US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service (krebsonsecurity.com)
Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.
The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."
They don't photograph the package, but they do give you all the tracking numbers - even if the seller/shipper didn't.
The best way to prevent this is to be the first to sign up. That way you are already associated first. If they allow multiple accounts for one address... well... at least you'll get advance notice when they deliver the activation code for the new account.
What prevents me from entering in any random address?
"knowledge based authentication".
They ask you a question that, supposedly, only the resident of the address can answer. Krebs says that this is pretty weak security.
Article didn't say what kind of question that is, but a hint comes from the fact that if you freeze your Equifax credit rating, they can't ask the question. So it seems to be something that Equifax knows.
Do they send a postcard to the address stating "your mail is being monitored" ??
Didn't you read the article? That was the whole point: no, they don't.