08
Nov 18

U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service

A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

Image: USPS

The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.

According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”

“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.

The USPS did not respond to repeated requests for comment over the past six days.

The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.

KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.

However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.

Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.

“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”

Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.

“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.”

As noted in last year’s story, the major weakness with Informed Delivery lies in the method the USPS uses to validate new accounts. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.

KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.

But numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place with Equifax and the two other major consumer credit bureaus (Experian and TransUnion).

Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.

The Dallas Morning News piece referenced earlier says Americans can opt-out of Informed Delivery by emailing the “eSafe Team” at USPS at eSafe@usps.gov. However, emails sent to this address by KrebsOnSecurity elicited no response over the past four days.

Yet, one reader received a curious response by emailing the customer service address advertised by USPS’s Informed Delivery service — informeddelivery@custhelp.com. That reader requested that USPS remove her address from eligibility for Informed Delivery, and asked the Postal Service to let her know if anyone had previously signed up for the service at her address.

According to an email shared with this author, the USPS’s customer help team responded by asking the resident to answer some of her KBA questions in plain text via email.

A response from the Informed Delivery division of the USPS’s customer service department.

Sources tell KrebsOnSecurity that the USPS is now processing some 20,000 new Informed Delivery account registrations each day, and that the USPS is continuously deleting new account registrations that it believes may be fraudulent.

There is also a potentially new security wrinkle in the USPS’s Informed Delivery service. The USPS is now generating revenue by allowing third-party companies to advertise interactive content in Informed Delivery communications (PDF) sent to email subscribers.

The program allows the USPS to automatically match scanned mail images to specific advertising campaigns. According to a review of its mailer delivery user guide (PDF), this initiative allows advertisers to publicize content that contains interactive links, which could be abused by malefactors posing as legitimate advertisers.

This graphic, taken from the Secret Service alert, describes how the USPS Informed Delivery system works.

Tags: , , , , ,

98 comments

  1. Interesting, I never knew this service existed. I also forgot I already have a USPS account from buying stamps some time ago.

  2. Christine Alvarez

    Unbelievable scammers will stop at nothing will they? This just shows that we’re unsafe no matter what we do to protect ourselves, Seems there’s always somebody able to defeat our sense of security. Really makes me uneasy and leaves me wondering who and what to trust anymore. This really stinks, I was excited about informed delivery. I hope they are able to fix these problems because it’s a really handy service I use everyday and hope to continue using in the future.

    • >This just shows that we’re unsafe no matter what we do to protect ourselves

      Not really. What it shows us is that online entities, whether they be for-profit, not-for-profit, government, or other, STILL do not think about privacy and security when building their new fancy widgets.

      That’s the real story here. And will continue to be the narrative for a very long time without penalties for their actions.

    • The best way to secure yourself from this threat is to sign up for the service. It is very difficult for someone to sign up as you after you are registered.
      Also help your parents register.

    • > This just shows that we’re unsafe no matter what we do to protect ourselves,

      Please re-read the first line of the article. And in the body of the article, it give some suggestions that would have prevented this.

      What you should have said is “we’re unsafe because people keep ignoring security experts”.

      See also “‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens”

  3. I signed up for Informed Delivery almost right after it became available. It’s a great service so far but I wasn’t aware of the abuse potential. I could sign my roommate up, too, which covers everyone who lives here but despite having been at this address for 16 years we still get mail for previous residents. Could those names also be used to sign up for the service? Will you have to track down every previous resident to make the service safe?

  4. Ok you’re talking about signing up everyone is your house but if you have very little credit info they make you come into the Post office to sign up. They should do that for everyone, wouldn’t that cut down on hackers making your account? Sign up and everything but make them come in to do a real person id?.

    The bad side of having more than 1 resident is seems the mail ordering only goes by address & ignores the person’s name. I live in a apartment above my landlord, we share the same address & I always see his mail in my informed delivery.

  5. Hmm. I recently had to create an online account at the US Social Security Administration. (Turning 65 will happen to you too if you’re lucky.)

    I have credit security freezes so knowledge-based authentication on the social security site didn’t work for me. I had to visit a social security administration office to show ID, prove my identity, and get a one time code. I’m convinced the procedure was secure. My wait was 20 minutes, though; it won’t scale up in its present form.

