26 Feb 18

USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online

In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn’t at that point set up to use its own unique communication system — the U.S. mail — to alert residents when someone had signed up to receive these scanned images.

The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed “Informed Delivery,” includes a scan of the front of each envelope destined for a specific address each day.

The Postal Service says consumer feedback on its Informed Delivery service has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any bills or other mail being delivered while they’re on the road. It has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide. U.S. residents can find out if their address is eligible by visiting informeddelivery.usps.com.

According to the USPS, some 8.1 million accounts have been created via the service so far. On Oct. 7, 2017, the last time I wrote about Informed Delivery, there were 6.3 million subscribers, so the program has grown more than 28 percent in five months.

Roy Betts, a spokesperson for the USPS’s communications team, says post offices handled 50,000 Informed Delivery notifications the week of Feb. 16, and are delivering an additional 100,000 letters to existing Informed Delivery addresses this coming week.

Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address.

If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.

A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.

Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.

The USPS told me it uses two ID proofing vendors: Lexis Nexis and, naturally, recently breached big three credit bureau Equifax — to ask the magic KBA questions, rotating between them randomly.

KrebsOnSecurity has assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

It’s also nice when Equifax gives away a metric truckload of information about where you’ve worked, how much you made at each job, and what addresses you frequented when. See: How to Opt Out of Equifax Revealing Your Salary History for how much leaks from this lucrative division of Equifax.

All of the data points in an employee history profile from Equifax will come in handy for answering the KBA questions, or at least whittling away those that don’t match salary ranges or dates and locations of the target identity’s previous addresses.

Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, anyone able to defeat those automated KBA questions from Equifax and Lexis Nexis — be they stalkers, jilted ex-partners or private investigators — can see who you’re communicating with via the Postal mail.

Maybe this is much ado about nothing: Maybe it’s just a reminder that people in the United States shouldn’t expect more than a post card’s privacy guarantee (which can leak the “who” and “when” of any correspondence, and sometimes the “what” and “why” of the communication). We’d certainly all be better off if more people kept that guarantee in mind for email in addition to snail mail. At least now the USPS will deliver your address a piece of paper letting you know when someone signs up to look at those W’s in your snail mail online.

107 comments

  1. If I signed up for this service last year when it was first offered and someone signed up to ALSO receive scans, does the USPS send scans to both emails or just me? Also, are they going to be telling everyone or allowing me to see on my account page WHO is getting scans of my daily mail? This article is a bit confusing as to how the “new” service will alert me if someone else requests scans of my mail. Is that only for NEW users or for those of us who already have the service or for only those people who have not signed up for the service? How does the USPS contact someone BY EMAIL who has never signed up for this service but someone else has in their place?

    Very confusing how they plan on mitigating the risk.

    • Quid_est_veritas

      You could test out if this is possible by trying to sign up again using information from another member of your household or a different email address.

    • They are notifying people by MAIL not by email if someone signs up to receive scans of the mail for that address, regardless of who is living there.

      But I do see A LOT of potential flaws, but maybe those are just details not included in the article? Especially when it comes to notifying current users.

  2. “Informed Delivery,” does not include a scan of the back of each envelope nor does it currently deal with packages although there appear to be hooks in the system for future tracking of packages:

    Informed Delivery allows you to view greyscale images of the exterior, address side of letter-sized mailpieces and track packages in one convenient location.*

    * Images are only provided for letter-sized mailpieces that are processed through USPS’ automated equipment

    • I can second this. I signed up for the pilot program in Queens, NY about two years ago, and I believe I only ever got envelope fronts. On the other hand, the capabilities and features may vary from region to region. Also, they might only include envelope backs when they detect something relevant there, like the return address.

    • I signed up for this service last summer, and at least in my zip code it does include package tracking information and notifications as well, though the package tracking is just the tracking number and related info and NOT a scan of the actual package. I also only get the front of the envelopes, which is how I hope it stays 🙂

    • I receive notification by USPS on all packages that have a tracking number!

  3. Hmm? I thought I was signed up at USPS (dot) com, but I never requested or received those kind of shipping notices, so maybe I’m good – on the other hand maybe I’m getting confused with Stamps (dot) com, which is actually an independent company.

  4. How would [or would it?] this apply to those of us who have a P.O. Box mail designation at their local U.S. Post Office station? I’m not speaking of those personal mail boxes, like the “P.O. Box’s R Us” types, you see in strip malls and elsewhere.

    Thanks Brian, for continuing to educate those of us who were born in the early to middle part of the 20th century!

