A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
Image: USPS
The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.
According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”
“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.
The USPS did not respond to repeated requests for comment over the past six days.
The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.
KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.
However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.
Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.
“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”
Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.
“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.”
As noted in last year’s story, the major weakness with Informed Delivery lies in the method the USPS uses to validate new accounts. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.
KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.
I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.
But numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place with Equifax and the two other major consumer credit bureaus (Experian and TransUnion).
Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.
The Dallas Morning News piece referenced earlier says Americans can opt-out of Informed Delivery by emailing the “eSafe Team” at USPS at eSafe@usps.gov. However, emails sent to this address by KrebsOnSecurity elicited no response over the past four days.
Yet, one reader received a curious response by emailing the customer service address advertised by USPS’s Informed Delivery service — informeddelivery@custhelp.com. That reader requested that USPS remove her address from eligibility for Informed Delivery, and asked the Postal Service to let her know if anyone had previously signed up for the service at her address.
According to an email shared with this author, the USPS’s customer help team responded by asking the resident to answer some of her KBA questions in plain text via email.
A response from the Informed Delivery division of the USPS’s customer service department.
Sources tell KrebsOnSecurity that the USPS is now processing some 20,000 new Informed Delivery account registrations each day, and that the USPS is continuously deleting new account registrations that it believes may be fraudulent.
There is also a potentially new security wrinkle in the USPS’s Informed Delivery service. The USPS is now generating revenue by allowing third-party companies to advertise interactive content in Informed Delivery communications (PDF) sent to email subscribers.
The program allows the USPS to automatically match scanned mail images to specific advertising campaigns. According to a review of its mailer delivery user guide (PDF), this initiative allows advertisers to publicize content that contains interactive links, which could be abused by malefactors posing as legitimate advertisers.
This graphic, taken from the Secret Service alert, describes how the USPS Informed Delivery system works.
Thanks, Brian.
Useful, interesting, and informative, as all your postings.
This is particularly concerning because we live overseas. We maintain a US address at a friend’s house. Currently we have a one-year forwarding to our overseas home with USPS which means a considerable time lag.
This “Informed” Delivery option seems to expand the pool of potential miscreants, the last thing I need. Postal employees and e-mail hackers would now have access to my mail.
I would like to opt out, but it looks from the image of the USPS response to the woman’s request that I’d have to open an account with USPS. Would that make me more or less secure???
KBA questions never work for me because I never remember how I answer them. Boulder? Boulder, CO? Boulder, Colorado? Which was it? I realize they are a security risk but making up answers is even worse. A year later I have no idea what I answered.
Perhaps you could make it up – and then write it down somewhere …
I’ve started inventing nonsensical answers which I store in a password manager (Keepass, in my case). Keepass allows you to add extra notes about a site entry; I usually put the question and answer there. I’m not particularly familiar with any other manager, but I’d assume they all allow that?
Lastpass has the same general capability to store additional information for each account entry, and that text-box is where I put the security questions and responses (or other related info) for any accounts which involve KBA.
I’ve suggested to others in the past to provide a twist to the answers. For example, if they ask the name of your favorite teacher, you answer with the name of the school that teacher was at. If the question is “first car” then add the color: “Red ’68 Camero.”
I’ve also thought negative questions would be more secure. I’ll never be fb-friends with the person that bullied me in middle school. Nor with the first girl that broke my heart.
Something similar with addresses might work too: Which address have you NOT lived at?
I would recommend you fill out the webform at https://uspshelp.custhelp.com/app/ask_id . For the category of your question, choose “Other – Please describe below:” and enter the residential address that you would like to block. They should answer your email within two days. Yes, it’s correct that without an Informed Delivery account, you will not be able to answer any KBAs, but hopefully they will be able to help you. Alternatively, you can try calling 1-800-ASK-USPS® (1-800-275-8777). A third option would be to have the person living at that residence block that address from Informed Delivery. If they do not want an account, they can locate a nearby Post Office, where they can prove their identity and demand the block.
If your mail is being forwarded, Informed Delivery poses absolutely no risk. Your mail does not get to your mailbox, so there’s no way for identity thieves to access it. The average postal service employees don’t have a way to access your informed delivery images; they’re tied to the USPS.com account that has signed up for Informed Delivery. The only employees that can see the usps.com accounts are the tech support agents, and they need external information from the account owners to access them.
