A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting informeddelivery.usps.com.
According to the USPS, some 6.3 million accounts have been created via the service so far. The Postal Service says consumer feedback has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any mail being delivered while they’re on the road.
But a review of the methods used by the USPS to validate new account signups suggests the service is wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.
Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.
Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.
Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels — such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system.
“The whole service is based on a channel they control, and they should use that channel to verify people,” Swire said. “That increases user trust that it’s a good service. Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that.”
I also wanted to know whether there was any way for households to opt out of having scanned images of their mail sent as part of this offering. The USPS replied that consumers may contact the Informed Delivery help desk to request that the service not be presented to anyone in their household. “Each request is individually reviewed and assessed by members of the Postal Service Informed Delivery, Privacy and Legal teams,” the Postal Service replied.
There does not appear to be any limit on the number of people who can sign up for the service at any one address, except that one needs to know the names and KBA question answers for a valid resident of that address.
“Informed Delivery may be accessed by any adult member of a household,” the USPS wrote in response to questions. “Each member of the household must be able to complete the identity proofing process implemented by the Postal Service.”
The Postal Service said it is not possible for an address occupant to receive emailed, scanned images of incoming mail at more than one email address. In other words, if you wish to prevent others from signing up in your name or in the name of any other adults at the address, the surest way to do that may be to register your own account and then urge all other adult residents at the address to create their own accounts.
A highly positive story about Informed Delivery published by NBC in April 2017 suggests another use for the service: Reducing mail theft. However, without stronger authentication, this service could let local ID thieves determine with pinpoint accuracy exactly when mail worth stealing is set to arrive.
The USPS says businesses are not currently eligible to sign up as recipients of Informed Delivery. However, people running businesses out of their home could also be the target of competitors hoping to steal away customers, or to pose as partner firms in demanding payment for outstanding invoices.
Informed Delivery seems like a useful service for those residents who wish to take advantage of it. But lacking stronger consumer validation the service seems ripe for abuse. The USPS should use its own unique communications channel (snail mail) to alert Americans when their physical address has been signed up for this service.
Bob Dixon, the executive program director for Informed Delivery, said the Postal Service is working on an approach that it hopes to make available to the public in January 2018 which would allow USPS to send written notification to addresses when someone at that residence signs up for Informed Delivery.
Dixon said that capability will build on technology already in place to notify Americans via mail when a change of address is requested. Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 3,000 post offices nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.
If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.
“Part of coming up with a mail-based verification system will also let us do some additional notification that, candidly, we just haven’t built yet,” Dixon said. “It is our intent to have this ready by January 2018, and it is one of our higher priorities to get it done by then.”
There is a final precaution that should block anyone from signing up as you: Readers who have taken my advice to freeze their credit files with the four major consumer credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) will find they are not able to sign up for Informed Delivery online. That’s because having a freeze in place should block Equifax from being able to ask you the four KBA questions.
By the way, this same dynamic works with other services that you may not wish to use but which require you otherwise to plant your flag of identity to prevent others from doing so on your behalf, such as managing your relationship to the Internal Revenue Service online and the Social Security Administration. For more information on why you should get a freeze and how to do that, see this piece.
Update, 3:48 p.m. ET: Added bit about how a freeze can block someone from signing up in your name.
Update, Oct. 4, 11:01 a.m.: Several readers have written in to say that although the Postal Service says citizens can opt out of Informed Delivery at a specific address by contacting the Informed Delivery Help Desk, none of those readers have successfully been able to achieve this result. One reader forwarded a response from the Help Desk folks that stated emphatically, “I do understand your concern about fraud and theft but there is no way to make your home address ineligible for Informed Delivery.” No way, that is, except to register as every adult at your address, as stated above.
Besides this, how about the fact that anyone can put a mail delivery on hold for any address up to a specific amount of days without authorization. USPS really needs at least 1 person with the mindset to ask the ‘what if’ questions.
My 4 credit accounts were frozen at some point AFTER I had already made a USPS account for ordering stamps, etc. Today I found the Informed Delivery feature on my USPS account “dashboard” (online at usps.com) even though I had not opted in or provided additional ID info/verification. The only “option” I seem to have is whether or not to get email notifications for the info that is already available online at the website. (I found this option on the USPS Informed Delivery mobile app.)
I might note that WAY back I had made a USPS account, then apparently had forgotten about it, and subsequently registered another account for the same snail mail address using a different email account. I remember that I was alerted by snail mail that this had occurred, with instructions what to do if I thought it was fraudulent.
I used this service for a while but since I had long ago stopped mail delivery of any financial type mail I was down to seeing images of all my junk mail. This didn’t seem like a worthwhile use of my time so I discontinued the service.
