In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn’t at that point set up to use its own unique communication system — the U.S. mail — to alert residents when someone had signed up to receive these scanned images.
The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed “Informed Delivery,” includes a scan of the front of each envelope destined for a specific address each day.
The Postal Service says consumer feedback on its Informed Delivery service has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any bills or other mail being delivered while they’re on the road. It has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide. U.S. residents can find out if their address is eligible by visiting informeddelivery.usps.com.
According to the USPS, some 8.1 million accounts have been created via the service so far (Oct. 7, 2017, the last time I wrote about Informed Delivery, there were 6.3 million subscribers, so the program has grown more than 28 percent in five months).
Roy Betts, a spokesperson for the USPS’s communications team, says post offices handled 50,000 Informed Delivery notifications the week of Feb. 16, and are delivering an additional 100,000 letters to existing Informed Delivery addresses this coming week.
Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.
If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.
A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.
Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.
The USPS told me it uses two ID proofing vendors: Lexis Nexis; and, naturally, recently breached big three credit bureau Equifax — to ask the magic KBA questions, rotating between them randomly.
KrebsOnSecurity has assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
It’s also nice when Equifax gives away a metric truckload of information about where you’ve worked, how much you made at each job, and what addresses you frequented when. See: How to Opt Out of Equifax Revealing Your Salary History for how much leaks from this lucrative division of Equifax.
All of the data points in an employee history profile from Equifax will come in handy for answering the KBA questions, or at least whittling away those that don’t match salary ranges or dates and locations of the target identity’s previous addresses.
Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, anyone able to defeat those automated KBA questions from Equifax and Lexis Nexis — be they stalkers, jilted ex-partners or private investigators — can see who you’re communicating with via the Postal mail.
Maybe this is much ado about nothing: Maybe it’s just a reminder that people in the United States shouldn’t expect more than a post card’s privacy guarantee (which in can leak the “who” and “when” of any correspondence, and sometimes the “what” and “why” of the communication). We’d certainly all be better off if more people kept that guarantee in mind for email in addition to snail mail. At least now the USPS will deliver your address a piece of paper letting you know when someone signs up to look at those W’s in your snail mail online.
I don’t think any of you know how hard it is to work at the post office I have worked there for 20 years you have no idea what it’s like there are a lot of good people working there and we work very hard never enough people some of us work 12 to 14 hours in a day standing in every kind of weather so before you sit there and complain why don’t you try doing the job just once then you might understand of course mistakes are made but you truly have no idea
Lynn is spot-on. Since I’ve started working at home, I’ve seen my local USPS letter carrier slog through two feet of snow, anvils-and-axe-handles rain, and 100-degree heat, as well as nice weather.
And all to bring me and my neighbors supermarket flyers and bills, and occasionally an announcement of a relative’s wedding or something good.
Every interaction, without exception, I’ve had with USPS people has been positive. That’s in the PO, or in the big building in the industrial park, or on the street.
Here’s something to try next December: thank your mail carrier for doing a good job during the Christmas rush.
Tipping or providing a gift to a postal employee is a form of bribe, a felony.
Same goes for other government and government-adjacent employees, like garbage collectors and your kid’s teacher.
Reader, I think you may be confusing those who are reading this thread. While bribery IS a felony, giving a postal employee a gift card (not cash) from a single store up to a value of $20 is allowed. If I give my letter carrier a $20 Best Buy gift card, no laws OR policies are being violated.
I think the USPS does an amazing job. I would pay $1.00 per stamp. When you realize what you get for that postage stamp – they take your letter and literally deliver it ANYWHERE in the US – it’s a great value and its an amazing service.
I think it’s awful that congress held the USPS’ retirement system to a higher standard than it holds the rest of America, and that is what keeps the price of postage going up. However, postal workers can also be a lot more sure of their retirement funds availability than can other employers’ future pensioners.
They must charge extra for punctuation at your post office.
Must not be a requirement to have much of an education.
♪♫♪ You may run on for a long time… ♪♫♪
https://www.youtube.com/watch?v=anjdacZhyno
Awww, I’m so sorry you feel that because you’re overworked you should be allowed to make mistakes that compromise the safety and security of my mail. By all means, please feel free to not take or accept responsibility and soon you will be out of a job when the USPS is finally privatized and sold to a more efficient company.
I received a scan on February 13, 2018 for 11 letters. I have not received any. I have called the post office and get the run-around for the morning and afternoon supervisors. They take my number and never call back leave me on hold for 10-15 minutes until I hang up. Some of the mail was important and sensitive. I have made a complaint with the postal general and still nothing. Where’s my mail??? What do I do?
