Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service (krebsonsecurity.com)

Posted by msmash on from the beware dept.

Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."

52 of 80 comments (clear)

  1. I use this, and it's crap by drinkypoo · · Score: 4, Interesting

    They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I use this, and it's crap by AvitarX · · Score: 1

      They accumulate all of your tracking numbers which is nice.

      Sometimes if I see something from the city I know to actually take my mail in.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:I use this, and it's crap by omnichad · · Score: 4, Informative

      They don't photograph the package, but they do give you all the tracking numbers - even if the seller/shipper didn't.

    3. Re:I use this, and it's crap by 0100010001010011 · · Score: 1

      I disagree. Amazon tells me if I have packages.

      This tells me if it's worth my time to walk to the mailbox.

    4. Re:I use this, and it's crap by nospam007 · · Score: 2

      " So the stuff I want most to know about, they don't tell me about."

      That's the way the Government works.

    5. Re:I use this, and it's crap by nospam007 · · Score: 1

      "Informed Delivery actually stopped working for me a few days ago, I wonder if it's at all related to this?"

      Yes, your credit card is gone.

    6. Re:I use this, and it's crap by drinkypoo · · Score: 1

      Amazon tells me if I have packages.
      This tells me if it's worth my time to walk to the mailbox.

      In my case, it's drive to the mailbox. If I'm expecting something it usually has a tracking number, and if not then I scoop it up when I drive by. But what I really want to know about from the USPS is whether any of the few PO box deliverable packages in the world have turned up, and which ones. Most of those I get are some fluffy little packet of nothingness from HK or China and many of them lack meaningful tracking.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:I use this, and it's crap by fahrbot-bot · · Score: 1

      They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.

      I'm sure they get photographed too, they (apparently) just don't send you those with this service.

      --
      It must have been something you assimilated. . . .
    8. Re:I use this, and it's crap by fahrbot-bot · · Score: 4, Funny

      Informed Delivery actually stopped working for me a few days ago, I wonder if it's at all related to this?

      No. The Microsoft Activation server probably downgraded their license. :-)

      --
      It must have been something you assimilated. . . .
    9. Re:I use this, and it's crap by tlhIngan · · Score: 2

      They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.

      Most likely because flat mail is automatically sorted and scanned through the system. And part of that automation is... taking a photo of the envelope and analyzing it for the address and other important details.

      The only change here is that instead of discarding those photos, USPS saves them for you as a service.

      Parcels and other stuff don't get sorted automatically and thus photos don't exist since they were never taken by the machines. Once the item is coded (the bar code they print) then the system can run it through the sorting machines.

    10. Re:I use this, and it's crap by antdude · · Score: 1

      It's not reliable. Sometimes it works and doesn't. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re:I use this, and it's crap by ayesnymous · · Score: 1

      It also works intermittently. Some days it'll show you the scans. Other days it will tell you you have X pieces of mail on its way, but it won't show you any scans.

  2. Re:How? by WoodstockJeff · · Score: 4, Interesting

    It makes it easier to know when you should pilfer the mail of your victim.

    The majority of rural delivery boxes can't be locked, because the rural carrier would not be able to open them to deliver mail. And locked group mailboxes are only as secure as the keyed-alike master key.

  3. Re:How? by ArchieBunker · · Score: 1

    I've never seen a locked mailbox anywhere but apartment buildings. I guess the theory is the thieves get the pictures so they know when the real mail is arriving. Good luck with that in my neck of the woods. My mailman is an old decrepit piece of shit who sometimes doesn't show up for a week at a time. When he isn't working it's some other minimum wage flunkies.

    On a side note I always wondered if the feds tracked where all the mail was going.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  4. Re:How? by XXongo · · Score: 2

    Ok they get to see the outside of the envelope with your name and address that they already know.

    As far as I can tell, what they are doing is looking at the scans to know when credit cards are being delivered. If you get a new credit card on the average of once a year, this means that they only have to steal your mail once a year, and don't have to steal it the other 313 days a year that there ISN"T a credit card in the mail.

    Unless the mailboxes are unlocked for them to get the actually mail how does this allow them to commit identity fraud?

    Most people in the U.S. don't have locked mailboxes.

  5. Groundskeeper Willie says by necro81 · · Score: 2

    Groundskeeper Willie says "I warned ya!"

