery. I did not do that ever and I still get the emails.
Verify online, verify by mail, or... skip. When I hit skip it just sent me to a dashboard that says I'm not enrolled because I'm not verified. I'm gonna let this sit for a few days and see if I start getting the emails.
Realistically if you tamper with mail nothing at all will happen to you, until your fraud raises to a headline figure and could get someone a promotion.
Several years ago a couple people in the community noticed problems with their mail (mail seemingly missing, receiving wrongly addressed items, etc..). They called the postal service and an investigator was out in days. Within two weeks there were hidden cameras mounted in various locations around town pointed at mailboxes. A few more weeks and they apprehended an individual going through mailboxes based on the photos from those cameras. I don't know the final outcome, but the total turnaround from notification to arrest was less than 3 months.
Even underfunded agencies can prioritize. A call notifying them of a problem is a world of difference than them identifying and pursuing issues on their own.
Just like how an underfunded police department may not patrol all the areas they should, but if you call them to notify them of a crime, an officer will likely show up at some point. Even if the officer shows up quite a bit later, the relative difference to when an officer might stumble across that area, much less evidence of the crime, is probably somewhat comparable.
> "about almost every other type of non-violent crime."
This is all my own mail. When I switched ID to the new address, I no longer received emails of mail going to my old address automatically. So there's that.
Falsifying your identity to a federal postal service to gain access to someone else's mail? That breaks a wide range of laws
You think "surely X" but no. Almost never X. Almost always some lazy Y or nothing at all.
After a couple consulting contracts / vuln disclosures I updated my priors of how competent the government was. I'm actually getting worried now that everything is going cyber-physical and corporations can pull the wool over their eyes. The government is great at offense, but defence is boring. Especially at non-fancy agencies / departments. And the salaries are low.
But it doesn't even matter really. Basically so many things are broken and offense gets better over time while defence gets worse. I'm fighting for regulations, etc. But this stuff is so ill-defined that the government has trouble understanding it.
I have come to blame the universities. The CompSci department should have gone to the Civil or Nuclear Engineering department and said "ok, how do we think about time frames over 100 years?" and built out courses out of that. But other than a handful of rare exceptions, right now most grads come out not understanding the true gravity of their decisions.
The one nice thing is that offense is usually incompetent too. I've been on projects dealing with real crime. The number of people nailed with just getting an IP is lolsy. Most criminals are stupid. I partly want to relay what the smartest 2%ile did just to show how low the bar is, but I fear educating the lower 98%.
 Not stupid drug war stuff.
When you're talking about basic attacks to steal some money, this is a substantial but not world-changing effect. On the other hand, a government or cartel willing to invest significant resources in cyber offense can really move the needle. What we've seen Russia, North Korea, Israel, and others achieve is probably only a fraction of what they've actually achieved.
Have you read the Snowden leaks? The actual raw content?
It's pretty tame shit. My main takeaway was ahh, yes the world is as insecure as I thought it was not oh, these guys are using space laser technology hacks.
They've got crack teams to break into some harder gear, and they've got some crazy awesome cryptanalyses going on, but for most of it it's just what you were I would do if someone asked us to get into a bank or whatever. Most stuff is easy to hack anyway unless it's a fully patched iPhone or patched / stripped / locked down Windows server.
Plus you can see the codebases these guys have put out anyway. There was that peodophile CIA coder that had some of his personal codebase match his internal work and there are a bunch of current and former NSA / CSE guys floating around conferences.
I sat with a whole table of them and watched them fall for a simple social engineering attack one minute after being told they were going to fall for the attack.
They're not gods shimon.
And I want to stress I'm not a full time government contractor. I just did a couple short contracts for a department and it made me wtf so hard I signed up for one of those conferences where they set the ticket price so high it keeps out the curious, but it isn't classified or even protected.
But I'll share anyway because you asked.
I walk into the room titled "something something Social Engineering Attacks" because the other one was on something I couldn't care less about. Fiddling with AWS settings probably.
Look around. Mostly tired, overworked looking sysadmins from different government departments and the occasional consulting company or bank.
Walk further into the room and there it is, a table full of my people. Dungeons and dragons (D&D) looking types of both genders that looked like they were born in or around 1984.
Sit down. "Hi." They're friendly; I forget what we talk about, but they all have sigint department name tags. Most were slated to give talks later in the conference.
Talk starts. Guy on stage.
Guy: "Within one minute of explaining what I'm going to socially engineer you to do you will do it."
Me: Internal monologue; The fuck you will.