That’s actually a good point that I hadn’t considered: That this service provides a window into their incompetence and at least lets you see where the system has broken down (after the scan).
Good point. But say someone in the neighborhood stole all that mail from your mailbox that day and opened it and destroyed it. No eyewitnesses or cameras around. What could the USPS do?
In the US, check with the Postal Inspection Service.
https://postalinspectors.uspis.gov/
Above each scan, there is a box or link that you can check which says, “I didn’t receive this mailpiece.” Now, while that may not do anything about THAT particular item, it does help the USPS identify trends and patterns so that they can improve their practices.
USPS fails to deliver mail even with this service. I personally mailed a birthday card last august and has failed to reach pèrson i mailed.
This is another waste of money from the USPS. You have to pick up the mail anyway. Just go get it! Now if we could just delete the mail we don’t want digitally, then we got a winner!
That would be awesome.. it would save SO much wear & tear on my shredder!
That would be seriously awesome.. It would save so much wear & tear on my shredder it isn’t even funny!
I’ve actually surprisingly never had that happen in like 30 years.. I’ve told people stuff was in the mail when it wasn’t, sure, but if it was it always got there – although sometimes like mailing to relatives in the middle of nowhere, PA it might take a week when I can get a letter across the country in 2 days..
Oops.. wrong reply button clicked I guess 🙁
Counterpoint:
My dad and I were fishing for a week up on Prince of Wales island, SE Alaska.
We went to a little general store/tackle shop/greasy spoon on Sunday, to get a King stamp.
Dad and mom’s 50th wedding anniversary was the following Wednesday (mom is very understanding!) so we decided to send mom a happy anniversary postcard.
Before we finished shopping, the gal behind the counter pointed out that our postcard was already leaving on “that float plane taking off out back”.
Mom got the postcard, in Orange County, CA, on Tuesday.
Damn good service for 35¢
Yet another method that the government uses gather information about each of us. It is sold to us as a “service” when if fact it is a method to trace communications. The sheeple taxpayers love paying for this stuff. Don’t get me started on the personal DNA tests and genealogy web sites. The government thanks you for contributing to their databases.
Seriously, it’s not the government you need to worry about even if they ARE collecting your data.
It’s COMPANIES who buy and sell that information on you that should concern you – the companies, corporations, and big-money donor special interests that OWN the government that want to profile and market to you and people like you…
It won’t be long and you’ll be getting targeted ads for accessories to go with your tin-foil hat…
Umm.. they’re collecting this anyway, and have been for years. They’re not trying to “sell” us a service – for free – just allowing us access to what they’ve already got.
So have any pre-existing subscribers gotten their remedial notice yet, and if so, did THAT letter show up in Informed Delivery beforehand? Seems like that’s kind of important to know…
I love this service because my husband would get the mail and hide it from me. I would find it under the door mat, etc. Or he would put mail on hold and pick up at the post office and not show me. I would have to call the Post office almost everyday and ask if my mail was on hold. Now I know what’s coming to the box or on hold, etc without calling the post office. It puts my mind at ease.
Doesn’t sound you are focusing on the real issue.
Does the notice they send you about turning on the feature also get scanned? If so, wouldn’t a thief be alerted when to intercept it?
I was wondering that myself but seeing as I’m supposedly getting no mail at all according to this system I guess I’m not gonna be the one who finds out 🙂
Curious that their web site says that my zip code (94121) is eligible for this service; but when I try to sign up, it says that the address is not eligible for the service.
Take a look at the Q & A on the page that Brian linked to. One of them is the same as yours and is answered..
Leave it to the USPS to do something half-assed like this. I would expect nothing less from an employer who drives away their best hires.
“…credit card apps that where just ploys to update a credit bureau database… ”
Equifax sells people’s database data to mail marketing printers, according to one national printing website. After doing some checking of a unique address of mine with the three main credit bureaus (miners of addresses for marketing), I highly suspect Experian does too.
What are people’s experience of receiving this non-business relationship marketing after placing credit bureau freezes with all the main credit bureaus?
This service rocks. I now only shovel the snow by the mailbox when the USPS is delivering mail I actually want!
LMAO – Yes! I knew I wasn’t the only one who did this!!
If I sign up for this service from the USPS, will that prevent someone else from signing up for mail notifications for my mail?
From the looks of it, no – at least as long as they use a different e-mail address and it might possibly require at least a different first name, but from my read, it’s supposed to notify you of all mail going there regardless of the addressee, but you do have to pass their knowledge-based questions they pull from the credit files – although everything it asked me about me probably could have been looked up on the net easily enough with a Google search in another tab without even having to resort to a hacked database.
