A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting informeddelivery.usps.com.
According to the USPS, some 6.3 million accounts have been created via the service so far. The Postal Service says consumer feedback has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any mail being delivered while they’re on the road.
But a review of the methods used by the USPS to validate new account signups suggests the service is wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.
Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.
Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.
Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels — such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system.
“The whole service is based on a channel they control, and they should use that channel to verify people,” Swire said. “That increases user trust that it’s a good service. Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that.”
I also wanted to know whether there was any way for households to opt out of having scanned images of their mail sent as part of this offering. The USPS replied that consumers may contact the Informed Delivery help desk to request that the service not be presented to anyone in their household. “Each request is individually reviewed and assessed by members of the Postal Service Informed Delivery, Privacy and Legal teams,” the Postal Service replied.
There does not appear to be any limit on the number of people who can sign up for the service at any one address, except that one needs to know the names and KBA question answers for a valid resident of that address.
“Informed Delivery may be accessed by any adult member of a household,” the USPS wrote in response to questions. “Each member of the household must be able to complete the identity proofing process implemented by the Postal Service.”
The Postal Service said it is not possible for an address occupant to receive emailed, scanned images of incoming mail at more than one email address. In other words, if you wish to prevent others from signing up in your name or in the name of any other adults at the address, the surest way to do that may be to register your own account and then urge all other adult residents at the address to create their own accounts.
A highly positive story about Informed Delivery published by NBC in April 2017 suggests another use for the service: Reducing mail theft. However, without stronger authentication, this service could let local ID thieves determine with pinpoint accuracy exactly when mail worth stealing is set to arrive.
The USPS says businesses are not currently eligible to sign up as recipients of Informed Delivery. However, people running businesses out of their home could also be the target of competitors hoping to steal away customers, or to pose as partner firms in demanding payment for outstanding invoices.
Informed Delivery seems like a useful service for those residents who wish to take advantage of it. But lacking stronger consumer validation the service seems ripe for abuse. The USPS should use its own unique communications channel (snail mail) to alert Americans when their physical address has been signed up for this service.
Bob Dixon, the executive program director for Informed Delivery, said the Postal Service is working on an approach that it hopes to make available to the public in January 2018 which would allow USPS to send written notification to addresses when someone at that residence signs up for Informed Delivery.
Dixon said that capability will build on technology already in place to notify Americans via mail when a change of address is requested. Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 3,000 post offices nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.
If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.
“Part of coming up with a mail-based verification system will also let us do some additional notification that, candidly, we just haven’t built yet,” Dixon said. “It is our intent to have this ready by January 2018, and it is one of our higher priorities to get it done by then.”
There is a final precaution that should block anyone from signing up as you: Readers who have taken my advice to freeze their credit files with the four major consumer credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) will find they are not able to sign up for Informed Delivery online. That’s because having a freeze in place should block Equifax from being able to ask you the four KBA questions.
By the way, this same dynamic works with other services that you may not wish to use but which require you otherwise to plant your flag of identity to prevent others from doing so on your behalf, such as managing your relationship to the Internal Revenue Service online and the Social Security Administration. For more information on why you should get a freeze and how to do that, see this piece.
Update, 3:48 p.m. ET: Added bit about how a freeze can block someone from signing up in your name.
Update, Oct. 4, 11:01 a.m.: Several readers have written in to say that although the Postal Service says citizens can opt out of Informed Delivery at a specific address by contacting the Informed Delivery Help Desk, none of those readers have successfully been able to achieve this result. One reader forwarded a response from the Help Desk folks that stated emphatically, “I do understand your concern about fraud and theft but there is no way to make your home address ineligible for Informed Delivery.” No way, that is, kexcept to register as every adult at your address, as stated above.
I have been using the service for about 2 months. The email I get daily is for mail arriving that day. It’s a handy way of knowing if something important is arriving or just the usual junk mail.
…Because *who* demanded it?
Was this something they were asked for, or did they just slap it together because they could?
Sounds like someone realized “Hey, we’re scanning mail for automatic sorting, why not send the pix off to the customer before we archive it forever?”
I think you’ll have to talk to Sam Vimes about that.
Woudln’t that be Moist von Lipwig?
Well, I just signed up for it to lock it down as I already had a USPS account. All of the questions were about a single loan that did not exist, so all of the answers (5, of them I think) were “None of the above”. Answering all of them “None of the above” successfully enrolled me.
So, if a fair percentage of other enrollees are also similarly all “None of the above”, it makes for relatively easy pickings in itself.
Since my account already owned the mailbox (I pay for it through the account), it’s a little weird that I’d have to validate – but I guess better (sort of) safe, than sorry.
I signed up too, so I could do it before someone else could. In MY case, none of my questions were “none of the above”.