Regarding the KBA questions. I use Mac, so I keep a keychain entry for each account. If the account needs any KBA’s I note each question and type a random string of characters for each answer. I then copy and paste the random strings into the form at the website. I save the keychain entry.
For those using another operating system I am sure there is some way to make similar notes and save them.
Hope this helps.
There seems to be some confusion over KBA and security questions. Security questions are the ones you provide the answers for later use. They are used when you are establishing an account and there is not yet any sensitive information to access or you have proven valid access by other means.
With KBA, on the other hand, you do not get to provide answers for later use. KBA answers come from your credit/consumer report files, including erroneous information. KBA is used before you can provide answers for later use, when access to existing sensitive information is being established. You must prove you are entitled to access the information. They are presented in multiple choice format, often with a none of the above choice.
Frequently, those with credit freezes in place are unable to access information protected by KBA. I have freezes in place. I am perplexed that valid information is presented with KBA, but validation fails. Logically, this information should not even be accessible when a freeze is in place. Occasionally, none of the above is the correct answer. There was recent news of a flaw in one provider’s KBA, answering none of the above to all questions granted access.
In the same way, they may be all to easy to play and
detailed instructions are shown for the capability
of the players. Just remember that you possibly will not win all the time however it is easy for
you to gain profit while your having fun with the best type of
strategy. Certain funny games may also be becoming loved by girls, which
offer fun time for your young folk.
BOT word-salad!
“How fiendishly clever!” — Batman
“Normally in these cases, I’d urge readers to simply plant their flag by registering an account to claim their address.”
So if I live alone(sad I know), should I sign up for informed delivery?
Advantages:
1. Better awareness of what’s on the way (anti-pilfering).
2. Planting a flag (even though it’s not exclusive).
3. If you’re not there, you can arrange for somebody to pickup any important incoming mail.
Ps There are between 30 and 40 million single resident households in the USA. There is nothing inherently sad or dishonorable about living alone.
I have a “Informed Delivery” account and haven’t had any issues with it
I too have “Informed Delivery” and have had no issues with it during the six months I’ve had it. I believe I signed up after having frozen my credit files with the “Big 4” reporting companies. USPS was unable to process my registration online (don’t know the reason), so I had to physically visit a Post Office and present my paperwork and picture ID which showed the address for which I was signing up.
I believe the reason you couldn’t register it online is the fact that your credit was frozen, therefore they couldn’t pull of the validation information from the credit bureaus.
Same thing happened with me – froze my credit several years ago, enrolled for informed delivery online and then had to go to a PO and verify my identity. I love this service.
I’d rather do it that way anyhow – too bad the bankers haven’t learned to require physical presence with ID to get a lot of things done!
Anything done to make life easier for customers has the potential of abuse. It appears the US Mail, in order to keep this very useful service, will need to use the US MAIL to deliver a security code to the address of the service requester which would need to be entered to to begin the service.
It will also help if every mailbox is locked to slow down thieves trying to intercept certain letters from the mailbox.
At least if a mailbox has its lock broken, the post office should have a record of the mail that was delivered.
Great service as usual Brian. This is one that hits almost everybody.
I’m generally happy with Informed Delivery.
When I registered last year with FedEx Delivery Manager, one of the KBA questions asked me which of four names I was “associated with.” I had never heard of any of those people and there was no “none of the above” option, so I took a wild guess and chose a name. Apparently I guessed right, because I was verified. I googled the person’s name later to see if we had lived at any of the same places, but found nothing.
I’ve lived in apartments for many years and I think KBA presented the name of some other random tenant who lived in the building at the same time as a person I might be associated with. But the buildings where I’ve lived are large complexes where tenants don’t usually learn each other’s name. The mailboxes in these buildings show only the apartment number on the outside, not the tenant’s name.
What’s to stop the thieves from signing up in the name of someone who doesn’t live at your address? Could then still see everything being mailed to you? How does the post office know who lives at your address? It’s the address that’s the hook, not the names.
Slight typo: “Equfiax”.
