US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service (krebsonsecurity.com) 80
Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."
The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."
I use this, and it's crap (Score:5, Interesting)
They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.
Re: (Score:2)
"Informed Delivery actually stopped working for me a few days ago, I wonder if it's at all related to this?"
Yes, your credit card is gone.
Re:I use this, and it's crap (Score:5, Funny)
Informed Delivery actually stopped working for me a few days ago, I wonder if it's at all related to this?
No. The Microsoft Activation server probably downgraded their license. :-)
Re: (Score:2)
It's not reliable. Sometimes it works and doesn't. :(
Re: (Score:2)
They accumulate all of your tracking numbers which is nice.
Sometimes if I see something from the city I know to actually take my mail in.
Re:I use this, and it's crap (Score:5, Informative)
They don't photograph the package, but they do give you all the tracking numbers - even if the seller/shipper didn't.
Re: (Score:2)
I disagree. Amazon tells me if I have packages.
This tells me if it's worth my time to walk to the mailbox.
Re: (Score:2)
Amazon tells me if I have packages.
This tells me if it's worth my time to walk to the mailbox.
In my case, it's drive to the mailbox. If I'm expecting something it usually has a tracking number, and if not then I scoop it up when I drive by. But what I really want to know about from the USPS is whether any of the few PO box deliverable packages in the world have turned up, and which ones. Most of those I get are some fluffy little packet of nothingness from HK or China and many of them lack meaningful tracking.
Re: (Score:3)
" So the stuff I want most to know about, they don't tell me about."
That's the way the Government works.
Re: (Score:2)
They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.
I'm sure they get photographed too, they (apparently) just don't send you those with this service.
They don't even give you photos of all your mail. (Score:2)
Given that they've also started embedding ads in with the daily email, the service has been losing its appeal to me -- whic
Re: (Score:3)
Most likely because flat mail is automatically sorted and scanned through the system. And part of that automation is... taking a photo of the envelope and analyzing it for the address and other important details.
The only change here is that instead of discarding those photos, USPS saves them for you as a service.
Parcels and o
Re: (Score:2)
Re:How? (Score:5, Interesting)
It makes it easier to know when you should pilfer the mail of your victim.
The majority of rural delivery boxes can't be locked, because the rural carrier would not be able to open them to deliver mail. And locked group mailboxes are only as secure as the keyed-alike master key.
Re: (Score:2)
"Single-house locked mail boxes do exist. "
Yes, the rest of the planet uses them exclusively.
Re: (Score:2)
USPS has special locks that you can buy an assortment of mailboxes with already installed it if you're handy you could buy the locking mechanism and install it your self, I'm sure that would depend on the type of box you have but its still possible. You don't think they carry a special key for every apartment complex do you?
Re: (Score:2)
You mean just like how they can't lock postal drop boxes?
They sell mailboxes that operate the same way. You put the mail in, it drops down to a place that you can unlock.
Re: (Score:2)
I've never seen a locked mailbox anywhere but apartment buildings. I guess the theory is the thieves get the pictures so they know when the real mail is arriving. Good luck with that in my neck of the woods. My mailman is an old decrepit piece of shit who sometimes doesn't show up for a week at a time. When he isn't working it's some other minimum wage flunkies.
On a side note I always wondered if the feds tracked where all the mail was going.
Re: (Score:3)
The USPS has been taking a picture of every piece of mail that passes through it for a decades. In some ways this should not be surprising - most mail sorting is automated, using machine vision to read the address labels (either hand-written, or barcode). In fact, the USPS was a strong investor in optical character recognition decades ago, because they recognized they could get much greater throughput this way. Previously,
Re: (Score:2)
More recently, the USPS has started retaining these images for a period of time. This has, for instance, been helpful in law enforcement - see the recent case of Cesar Sayoc.
The answer is that the data is being handed off to the DHS or similar [nytimes.com]...
But I don't know how long the images are kept for,
...and therefore it is being stored forever and ever, amen.
or what other legitimate uses there may be for it.