D&D: Look kinda intrigued, kinda befuddled.
Guy: "Ok so first thing we need to do is to get you to stand up. Don't worry the clock hasn't started yet. We're just standing."
Me: Squints skeptically. Stands. Internal monologue: Where the hell is this going?
D&D: Stands up like the rest of the room, faces guy.
Guy: "Ok here is the game I'm going to get you to flip your hands like this."
Guy: Flips hands from palms down to palms up.
Me: Internal monologue: The fuck you are.
Me: Crosses arms.
D&D & Room: Chuckle.
Guy: "Ok, you ready? Go. Oh; one last thing..."
Me: Internal monologue: Ha! Good fucking luck buddy you already said "go" and I'm already crossed.
Guy: "...otherwise there is no game at all you'll just cross your arms and stand there. So you have to put your arms in front of you like this..."
Guy: Begins to slowly raise his arms.
D&D & Room: Begin to raise their arms so their palms are face down to the ground.
Guy: "... like this."
Guy: Shows arms out in-front of him with the palms face up.
Me (Quietly, to my table of future elf and dwarven partisans.): "Nooo. Don't do it."
D&D & Room: Flip their hands over to match guy.
D&D: Look away from guy to me.
Guy: Does the TA-DA gesture.
D&D: "How did you know?"
Me: "I know how these people think."
Rest of the conference people were convinced I was a Canadian spy or something. It's ok though. I got too drunk and made a fool of myself because a convo I had with a cyberwarfare guy (essentially) confirmed my fears that self-driving cars were WMDs due to class-attack (bad server update ala notPetya, say).
Gunna be feeling the burning shame on that one for at least another year.
At least all that foolishness is over. I thought I was losing my mind. Now that Schneier's book is out and it's been almost a year I'm back to being able to trust my own mind again. The cybersec scene is kinda stressful, but it's nothing compared to the kind of stress where you can't trust your own mind.
[-1] Well it wasn't going to be, so I spiced it up a bit by expanding into my failings as a human.
 Well most of the time, anyway. Can't stop me from lolsing into a conference to get a better read on where things are at.
 Memory isn't perfect, but you get the idea.
 Room of 100 people and I'm almost certain I was the only one that didn't get tricked.
Personally I have this turned on, because I'm conscious that every piece of information you'd need to send a fake address change notification for me is either public or easily obtainable with a call to the Tax Agency, which is far from reassuring.
It's not great for privacy though, so I understand the resistance of the US and the UK to it. Mind you, the US wouldn't have to make the whole thing public like Sweden does for… reasons.
*Asylum seekers and various types of temporary residents and such are not technically considered to be in the population register, though they are usually still in fact in the database, just with less information and a flag saying they don't count
Cue the fever dreams whenever anyone merely suggests we harmonize, normalize the details. As if predictable standards for signature verification will inevitably lead to a military coup.
I haven't personally had a social security card in many decades. For the first time in I don't know how long, I do need to provide some form of proof of SSN to get a RealID drivers license renewal but last year's W2 is sufficient for that.
That's my experience after hand delivering the form to the SS office so it would be quick.
I also received a postcard confirming that Informed Delivery had been activated for my postal address.
Maybe it would be good to also add in a postcard check where they send you a code to verify you have access to mail for the address anyway. Sure, a thief could too, but in that case there isn't much of an extra risk to informed delivery since you'd be compromised already.
I guess asking about credit report info is inadequate if people are managing to abuse this. One problem with that kind of thing is it's essentially security by obscurity, it's not deliberately created secret knowledge that can be trusted, it's stuff which happens to not be public and which only you should know, but there's no guarantee and you can't easily change it, right?
I definitely received the postcard though.
So anyone would've had a 1/16 chance of just guessing it right.
Like how I reset my Bank of America 2FA three years ago with just my name and billing address of my card.
It's kind of like internet abuse and DDoS in a way: I see HNers recommending something like CloudFront. Yet after being on the receiving end of a dedicated attacker that was able to bleed my financials, I would never use it again. And since it's not a widespread problem by nature of being a targeted attack, people continually have to learn the hard way on an individual basis, if they even get unlucky to begin with. So there's no real widespread need to change.
Or, how many HNers unknowingly use a webhost that null routes them under attack yet never experienced that?
Thus, they didn't see a need for tight security regarding who can get access to such images.
Most residential mailboxes at older homes face sidewalks and are trivial to steal from anyway. I thought my current setup in a new neighborhood would be ideal: individual locking boxes. And then one day mail got jammed in my side of the lock and I couldn't open it, so I waited for the mail carrier who promptly opened their side and handed me the contents with no verification at all.