Maybe a little off topic, but renting a post office box is a good security practice. It not only prevents thieves from taking credit cards from your mailbox, but it makes a good address to use for all accounts. Some financial institutions balk at the idea, claiming the Patriot Act doesn’t allow it, but screw them. All my financial institutions, including banks, investment companies, 401K company, even the state revenue office and IRS, use my post office box address.
Using a po box address is good for your online profile too because it helps protect your family and valuables in your residence. It helps prevent people from researching the value of real estate owned by or connected to you. Having the po box somewhere other than where you live, for example near where you work or some other place you frequent, helps steer the malicious and curious even farther away from your home and family.
Same here. Financial institutions have a way to add a mailing address but they do need your physical address on file. Even the IRS is cool with this on tax returns. Just about the only entity I’ve found that doesn’t accept a PO Box as a primary mailing address is the Secretary of State. Also, one time I was having some (non-controlled substance) medication and supplies shipped to me but the pharmacy would not do it to the PO Box. I explained that this was more secure than the mailbox at home, and the chain of custody was limited at the PO, but no dice. We like the pseudo-anonymizing benefits you mentioned. Also when we move, we won’t have as much junk mail going to the old home address.
A lot of post offices can provide you with a physical mailing address for your PO box that will allow you to have a physical address for those entities that won’t accept a PO box address.
Why dont they make it so that the Informed delivery accounts and the services it provides are not activated until the person receives a letter, that is not scanned, that has a challenge response code? Enter the code into the site and it activates the scanning service.
I’ve had the service for both my home and PO Box addresses for a few years. For my PO Box account I had to go to the Post Office to prove my identity along with a bill showing the address matching my PO Box – because apparently my answer(s) to the KBA questions didn’t match.
To further protect against signups by potential mail thieves, I recommend that new signups be forced to either signup at a Post Office to prove identity like I did, or sign for a certified mail piece sent to the person & address of the applicant. Without certified mail, crooks could still get to the mailbox and intercept any official communication from USPS before the resident does.
Another weakness of Informed Delivery is:
1. A single I.D. account can not be configured to send emails to multiple email recipients.
2. Multiple I.D. accounts can not be configured to send to a single email.
For instance:
– we have a street box and a PO Box
– all Mail is maximally routed to the PO Box (mostly advertising and political mailers come to street box although important mail occasionally arrives in a he street box)
– my mother and sister live together
– I live overseas
– my mom gets ID for the street box
– sister gets ID for the POB
– I get ID for for street box
– none of us can get ID for both boxes
– it is not possible to change the account username (want a different name, go thru the creation process again, also good luck deleting the old account)
– It is not possible to a) designate an overseas number to receive 2FA text messages, or b) to designate a US based number already in use for a different ID account, thus it’s not possible to set up 2FA or account recovery for such accounts.
When the ID program was first launching, iirc late 2017, I learned about it here (Thanks Brian!) and I signed the three of us up.
At that time, there was talk (iirc in Brian’s article(s), and in a reply from or FAQ on the ID site) that from the following Jan (IIRC 2018), would have upgraded to address some of these shortcomings. I checked multiple times since then, but not recently, and there is no sign that any upgrades or changes have been made to the system.
I wonder if anybody has requested the IG responsible for the USPS look into and recommend changes to the system.
Robert, you shouldn’t *have* to do it this way, but it would be a relatively trivial process to setup mail forwarding addresses and/or mail rules to accomplish the shared notifications you desire.
Thought about doing what you suggest, but didn’t yet go in that direction.
The promise from the Usps at the time we did the set up was that a person could sign up for their multiple locations. This would be ideal for folks that have winter/summer/vacation homes etc.
Thanks for the reminder. Will have to consider changing since Usps reneged on its commitment.
Brian, some of my replies are not appearing. One here and one and a repeat to one of your comments.
Doggone it, Brian!