    • Yes you can sign up to get your PO Box mail but it has to be a separate account using a different email address if you have one to the street address

  5. So they send you a notice, by mail, that someone signed up. Ne’er-do-wells can see this notice coming as well, Right?

  6. Considering the USPS employs only criminals, this is a laughable service. I have a rented mailbox from the USPS that is IN a government building with bulletproof glass and cameras in the lobby – there are cameras every where BUT_FOR where they’re needed most – in the mail sorting area where the employees handle the mail. I’ve had several parcels with tracking number stolen directly FROM the allegedly secured USPS. And the complaints I filed -that I had to jump through numerous obstacles erected by the USPS that took about a month to file- mysteriously disappeared. Poof. USPS: Employing illegal aliens/criminals and protecting them at YOUR expense should be the new tag line.

    • Prattle On, Boyo2

      USPS has cameras everywhere fyi, including every DC. Don’t try spreading fake news because you had a bad experience(s).

    • I’m a postal worker at a major distribution center. Not only are there cameras on the workroom floor but also overhead spy tunnels where postal inspectors can view the workroom floor without anyone knowing they are there. Also, if you steal mail, you’re fired.

  7. Envelopes with new credit and debit cards are easily recognizable and even though they need phone activation these days I’d rather not have some third party know when they are showing up.

    I’m at a loss to understand why government agencies are not charged with doing in-depth security evaluations of everything they do and every change they make.

    Years ago I was applying for Social Security and there was a sign on the wall at the SSA office that said, “We don’t return forged documents.” I asked the agent about it and she said that they get loads of forged documents from people trying to cheat the SSA.

    “Do you turn the cheaters in to the FBI?”, I asked. No, she said, but at least we don’t give them the documents back.

    Well, their attitude from this to Medicare Fraud to Telemarketing hasn’t changed a bit. Asleep at the switch.

    • If you register a business in any of 3 states:
      Nevada
      Wyoming
      Delaware
      that you don’t live in and make $$ in, you have no right to answer the question.

      The problem is businesses bankrupting the government with their offshore accounts!

  8. I’ve noticed in some of my scanned envelopes, a bit of the contents inside are exposed, even when using security envelopes. Not totally recognizable but enough characters to distinguish some things. I was kind of surprised to see that.

  9. Interesting. The question is how many people will ignore that little piece of paper with the notification when they receive it in their pile of junk mail?

  10. Hummm, I’ve had several pieces of mail that never got delivered. Used the report missing mail option and absolutely no response. BFD to the USPS.

  11. Another gov’t funded convenience for fraudsters. Since Amazon is now using USPS for “last mile” deliveries, perhaps we can hope that some day Amazon will swallow up USPS and we’ll actually have market driven service (not perfect, but at least tech savvy and responsive). Think how much money we’d save in the millions USPS loses every year!

    • Almost all of the investment and ongoing cost in this system came out of the DHS budget post 9/12. The interface to send the stored scans out to the recipient was comparatively trivial.

      • You must be young. The USPS has been doing that for decades. And the cameras on every one of their mailtrucks, where do you think Google Maps got their idea from?

    • Prattle On, Boyo2

      Not one cent of US taxpayer money goes to the USPS. It is the only 100% self sustaining agency in the federal government. It wouldn’t be losing any money had Congress not required them to set aside millions of dollars for future retirees, which Congress doesn’t require of any other federal agency.

      • From the USPS FY2017 report:

        “Similar to the last several years, the Postal Service was unable to make any of the payments that were due to the federal government at the end of the fiscal year, which amounted to approximately $6.9 billion in 2017, to pre-fund pension and health benefits for postal retirees.
        “Making the payments to the federal government in full or in part would have left the Postal Service with insufficient liquidity to ensure that we will be able to cover our current and anticipated operating costs, make necessary capital investments, and absorb any contingencies or changes in the marketplace,” said Chief Financial Officer and Executive Vice President Joseph Corbett. “We will continue to prioritize the maintenance of adequate liquidity to ensure the Postal Service is able to perform our primary mission of providing universal service to all Americans.””

        This my friend is a reverse subsidy. If the USG doesn’t go after the USPS for what they should be paying them, then the USG is funding the USPS through subsidy.

  12. So, it appears I’ll have to register to prevent someone from registering for me. Great.

  13. Does the Postal Service routinely scan everyone’s mail? Or do they only scan and retain it IF the customer signs up for this service?

