Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Sunday November 11 2018, @09:59AM   Printer-friendly
from the picture-this dept.

Submitted via IRC for Bytram

U.S. Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service — Krebs on Security

A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.

According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”

“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.

The USPS did not respond to repeated requests for comment over the past six days.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @10:37AM (6 children)

    by Anonymous Coward on Sunday November 11 2018, @10:37AM (#760613)

    It was't hard to predict that this type of behavior would occur. How is it that no one at USPS thought of this (or listened to the warnings about this)?

    • (Score: 3, Interesting) by requerdanos on Sunday November 11 2018, @03:56PM (5 children)

      by requerdanos (5997) Subscriber Badge on Sunday November 11 2018, @03:56PM (#760651) Journal

      no one at USPS thought of this (or listened to the warnings about this)

      That conclusion is implied in TFA but I don't think it's a correct one. The USPS works to verify the identity of the person applying for Informed Delivery.

      I signed up for it so I would know whether there was anything important in my post office box*. I had to answer questions like "Which of these streets have you lived on" etc. I failed (don't know enough about myself I guess) and the website locked me out (no more guesses)--I had to go to a post office 40 miles away, the nearest one that could validate me in person with two forms of I.D.

      In short, it seems that the USPS clearly thought of this, and is taking steps to prevent identity theft by this means. Attacking in this way, an attacker has to have already compromised a lot of personal information, or make some very improbably good guesses. The USPS could take further steps--I don't know, perhaps they could require every sign-up to be in person with valid ID--but that would come with problems of its own.

      Krebs is right to point out that this is an avenue that can be exploited, but it's not a wide open hole you could drive a train through on well-greased rails, either.

      -----
      * I still never know whether packages I order have arrived at the post office, because I found that informed delivery only seems to know about mail that originated in this country, and I order lots of things from other countries. Packages from other countries have never shown up in my informed delivery account.

      • (Score: 1, Interesting) by Anonymous Coward on Sunday November 11 2018, @07:31PM

        by Anonymous Coward on Sunday November 11 2018, @07:31PM (#760692)

        As mentioned in TFA, the security questions come from the three big credit agencies. Most of these questions require a little homework for someone looking to steal mail, but they aren't that tough. The ones I had to answer were about a previous address and about names of nieces and nephews.

        Being prepared with personal information is always beneficial when trying to open loans or credit cards in someone else's name. There isn't a "Pinky Swear" checkbox on the credit applications.

      • (Score: 3, Informative) by tibman on Sunday November 11 2018, @08:32PM (1 child)

        by tibman (134) Subscriber Badge on Sunday November 11 2018, @08:32PM (#760705)

        I just signed up to see for myself. The questions were actually really good. Someone would have to either know me personally or have a lot of detailed knowledge about my past.

        They probably should send you some physical mail though to confirm you are who you say you are.

        --
        SN won't survive on lurkers alone. Write comments.
        • (Score: 2) by LVDOVICVS on Sunday November 11 2018, @11:30PM

          by LVDOVICVS (6131) on Sunday November 11 2018, @11:30PM (#760735)

          I just signed up for this about a week and a half ago. They asked me four questions. 1) How much did we pay for our house (dollar range). 2) The year our house was built. 3) Which one of four choices was an old phone number of mine. (Not a current one, but used about five or more years ago.) and 4) The last four digits of my social security number.

          I found it a bit disturbing they had this info at the tips of their fingers.

          A few days ago I received a piece of mail alerting me that the account had been set up.

      • (Score: 2) by darkfeline on Tuesday November 13 2018, @08:15PM (1 child)

        by darkfeline (1030) on Tuesday November 13 2018, @08:15PM (#761433) Homepage

        Here's a thought experiment.

        They asked questions like "Which of these streets have you lived on", right? That means they know the answer to those questions, and that answer is sitting in a database somewhere. Presumably, it's not the USPS which gathers that information, so there's some third party which has that information in a database, and "lends" that information to other parties for verification uses.

        Doesn't sound so secure anymore, does it? In fact, an attacker probably has a better chance of answering those questions correctly than the person themself.