Every day I come here krebsonsecurity, I now do so with a sense of ‘trepidation’. Like: what’s he gonna uncover next that I have to add to the other ulcer-worries of everything concern us humans headlong rush into the digital world. (haha, just joking ya..I think…;-)
Ok, I’ve now read this article 3-4 times, and I am still a bit unclear. I currently have a USPS online account, created like 4-5 years ago. I would (and still do use it) for paying for & printing out ‘pre-paid mail postage’, i.e., if I happened to sell something on Ebay, or if I want to ship something to family. But I am confused…
My confusion is this: is there something (a setting, maybe) in my USPS online account that I can click where it would prevent any future use of and/or signing-up of USPS’ scanning service this article talks about? I looked, just now, through my USPS online account, but as is usual with all things “Postal”, it is not very clear.
Or should I do nothing and just relax knowing I already have a USPS account and therefore can’t fall victim (unless someone breaches this account…whether man-in-the-middle, malware, or..cough, cough—Equifax-like) since the mail scanning service can’t be signed-up for without having access to the USPS account in my possession. Is this correct?
Wow, I just re-read the above paragraph and I am even confusing myself now….
God, if you’re really, truly up there and/or out there in the Universe, I’ve never asked for a thing in my life. Will you please radically advance the development of AIs for humans so that I can afford/buy a ‘Second-by-Second Evolving Hunter AI’ entity that will every minute swirl around the world-wide various Nets, continually sniffing, parsing, preventing, and/or just plain shutting down and thwarting all digital attack avenues against this poor biological sap that I am?? Maybe put it in my Christmas stocking? I’ve hard enough time keeping my biological side ‘in check’ ;-/
Because if you don’t do this, dear Master of the Universe, I just know that one day I am going to wake up, drink my coffee, rub my eyes, log on and click Mr. Kreb’s cute little upside-down Avengers umbrella browser shortcut, and be greeted with a title from him along these lines:
“Your mental thoughts and DNA-telomere synthesis are no longer yours. Together they are hackable. Here’s how the invasion occurs” ;-0
In Jesus’ name: AMEN!!
I have used this service for some time and like it a lot. However option to click on a piece of mail you were supposed to receive is just to give you a warm fuzzy, it does absolutely nothing. I had something missing for some time and used this option. I got no response so went in to my local PO and asked about it. I forced the employee to admit it does nothing more than give you a warm fuzzy because they have no way of knowing where that piece of mail is…….
Is there a way to find out if someone has been signed up for Informed Delivery? I work at a CU and we’ve had in the past month a few cases that seem to fit the pattern.
I like Informed Delivery a lot. I know what’s coming. If someone signed up for a credit card in my name, I would see the image of the credit card envelope and be warned about the scam. It wouldn’t matter if they intercepted the credit card, I would see it on the Informed Delivery email.
In this manner, it does help with Identity Theft, but you need to have an account before the thieves do.
The post office really doesn’t know who gets mail delivered at an address. For Example a few years ago I was dating a man that I didn’t live with. He was in my car with me driving when we were involved in an accident. A week or so later an accident chasing lawyer mailed my date at my address a letter offering his services. This gentleman NEVER lived at my address – however I a pretty sure that post office would allow him to set up on Informed delivery account for my address. I think this service is doing more harm than good that way it is setup now. The intention was good they just need to fix the sign up process.
Am I the only one that’s creeped out because the email address for customer support is “@custhelp.com” (and not usps.gov)? And then they ask for personal info verification in a plaintext email? That’s a strong indication that the USPS has no idea what it’s doing.
Give the man a prize!
The suspicious domain caught my eye, too. Maybe that’s why BK included the screenshot.
That domain is owned by Oracle; USPS might be subcontracting the entire Informed Delivery project or just the customer support side of it.
Sigh. I posted about vulnerabilities in Informed Delivery back in March this year…
https://www.facebook.com/libove/posts/10155495915703358
So, what is even worse is that signing up for your address doesn’t prevent a criminal from also signing up for your address. I just tried it, and signed up both me and my wife and it allowed me to have a second account for same address. My guess is that there is no limit. So, signing up doesn’t prevent anyone from also signing up.
Hi KF,
Can I ask you a question: does one signup for this “Informed Delivery” through an already existing USPS online account (if you have one)? Or is the sign-up for this at a completely different website and Postal-run (or Postal-affiliated) website?
Your post, I mean, “…signing up doesn’t prevent someone else from signing up…”…I never would have believed that and/or this whole thing if I hadn’t read Brian’s article here today. Just seems like it cannot be real, no org is this in-ept…ugh ;-(
Thank you if you are able to answer my question.