It's just a shitshow all-round. There's virtually no thought for security or intrgrity of the system at any level.
I signed up for Informed Delivery a couple weeks ago, and it did ask for additional verification information. It was similar to questions asked by financial institutions when opening accounts online: "which of these 4 addresses have you lived at in the past?", "What was the name of your first pet?", etc. All presumably information that has been collected by companies such as Experian.
They always been smoking something.
When they released their "forward your mail to your new home online" feature where they charge your credit card $1 to verify your new ZIP code, I read it somewhere on dark web that a gift card works as well. I was actually purchasing new house, so I figured I give it a try! I bought a $20 gift card Visa Vanilla (with cash) and registered it online (during my visit in Starbucks using their WiFi) with my new ZIP code (you can provide any ZIP code while you register your gift card - its only for further verification) and sure it worked out like a charm! I figure I am not the only one that succeed with this. Then I read few months later at the same forum someone answer that USPS is blocking gift and prepaid cards at the moment. But for few months at least a hell broke out loose when you could load $20 gift card and pretty much forward mail of 20 strangers to your desired location, at $1 per pop.
The in person verification consisted of showing them my id.
Regardless, it is a great service to sign up for. You do get it automatically if you have other accounts or used too. I had a few people sign up for it at work.
the reason I started was we had a disappearing mail issue in my neighborhood that was eventually solved. plus its good to know when stuff you are expecting actually arrived. since I order a bit online having the packages listed is a great feature but they do not photo scan those. you can set delivery instructions for some
its free, its useful, and while it does have a security issue along with nearly every service the post office offers it hurts you not for using it.
in a day an age where we have privacy issues one of the biggest is proving who you are to agencies that have a real effect on your life and others. so we need to solve the ID issue as well.
A version of this was already possible to do using address forwarding which included same way of verification.
It’s a great service otherwise.
Whatever it is, there is a lot of it about.
If not for the web of opaque "agencies" that collect and sell data about individuals without affirmative action on behalf of the individual (frankly still surprised this is legal) it would be a complete non-issue.
It's irrelevant to me whether someone else opens an account with my name - just as it's irrelevant to me whether someone registers an account elsewhere with the username 'esotericn'.
The banks bring this problem upon themselves.
edit: The replies to this post are missing the point entirely. Yes, it's a problem because it's a problem.
It doesn't have to be this way.
While I've got no love for credit-reporting agencies, and they have managed to mangle my file, they do act as a non-partisan 3rd party that can (when their records are accurate) verify that a person is credit-worthy -- Which is a highly valuable service. Banks can offer low rates and other economic incentives to credit-worthy people, and make decisions for hundreds of thousands of dollars (i.e. a mortgage) in minutes, due to the existence of TransUnion, etc.
If it was possible for you to opt-out (or refuse to opt-in), you'd pay much more for a mortgage or any loan, decisions would take weeks, you'd be burdened with having to self-report your credit history (i.e. collect every statement on every account for the past 5-10 years) and since you are self-reporting, banks would still add a premium on because they would assume you've "forgotten" to include the credit card which you skipped payments on for 3 months back a few years ago.
As an analogy, auto insurers can easily check your accident and claims history -- imagine what your premiums would be if insurers had no way to check. They would have to assume the worst about almost everyone, and charge accordingly.
Do credit agencies need to be more accurate, and more secure? Absolutely. But wishing to opt-out entirely would likely be detrimental to you personally.
I have no need for loans other than possibly a mortgage - I find it difficult to conceive of why one would even want a loan, outside of the first few years of adulthood.
The mortgage is a stickler, but given that I have no desire to lock myself in to the traditional 25 years of working to buy a house in a high CoL area, it really just means saving before buying.
It would be nice to have those things, but not with the additional stress involved of satisfying arbitrary requirements all the time.
I prefer to live life without thinking about how other entities wish to 'rank' me all the time. I'd find it stifling to do otherwise.
> As an analogy, auto insurers can easily check your accident and claims history -- imagine what your premiums would be if insurers had no way to check. They would have to assume the worst about almost everyone, and charge accordingly.
More realistically, you'd be asked to provide your claim history, and if you fraudulently provided a fake history, you'd be hit with severe penalties.
The main difficulty I have here in the UK is with agencies that are extremely bureaucratic and can't deal with minor deviations from protocol.
I tend to rent directly from individuals for that reason. I prefer speaking to actual humans rather than drones in layers of a bureaucracy.
