02
Oct 17

USPS ‘Informed Delivery’ Is Stalker’s Dream

A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.

The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting informeddelivery.usps.com.

Image: USPS

According to the USPS, some 6.3 million accounts have been created via the service so far. The Postal Service says consumer feedback has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any mail being delivered while they’re on the road.

But a review of the methods used by the USPS to validate new account signups suggests the service is wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.

Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.

Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.

Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels — such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system.

“The whole service is based on a channel they control, and they should use that channel to verify people,” Swire said. “That increases user trust that it’s a good service. Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that.” 

I also wanted to know whether there was any way for households to opt out of having scanned images of their mail sent as part of this offering. The USPS replied that consumers may contact the Informed Delivery help desk to request that the service not be presented to anyone in their household. “Each request is individually reviewed and assessed by members of the Postal Service Informed Delivery, Privacy and Legal teams,” the Postal Service replied.

There does not appear to be any limit on the number of people who can sign up for the service at any one address, except that one needs to know the names and KBA question answers for a valid resident of that address.

“Informed Delivery may be accessed by any adult member of a household,” the USPS wrote in response to questions. “Each member of the household must be able to complete the identity proofing process implemented by the Postal Service.”

The Postal Service said it is not possible for an address occupant to receive emailed, scanned images of incoming mail at more than one email address. In other words, if you wish to prevent others from signing up in your name or in the name of any other adults at the address, the surest way to do that may be to register your own account and then urge all other adult residents at the address to create their own accounts.

A highly positive story about Informed Delivery published by NBC in April 2017 suggests another use for the service: Reducing mail theft. However, without stronger authentication, this service could let local ID thieves determine with pinpoint accuracy exactly when mail worth stealing is set to arrive.

The USPS says businesses are not currently eligible to sign up as recipients of Informed Delivery. However, people running businesses out of their home could also be the target of competitors hoping to steal away customers, or to pose as partner firms in demanding payment for outstanding invoices.

Informed Delivery seems like a useful service for those residents who wish to take advantage of it. But lacking stronger consumer validation the service seems ripe for abuse. The USPS should use its own unique communications channel (snail mail) to alert Americans when their physical address has been signed up for this service.

Bob Dixon, the executive program director for Informed Delivery, said the Postal Service is working on an approach that it hopes to make available to the public in January 2018 which would allow USPS to send written notification to addresses when someone at that residence signs up for Informed Delivery.

Dixon said that capability will build on technology already in place to notify Americans via mail when a change of address is requested. Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 3,000 post offices nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.

If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.
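The mailed-code step described above, sketched as an added example (this is not USPS's implementation and not code from the original article): a one-time code is bound to the requesting username and the new address, works once, expires, and locks after repeated wrong guesses. The class name, code length, validity window and attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (hypothetical, not taken from USPS).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I: typed from paper
CODE_LENGTH = 10
CODE_TTL_SECONDS = 30 * 24 * 3600  # validity window for a mailed letter
MAX_ATTEMPTS = 5


def normalize_address(address):
    """Collapse case and whitespace so one address always maps to one key."""
    return " ".join(address.upper().split())


class MailedCodeVerifier:
    """Hypothetical verifier: codes travel by letter and are bound to
    (username, address), so a code is useless to any other account."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}  # (username, address) -> pending record

    def _digest(self, username, address, code):
        # Keyed digest: a leaked table does not allow offline guessing
        # of the short code without the server key.
        msg = "\x00".join((username, address, code)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username, address, now=None):
        """Create a code for the print-and-mail queue. It is never shown
        in the web session that requested it."""
        now = time.time() if now is None else now
        address = normalize_address(address)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[(username, address)] = {
            "digest": self._digest(username, address, code),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def redeem(self, username, address, code, now=None):
        """Return 'activated' only for the right account, address and code."""
        now = time.time() if now is None else now
        key = (username, normalize_address(address))
        record = self._pending.get(key)
        if record is None:
            return "no-pending-code"
        if now > record["expires"]:
            del self._pending[key]
            return "expired"
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]  # force a new letter after repeated guesses
            return "locked"
        candidate = self._digest(key[0], key[1], code.strip().upper())
        if not hmac.compare_digest(candidate, record["digest"]):
            return "wrong-code"
        del self._pending[key]  # single use
        return "activated"


if __name__ == "__main__":
    # Constructed sample data, not real accounts or addresses.
    verifier = MailedCodeVerifier(secrets.token_bytes(32))
    letter_code = verifier.issue("alice", "12 Example St, Springfield")
    print(verifier.redeem("mallory", "12 Example St, Springfield", letter_code))
    print(verifier.redeem("alice", "12 example st,  springfield", letter_code))
```
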

“Part of coming up with a mail-based verification system will also let us do some additional notification that, candidly, we just haven’t built yet,” Dixon said. “It is our intent to have this ready by January 2018, and it is one of our higher priorities to get it done by then.”

There is a final precaution that should block anyone from signing up as you: Readers who have taken my advice to freeze their credit files with the four major consumer credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) will find they are not able to sign up for Informed Delivery online. That’s because having a freeze in place should block Equifax from being able to ask you the four KBA questions.

By the way, this same dynamic works with other services that you may not wish to use but which require you otherwise to plant your flag of identity to prevent others from doing so on your behalf, such as managing your relationship to the Internal Revenue Service online and the Social Security Administration. For more information on why you should get a freeze and how to do that, see this piece.

Update, 3:48 p.m. ET: Added bit about how a freeze can block someone from signing up in your name.

Update, Oct. 4, 11:01 a.m.: Several readers have written in to say that although the Postal Service says citizens can opt out of Informed Delivery at a specific address by contacting the Informed Delivery Help Desk, none of those readers have successfully been able to achieve this result. One reader forwarded a response from the Help Desk folks that stated emphatically, “I do understand your concern about fraud and theft but there is no way to make your home address ineligible for Informed Delivery.” No way, that is, except to register as every adult at your address, as stated above.


125 comments

  1. Just another reason I’m thankful for having a PO box.

    • Surprise — you can sign up for informed delivery images for your PO box. But I suppose that unless someone has access to your key or knows your combination, it’s hard to steal mail out of it.

  2. Great information, I signed up for it, almost too easy, I did find it interesting they used my home address to get to my credit report without my ssn…..

  3. I went to sign up and it told me that I already had an account! So, the attackers got to them first and prevented me from signing up.

    • > attackers got to them first

      Not necessarily!

      If you ever signed up for a USPS account in the past, even many years ago, for instance to buy stamps or have free Priority™ boxes delivered to you, the account already exists – and Informed Delivery piggybacks on that.

  4. Andrew Rossetti

    I signed up for this service a couple months ago after I moved. I love the service, but can see how it could be abused. Makes hacking a USPS.com account a big deal. I actually have pointed this out to some of our users as a security mechanism to reduce the potential for mail fraud by keeping tabs on what’s being delivered while they’re at work.

    It also works for package delivery as it will notify you when a tracking number is created with your address as the destination. I believe UPS offers something similar through their My Choice program.

  5. I was able to sign up for the Informed Delivery service even though I froze credit at 3 of the 4 bureaus listed a few months ago. The only one I didn’t have it frozen for was Innovis, which I did today after finishing the article. Just wondering, since I confirmed Experian still had the freeze in place, why was I able to sign up for the Informed Delivery? Perhaps Innovis provides the answers??? Thanks.

    • USPS Informed Delivery does not involve a credit check, so a credit freeze has no effect on your ability to sign up for Informed Delivery.

      • Same here. 3 out of 4 (Innovis being the exception). I believe a credit freeze does not prevent anybody from signing up.

  6. I signed up for this and can confirm that a credit freeze prevents completion of the signup process online. Instead, I had to wait about 10 days for a confirmation letter from USPS and then take that to the PO along with my photo ID to complete the signup in person.

    Once I started receiving the daily emails, I noticed that not everything gets included. My emails only include images of regular sized letters (such as bank and credit card statements, utility bills, etc.). Anything that is larger, such as magazines or items in A4-sized envelopes, or thicker packages with books or CDs from AbeBooks or Amazon, or boxes from Amazon, doesn’t show up in my email scans.

    So far, I’ve seen one instance where the images of the letters being scanned were superimposed, as if they were stuck together in the sorting machine. Those letters, which included a birthday card from my sister, were never delivered and I presume they’ve been lost or destroyed. But at least I have evidence that an attempt was made to send me something!

    • I’m getting pics of the envelopes, not of magazine or flyers, but I’m getting emails about packages with tracking numbers and there is a tab on the webpage that shows tracking numbers and who sent the package.

    • @Peter

      You may have been a victim of theft by a postal worker and you should report this to the postmaster at the applicable post office or via the HQ number, even if there was not great loss to you.

      There are many cases where postal workers have been caught (eventually) opening letters with birthday or holiday greeting cards in hopes of finding cash, etc. within. This is especially true if the envelope is colorful or has any type of indication it is other than a standard letter.

      http://gantdaily.com/2014/05/15/postal-worker-accused-of-stealing-from-greeting-cards/

      http://archive.sltrib.com/article.php?id=3440743&itype=CMSID

      Here’s at least a link to a starting place to begin the search/report.
      http://faq.usps.com/?articleId=1449159866675

      • You only get images of LETTER mail that are run through the mail processing machines. Mail that has to be hand sorted, like magazines, newspapers (commonly called FLAT mail), bulky LETTER mail and flyers, is not run on LETTER mail processing machines. Packages or parcels will appear on the website because they have tracking numbers and have to be scanned at each sort operation.

    • Updating my own comment…The birthday card finally arrived, 22 days after I received the Informed Delivery email notice. It was hand delivered to me by a neighbor, and I guess it was delivered to the wrong address sometime in the last 22 days and eventually made its way to my door through the kindness of my neighbor. So there was no mail theft in search of cash, gift cards etc., just a mistaken delivery. The other items in the Informed Delivery message still haven’t been delivered, though. They looked like junk mail anyway, so I’m not worried about them.

  7. You could also point out that FedEx and UPS also let you claim your address and get notices that packages are going to be delivered. Takes the guesswork out of stealing your packages.

    These two are much less noisy than the USPS notifications.

  8. Typical… Put up something that seems good, but is fraught with problems and promise to fix it later. Thanks for nothing USPS. I accept no deliveries of anything at home. Gets rid of all the junk-mail too.

  9. I have a freeze in place at all 4 credit bureaus and was able to instantly sign up without any KBA. I already have an online account with USPS since I use it frequently to ship packages so that may have contributed to the ease in signing up. Clicked on Informed Delivery link above, took me to account login page, logged into account and clicked on link for Informed Delivery and that’s it. Done!

    • Agreed, my experience was the same. I have been receiving these daily emails for my address for several months, and, like CJ, I had an existing USPS account for shipping packages that led me directly to Informed Delivery signup, a no-brainer at the time. Sometimes we can get too much of a good thing, or seemingly good thing.

  10. I placed a freeze over a year ago with all four CRAs and although I was able to create an account, I was not able to enroll in Informed Delivery™ notifications. Curiously I was permitted to go forward and answer four or five pertinent questions that were moderately easy to answer. Only then was I rejected after answering the last question. I was able to attempt enrollment again (and again), and those second set of questions were also applicable to me. So the KBA data is there in advance of querying Equifax. Seems to me like another opportunity for hacking.

    In one set of questions, three were related to a past address, i.e.
    1) street number & name 2) city, and 4) county

    I was given the choice of In-Person Identity Verification and elected to go forward with that option. Subsequently, I was emailed a barcode that I must present at one of my local USPOs along with my state DL.

  11. Confirming what the article and several comments note:
    “Informed Delivery will enable you to receive digital images of the exterior of your letter mail each day via email or … ”

    One delivery option for the mail covers/images is email, often leaving the images vulnerable in transit through SMTP, and unencrypted at rest in the mail box. Even better authentication when service is initiated will not solve this problem.

    • +1

      Email is a huge weak link in this foolish “product” of the USPS. Anyone can see standard email in transit or in cloud storage. All the security of a postcard.

  12. Delilah the Sober

    I have an online USPS account (12+ years) and I’ve been using the Informed Delivery program for the last two months. It works for me. I totally love the aspect of being able to see the front images of my letter-sized mail pieces (doesn’t work yet for packages or anything larger than a standard business sized envelope) by 8 am on the day of mail delivery.

    A friend of mine was intrigued and signed up. Only to find out that “someone already requested this service for your address.” Someone from USPS eventually called her and explained that someone at her address had already requested the service but they weren’t able to tell her who that person was. The USPS has frozen her address so that nobody can use the service and the person she spoke with suggested that the anonymous requester may be in a lot of legal trouble, as far as potential mail fraud charges.

    Brian Krebs, I can most likely give you this friend’s contact information so that you could follow up with her and get more specific details, but I would need to check with her first.

  13. It concerns me that multiple comments cite having freezes in place, yet having been able to sign up for informed delivery. Are the freezes working? Have they been thawed without the consumer’s knowledge?

    I am also concerned that some with freezes in place report being presented with KBA questions yet are denied due to the freeze. Where is the information coming from? Isn’t a freeze supposed to prevent access to this information?

  14. I have opted to go paperless with most of everyone I do business with thank goodness. I don’t trust the USPS with statements or documents anymore. They can scan my junk mail all they want.

    • Documents and bills that fail to be delivered by postal service can be challenged by law. Purposeful interception of US mail is a crime.

      Claiming you didn’t get an email leaves you without recourse. And if it’s intercepted, you have no one to prosecute but a ghost.

      You’re a contrarian and a fool.

  15. The number of post offices in the US is not 3,000, it is more like 30,000.

  16. I have had an account for USPS mail hold for years. It appears this is (expectedly but not explicitly noted) used for part of Informed Delivery authentication. I also have credit freezes set at all bureaus so I failed initial setup and I’m in 72hr jail before trying again. I then added and verified my mobile number to my USPS profile but I need to wait to try. Will see how it goes in 3 days.

  17. I signed up a few months ago because mail thieves have been hitting our neighborhood. Plus, our revolving delivery people are totally unreliable, so I needed to keep on top of bill deliveries. Seems like a no-win situation all around.

  18. I got a negative first impression of USPS online a couple of years ago when I was setting up my account and they rejected my choice of password because it contained profanity.

    How could they tell it contained profanity except by reading the plaintext of my password?

    #SecurityFAIL!

    • Yes, the computer has your password in plaintext when you transmit it to them. It does this so it can apply rules to that plaintext, usually in the form of “at least 8 characters” and “both upper and lowercase characters”, but occasionally against a dictionary of known cracked passwords (including profanity). It needs the plaintext to do that. Even the most security conscious websites do this. Once it has finished with that, it should hash the password and store the hash in long term memory while discarding the plaintext password from ephemeral memory.
      What you have described isn’t a security fail on the part of USPS.
      You should obtain a password manager that will generate random, per-website passwords for you that won’t include easy-to-guess passwords like profanity.

    • That verification for password strength/complexity/etc was most likely done client-side, so it’s not as if they have the password in cleartext on their end.

  19. The informeddelivery[dot]usps[dot]com site requires that you ENable Javascript in your browser. Bad form; very bad form.
    Too much malware is reliant on Javascript to perpetrate its nasties, so I just keep it DISabled all the time.

  20. Everyone noting they have credit freezes, that has nothing to do with the verification process the post office, UPS or FedEx uses

    They are using the Knowledge-based authentication service likely from Equifax

    That’s not an inquiry against your credit file, so a freeze isn’t going to prevent any company from using KBA

  21. Great article Brian. Just rushed to sign up for this to be first to do so (before someone else does in my name).

    Have credit freezes, gave me a KBA challenge, but didn’t like my answers. Brian, please verify with USPS how they authenticate (which bureau, if they do a credit pull).

    My response ended up telling me to pick a nearby post office for personal identification. This is what they should use period, with no ability to complete the process online!!!

    • That’s not how it works. Any number of people can sign up to receive informed delivery of your mail, as long as they can answer the authentication questions. And you don’t know how many people are receiving the info.

      • Do we have proof of this? Does this work as an account under each name in a family, one per name or does this system authenticate even with differing names, other than those of recipients?

  22. I live in an apt building in Manhattan. The info provided to me by USPS reflected the contents of my neighbors’ mail. All 40 of them. Very intrusive and clearly marketing had the vote over security on this project.

    Thanks Brian. Great insight as always.

    • I too live in a Manhattan building, with over 100 apartments, and Informed Delivery only shows me mail for my apartment. But it’s not just mail to me, it’s everyone: my wife, my three non-resident kids, and more. Delivery within the building is often erroneous (I get neighbor’s mail and vice versa), Informed Delivery seems more accurate than the actual delivery.

  23. In Switzerland enrollment for the same service is pretty secure but with a high initial effort – which I personally don’t find a bad thing

    1. Sign up online – create UserID & Password
    2. Receive confirmation code to set up SMS 2FA by Snail Mail via separate channel
    3. Visit your local post office to identify with official documents e.g. passport, ID card (which costs you 30$).
    4. Service is activated

    Don’t know if the USPS service also allows this but in Switzerland we are able to also receive the content of the mailing in digital form if requested (for a price).

    • This comment made me curious. The service is called E-Post Office. The explanation is confusing but it seems that customers can choose whether they want to receive mail from participating businesses on paper or electronically. E-Post Office can act like a special email account so the recipient can directly respond to the sender. I don’t quite see the point since one can opt for e-billing from almost any company. But the Swiss designers certainly have thought much harder about data protection and privacy than the USPS (as is their obligation).

      https://www.post.ch/en/customer-center/all-online-services/epof/e-post-office/info

  24. I moved, filled out the move docs, was notified that my account for informed delivery will be suspended, but 6 months later, I still get scanned email for the new tenants… no way to get off the damn service since they cancelled my account. Was simpler to just add an email rule to send to trash…

  25. Just verified that any random name can be used to create a USPS account for your address. And if that name is someone who was ever associated with your address then that will be captured in Equifax’s database. This means that a crazy ex spouse or other previous resident can set up Informed Delivery by answering the questions about her/himself pulled from Equifax. The credit freeze on your name doesn’t block this.

  26. They may contact these credit agencies for something, but I always answer nonsense for KBAs treating them like passwords. Equifax is never going to confirm that I was born in Qvertkyx. Seemed to work for this.

  27. Below is a copy of my conversation so far with USPS trying to proactively opt out of this service. No dice 48+hrs later…

    —–

    Customer By CSS Web (10/02/2017 XX:XX XM)

    I am requesting that scans of mail for our address, XXXXX, not be available for any accounts. I work in the loss prevention and security fields, and have been a target of identity theft in the past. Please note that no one that legally resides at this address has created a legitimate account with your service to view scans of mail. Thank you.

    Auto-Response By (10/02/2017 XX:XX XM)

    Dear valued USPS® customer,

    Thank you for contacting the United States Postal Service. A customer service representative will respond to your inquiry shortly.

    Response By Email (10/03/2017 XX:XX XM)

    Dear XXXXX,

    Thank you for contacting the USPS® Internet Customer Care Center.

    If you have not signed up for the Informed Delivery service, you should not be receiving scans of mail for your account.

    If you have any additional questions or concerns, please contact us again.

    Thank you for emailing your Postal Service™,

    USPS Internet Customer Care Center

    Customer By CSS Email (10/03/2017 XX:XX XM)

    I want to make sure that no scans are available to any future accounts created for my address – XXXXX. My concern is that a fraudulent account could be created by a thief in order to view incoming packages and facilitate interception of mail to our street address. I appreciate your response to this concern.

    Subject: Response to your inquiry from the Postal Service
    Response By Email (10/03/2017 XX:XX XM)

    Dear XXXXX,

    Thank you for contacting the USPS® Internet Customer Care Center.

    If an account was made with your address, to get Informed Delivery, you have to go through an Identity Verification Process, so someone could not just access your mail images by simply signing up for a new account.

    If you have any additional questions or concerns, please contact us again.

    Thank you for emailing your Postal Service™,

    USPS Internet Customer Care Center

    • same here. USPS no help at all. see transcript:

      Subject: Response to your inquiry from the Postal Service

      Response By Email (10/04/2017 10:18 AM)
      Dear XXXXX,

      Thank you for contacting the USPS® Internet Customer Care Center. The Postal Service™ does not maintain address lists of individuals and/or organizations. The only address information we maintain are customer change of addresses.

      All emails from the Postal Service originate from our mail system and the contents are strictly images of the mail associated with your delivery address. For consumers that use Informed Delivery®, we use the email registered on their usps.com® profile. Email messages will be sent from USPSInformedDelivery@usps.gov.

      You may also choose to contact your local Consumer Affairs and Claims Office. Phone numbers for local Consumer Affairs and Claims Offices are listed in your telephone book with other U.S. Postal Service® numbers.

      Below, I have included the mailing address of the main office:

      United States Postal Service
      Policy and Program Development
      USPS – HQ
      475 L’Enfant Plaza SW
      Washington DC 20260-0004

      If you have any additional questions or concerns, please contact us again.

      Thank you for emailing your Postal Service™,

      USPS Internet Customer Care Center

      Customer By CSS Email (10/04/2017 08:50 AM)
      No, I don’t have an account, and I don’t use email for this. I want to opt my home address out of the informed delivery system. I consider that system to be a gross breach of proper computer and privacy practice.

      Please tell me how to opt out my home address from any and every notification related to “informed delivery”

      Thanks,
      XXXXX XXXXX

      Response By Email (10/03/2017 06:20 PM)
      Dear XXXXX,

      Thank you for contacting the USPS Internet Customer Care Center.

      We understand that you wish to unsubscribe from email notifications from your Informed Delivery account. In order to do so, please uncheck the Informed Delivery Check Box on your account page, OR click the Unsubscribe link at the bottom of an email notification you’ve received from Informed Delivery. Your email notifications should cease within 1-2 days of unsubscribing. If you continue receiving notifications beyond the 2 day period, please contact us again.

      Thank you for contacting your Postal Service,

      USPS Internet Customer Care Center
      Auto-Response By (10/02/2017 06:13 PM)

      Dear valued USPS® customer,
      Thank you for contacting the United States Postal Service. A customer service representative will respond to your inquiry shortly.

      Customer By CSS Web (10/02/2017 06:13 PM)
      I want to opt out of informed delivery. There is no way _anybody_ on the internet needs to view images of my mail.

  28. IRS rewards Equifax with multi-million dollar fraud-prevention contract after massive data breach

    the Internal Revenue Service (IRS) still awarded the company a multi-million dollar contract on September 30 — the last day of the fiscal year — to “verify taxpayer identity and to assist in ongoing identity verification and validation needs of the Service.”
    http://www.politico.com/story/2017/10/03/equifax-irs-fraud-protection-contract-243419

  29. Recently the Informed Delivery app is requiring authentication when a new version is installed. Should be good right? Depends. It asks you to authenticate with an SMS code, but it asks you to input your mobile phone to receive the code. Say what? I have not tried to input a phone number not associated with my account yet. Hopefully there is a test for that before they send the authentication code. If not, it is a major security flaw.

  30. I received an email with a unique authentication code and link to opt in to Informed Delivery. There were no questions!