It hasn’t notified me about anything though and there’s been mail in the box every single day. If I login and try to see what’s on it’s way on their website it just shows 1 package delivered last week. I guess there’s a few kinks to be worked out in the system.. if it’s done at the local post office that doesn’t surprise me, These guys/gals are so overworked I’ve seen them go as far as having to use their own cars, scanning something as delivered and dropping it off like real late on the way home or on their way in the next morning real early, etc..
Forgot to add about that last paragraph… so I’m not too worried about anyone else getting any info either. At least not yet.
Well at least I know nobody is gonna find out anything about my mail – I signed up for it figuring it would be useful and so far the only notification I got was a package that was delivered last week!
Funny thing is that you don’t actually even need to answer those questions to sign up. A document that insurance is registered to that address is sufficient. So you show up with an ID with your name and car insurance for that address and you’re registered.
I did this after I couldn’t get my PO Box registered because it wasn’t on my credit report. Sending a postcard or requiring the use of a postcard to register would at least be the minimum I’d expect.
They also don’t bother using the fact that I purchased my box online as evidence of the address, which is even more weird.
They must add an Opt-out choice to NOT make images of my mail available online to anyone at anytime, ever.
Also, where are the images stored, how long are they retained, how are they protected from unauthorized access, who is given access, are the images routinely or otherwise shared with other government agencies (IRS, ICE, EPA), etc., etc.
This pre-delivery mail/pkg scan notification along with USPS texting of package tracking and delivery confirmation has upped my mail/pkg security and tracking situation immensely. yeah there might still be some security exposure but its far far better than years before.
In addition to seeing the mail delivery scan day before I also get a USPS text msg the minute a package is delivered and look out my window and can see the mail carrier driving away, its that fast where I live. If a high value package, or mail (credit card, etc.) is then sitting in my mail box out by road I walk right down to mail box and pull it before a drive-by mail thief can even think about stealing it! If its not there, I know it was in all likelihood inadvertently mis-delivered to a neighbor’s mailbox (has happened twice over last couple of years). Overall, a pretty nifty service considering what it used to be like…
A few years back I bought a product off eBay that was in a larger package than expected and did not fit in our extra large mail box. Carrier attempted to deliver but gate was locked and forgot to leave an attempted delivery notification. After a weeks time went by with no delivery I went round-and-round with seller…him saying it was shipped and me saying its not here and threatening to file eBay dispute. Only resolved when I went in person to Post Office with a tracking # that seller later provided and asking Post Office what happened to my package? “Oh we have had it here for almost 2 weeks we were about to send it back to shipper, I guess mail carrier didn’t notify you of the initial attempted delivery”.
Boy, I’m glad those tail chasing days are gone!
USPS Also has to send notifications for somebody else tracking your mailpieces … what you say
Does anyone know if you need to do a temporary lift on an Equifax credit freeze before applying this service? I would assume so but didn’t want to do that until
I was certain that is necessary. Please advise. Thanks!
This service is so ripe for fraud, that it should only be available by in-person sign-up, with photo I.D.
The same goes for changes of addresses.
Actually working at the post office is quite difficult, without a doubt!
I just found out that my neighbor has been getting this service for quite a while. Problem is, he is being sent pictures of MY MAIL!He says he never requested it. It just started coming to HIS eMail! I feel totally violated. Especially since I have no idea how long this has been going on.
Now, how do I get this stopped?
I just signed up for informed delivery, and they required that I verify my identity by visiting a post office in person and presenting both my government ID and a barcode that the USPS generated specifically for me. The process involved a USPS employee scanning the barcode, scanning the barcode on the back of my government ID, and asking me whether I still lived at the address printed on the front of my government ID; I said yes. The USPS employee then printed out a small receipt with a confirmation number on it, and wished me a nice day.
As I drove home I realized that I could have been asked to supply a fingerprint, in addition to the barcode and government ID. This might have given the government an additional means to identify me in the future, namely a fingerprint, useful throughout my entire lifetime and possibly beyond. Here I am requesting to be identified with something I am, have and know — I’m not enabling Big Brother, because in this case I determine that it works for me — and they missed a golden opportunity to glean some valuable data about me.
I know the DMV requests a fingerprint, but that’s a state agency.
Thanks a lot for sharing this with all of us you actually
understand what you’re talking approximately! Bookmarked. Kindly
additionally discuss with my website =). We will have a
link exchange agreement among us