  14. Very good service but it should also include oversized envelopes and packages getting delivered. On a negative note. It scans junk mail, as well. Yet to see foreign incoming Air-Mail scans or Registered letters. In Milwaukee area this device includes sorted mail as of 8:00 AM but my mailman delivers it after 2 PM, sometimes after 4:00 PM.

  15. Michelle Gagliano

    I like this feature. However like today it said i would get 5 pieces of mail..saw what they were and i only received 3 pieces..this happens all the time..usually the next day i get the other mail..just thought that was weird

  16. 15 pieces of mail missing since the first of the year. All credit card checks and credit card envelopes. USPS notified. Nothing done. Informed delivery is bitter sweet for the post office.

    • Quid_est_veritas

      George, You will need to “opt out” to stop receiving those unsolicited blank checks from your existing CC companies and new CC offers.

      https://www.optoutprescreen.com

      I have done it and it works and will show up on one’s credit report as having opted out.

      However, you will have to enter PII including SSN, but you can alternatively US snail mail a request to each of the credit bureaus. Which option you choose and the directions to do so are on the second page.

      • That’s a dicey enough looking website that I had to do some snooping around with dig, geoiplookup and whois. At least the servers are in the USA. I guess what made me cautious was the “Norton Secured” logo, LOL. I’d use certified mail…

  17. If they were smart, they would charge for this service. I would gladly pay $5/mo (annual, up front) possibly even $10/mo.

    Sadly, I cannot even activate it regardless. And the PO that has my box has nothing to do with the ID process.

  18. Not on this topic – but I don’t see where else to suggest a useful review by Brian.

    –> Is running as “Standard User” under Windows still of any value?

    Following traditional recommendations, I do it even on machines I own. But the more I browse the white hat sites, the more I wonder if today’s malware commonly has enough escalation mojo to render this practice moot. I know it used to, but does it still gain much, or even anything, to suffer the slings and arrows of Standard User?

    • Maybe.
      It depends on which things are more likely to be vulnerable.
      I think at this point, the user escalation dialog is fairly protected.
      But, how safe/smart are the things that run escalated? And how easily tricked are you as a user?

      The current attack is against the Skype updater (which runs elevated).

      From my perspective, the big question is what do you care more about? Your data, or the OS?

      If someone can get malware to run as you and encrypt all of your files, do you care if they could also get some program to run as Admin?

  19. This brand is always bitching about being broke. What a waste of money and a stupid idea. Time for a rate increase.

    • Broke because Congress won’t allow reasonable increases in the cost of service.

      Here in Switzerland, a 1st class letter costs about a buck-ten in USD to send.

      • The USPS lost/misplaced 8 pieces of my mail last year. Some were bank checks that I had to replace. They lost a USPS money order. I was charged a $5.00 trace fee. Paid for their error. I will not go into the previous years.

        My local carrier delivers my mail and other route mail all over the area. Too many incidents to list here. Now, you believe I should pay a buck for the same incompetence.

  20. whats.my.mail.today

    have had this for a while starting with the previous only service of early notification of any mail with tracking numbers. now the two are combined with both regular mail (envelope size) and any mail with tracking numbers. last year, got two snail mail letters from usps saying that someone from my household (that would be me) had access to this information, and this was months after using this service for some time. nice that they sent these snail mail letter notices, but really this was months after using the service. well, you could probably say this was all beta before and very few people were using this before perhaps. but at least now better that they apparently put more security by requiring whatever security code they send with the snail mail letter notices to at least prevent moving address changes.

    the scan that they email to you is only of the front. no back scan. like why bother with a back scan. even if go to your online usps account, the scan is only of the front. also, no scans of oversize junk mail like for the typical grocery store advertisements and coupons that you get every week, or anything that is oversize.

    delivery packages like boxes with tracking numbers include tracking timelines but not picture scans. maybe later they will include everything.

    what is awful about this is if the mailman misdelivers your mail and of course you don’t get it although the informed delivery notification says you should get it today. if it is really important mail, then you are on pins and needles hoping the misdelivery corrects itself so you get it the next day or if you should go ahead and check the box on informed delivery page saying you didn’t get the delivery. for me, there is no telling if the usps will act on checking that box. so it’s off to the post office to file an actual claim if do not get that particular mail in a day or so.