Fraud is very lucrative business for criminals.
I wonder if the criminals have such good knowldge, where did they learned all that? Perhaps there is some secret organization who teaching all that fraud stuff.
Since all fraudsters are well equiped and with good knowledge.
More like the marketing and business types who set up these systems (with visions of $$$ dancing in their eyes) don’t even bother to consider the security ramifications. That is left to the users.
To Frank Haynes and others:
I agree with you.
The USPS should not be in the marketing/information collection business because of its almost monopoly position.
There is too much sensitive so called “metadata” flowing through the USPS system that it not only invites ID theft but a constellation of security and privacy risks. As Brian Krebs notes this “Informed delivery” can lead to credit card fraud and other more serious crimes involving threats, harassment, personal injury and so on.
I think you will find that the “Informed delivery” grew out of the Mail Isolation Control and Tracking (MICT) and Mail Cover programs by the FBI and other law enforcement techniques only to be used for “Advertising Revenue” and somewhat of helpful service to citizens who would like to track their mail [The latter a seemingly good idea gone bad].
“Mail cover is a law enforcement investigative technique in which the United States Postal Service, acting at the request of a law enforcement agency, records information from the outside of letters and parcels before they are delivered and then sends the information to the agency that requested it.”- Wikipedia
Ht tps://en.wikipedia.org/wiki/Mail_cover
[Url fractured to prevent bot scans]
This photographing or scanning includes all mail items flowing through the USPS to all USA citizens and citizen abroad flowing in to the USA. That data base must be very large. The opportunity for abuse is huge. I am sure Brian Krebs could think of a number of serious dangers other than financial fraud.
As Jay Libove and other posters note the Informed Delivery is leaking like the Titanic that it will take a huge amount of time, money and effort to keep it from becoming a disaster with multiple victims.
It probably should be rolled out slowly and securely over decent length of time. At this juncture it probably will end up doing more damage than good for the average Joe Citizen.
I would be happy to see the problems fixed instantly but I think it will take years of work and a many victims tossed under the bus.
usps.com needs to add multi-factor/two-factor authentication option, using an authenticator app.
social security web site utilizes MFA/2FA, but they only allow sms texting as second factor.
“I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.”
Equifax has invalid information about my past and will not correct it. I’d rather that they not pretend to know my history than get it wrong.
Things must be getting worse! I’ve always been able to get any of the credit reporting agencies to correct information in my data. In fact I did most of it over the phone!! I would suggest getting hold of your state AG or even you congressman to address this issue. They are not god, and they are required to correct false or incorrect information.
i think a credit freeze is 10 times easier than jumping thru hoops chasing mail. another thing you can do is opt out of credit card offers. i do use informed delivery and like it. i know when something i’m waiting for is on the way.
I have my credit frozen and was still able to set up an account. I then had a problem with my account and received the email asking for the security question answers. I sent them figuring I could just go into my account and change them. Guess what, you can’t change your user name or security answers. I sent an email asking what you are suppose to do if your account has been compromised. The response was-
Thank you for contacting the USPS® Internet Customer Care Center.
You’ve reached USPS Technical support. In order to provide you with accurate information, please contact one of our non-technical customer service representatives.
Customer Service representatives are available to take your calls at 1-800-ASK-USPS® (1-800-275-8777)
I called an was on hold for over 1 1/2 hours. The man who answered said they don’t handle informed delivery and tried to transfer me but hung up on me instead.
I can not find a simple answer to how to close/delete/deactivate your USPS account.
You can create a new one but that doesn’t stop someone from using your old one.
That is pretty much what I figured. If you try to recover your account by clicking on the user ID or password recovery, all it does is direct you to register again; and of course we all know that old data is in their system somewhere.
In my experience, USPS treats “John Doe” and “John X Doe” as different people.
Because it has to in case of multiple people with similar names.