Brian…I understand the concern about fraud, but could you briefly explain how fraudsters could use data extracted from Equifax servers to commit fraud? I’ve never been a victim of fraud so I’m not sure how it could happen in this case.
Not to mention the NSA now has a copy of all mail in the US now, too. How convenient…
uhh… wat? That is a stretch… so you think the NSA has a way to open every piece of mail, read its contents… that is what you wrote. I think if I concentrate I can see your image coming into view from my usps.com account… I see tin-foil…. yup… stylish!
*originally commented under wrong story*
Both my wife and I have signed up for this so it allows more than 1 user per address. I did not get a notification when she signed up, so don’t count on being the first to grab the account to guarantee safety.
Good to know. I was just about to ask this very question.
VERY VERY secure USPS. Way to go!
This is generally a terrible idea and terrible security. Not just the fact that the service can be abused.
It means the USPS is not just scanning all letters for automatic sorting but also *keeping copies of the scan* on some server, which are then compared to the list of consumers who have signed up, and sent by email. The email itself is unsafe. And what else happens with those scanned images, all stored in a database keyed by delivery address? Are they deleted immediately after use? Given the general lack of security awareness in the US, I doubt it.
Under European privacy law, in my understanding the whole setup would be illegal. Postal services are not allowed to store any data about the letters they deliver, that would be unauthorized data collection and a breach of mail secrecy. (This is similar to Telecom companies storing connection data. In Europe, the Telecoms must not by law store any more data than they absolutely need to fulfill their business purpose. However, there have been attempts to legalize preemptive data storage for law enforcement purposes, but the EU Court has ruled the law unconstitutional in 2014. https://en.wikipedia.org/wiki/Data_retention).
how strange that folks cannot understand that scanning for sorting (which has been done by USPS computers for DECADES) is being confused with reading the contents? This is information on the outside of the envelope! Information publicly available by viewing the envelope… not private… not illegal to view… and as far as “saving” the info? are you kidding? Have you seen Postal’s budgets… they can’t save these images longer than a month or two – the postal inspectors have to present probable cause within that time or else the image autotragically gets deleted… and anyway who cares if the outside of the envelope is kept by the folks who maintain the most up to date record of all addresses in the US (as well as many foreign countries)?
By that exact same argument, nobody should be complaining when the government accesses and stores only the “external” (metadata) info about our phone calls and emails. And yet we do complain, for very good reason.
And who cares if the USPS doesn’t have the capacity to store the info very long. If some nosy agency wants it, they’ll get it and store it themselves in very close to real time.
I have a freeze on my Equifax account (just checked it, in fact) and I still got the KBA questions and was able to sign up.
I attempted to sign up via the web site (I have a freeze on 3 credit companies). It asked relevant questions, but I apparently entered a “wrong” answer, so it refused to let me sign up. I now had to go to a certain USPS office in person. (So answering WRONG may be a way to lock out online requests). I went to the office, and they had NO IDEA what informed delivery was. They eventually figured it out, and I got enrolled.
I have credit freezes w all 4 agencies; I nevertheless tried signing up for informed delivery and was in fact asked KBA questions to validate my identity. However the end result was a notice that my ID validation attempt failed. The correct answer to some questions was “None of the above,” but a couple of the questions provided one correct choice — so, although I could not complete the process online, it did appear that Equifax or another agency indeed provided material for the questions — credit freeze notwithstanding. One of the questions was to identify the last 4 digits of my SSN– the choices included my actual SSN last 4 digits!(i.e., the list was not comprised of wrong choices plus None of the Above). And this with a credit freeze.
Incidentally, the system did offer me the opportunity to come to one of select post offices to verify my identity in person, using ID such as driver’s license, passport, and a barcode supplied by the website which must be brought to the post office. So perhaps one can sign up for informed delivery notwithstanding having 4 credit freezes– remains to be seen.
NJB: Good post.
My online experience w/ USPS mirrors yours EXACTLY.
FWIW, I already had freezes w/ all four CRIs + ChexSystems.
Post Equifax I added Fraud Alerts to all five as well. (Which I intend to renew quarterly)
I’ll report-back my in-person verification experiences.
I have a freeze with Equifax, Transunion, and Experian and still got the KBA, but I passed verification, and signed on the program.
we file change of address on October 10-2017 request start date October 12-2017 confirmation no, 1728-3900-0042-1010 how come the mail still coming October 12 October 13 and October 14 please we need answer asap
The scan is strong enough to make some letter contents legible, more so for a motivated interceptor such as the NSA or fraudster.