  6. Re:How? by Anonymous Coward · · Score: 1

    Ok they get to see the outside of the envelope with your name and address that they already know.

    As far as I can tell, what they are doing is looking at the scans to know when credit cards are being delivered. If you get a new credit card on the average of once a year, this means that they only have to steal your mail once a year, and don't have to steal it the other 313 days a year that there ISN"T a credit card in the mail.

    You missed the point. Thieves are signing up for NEW credit cards. Then watching when the card arrives and intercepts it before the homeowner. They wont know until the following month when a bill shows up for the max limit of the card. They don't have to wait for that once a year replacement card.

  7. If only the USPS had a budget for fixing this by OzPeter · · Score: 1

    Can someone remind me again why the USPS seems to have a cash flow problem? I mean, if there was plenty of money to around inside the USPS I'm sure that things like this would be more likely to be fixed.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:If only the USPS had a budget for fixing this by omnichad · · Score: 1

      Here's your reminder.

    2. Re:If only the USPS had a budget for fixing this by Anonymous Coward · · Score: 1

      Republicans: starve the beast, run up the debt, divert as much of the treasury as possible into corporate welfare and subsidies

      Nothing new here. The postal budget was ripe for plundering.

    3. Re:If only the USPS had a budget for fixing this by Anonymous Coward · · Score: 1

      Can someone remind me again why the USPS seems to have a cash flow problem? I mean, if there was plenty of money to around inside the USPS I'm sure that things like this would be more likely to be fixed.

      Congress has regularly raided the USPS's coffers for the last 30 years, but in 2006 G.W. Bush required that they pre-fund the full expected value of their retirement accounts (about $55-$70 billion) up front costing them $5.5 to $5.8 billion every year since 2007.

      All other federal agencies are allowed to invest a smaller amount each year under the assumption that those investments will grow to meet their final needs, much like regular folks do with their 401(k) and IRA's.

    4. Re:If only the USPS had a budget for fixing this by guruevi · · Score: 1

      Perhaps you remember why people should be funding their retirement accounts - because people are bad at managing money that doesn't "do" anything and then you get situations where a company (or a bank in case of GWB) fails and the retirement funds get raided along the way.

      Even commercial retirement accounts are supposed to have the entire expected value available at all times. Sure there are ways to doctor the numbers and invest, but the investments have to be non-risky, something the USPS and many others fail to do during the early 2000's causing the economy to eventually spiral out of control.

      And $5.5B is not pre-funding, it's funding sufficiently so that existing employees that retire can get their promised money out, money that the USPS and others pre-LOST during the banking crisis.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:If only the USPS had a budget for fixing this by Agripa · · Score: 1

      Congress has regularly raided the USPS's coffers for the last 30 years, but in 2006 G.W. Bush required that they pre-fund the full expected value of their retirement accounts (about $55-$70 billion) up front costing them $5.5 to $5.8 billion every year since 2007.

      All other federal agencies are allowed to invest a smaller amount each year under the assumption that those investments will grow to meet their final needs, much like regular folks do with their 401(k) and IRA's.

      Nothing changed. The USPS retirement funds buy U.S. treasuries putting the money exactly where Congress can get to it. The fund is composed of IOUs.

  8. Re:How? by necro81 · · Score: 2

    On a side note I always wondered if the feds tracked where all the mail was going

    The USPS has been taking a picture of every piece of mail that passes through it for a decades. In some ways this should not be surprising - most mail sorting is automated, using machine vision to read the address labels (either hand-written, or barcode). In fact, the USPS was a strong investor in optical character recognition decades ago, because they recognized they could get much greater throughput this way. Previously, each letter would go past a human worker that would read the address and type in the ZIP code with a specialized keyboard.

    More recently, the USPS has started retaining these images for a period of time. This has, for instance, been helpful in law enforcement - see the recent case of Cesar Sayoc. But I don't know how long the images are kept for, or what other legitimate uses there may be for it.

  9. I can view mail at my old address by ripvlan · · Score: 1

    I moved a few years ago and haven't updated my address on usps.com. Apparently USPS turned on Informed Delivery automatically for me - so I can see all mail delivered to my old address. How cool and creepy is that!

    What prevents me from entering in any random address? Do they send a postcard to the address stating "your mail is being monitored" ??

    I used to travel on business a lot and used the website to stop / start my mail when on extended trips. I forgot I had an account until today! How many other people might be in this same situation?