Example :
John Doe
John Doe II
John Doe III
and nicknames. How much mail is addressed to actors using their screen name and not their real name?
e.g. John Wayne instead of Marion Mitchell Morrison
signed up for this in very beginning when it wasn’t called informed delivery and was able to sign up despite having freezes on my credit records. and back then (seems like years ago now) did not get any notices in regular USPS hardcopy mail about someone (me) signing up for this for MONTHS. actually got two of the hardcopy letter notices, but MONTHS apart. but those were in the early days when no one cared about using this except for early adopters like me.
now it is definitely more difficult to sign up for informed delivery. signed my mom up online for it, but the KBA online questions all failed. had security freezes/locks on my mom’s credit records. all the KBA questions were wrong anyways. so had to send my elderly mom to the post office – twice – to verify in person. the first time when she went in, whoever was helping her apparently did not know what he was doing and saying the computers were down. he just did not know what he was doing. he took my mom’s info and said they would get to it later. waited two weeks, got an email saying the original online registration was going to expire if did not verify. so sent my mom back to the post office. this time she got someone who knew what she was doing and completed the verification. got an email that day saying that it was all complete and would begin getting the informed delivery alerts via email. the regular usps hardcopy letter notice saying that someone (my mom) signed up for informed delivery for my parents’ address arrived WEEKS later. repeat: WEEKS later. better than months later like for me in the early days, but still it was WEEKS LATER. the notice letter had something like a URL for turning off the informed delivery if it wasn’t for either one of my parents. but still, the NOTICE LETTER took WEEKS to get.
so, even if you yourself signed up for informed delivery, someone else, who is not you, and who is not in your family residence, theoretically could sign up for informed delivery, walk into the local post office with fake IDs, could possibly somehow convince a postal clerk at the counter to approve the fake verification, and the bad guys would then have like a few weeks to monitor your mail and snatch the credit card applications before you even get the USPS hardcopy notice letter saying someone else signed up for the informed delivery. yes you should see in your informed delivery alerts that the credit card junk mail is arriving, but if you don’t receive it that day, the mailman and the post office will tell you to wait a week before complaining of any missing mail because of how the mail can be misrouted. it happens — me watched via priority mail tracking how our property tax payment got misrouted bouncing around from wrong delivery to wrong delivery and took weeks to get to the right office when it should have took 2days — but usually if the informed delivery alerts says to expect certain mail to arrive today, well, you will most of the time get it on that day of the informed delivery alert. so even if you have signed up for informed delivery, there is still an open window of vulnerability of like 2-4 weeks when the bad guys could do this fraudulent credit card nonsense.
so if your informed delivery says you are getting junk mail that looks like something for getting new credit cards or new loans, then go watch your mailbox like a hawk and do not ignore it if you do not actually get that junk mail, but really go hound the folks at the post office about this. and sign up, or re-signup at whatever websites that will stop these credit card applications etc. being sent to you.
I work for the Postal Service and when they first announced this travesty of online access ro tour mail I wrote an e mail to those promoting it at the higher levels of management. I pointed out that they were handing identity thieves a most valuable tool, and in light of the recent theft of Government Employee personal information, thry should know better. The person or persons that dreamed up this STUPID program should be fired bot celebrated.
Mr. Krebs:
I just read your related article titled “USPS ‘Informed Delivery’ Is Stalker’s Dream” (10/02/17) with the following excerpt,
“If someone already signed up for Informed Delivery later posts a change of address request, the USPS does not automatically transfer the Informed Delivery service to the new address: Rather, it sends a mailer with a special code tied to the new address and to the username that requested the change. To resume Informed Delivery at the new address, that code needs to be entered online using the account that requested the address change.”
I beg to differ. I signed up for Informed Delivery, then months later posted a change of address with USPS.com, followed by a change on my Informed Delivery account. I never received that mailer the article mentions would be sent, and I definitely did not enter any code online.
However I did try to resume Informed Delivery at the new address through my online account and was emailed a notice asking me to visit a local post office, so that upon presentation of government ID, and that email which had a bar code for scanning with their device, I would then be “verified” and so my Informed Delivery would resume. When I showed up at the post office, their device was not working (it was offline). I showed up there four days in a row but their scanner never worked.
Please note, my Informed Delivery resumed shortly after I changed my address through my online account, despite my authentication at the post office being incomplete.
Furthermore, I changed my address again through my online account about 2 months later, and the Informed Delivery resumed without the postal authentication.