    My point is, it’s possible to get this right. (My point is NOT that the USPS and the Social Security Administration should unify their authentication systems. No. No. No. Don’t do that.)

    Give the US Government’s checkered infosec track record, I wish agencies like USPS would be more careful to avoid storing or transmitting secrets without overwhelming reasons to do so. Contents of first-class mail are definitely secrets.

  6. It would save me considerable hassle to have Informed Delivery BUT, I will not sign up until they can accept my PGP public key. I know, that means it will get cold in a proverbial hot place.

  7. I think the best thing to do is block access to informed delivery for your address.

    1) The service seems to be address based, names do not seem to matter.

    2) There does not seems to be a limit to how many accounts can sign up for access to informed delivery for an address.

    3) Even if proper limits of who or how many people could sign up, prior residents’ access does not seem to be removed.

    4) A credit freeze does not prevent or inhibit access to informed delivery for an address. It only does so for the individual with a credit freeze. Another individual without a credit freeze will be able to sign up for that same address. Worse yet that individual may not even have to be a resident of that address.

    PO Box addresses are not immune to this. In fact, even without informed delivery, mail addressed to nonresidents or former residents can be delivered to your physical or PO Box address. I am not suprised this carries over to informed delivery. Informed delivery takes this snail mail issue to the internet. It makes me wonder though if asking for a block of informed delivery is by name or by address? By address makes sense, but there seems to be a track record of poor implementation here. I may have to test this. It may be there is currently no way to protect images of mail to your address being accessible to the internet.

  8. One unfortunate thing to note is that already having signed up for informed delivery doesn’t prevent anything. Because the USPS doesn’t allow you to reset a password for a forgotten account (instead telling you to create a new one), I was able to sign up a new account for informed delivery, even though I already had one (for the same name) in place. I received a post card a week or two later informing me of the Informed Delivery sign up.

  9. I received 5 notices via Informed Delivery of 5 individual un-ordered packages from the same fulfillment company in Utah in October 2018. All 5 of the packages disappeared, one at a time, from my locked apartment mailbox… including one while the carrier was still delivering mail on site, and she verified that the missing package was scanned on her hand scanner as Delivered. The USPS mail theft and inspector departments are not interested in investigating these strange un-ordered packages in any way, nor would they tell me if anyone else is receiving informed delivery updates for my mailing address. The USPS is an anachronism, me thinks.

  10. Despite 4 requests, I am unable to get USPS to opt me out of Informed Delivery Requests from an address I have not lived at for over 10 years. Still see every piece of mail and parcel they get. When I ask to opt-out, USPS has me verify information to unsubscribe. No wonder there are id thieves are easily abusing this system.

    • John,
      I feel your pain. I just tried calling the 1 800 ask usps and the wait time was over an HOUR! I tried using the website to email and inquiry and after filling it all out it just said an error has occurred, gee no wonder usps is going in the BLACK financially. Another thing, do they hold those images? Is the us govt now holding on to what kind of mail I receive…really?! and no way to opt out? Contacting my Congressional rep, what else can you do?

      • Chris, the USPS will scan the front of your mail whether you sign up for Informed Delivery or not. They’ve been doing this for ages already. I don’t know how long they keep the images, though.

        • Given that the pics are for national security purposes, the retention period, not necessarily stored at USPS, will be quite long.

        • Given that the pics are for national security purposes, they likely have a long retention period just not necessarily by USPS.

  11. When I signed up, they required that I visit the post office and show proof of identity. It seems strange the rules aren’t standardized across the USPS. This became a problem when I wanted to do this for a PO Box because I don’t have any ID that has a PO box as the address.

    • We had same problem re signing up our PO Box.

      Had to go to a regional PO, not where our POB was, to be verified.

      The regional PO made a fuss about our DL not having our POB as our address. We pointed out that when the cops come to arrest you or take your car, they don’t come to the POB location to do that. This was enough to get them to approve with out a request for any other documents demonstrating a relation to the POB.

      Due to deficits in oversight, we have no idea if a 3rd party is also receiving ID for our POB. Note: we had this POB for years before ID was rolled out, but how would, say, our successor at this box know if we were still receiving ID emails for the box after we eventually give it up? I never saw this issue covered in the FAQs.