    I changed my address online - so we'll see what happens.

    1. Re:I can view mail at my old address by archer,+the · · Score: 1

      > Do they send a postcard to the address stating "your mail is being monitored" ?

      Not useful: the identity thieves could just steal that once they sign up as you.

  10. Best Mitigation: Sign up now by omnichad · · Score: 3, Informative

    The best way to prevent this is to be the first to sign up. That way you are already associated first. If they let allow multiple accounts for one address....well...at least you'll get advance notice when they deliver the activation code for the new account.

    1. Re:Best Mitigation: Sign up now by archer,+the · · Score: 1

      Screw that. I shouldn't need to create an online account just to protect my mail. Too many online accounts...

    2. Re:Best Mitigation: Sign up now by omnichad · · Score: 1

      Of course you shouldn't have to. But that doesn't change the fact that it will help protect you.

    3. Re:Best Mitigation: Sign up now by archer,+the · · Score: 1

      Freezing your credit is the better way. Not only does this protect you from folks trying to sign you up for Informed Delivery, it also protects you from people opening credit cards, loans, etc in your name.

    4. Re:Best Mitigation: Sign up now by omnichad · · Score: 1

      And when a credit card you already have is due to expire, a new one gets mailed out. This helps prevent someone from intercepting it.

    5. Re:Best Mitigation: Sign up now by Typing_Ptarmigan · · Score: 2

      Freezing your credit is the better way. Not only does this protect you from folks trying to sign you up for Informed Delivery, it also protects you from people opening credit cards, loans, etc in your name.

      The second article (link in the summary) states that "...numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place..." and this typing ptarmigan was able to sign up for the USPS Informed Delivery service (using KBA: Knowledge-Based Authentication) a little while ago even though I have credit security freezes in place.

    6. Re:Best Mitigation: Sign up now by zilym · · Score: 1

      Bzzt. I just signed up multiple accounts with different email addresses for one mailing address. So far, no notice at all that there are multiple email addresses monitoring the one single mailing address. So, your suggestion that the best way to prevent this is to be the first to sign up is bunk. This is a very flawed system, even the "online verification" questions were super easy to guess. Thanks a lot to USPS for making everyone's (ID thieves) lives easier...

    7. Re:Best Mitigation: Sign up now by omnichad · · Score: 1

      I forgot that the welcome letter does not include an activation code and that they verify only with the online info. Still, at least you'd know if you were missing important mail that day and could get a jump on any fraud that might be happening.

  11. Authentication by XXongo · · Score: 3, Informative

    What prevents me from entering in any random address?

    "knowledge based authentication".

    They ask you a question that, supposedly, only the resident of the address can answer. Krebs says that this is pretty weak security.

    Article didn't say what kind of question that is, but a hint comes from the fact that if you freeze your Equifax credit rating, they can't ask the question. So it seems to be something that Equifax knows.

    Do they send a postcard to the address stating "your mail is being monitored" ??

    Didn't you read the article? That was the whole point: no, they don't.

    1. Re:Authentication by archer,+the · · Score: 1

      One more reason to freeze one's credit. Everyone should freeze their credit, and only unlock it for those few days when one actually needs it.

    2. Re:Authentication by ripvlan · · Score: 1

      I updated my address online to be my current one. It didn't ask any questions, but I did receive an email letting me know changes had been made to my profile.

      I'll wait to see if I get a post-card or something. I know when I created a Forward-my-mail request the Postmaster in my new town sent me a postcard asking Who Lives Here Now? So that they don't start rejecting mail etc.

      But apparently the online edition isn't tied to it as I could, until the other day, still see scanned mail at my old address.

  12. Re:How? by Highdude702 · · Score: 1

    USPS has special locks that you can buy an assortment of mailboxes with already installed it if you're handy you could buy the locking mechanism and install it your self, I'm sure that would depend on the type of box you have but its still possible. You don't think they carry a special key for every apartment complex do you?

  13. Re:How? by 0100010001010011 · · Score: 1

    You mean just like how they can't lock postal drop boxes?

    They sell mailboxes that operate the same way. You put the mail in, it drops down to a place that you can unlock.

  14. Re:How? by nospam007 · · Score: 1

    "Single-house locked mail boxes do exist. "

    Yes, the rest of the planet uses them exclusively.