Additional heads-up. I’ve had a USPS account for ages … and just discovered that “Informed Delivery” is active. I never did anything to active it, and I never answered any KBA questions. I suggest that anyone with an existing USPS account use a very strong password now that you’ve got Informed Delivery.
Darn it, just when I was marveling at how reasonably secure it seems to be to send checks of both large and small value through the mail with only a simple envelope to protect them, you dashed my idealism 🙂
Signed up for a account and the KBA questions are very easy to guess if you know someone well enough.
I’ve been using Informed Delivery for a few years in NE & SE US. When I started using a private P.O box service I found that not only was I getting daily scans of my own mail, but other POB users as well. I was seeing where they banked, who held their debts, where their kids were schooled, etc. The POB staff and the few other PO users I spoke to were indifferent; didn’t seem to care one bit. I spoke to mail carriers, and none were even aware of Informed Delivery. Local USPS post office stated, or rather surmised, that it was probably due to how the POB mailing address was coded in their system. I wonder how many other addresses (POBs, apartments, etc) are similarly “coded” ?
Yikes, that sounds like a UPS Store or Mailboxes Etc nightmare. Many small businesses prefer the more official “8300 Anystreet, SUITE 100” address used by these stores to “PO Box 120”.
I wonder if ANY box holder at the MBetc could also see mail to any other “Suite 100” business? And how would USPS vet the person signing up for one of these addresses in the first place?
If you miss one of the KBA questions, it will “fail” your registration attempt, telling you to try verification later. Just hit the back button and try again until you “pass”!!
I just tried logging into my USPS account to see about this, and it was *happy* to sign me up using an address I haven’t lived at for two years.
I filed an official USPS change of address form when I moved.
It’s unfortunate that a “permanent” change of address isn’t really permanent. It expires after a year.
Unfortunate? Dunno quite. Try moving into a place where the prior owner shares your last name. After a year, the nightmare will end, and the prior owner will stop getting your mail.
That’s poor implementation on the part of USPS if they are only matching on last name.
If you miss one of the KBA questions, just hit the back button and try again!
I verified this entering my sister’s info. After answering all questions correctly on the first page the verification failed. I backed up and received a page of new questions; correctly answered and failed. Backed up and was locked out for72 hours. I expect she will have to go to a PO to finish.
My moms account I had to fail because there was info belonging to a known ID theft among the possible answers (which I didn’t want to validate), so I checked none of the above. I had no chance to go back but was told to go to the PO with photo I’d snd the email barcode they sent to complete the verification b
Myself, I, handled last, and probably have the oddest combination of addresses as I live overseas, have US credit cards and investment accounts, and use both the physical and PO box of my mom/sister for some things. So I had little expectation of success. Oddly enough, I flew thru the validation answering an address and town I haven’t lived in since 1986. The other two were none of the above.
Setting up the USPS accounts were easy, it was only the validation of the Informed Delivery that diverged so wildly in result.
I should also mention that three weeks ago I froze accounts for all the above at eq, ex, in and tu, having received letters from all of them. The freeze didn’t seem to prevent the KBA questions from being displayed or even in the one case successfully answered.
Correction: One question was in what year did I receive my SSA card.
Note: Until but a few years ago, the first 5 digits were a give away as to the state and time period in which a card was issued. It was later changed after the USG realized that this predictability was a security risk.
I don’t think the USG is giving this info away, you did when you applied for a credit card or loan, or your bank did as part of their agreement with the credit bureaus. That combined with the predictability of the SSN format makes the issuance location and year into possible questions.
Great story. My question is “what” KBA does the USPS have that they are supposedly relying upon to identify me? As far as I know they have my name and address and nothing more. I concur, this system is ripe for the criminals to exploit.
I think they are using information that the Government knows. I got former address, possible additional occupants, and weird as hell: When did I sign up for my Soc Sec card–which I am sure I answered incorrectly, but it still validated me.
This is horrid.
My wife was able to get her account signed up and did not have her credit bureau accounts locked. I tried a few months ago but had my accounts locked and could not. I got the notice I had to go in, so I am guessing they use one of the big three. (I locked Innovis last week)
As stated in the story, they use Equifax.
As per my comments above and delivered elsewhere, I’m starting to think that the accounts that I locked on 9/9, and received letters (w/ PINs and file nos for) are not really locked. Given how dysfunctional Eq is, I shouldn’t be surprised. I’m going to have to dig in in that tomorrow.
Unless your SSN is very old or rather new, you can figure out when and where it was issued with the “Five-Digit Decoder” on this page: http://www.stevemorse.org/ssn/ssn.html
It appears that table is not reliable. I don’t believe my parents waited until I was six years old before applying for a Social Security Card in my name.
This is ridiculous they continue to do this to people…”We created this new thing so you HAVE to make an account before a criminal does”.