If they commit crime in your name, that's your problem no matter what financial system they do it in.
It's a self inflicted issue. They claim that "my identity" matters, so it matters.
Their decision making affects me through no action of my own.
If you sign up at Reddit with the username 'esotericn', I don't care. It doesn't matter.
Somehow, if someone signs up for, say, a phone contract in my name and doesn't pay it, it affects some opaque 'credit score' somewhere because an agency couldn't be arsed to do due diligence. They push the burden on to end consumers.
I sidestep most of this by just avoiding debt because I can't be arsed with the farce.
That's not actually how "identity theft" affects people for the most part.
The case of the police turning up at your door or some sort of court summons because a fake "TazeTSchnitzel" performed fraud is pretty rare.
What actually happens is some opaque credit score thing whereby you just find interacting with the system harder because someone else fucked up.
For example, an agency deciding that because fake "TazeT" managed to get a phone contract and didn't pay it, real "TazeT" must be a layabout and not pay his bills.
Or an account of yours has the password reset because someone sent in a photo of your ID gained from some database leak from a nightclub.
All of this comes about because of inaccurate linking of accounts. There are trivial ways of determining actual linkage, for example if I send money from account A to account B under the same name and it goes uncontested, it's the same identity.
Using stuff like photographs of bits of paper or things sent in the mail as proof is completely asinine. I get mail from half of my street because my postman is underpaid and can't be arsed.
The other main category of problem that comes with identity theft is my own resources being used (e.g. an account, bank or otherwise) by a non-me.
Again, this goes away if you use real authentication rather than "oh, he has a photo of a pink bit of plastic with an address on it?, gosh must be him, here you go!".
It would be more expensive to do so, though, so we don't. The burden is pushed on to the end user.
Or put another way: if a burgler spraypaints the words "wongarsu was here" on the walls after relieving a house of its valuables the police may want to hear my side; but it isn't my problem because those words prove nothing.
I never have packages stolen, never have to wait around to sign for things, my mail is locked up, I don't have to put a mail hold or have a friend get my mail when I travel, and never have to deal with changing addresses. It also improves my privacy since fewer people have my street address. I don't worry about someone doxing me.
It's not foolproof. Someone could social engineer access to my box or packages. Doing so requires significantly more effort and risk than grabbing something off a porch so it's much less likely. It would have to be highly targeted too.
Not so! FTA: "Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address."
curious if this is something anyone here would want to try, I'm happy to give some free invites if anyone wants - my email is in my profile.
The users then hide these bait credentials in places that should be private (in this case, a letter or package to be mailed). If an eavesdropper intercepts the package, they'll also find the bait credentials (perhaps written on a post-it note). If they try to use the stolen bait credentials at the honeypot website, our users then get an alert, and the intrusion is logged.
The normal use case is to place bait credentials on your devices or servers, but in this case they would be used in a physical location (i.e. a letter in the mail).
Take a look at https://www.tamarin.us if you want - I'd appreciate any feedback, I'm still trying to validate the concept.
As far as I can tell, this is all free to mailers, at least for the moment. Maybe they're planning on charging for it later.
USPS docs here: https://www.usps.com/business/informed-delivery.htm
Not to get off topic but...Or so we were told.
Today, __every__piece of USPS is scanned because of a handful of rogue letters 20+ yrs ago? No one unreasonable would find that reasonable.
Every package is also X-rayed for potential explosives because of a scare 20+ years ago -- and thankfully they continued to do so otherwise we'd have some dead due to pipe bombs.
People find it extremely reasonable. We have increased airport security now because of what happened 17 years ago and most people also find that reasonable.
Curious how identity thieves made could complete an application when I, with all proper documentation in person at a post office, could not.
I just created my account, put my address in and that was that. Then I lost that accounts info, or something weird happened with it and I could no longer login to it. so I created another account for the same address. that validated immediately too. I don't remember seeing any e-mails or anything notifying me that a second account is now getting those e-mails. There's a chance there was something, but I don't remember it.
Maybe I signed up for it before they had those extra protections in there, but that's my experience so far.
The article mentions that you really need to register every person at your address to avoid being monitored by an unknown. Even so, there is no clear indication whether USPS even verifies that a registered name receives mail at a given address.
...... at sending me scanned mail from a place I lived at 9 years ago.
Tried to remedy it, not available at my ACTUAL address.
For some odd reason it seems to only work for packages. Not standard letter mail.
At least now I get an alert that a package went to the Post Office and isn't coming to my house.