  12. There is no way to opt out of Informed Delivery? What can I do? Got enough troubles in my life!

  13. Leave it to the USPS to fuck people over like they don’t do it enough already

  14. Granted, the ID service has some inherent weaknesses, but can we address the elephant in the room? For a large number of USPS customers, mail delivery itself is not secure. Take a drive down any rural, and many suburban, streets in America and you will see it lined with a treasure trove of attack vectors – aka residential mail boxes. ID may make it easier for thieves to know which boxes to pilfer, but the problem of mail (and therefor identity) theft existed before ID. Fortunately for me I am in a closed community with a centralized locked mail center. But for those customers without that mitigation, the risk will persist until a better delivery mechanism is established.

  15. There are stiff penalties for messing with the US Mail. I would think they apply here, right?

  16. Well, after reading this article, i decided to go ahead and “plant my flag”. I have to say, i like the idea of Informed Delivery, but the execution does concern me as well. One of my concerns was that after I sign up, someone else could sign up under another name and email address and i would never know. What should occur if this does happen however is that I should see the Welcome letter generated by the fraudulent account on the Informed Delivery dashboard which would alert me to the shenanigans.

    One outstanding question I do have however is when I sign up, how do i know that someone doesn’t already have an account related to my address. I think there should be a feature to get a list of all accounts related to that address with extra points for being able to disable them from a “primary” user account.

    So yeah, i definitely understand folks who just want to block their address from Informed Delivery, but i can see a nice use case for it. I mean, we all have to get new credit or debit cards from time to time and everyone in the world can identify that “nondescript” envelope that it comes in. So I think the ability to watch out for it is pretty neat.

  17. I love the service and as a security measure change your password frequently.

  18. I, too, had someone sign me up for Informed Delivery. And I, too, have a freeze on all 3 of the credit bureaus. So, seriously, how do they do it.

  19. Scammers don’t need Informed Delivery to “hack you mail”
    Most people leave their mailbox at the end of their property unguarded. You lock your house, car, phone, computer etc…If your afraid of people going into your mail..Lock your mailbox too.
    Furthermore for a scammer to pretend to send a unsuspecting target an email with an ominous link is harder then it seems at face value..Yeah they could…but they need to purchase a mail permit for a few hundred bucks. Plus the Informed delivery would be linked back to the culprits mailer ID..So they could easily be traced down. Also unlike another communication mediums the Post Office has its own branch of law enforcement to investigate these sorts of things. It may have some flaws but if used right Informed Delivery can help you know if that credit card you applied for (or didn’t apply for) Is on your mailbox or not. If you see it in the scan but not in your mail box you’ll know something is up…with out ID bad-guys could be in your mail box everyday cherry picking all the good stuff and you never know.

  20. Anyone who give the USPS any of their personal info (email, etc.) is a fool. The USPS is not to be trusted with it.

  21. Simple: USPS mails a postcard with 16 character one-time use random passphrase which must be entered over the web before the service is enabled.

    Thank you, I’ll take my million dollar consulting fee in Forever stamps.

  22. I had my credit card stolen from my mail this Saturday. They spoofed my number to verify the card and then spent over $4000 on the card. I noticed because I check my accounts every day and saw the charges.

  23. One more bug to add to the list: USPS’ site isn’t requiring NEW authentication for user-address pairs, just “any” authentication ever. So previous address-holders of your address may still be able to see your mail.

    Specifically:
    I just enrolled myself in informed delivery for my PO Box (using my existing USPS account) and for my home address (using my old USPS account). But when I logged into the old USPS account for the first time, it was still associated with my old home address and I found that this account inexplicably already had been signed up for informed delivery FOR THE CURRENT RESIDENT. Somehow I was seeing HIS package ETAs and HIS scanned letters.

    I think that on my old account I had previously “validated” both my identity and my old address at some point in the past when I bought stamps. And when I went to access Informed Delivery, it didn’t ask me to newly confirm my address or newly validate that address — it just assumed that the address from 5+ years ago was still mine. Big problem.

    I managed to dissociate that old address from mine, but this is a new, concerning development in an already long list of bad security practices.

  24. I have visited their site multiple times today, it responds that the service is unavailable. Is it possible they pulled the service down?

  25. Yesterday the service was unavailable but it’s working now.

Leave a comment