It’s amazing that they don’t use snail mail for confirmation and that there is no way to opt out of the service 🙁
USPS just doesn’t get it.
It should send snail mail to the address to confirm sign-up and after that sign-up is then done (preferably in person at a post office with photo ID) send notificiation to the snail mail address that it was done.
The way they do it still allows mail to be viewed in advance of the notification arriving at the snail mail address. By then it may be too late.
or to reduce handling, send a code to the address by snail mail that must be entered online to allow the service.
Oh good God. Yes, everyone who is eligible NEEDS to sign up and claim your name/address before someone else does. So, I went to claim mine, signed up really fast, and the KBA are SO DAMN EASY, that, indeed, a Zillow or Whitepages dot com search will provide all of the required answers. SHOCKINGLY SIMPLE.
And, guess what, once I passed this super simple verification, the Post Office showed me scans of mail from LAST week, going into this week. So, they have already scanned the mail whether you opted in or not. Good God. CLAIM YOUR INFORMATION, IN A HURRY!!
Your mail has been scanned for a long time, it’s only recently the USPS has made those images available to the customer via informed delivery.
The scans are a part of their sorting system.
There is no justification for keeping images of the scans after the sorting is done. This is outrageous and frightening. Who else can get access to these images, whether fraudulently or officially?
Since 9/11 DHS has probably spent billions upgrading the USPS sorting equipment to take digital scans of everything passing throu the system. At a minimum, if you get caught up in a terror investigation they will pull this info to see who has been sending you mail or at least where it was posted from.
USPS is now just trying to turn all this info into a competitive advantage by sharing it with recipient customers. It’s a really great thing just poorly implemented.
FYI about 5 years ago I submitted the suggestion they should do this because at the time i moved my elderly mother’s curb deliver to a POB for better security and safety. I was hoping they would do this so she would only have to visit the PO if something landed in her box (at the same time we moved all her correspondence to electronic delivery and taught her to use an iPhone; she does fine.). Funny thing is, I used her curb address for the Informed Delivery set-up, and then learned that the system can’t simultaneously accomodate her PO box (curb and POB are in two different ZIPC, YMMV. I decided to leave the curb box as the ID address because if it doesn’t see any, non junk mail in the next 6 months, we will remove it.)
So I don’t claim the USPS acted on my suggestion but if they did it would be nice to get a thank you! LoL. (In just glad it is available and we can use it for one of mom’s addresses at least.)
For curb and POB, you need account for each, regardless of zip.
I just tried signing up. I have answered my own KBA questions correctly twice, and they have been unable to verify my identity. My choices are to click an Opt-In button to verify my identity in person at the Post Office, or to click Continue to try again online later. Perhaps they are already getting negative feedback and have “broken” the online KBA as the easiest way to avoid misuse?
Karl,
Did you freeze your accounts at the credit bureaus? If so, then you cannot authenticate online
I had the same issue as Karl, and if, as you say, it’s due to a credit security freeze, I guess that’s perhaps one more pro for a security freeze. Since, I figure if *I* can’t authenticate online, theoretically neither could a malicious actor.
I read the faq in one of the sites, EQ I think. And IIRC, it said the freeze doesn’t block authentication. Maybe I’m wrong on agency or it has changed in the fluidity of the current situation but I know I read this when I froze accounts on 9/9.
“Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.”
Except if I signed up for the service, I would know it was coming and could take it from the mailbox when it was delivered.
That would only be possible if you live in a location that predates neighborhood mailboxes with locks.
Thanks for the heads up! One more account to maintain mostly to block others.
1) IRS
2) Social Security Administration
3) E-Verify USCIS (your resume dates should match the I-9 system)
4) Three credit bureau (freeze)
5) Your health insurer (avoid extra mystery “dependents”)
6) USPS (so nobody can pounce on valuable mail/know your mail holds for out-of-town vacations)
Did I forget any?
You forgot one of the credit bureau. There are 4. Innovis is the smallest one but the freeze is free and easiest of the 4 to do online.
As far as I can tell, the e verify site is for employers only. I poked around a bit and didn’t see info there applying to employees.
Probably also useful if you want to intercept a check or new fraudulently obtained debit or credit card.
I don’t have an account with USPS, so am I safe from any abuse of informed delivery? Or can someone still try to sign up and impersonate me? Brian said the KBA info is being drawn from Equifax, but what if you froze all your credit bureau accounts, am I safe?
I have had credit freezes on all 4 credit agencies for several years. I just signed up for usps.com and Informed Delivery. To authenticate my identity for sign-up, they clearly had information from my credit report.
As for the flimsy questions you can use if you forget your password, select topics you aren’t involved in, and then make up an answer that doesn’t even answer the question. That would make these impossible for someone to guess based on other knowledge of you.
