SoylentNews is people

posted by Fnord666 on Sunday November 11 2018, @09:59AM
from the picture-this dept.

Submitted via IRC for Bytram

U.S. Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service — Krebs on Security

A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.

According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”

“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.

The USPS did not respond to repeated requests for comment over the past six days.

  • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @10:37AM (6 children)

    by Anonymous Coward on Sunday November 11 2018, @10:37AM (#760613)

    It wasn't hard to predict that this type of behavior would occur. How is it that no one at USPS thought of this (or listened to the warnings about this)?

  • (Score: 3, Interesting) by requerdanos on Sunday November 11 2018, @03:56PM (5 children)

    by requerdanos (5997) Subscriber Badge on Sunday November 11 2018, @03:56PM (#760651) Journal

    no one at USPS thought of this (or listened to the warnings about this)

    That conclusion is implied in TFA but I don't think it's a correct one. The USPS works to verify the identity of the person applying for Informed Delivery.

    I signed up for it so I would know whether there was anything important in my post office box*. I had to answer questions like "Which of these streets have you lived on" etc. I failed (don't know enough about myself I guess) and the website locked me out (no more guesses)--I had to go to a post office 40 miles away, the nearest one that could validate me in person with two forms of I.D.

    In short, it seems that the USPS clearly thought of this, and is taking steps to prevent identity theft by this means. Attacking in this way, an attacker has to have already compromised a lot of personal information, or make some very improbably good guesses. The USPS could take further steps--I don't know, perhaps they could require every sign-up to be in person with valid ID--but that would come with problems of its own.

    Krebs is right to point out that this is an avenue that can be exploited, but it's not a wide open hole you could drive a train through on well-greased rails, either.

    * I still never know whether packages I order have arrived at the post office, because I found that informed delivery only seems to know about mail that originated in this country, and I order lots of things from other countries. Packages from other countries have never shown up in my informed delivery account.

    • (Score: 1, Interesting) by Anonymous Coward on Sunday November 11 2018, @07:31PM

      by Anonymous Coward on Sunday November 11 2018, @07:31PM (#760692)

      As mentioned in TFA, the security questions come from the three big credit agencies. Most of these questions require a little homework for someone looking to steal mail, but they aren't that tough. The ones I had to answer were about a previous address and about names of nieces and nephews.

      Being prepared with personal information is always beneficial when trying to open loans or credit cards in someone else's name. There isn't a "Pinky Swear" checkbox on the credit applications.

    • (Score: 3, Informative) by tibman on Sunday November 11 2018, @08:32PM (1 child)

      by tibman (134) Subscriber Badge on Sunday November 11 2018, @08:32PM (#760705)

      I just signed up to see for myself. The questions were actually really good. Someone would have to either know me personally or have a lot of detailed knowledge about my past.

      They probably should send you some physical mail though to confirm you are who you say you are.

      SN won't survive on lurkers alone. Write comments.
      • (Score: 2) by LVDOVICVS on Sunday November 11 2018, @11:30PM

        by LVDOVICVS (6131) on Sunday November 11 2018, @11:30PM (#760735)

        I just signed up for this about a week and a half ago. They asked me four questions. 1) How much did we pay for our house (dollar range). 2) The year our house was built. 3) Which one of four choices was an old phone number of mine. (Not a current one, but used about five or more years ago.) and 4) The last four digits of my social security number.

        I found it a bit disturbing they had this info at the tips of their fingers.

        A few days ago I received a piece of mail alerting me that the account had been set up.

    • (Score: 2) by darkfeline on Tuesday November 13 2018, @08:15PM (1 child)

      by darkfeline (1030) on Tuesday November 13 2018, @08:15PM (#761433) Homepage

      Here's a thought experiment.

      They asked questions like "Which of these streets have you lived on", right? That means they know the answer to those questions, and that answer is sitting in a database somewhere. Presumably, it's not the USPS which gathers that information, so there's some third party which has that information in a database, and "lends" that information to other parties for verification uses.

      Doesn't sound so secure anymore, does it? In fact, an attacker probably has a better chance of answering those questions correctly than the person themself.

      Join the SDF Public Access UNIX System today!
      • (Score: 0) by Anonymous Coward on Saturday November 17 2018, @10:57AM

        by Anonymous Coward on Saturday November 17 2018, @10:57AM (#763034)

        USPS and California State DMV would have both had that information. And at least the latter I know ran their own database system because it was extremely slow running off a mainframe with batch processing and dialup/frame relay links up until the past 10 years or so (I talked to a couple DMV people in regards to how long I should expect my paperwork processing to take, who were more than willing to explain roughly what the system was like.) That said, they were moving to an internet accessible web front end back then, and had only been delayed in it due to budget cuts for the decade prior. As a result they probably have a shoddy IE6 compatible HTML 4.01+Javascript hackjob that has holes out the wazoo in it. No fault of their own, just a bad time and opportunity to upgrade their systems into the 21st century. As I remember it the mainframe was going to be software emulated in a VM as well.