  21. Quid_est_veritas

    I attempted to sign up for Informed Delivery online back several months ago. The bad news is that I was presented with multiple KBA questions of which the proper answer was “None of the above” for most. There were some former home address questions which were somewhat redundant, where if someone knew where I had lived they could answer all the questions correctly, like former street address, city of residence, county of residence all in the same bank of questions. Well the good news/bad news was that even though all questions were answered correctly I was rejected and to try again later. After several attempts over a few weeks time I was always presented with “unable to be approved at this time” or similar. So was given the option to go to the local post office with a bar coded print out from the website. The first postal clerk denied knowing what Informed Delivery was or how to help me, even though at least 5 posters and/or pamphlets were in eyesight. Jerk. The second worker was cheerful and helpful and found the handheld POS scanner device (that’s Point of Sale) and had me signed up in minutes. It took a few days for it to get up and running properly but the emails are arriving daily now.

    Perhaps the inability to sign up online was due to the credit freezes I placed on all four credit bureaus. Even though some information was still leaking out, it didn’t help with online registration.

    • Here’s some data points that reflect our experience.

      I signed my elderly mom, sister and myself up for the service in Nov 2017, we all share the same home and PO addresses. All mail that we can, we receive paperless into our email addresses, all the rest is directed to our POB, very little comes to the physical address (there is also a nice local cooperation between the PO handling our POB mail and another PO handling our street box mail to route items from the latter to the former if the address is appended with a little code, this is unofficial, done manually, for free, and works most of the time.)

      Immediately in the wake of the Equifax debacle, finally acting long overdue on Brian’s excellent advice, I locked down all of our credit bureau accounts; serendipitously, this was well in advance of signing up for the Inf Del service so the changes had a bit of time to propagate and settle thru the system.

      Also worth mentioning is that, some years ago, to help avoid KBA based answer problems, I reviewed each of our credit bureau records and scrubbed all inaccurate addresses and data (but didn’t add any addresses not already there). Furthermore, I built up an internal chronological history list for each of us with all old addresses, phone numbers, etc. other items like which bank or credit cards did you use, loan history, etc., I have an overview of already. With all this background, answering KBA questions should have been a snap but wasn’t.

      I did the applications sequentially on the same evening to different results (IIRC, I also did all applications from my Mac’s Swiss IP address (rather than using team viewer to go through my mom’s US based Mac’s IP address.))

      Results:

      Sister’s Inf Del appl. related to POB: Failed 2x on the KBA, got try again later, or go to PO for verification, replies. Tried the next day, failed again. Sis went on 2nd day, to the regional PO that handled Inf Del. The clerk had to find the manager to find the scanner, and reasonably quickly completed the task. Only real snag was that my sister’s driver’s license uses the physical home address and the clerk was concerned about the mismatch (this is a flaw in the verification process where the system doesn’t direct you to the PO where your POB lives), I was in the line and just said that to me it was illogical to expect a POB address on a driver’s license because the cops want to visit, they want to come to your home not POB (I don’t know if this is true, but it was all I had to offer and it worked.)

      Mom’s Inf Del appl. related to the home address: Failed 2x on the KBA, got try again later, or go to PO for verification, replies. Tried the next day, failed again. A day after my sister, my Mom went to the regional PO that handled Inf Del. They found the scanner and completed the task without problem.

      My Inf Del appl. related to the home address (and I did it about 5 min after failing on my mom’s): I did mine last, and expected to fail because, although I use their addresses, I have been posted overseas for years and have used my address here from time to time. Result? I passed the first time, no local verification was needed. LoL.

      On the basis of my experience, even if you fail, and have to do local verification, a crook on a foreign IP address, knowing enough about you and your history, despite you having credit report locks in place*, stands a 30% chance of success.

      * Just After, in early Nov, I applied for an AMEX Platinum and an AMEX Blue cards for both my mom and sister (one of each for both). The block had to be lifted to get the applications approved. Same thing when I applied for the same cards for myself in January.

    • I had a similar experience, probably due to credit freeze. Had to go to a local post office, show ID, wait for them to find the POS scanner. The first scanner was a POS, it didn’t work, they found a second one that did work. Emails arriving every day.

  22. Brian, I appreciate the time and effort you put into keeping us up to date on security issues. Thank you.

  23. As a senior citizen I find all these “services” more avenues for the fraudsters to scam us. And why the @^&* is the post office still using Equifax??? They are doing little to help people secure their privacy after that massive breach and they charge us for the inconvenience of having to freeze and unfreeze our credit records. All these companies that are making money from this type of “service” are the scammers too.

  24. Interestingly, you can receive scanned mail images without having to correctly answer the knowledge based questions. That’s what I had to do since the questions are based, at least for me, on the previous owner rather than the new owner. Anyways, if their system shows I can’t pass the “Vertication check,” that probably explains why I haven’t received a letter…

  25. So the geniuses at the USPS implemented a system I don’t want, that basically allows a random stranger to know when I receive mail. Great…

    So how does one unsubscribe? I want no part of this so-called “convenience”.