I was (probably still are) getting the emails for my old address/new owner. Marked them as spam.
I started using this service about a week ago. My postal mail is delivered to a mailbox on the side of the road. I like to know when important letters or packages are delivered to the mailbox so I can make sure they are picked up. As an example, my bank said they were sending me a new debit card. Although most of my postal mail is junk mail, I paid special attention to my informed delivery email to see if the debit card was being delivered. Another problem we have to deal with is misdeliveries. Misdeliveries of junk mail is a blessing. Misdeliveries of debit cards or checks is a serious problem. I would rather not test my neighbors’ virtue and patience. Hopefully, this service will reduce thefts and misdeliveries. To me, this service is very similar to the notification services offered by UPS and FedEx.
We get so much mis-delivered mail and packages that I think my local Post Office hires illiterate people to deliver mail.
Will a Security Freeze block the USPS KBA? It happened when signing up online for another Federal government account. The freeze had to be lifted for the KBA to work.
I now wonder if USPS is keeping a photo file of ALL delivered mail. Whether you sign up for the service or not, pictures are stored of all mail and only sent to you when you subscribe. This honeypot of pictures could be used by law enforcement and any purpose a hacker may find useful.
I believe they have been scanning the outside of all mail for some time now.
Yes but they don’t need to *store* the images! What happens with this huge database, who has access to it, how long is it kept? (It used to be expensive to keep unneeded bulk data stored but that isn’t much of an issue any more, unfortunately.) I’m surprised you didn’t raise these questions, Brian. Apart from that, thanks for the great work!
For those of you who may not know, the USPS has been scanning every piece of mail that goes through the system. This is primarily for law enforcement purposes. This came into being sometime after 9/11 and the mailing of anthrax to the National Enquirer and the US Senate. Law enforcement could request the scanned information. This is also subject to misuse, as Arizona Sheriff Joe Arpiao asked for USPS records on his opponents.
Its release to the public was probably prompted by the tracking information available online from FedEX and UPS. UPSP could thereby remain competitive, and possibly better.
Of course, just because we can do something doesn’t make it a good idea.
The USPS has been scanning mail for years but not for law enforcement purposes. The images were used to sort the mail by machine. When letter mail is processed in the cancelling machine, the machine not only cancels the stamp, it reads the name and address on the pieces to spray the bar-code on the front and an ID for the mail piece on the back. If you look at the back of the letter, you may see a Hot pink bar-code. In the event the mail piece can’t be read by the machine, image of the letter is transmitted to remote encoding site for a human to read the address and determine the delivery address bar-code. The next time that pieces is run on a machine, the ID tag on the back is read and the delivery bar-code will be sprayed on the front of the piece. When the mail piece reaches the mail processing plant for the delivery address, the delivery bar-code sorting machine reads the ID tag for informed delivery.
Law enforcement started using the images after the anthrax attacks to try and determine where a letter may have been mailed using the ID tag on the back of the letter. The tags have a number unique to the machine and the order the letter passed through the machine. This assumes the letter with the anthrax and the letters before and after may have mailed in the same collection box and came into the mail processing plant together. In which agents could contact the senders to determine where they mailed their letter.
A) read Joe’s comment about automation going on for decades already…
B) this goes back to the 80s, as part of the effort to track butt heads like the unabomber… and for automation
Sounds like having a freeze in place will prevent someone from setting this up. So glad I did this several years ago as suggested by Brian. Thank you, Brian!
You are wrong. I have had credit freezes in place for several years with all 4 agencies. I was able to sign up for this service through usps and all of the identity verification questions were from my credit–could tell by the topics.
What a great way to hasten the death of snail mail.
Correction: there are more than 30,000 USPS retail locations, not 3000. The notification “sent by USPS” is actually sent by a partner company – MyMove, formerly Imagitas, owned by Red Ventures. Piggy backing on the verification process used for changes of address would be extraordinarily easy.
I signed up a couple months ago. It took me five tries to answer the KBA questions. I had to wait a couple of days after every attempt. The KBA questions were mostly about my home (age, square footage, etc.), but every answer was wrong. I resorted to using Zillow to found a couple wrong answers. It finally worked when I answered all five questions wrong, but “correct”.
That said, I do love the service. I can see the incoming bills and payments in the morning, hours before the mail arrives in the late afternoon. I frequently have it all managed by the time I get the mail delivery. I no longer spend time in the evening doing that stuff. It works great while traveling too. And I can take screen shots and forward mail images to other people who need to know about a mailing.
Interestingly, I was enrolled to be eligible for this service without KBA; the key was that I had recently placed a temporary mail hold online, therefore they had associated the Email address with postal address.
I did need to request delivery of informed delivery notifications; they didn’t start that automatically.