        --
        Join the SDF Public Access UNIX System today!
        • (Score: 0) by Anonymous Coward on Saturday November 17 2018, @10:57AM

          by Anonymous Coward on Saturday November 17 2018, @10:57AM (#763034)

          USPS and California State DMV would have both had that information. And at least the latter I know ran their own database system because it was extremely slow running off a mainframe with batch processing and dialup/frame relay links up until the past 10 years or so (I talked to a couple DMV people in regards to how long I should expect my paperwork processing to take, who were more than willing to explain roughly what the system was like.) That said, they were moving to an internet accessable web front end back then, and had only been delayed in it due to budget cuts for the decade prior. As a result they probably have a shoddy IE6 compatible HTML 4.01+Javascript hackjob that has holes out the wazoo in it. No fault of their own, just a bad time and opportunity to upgrade their systems into the 21st century. As I remember it the mainframe was going to be software emulated in a VM as well.

  • (Score: 1, Informative) by Anonymous Coward on Sunday November 11 2018, @01:12PM (6 children)

    by Anonymous Coward on Sunday November 11 2018, @01:12PM (#760631)
    • (Score: 1, Interesting) by Anonymous Coward on Sunday November 11 2018, @01:38PM (5 children)

      by Anonymous Coward on Sunday November 11 2018, @01:38PM (#760633)

      Another Krebs article,
          https://krebsonsecurity.com/2018/02/usps-finally-starts-notifying-you-by-mail-if-someone-is-scanning-your-snail-mail-online/ [krebsonsecurity.com]
      This service might be not quite as bad as TFA suggests. From the comments below this link:

      Isaac
      February 28, 2018 at 5:52 pm

      This pre-delivery mail/pkg scan notification along with USPS texting of package tracking and delivery confirmation has upped my mail/pkg security and tracking situation immensely. yeah there might still be some security exposure but its far far better than years before.

      In addition to seeing the mail delivery scan day before I also get a USPS text msg the minute a package is delivered and look out my window and can see the mail carrier driving away, its that fast where I live. If a high value package, or mail (credit card, etc.) is then sitting in my mail box out by road I walk right down to mail box and pull it before a drive-by mail thief can even think about stealing it! If its not there, I know it was in all likelihood inadvertently mis-delivered to a neighbor’s mailbox (has happened twice over last couple of years). Overall, a pretty nifty service considering what it used to be like…

      A few years back I bought a product off eBay that was in a larger package than expected and did not fit in our extra large mail box. Carrier attempted to deliver but gate was locked and forgot to leave an attempted delivery notification. After a weeks time went by with no delivery I went round-and-round with seller…him saying it was shipped and me saying its not here and threatening to file eBay dispute. Only resolved when I went in person to Post Office with a tracking # that seller later provided and asking Post Office what happened to my package? “Oh we have had it here for almost 2 weeks we were about to send it back to shipper, I guess mail carrier didn’t notify you of the initial attempted delivery”.

      Boy, I’m glad those tail chasing days are gone!

      One of the other comments suggested that this service should only be available by signing up at a post office, in person. That makes sense to me, but it would get expensive (in terms of person-hours for the postal clerks that are often overworked already).

      Does anyone here (in USA) not have a bar code inside their mailbox by now? We've had one for the last couple of years ('burbs, mailbox at the street). The delivery person scans every time they stop to deliver or pickup letters (we put up the flag on our box).

      • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @01:59PM

        by Anonymous Coward on Sunday November 11 2018, @01:59PM (#760636)

        I agree that "in person" would be best, but you're right that it isn't practical. Requiring confirmation by mail is better but it's still subject to mail thieves (the same ones who signed up for the service in your name).

        Sending a confirmation postcard with an ID to everyone who signed up online (or an "invite" to everybody in general) is a bad idea because it would be subject to ... wait for it ... mail box thieves.

        I think this service would be great for my PO Box so I'm not heading down to the post office just to see if something showed up.