    All the more so after discovering that the USPS sells my information. I found that out accidentally by not giving them a forwarding address one year. The junk mail dropped to almost zero, and I never get those bogus credit card apps that were just ploys to update a credit bureau database voluntarily and for free. If an organization or individual needs to know my new address, I’ll notify them. Otherwise my info is not for sale or public use. If my information is air-gapped, then it can’t be hacked, IMHO…

    • Are you really sure the PO sells your info? I’m not.

      Occam’s razor suggests an alternative scenario, one where (assuming you hadn’t done a credit card or direct advertising opt out) the credit bureaus sold your data to the places sending targeted offers (that IS their business model after all). The PO business model is sending bulk untargeted stuff like Val-Pack coupons. In addition, the longer you are at an address, more info gets exchanged and sold among the bureaus and you can end up in the White Pages as has been our experience.

      • USPS does sell the information on your forwarding mail orders. I have this from two sources:

        1) USPS itself.

        2) Extensive personal experience: I spent a great deal of effort to remove myself from mailing lists, including using the Do Not Solicit organizations and contacting each mailing organization to confirm my “do not solicit” order. (I also used different variations of my name in order to track offenders.) When I moved using a mail forwarding order, I got junk again. When I moved without using one, I didn’t.

  26. USPS can’t deliver my mail to my house instead of a cluster mailbox three blocks away because of cost savings, yet they have money to waste on this crap. Nice going, USPS! Wasting money on something most of your customers don’t care about while getting rid of services they do want (don’t even get me started on them getting rid of international surface mail so they can jack up the prices by forcing you to use air mail). Uhm and nobody is worried about Big Brother here either?? I hope they go bankrupt and when the government bails them out, maybe some of this stuff will get looked at and fixed.

    • There seems to be a lot of ignorance behind your anger.

      All the photos and storage existed since at least 9/11 for law enforcement purposes; what the PO has reasonably done here is tied into that to offer customers a heads up of what’s coming. This also helps ensure accountability of the system and the carriers to get the mail to you (if you don’t know what’s coming, how can you report it lost? Where’s the accountability or improvement potential? There is none.). This should also address your diffuse big brother concerns, in that the pics ain’t new, the sharing with you is.

      You seem to think the PO is really independent and can go bankrupt. It is not a direct sub department of the IIRC Commerce Department anymore, but it is still owned by the USG, yeah, by you. So the PO apocalypse you are spoiling for will just come out of your own pocket.

      Instead of appreciating the PO’s attempt to compete by leveraging a unique selling point, one that for a trivial investment and operating cost can offer better security and accountability for your postal mail, one barely out of beta, one which still has room for improvement, you grind an axe because surface mail had to eventually die when intercontinental ocean liners became cruise ships and both intercontinental people and postal business necessarily moved to the more common air transport method?

    • I forgot to address the cluster vs curb complaint. This is a direct result of folks complaining about first class stamp prices (long before the rise of the internet would have forced the same solution due to volume drops). Congress approves, or at least did in the past, any postal rate increases. If you want to point fingers, start with your senators and reps from the 1980’s onward but mostly at the folks that didn’t like increases (note Canada 1st class letters cost between 20 to 30 US¢ more than US equivalent, likewise, Australia is about 30 US¢ more.)

    • I’m pretty sure these scanned images have their first purpose as part of the sorting system. I believe clerks look at the images that don’t successfully get through the OCR process and use a keyboard to enter enough of the address to get the piece into the right carrier’s mailbag.

      I’ve heard that they can do this remotely, and in so doing offer employment in areas far from big cities.

      Just because delivering mail is hard, it seems harsh to slag the USPS for trying to innovate.

  27. Now if I could just get them to put the mail in the right box. Very frustrating.

  28. Already been having mail issues. Mail gets lost all the time or it takes 6 weeks to get there unbelievable. Happened numerous times and it’s still going on now.

  29. This has been tried before. There was a service called Earth Mail at the beginning of the 2000s. It seems that people are more willing to accept the service this time as opposed to back then.

  30. As a pre-existing informed delivery customer, I am anxiously waiting for my notice from the post office about informed delivery subscriptions that were started prior to February 16th.

    Has anyone who was previously enrolled in the service, received any notifications during this second week they were supposed to be sent out? I realize that timeframe has not expired yet but I am still watching for my own notification.