There's no end of potential legitimate uses for that data. There's also no end of potential illegitimate ones, either. Sadly, the feds will store it for all eternity, so that it can be used by friend and foe alike.
Re: (Score:2)
Lol, it would never make it.
Re: (Score:3)
Re: (Score:2)
I'd just attach a spring to close it.
Re: (Score:2)
Then the mail carrier will destroy your mailbox out of spite.
Song: Harry the mailman [Re:How?] (Score:1)
Harry the mailman brings us letters soaked with rain,
Jambs the box so full that the mail is crushed,
and then laughs when we complain.
Charlie the milkman is the biggest slob in town,
Seldom leaves the quarts that we've asked him for,
and when he does, they're upside-down
11 months throughout the year
they're as lousy as can be,
but starting December they work with great efficiency.
Charlie and Harry really show they're full of zip
Then they work that way,
every dog
Re: (Score:3)
Ok they get to see the outside of the envelope with your name and address that they already know.
As far as I can tell, what they are doing is looking at the scans to know when credit cards are being delivered. If you get a new credit card on the average of once a year, this means that they only have to steal your mail once a year, and don't have to steal it the other 313 days a year that there ISN"T a credit card in the mail.
Unless the mailboxes are unlocked for them to get the actually mail how does this allow them to commit identity fraud?
Most people in the U.S. don't have locked mailboxes.
Re: (Score:1)
Ok they get to see the outside of the envelope with your name and address that they already know.
As far as I can tell, what they are doing is looking at the scans to know when credit cards are being delivered. If you get a new credit card on the average of once a year, this means that they only have to steal your mail once a year, and don't have to steal it the other 313 days a year that there ISN"T a credit card in the mail.
You missed the point. Thieves are signing up for NEW credit cards. Then watching when the card arrives and intercepts it before the homeowner. They wont know until the followin
Groundskeeper Willie says (Score:3)
If only the USPS had a budget for fixing this (Score:2)
Can someone remind me again why the USPS seems to have a cash flow problem? I mean, if there was plenty of money to around inside the USPS I'm sure that things like this would be more likely to be fixed.
Re: (Score:2)
Here's your reminder [cnbc.com].
Re: (Score:1)
Republicans: starve the beast, run up the debt, divert as much of the treasury as possible into corporate welfare and subsidies
Nothing new here. The postal budget was ripe for plundering.
Re: (Score:1)
Can someone remind me again why the USPS seems to have a cash flow problem? I mean, if there was plenty of money to around inside the USPS I'm sure that things like this would be more likely to be fixed.
Congress has regularly raided the USPS's coffers for the last 30 years, but in 2006 G.W. Bush required that they pre-fund the full expected value of their retirement accounts (about $55-$70 billion) up front costing them $5.5 to $5.8 billion every year since 2007.
All other federal agencies are allowed to invest a smaller amount each year under the assumption that those investments will grow to meet their final needs, much like regular folks do with their 401(k) and IRA's.
Re: (Score:2)
Perhaps you remember why people should be funding their retirement accounts - because people are bad at managing money that doesn't "do" anything and then you get situations where a company (or a bank in case of GWB) fails and the retirement funds get raided along the way.
Even commercial retirement accounts are supposed to have the entire expected value available at all times. Sure there are ways to doctor the numbers and invest, but the investments have to be non-risky, something the USPS and many others f
Re: (Score:2)
Congress has regularly raided the USPS's coffers for the last 30 years, but in 2006 G.W. Bush required that they pre-fund the full expected value of their retirement accounts (about $55-$70 billion) up front costing them $5.5 to $5.8 billion every year since 2007.
All other federal agencies are allowed to invest a smaller amount each year under the assumption that those investments will grow to meet their final needs, much like regular folks do with their 401(k) and IRA's.
Nothing changed. The USPS retirement funds buy U.S. treasuries putting the money exactly where Congress can get to it. The fund is composed of IOUs.
I can view mail at my old address (Score:2)
I moved a few years ago and haven't updated my address on usps.com. Apparently USPS turned on Informed Delivery automatically for me - so I can see all mail delivered to my old address. How cool and creepy is that!