      • (Score: 2) by stretch611 on Sunday November 11 2018, @02:14PM (2 children)

        by stretch611 (6199) on Sunday November 11 2018, @02:14PM (#760638)

        I have been using the informed delivery service now for about 6 months. I thoroughly enjoy it. Even a good friend of mine that actually works at the post office uses it. (He has been a friend since before he worked there.) I encourage people to sign up.

        One thing though... The emails say allow a week before reporting missing mail. DON'T. I actually had a problem once and after waiting a week, the images are no longer available on the website... kind of defeats the purpose. Maybe allow 2 or 3 days... but a not the full week that the emails say.

        Does anyone here (in USA) not have a bar code inside their mailbox by now?

        I have no idea what you are talking about...

        --
        Now with 5 covid vaccine shots/boosters altering my DNA :P
        • (Score: 1, Informative) by Anonymous Coward on Sunday November 11 2018, @02:44PM

          by Anonymous Coward on Sunday November 11 2018, @02:44PM (#760642)

          >> Does anyone here (in USA) not have a bar code inside their mailbox by now?
          > I have no idea what you are talking about...

          My bad, since we have a sticker (and so does my parent's house), I made the wrong assumption that it was universal, explanations here,
          https://blog.stamps.com/2017/09/29/whats-managed-service-point/ [stamps.com]
          http://www.paperbackswap.com/Managed-Service-Point-Mailbox-Answered/topic/198777/ [paperbackswap.com]
          Looks like the original purpose was to track delivery routes.

          Our "Managed Service Point" sticker is on the inside the mailbox door (rural box, hinge on the bottom of door), so the delivery person has to open the mailbox to scan it. Other images show the sticker on the outside of different kinds of mailboxes. A few times I've been in the front yard and met the mail delivery truck--so they hand me my mail...and then have to open my mailbox anyway to scan in.

        • (Score: 1) by optotronic on Monday November 12 2018, @03:06AM

          by optotronic (4285) on Monday November 12 2018, @03:06AM (#760787)

          One thing though... The emails say allow a week before reporting missing mail. DON'T. I actually had a problem once and after waiting a week, the images are no longer available on the website... kind of defeats the purpose. Maybe allow 2 or 3 days... but a not the full week that the emails say.

          I noticed the same (or similar) thing. The instructions say to wait a week, but if you try to file a complaint the date of the incident can only be 6 or so days ago. I figure they don't want complaints, but like to pretend they care. I recognize it's possible the right hand doesn't know what the left hand is doing, but I've gotten skeptical over the years...

          On the plus side, when I complained about getting other people's mail too many times and some of my mail missing, the post-person seemed to start being more careful.

      • (Score: 2) by urza9814 on Monday November 12 2018, @05:15PM

        by urza9814 (3954) on Monday November 12 2018, @05:15PM (#760970) Journal

        Ugh, it's caused just as many problems as it solves for me.

        First issue is that they routinely mark in the tracking information that stuff has been delivered when it wasn't. If I'm not home to receive a package, they don't deliver it, but they say that they did. Then the next day they "deliver" it to a neighbor, without telling me who they gave it to. Then they tell me I'm on my own to try and track it down. So then I started going into the app and leaving delivery instructions telling them exactly what to do with it...but they ignore those every single time. At this point I really wish the post office would allow me to just place a hold on all packages, but apparently that's not possible either because they sort stuff directly onto the trucks or something.

        And it's constantly showing me my neighbors' mail...it doesn't seem to be very good at associating a mailpiece with the correct address. I've never actually gotten those delivered into my box, but I do get a daily email showing me what they're about to receive...

        I really wish USPS could just shut down and get taken over by UPS...they're the only ones who seem to understand how to deliver shit to the goddamn given address instead of just declaring their job is finished because the package fell off the back of the truck and therefore is no longer in their possession so it's not their problem anymore...

  • (Score: 2) by All Your Lawn Are Belong To Us on Monday November 12 2018, @04:39PM

    by All Your Lawn Are Belong To Us (6553) on Monday November 12 2018, @04:39PM (#760955) Journal

    I just went ahead and signed up for it, thinking that maybe if someone else tries to use my address now I'll get notified or it'll block it. Wonder if it actually does that...

    --
    This sig for rent.
(1)