Posts Tagged: USPS


2
Oct 17

USPS ‘Informed Delivery’ Is Stalker’s Dream

A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.

The service, dubbed “Informed Delivery,” has been available to select addresses in several states since 2014 under a targeted USPS pilot program, but it has since expanded to include many ZIP codes nationwide, according to the Postal Service. U.S. residents can tell if their address is eligible by visiting informeddelivery.usps.com.

Image: USPS

Image: USPS

According to the USPS, some 6.3 million accounts have been created via the service so far. The Postal Service says consumer feedback has been overwhelmingly positive, particularly among residents who travel regularly and wish to keep close tabs on any mail being delivered while they’re on the road.

But a review of the methods used by the USPS to validate new account signups suggests the service is wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service.

Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

Once signed up, a resident can view scanned images of the front of each piece of incoming mail in advance of its arrival. Unfortunately, because of the weak KBA questions (provided by recently-breached big-three credit bureau Equifax, no less) stalkers, jilted ex-partners, and private investigators also can see who you’re communicating with via the Postal mail.

Perhaps this wouldn’t be such a big deal if the USPS notified residents by snail mail when someone signs up for the service at their address, but it doesn’t.

Peter Swire, a privacy and security expert at Georgia Tech and a senior counsel at the law firm of Alston & Bird, said strong authentication relies on information collected from multiple channels — such as something you know (a password) and something you have (a mobile phone). In this case, however, the USPS has opted not to leverage a channel that it uniquely controls, namely the U.S. Mail system.

“The whole service is based on a channel they control, and they should use that channel to verify people,” Swire said. “That increases user trust that it’s a good service. Multi-channel authentication is becoming the industry norm, and the U.S. Postal Service should catch up to that.”  Continue reading →


4
Aug 14

‘White Label’ Money Laundering Services

Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action. But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.

The typical process of "cashing out" stolen credit card accounts.

The typical process of “cashing out” stolen credit card accounts.

Today’s post looks at one such evolution in a type of service marketed to cybercrooks that has traditionally been perhaps the most common way that thieves overseas “cash out” cybercrimes committed against American and European businesses, banks and consumers: The reshipping of goods purchased through stolen credit cards.

Cybercrooks very often rely on international reshipping services to help move electronics and other goods that are bought with stolen credit cards, shipped abroad, and then sold for cash. Many fraudsters use stolen credit cards to pay for U.S. Postal Service and FedEx shipping labels — a.k.a. “black labels” — but major shipping providers appear to be getting better at blocking or intercepting packages sent with stolen credit cards (at least according to anecdotal evidence from the cybercrime forums).

As a result, crooks increasingly are turning to a more reliable freight: So-called “white label” shipping services that are paid for with cybercrime-funded bank accounts via phony but seemingly legitimate companies in the United States. Continue reading →


3
Jul 12

Who Says Email Is Eating at Postal Revenues?

Shadowy online businesses that sell knockoff prescription drugs through spam and other dodgy advertising practices have begun relying more heavily on the U.S. Postal Service to deliver prescription drugs to buyers in the United States direct from warehouses or mules within the U.S. The shift comes as rogue online pill shops are seeking ways to lower shipping costs, a major loss leader for most of these operations.

An ad for Rx-Parners pill shop that ships from the US.

Traditionally, a majority of the counterfeit pills advertised and sold to Americans online have shipped from India. But the process of getting the pills from India to customers in the United States is so expensive and fraught with complications that it has proved to be a big cost center for the largest rogue pharmaceutical operations, according to a study I wrote about last month.

“One of the surprising things we found was that shipping dominates program costs,” said Stefan Savage, one of the lead authors on the study, and a professor in the systems and networking group at the University of California San Diego.

The researchers discovered that most rogue pharmacy operations spend between 11 to 12 percent of their annual revenue on shipping costs. Part of the reason for the high cost is that pill shipments from India and elsewhere outside of the United States frequently get delayed or confiscated by U.S. Customs officials. This forces the rogue pharmacies to either refund the customer’s money, or to eat the costs of re-shipping the pills.

Increasingly, however, some of the largest spam affiliate programs are delivering some of their most popular drugs — including erectile dysfunction pills and everything from Accutane to Cipro and Diflucan and Plavix — direct to U.S. buyers from shipping locations within the United States.

“This is why you see pharmacy outfits like RX-Partners, Mailien and Stimulcash picking the most popular drugs and warehousing them in the United States so they can do USPS shipping through mules,” Savage said.

Continue reading →


31
Oct 11

Turning Hot Credit Cards into Hot Stuff

Would that all cybercriminal operations presented such a tidy spreadsheet of the victim and perpetrator data as comprehensively as profsoyuz.biz, one of the longest-running criminal reshipping programs on the Internet.

Launched in 2006 under a slightly different domain name, profsoyuz.biz is marketed on invite-only forums to help credit card thieves “cash out” compromised credit and debit card accounts by purchasing and selling merchandise online. Most Western businesses will not ship to Russia and Eastern Europe due to high fraud rates in those areas. Underground businesses like Profsoyuz hire Americans to receive stolen merchandise and reship it to those embargoed regions. Then they charge vetted customers for access to those reshipping services.

Below is a screen shot of the administrative interface for Profsoyuz, which shows why its niche business is often called “Drops for Stuff” on the underground. The “Дроп” or “Drop” column lists Americans who are currently reshipping packages for the crime gang; the “Стафф” or “Stuff” column shows the items that are being purchased and reshipped with stolen credit card numbers.

Profsoyuz reshipping service admin panel.

The column marked “Холдер” or “Holder” indicates the cardholder — the name on the stolen credit card account that was used to purchase the stuff being sent to the drops. I rang Laura Kowaleski, listed as the person whose credit card was fraudulently used on Oct. 11, 2011 to buy a Star Wars Lego set for $189, plus $56 in shipping. She told me I reached her while she was in the process of filing a police report online, after reporting the unauthorized charge to her credit card company.

The Lego set was sent via FedEx to Oscar Padilla, a 37-year-old from Los Angeles. Padilla said he believed he was working for Transit Air Cargo Inc. (transitair.com), a legitimate shipping company in Santa Ana, Calif., and that he got hired in his current position after responding to a job offer on careerbuilder.com. However, the Web site used by the company that recruited him was transitac.com.

Continue reading →