  15. I know it's not culturally ok anymore... by argStyopa · · Score: 1

    ...but we need to actually consider REALLY PUNISHING people?

    I mean, these identity thieves, assuming they're of the vanishingly small % that ever get caught or prosecuted, are going to spend maybe 18 months in a relatively cushy orange-is-the-new-black low security facility?:

    How is that IN ANY WAY a deterrent? It wouldn't be to me, if I decided that's how I wanted to make $.

    And remember, jail isn't just about rehabilitating people (personally, i don't think you can; you can teach them to constrain their behaviors, but the behaviors/drives are still there), it's about PUNISHING and DETERRING crime.

    Maybe we should take a nod from Hammurabi: if you're clearly convicted of this, cut off a hand. I guarantee you the incidence would drop.

    --
    -Styopa
    1. Re:I know it's not culturally ok anymore... by rahvin112 · · Score: 1

      You can't put anyone in jail for this because the jails are full of drug criminals with mandatory minimum sentences. These aren't violent crimes or drug crimes so they are typically released from prison immediately due to overcrowding. On top of this it's a very low priority for law enforcement because there is no property they can seize and then keep the money for themselves like drug crimes.

      Until the war on drugs ends and the perverse system of justice it's created is abolished you won't solve this problem. Cops are interested in crime that isn't easy to solve and they don't get a kickback from, drug crime does.

    2. Re:I know it's not culturally ok anymore... by rahvin112 · · Score: 1

      I hate when my fingers miss the contraction.

      Cops are NOT interested in crime that isn't easy to solve and they don't get a kickback from, drug crime does.

    3. Re:I know it's not culturally ok anymore... by Agripa · · Score: 1

      So lock up and execute more white people.

  16. Re:How? by drinkypoo · · Score: 1

    More recently, the USPS has started retaining these images for a period of time. This has, for instance, been helpful in law enforcement - see the recent case of Cesar Sayoc.

    The answer is that the data is being handed off to the DHS or similar...

    But I don't know how long the images are kept for,

    ...and therefore it is being stored forever and ever, amen.

    or what other legitimate uses there may be for it.

    There's no end of potential legitimate uses for that data. There's also no end of potential illegitimate ones, either. Sadly, the feds will store it for all eternity, so that it can be used by friend and foe alike.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. Re:How? by reboot246 · · Score: 2

    I'd be happy if the mail carrier would just close the fucking mailbox when it's raining. She somehow manages to close it when it's not raining, so I presume she just does it for spite.

    Nothing like soaking wet mail stuffed in a box when you've been out of town for a week. I have complained, but that seems to make it worse. They all look out for each other.

  18. Re:How? by ArchieBunker · · Score: 1

    I'd just attach a spring to close it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  19. Re:How? by ArchieBunker · · Score: 1

    Lol, it would never make it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  20. They don't even give you photos of all your mail. by gaiageek · · Score: 1

    As far as the daily email showing your coming mail is concerned, it only shows a portion of it. If you want to see all the photos they have of your mail you have to log in to their website, which IMO misses the point of getting an email showing your incoming mail in the first place. And even if you log in, they often only have photos for half your incoming mail (at our place anyway).

    Given that they've also started embedding ads in with the daily email, the service has been losing its appeal to me -- which sucks because in principle it's a very good idea.

    --
    www.gaiageek.com
  21. Song: Harry the mailman [Re:How?] by buzz_mccool · · Score: 1
    (Sung to the tune of Frosty the Snowman)

    Harry the mailman brings us letters soaked with rain,
    Jambs the box so full that the mail is crushed,
    and then laughs when we complain.

    Charlie the milkman is the biggest slob in town,
    Seldom leaves the quarts that we've asked him for,
    and when he does, they're upside-down

    11 months throughout the year
    they're as lousy as can be,
    but starting December they work with great efficiency.
    Charlie and Harry really show they're full of zip
    Then they work that way,
    every doggone day,
    'till they get their Christmas tip!

    (Mad magazine circa 1975)

  22. Thanks, USPS by 93+Escort+Wagon · · Score: 1

    I didn’t even know this “service” existed. I just signed up for it - not because I want it, but because I didn’t want somebody else to sign up in my place. I’ll probably never look at it.

    --
    #DeleteChrome
  23. Re:How? by q4Fry · · Score: 1

    Then the mail carrier will destroy your mailbox out of spite.