What prevents me from entering in any random address? Do they send a postcard to the address stating "your mail is being monitored" ??
I used to travel on business a lot and used the website to stop / start my mail when on extended trips. I forgot I had an account until today! How many other
Authentication (Score:4, Informative)
What prevents me from entering in any random address?
"knowledge based authentication".
They ask you a question that, supposedly, only the resident of the address can answer. Krebs says that this is pretty weak security.
Article didn't say what kind of question that is, but a hint comes from the fact that if you freeze your Equifax credit rating, they can't ask the question. So it seems to be something that Equifax knows.
Do they send a postcard to the address stating "your mail is being monitored" ??
Didn't you read the article? That was the whole point: no, they don't.
Re: (Score:2)
Re: (Score:2)
I updated my address online to be my current one. It didn't ask any questions, but I did receive an email letting me know changes had been made to my profile.
I'll wait to see if I get a post-card or something. I know when I created a Forward-my-mail request the Postmaster in my new town sent me a postcard asking Who Lives Here Now? So that they don't start rejecting mail etc.
But apparently the online edition isn't tied to it as I could, until the other day, still see scanned mail at my old address.
Re: (Score:2)
Not useful: the identity thieves could just steal that once they sign up as you.
Best Mitigation: Sign up now (Score:4, Informative)
The best way to prevent this is to be the first to sign up. That way you are already associated first. If they let allow multiple accounts for one address....well...at least you'll get advance notice when they deliver the activation code for the new account.
Re: (Score:2)
Re: (Score:2)
Of course you shouldn't have to. But that doesn't change the fact that it will help protect you.
Re: (Score:2)
Re: (Score:2)
And when a credit card you already have is due to expire, a new one gets mailed out. This helps prevent someone from intercepting it.
Re: (Score:2)
Freezing your credit is the better way. Not only does this protect you from folks trying to sign you up for Informed Delivery, it also protects you from people opening credit cards, loans, etc in your name.
The second article (link in the summary) states that "...numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place..." and this typing ptarmigan was able to sign up for the USPS Informed Delivery service (using KBA: Knowledge-Based Authentication) a little while ago even though I have credit security freezes in place.
Re: (Score:1)
Bzzt. I just signed up multiple accounts with different email addresses for one mailing address. So far, no notice at all that there are multiple email addresses monitoring the one single mailing address. So, your suggestion that the best way to prevent this is to be the first to sign up is bunk. This is a very flawed system, even the "online verification" questions were super easy to guess. Thanks a lot to USPS for making everyone's (ID thieves) lives easier...
Re: (Score:2)
I forgot that the welcome letter does not include an activation code and that they verify only with the online info. Still, at least you'd know if you were missing important mail that day and could get a jump on any fraud that might be happening.
I know it's not culturally ok anymore... (Score:2)
...but we need to actually consider REALLY PUNISHING people?
I mean, these identity thieves, assuming they're of the vanishingly small % that ever get caught or prosecuted, are going to spend maybe 18 months in a relatively cushy orange-is-the-new-black low security facility?:
How is that IN ANY WAY a deterrent? It wouldn't be to me, if I decided that's how I wanted to make $.
And remember, jail isn't just about rehabilitating people (personally, i don't think you can; you can teach them to constrain their be
Re: (Score:2)
So lock up and execute more white people.
Re: (Score:2)
You can't put anyone in jail for this because the jails are full of drug criminals with mandatory minimum sentences. These aren't violent crimes or drug crimes so they are typically released from prison immediately due to overcrowding. On top of this it's a very low priority for law enforcement because there is no property they can seize and then keep the money for themselves like drug crimes.
Until the war on drugs ends and the perverse system of justice it's created is abolished you won't solve this proble
Re: (Score:2)
I hate when my fingers miss the contraction.
Cops are NOT interested in crime that isn't easy to solve and they don't get a kickback from, drug crime does.
Thanks, USPS (Score:2)
I didn’t even know this “service” existed. I just signed up for it - not because I want it, but because I didn’t want somebody else to sign up in my place. I’ll probably never look at it.