US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service (krebsonsecurity.com)

← Back to Stories (view on slashdot.org)

US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service (krebsonsecurity.com)

Posted by msmash on Friday November 9, 2018 @02:02AM from the beware dept.

Brian Krebs reports: A year ago, KrebsOnSecurity warned that "Informed Delivery," a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

The internal alert -- sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide -- references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS's Web site. According to the Secret Service alert, the accused used the Informed Delivery feature "to identify and intercept mail, and to further their identity theft fraud schemes."

13 of 80 comments (clear)

Min score:

Reason:

Sort:

I use this, and it's crap by drinkypoo · 2018-11-09 02:07 · Score: 4, Interesting

They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
1. Re:I use this, and it's crap by omnichad · 2018-11-09 02:58 · Score: 4, Informative
  
  They don't photograph the package, but they do give you all the tracking numbers - even if the seller/shipper didn't.
2. Re:I use this, and it's crap by nospam007 · 2018-11-09 04:12 · Score: 2
  
  " So the stuff I want most to know about, they don't tell me about."
  That's the way the Government works.
3. Re:I use this, and it's crap by fahrbot-bot · 2018-11-09 06:11 · Score: 4, Funny
  
  Informed Delivery actually stopped working for me a few days ago, I wonder if it's at all related to this?
  No. The Microsoft Activation server probably downgraded their license. :-)
  
  --
  It must have been something you assimilated. . . .
4. Re:I use this, and it's crap by tlhIngan · 2018-11-09 07:09 · Score: 2
  
  They only give you photos of your flat mail. Packages don't seem to get photographed, ever, even just padded envelopes. So the stuff I want most to know about, they don't tell me about.
  Most likely because flat mail is automatically sorted and scanned through the system. And part of that automation is... taking a photo of the envelope and analyzing it for the address and other important details.
  The only change here is that instead of discarding those photos, USPS saves them for you as a service.
  Parcels and other stuff don't get sorted automatically and thus photos don't exist since they were never taken by the machines. Once the item is coded (the bar code they print) then the system can run it through the sorting machines.
Re:How? by WoodstockJeff · 2018-11-09 02:16 · Score: 4, Interesting

It makes it easier to know when you should pilfer the mail of your victim.
The majority of rural delivery boxes can't be locked, because the rural carrier would not be able to open them to deliver mail. And locked group mailboxes are only as secure as the keyed-alike master key.
Re:How? by XXongo · 2018-11-09 02:18 · Score: 2

Ok they get to see the outside of the envelope with your name and address that they already know.
As far as I can tell, what they are doing is looking at the scans to know when credit cards are being delivered. If you get a new credit card on the average of once a year, this means that they only have to steal your mail once a year, and don't have to steal it the other 313 days a year that there ISN"T a credit card in the mail.

Unless the mailboxes are unlocked for them to get the actually mail how does this allow them to commit identity fraud?
Most people in the U.S. don't have locked mailboxes.
Groundskeeper Willie says by necro81 · 2018-11-09 02:36 · Score: 2

Groundskeeper Willie says "I warned ya!"
Re:How? by necro81 · 2018-11-09 02:46 · Score: 2

On a side note I always wondered if the feds tracked where all the mail was going
The USPS has been taking a picture of every piece of mail that passes through it for a decades. In some ways this should not be surprising - most mail sorting is automated, using machine vision to read the address labels (either hand-written, or barcode). In fact, the USPS was a strong investor in optical character recognition decades ago, because they recognized they could get much greater throughput this way. Previously, each letter would go past a human worker that would read the address and type in the ZIP code with a specialized keyboard.

More recently, the USPS has started retaining these images for a period of time. This has, for instance, been helpful in law enforcement - see the recent case of Cesar Sayoc. But I don't know how long the images are kept for, or what other legitimate uses there may be for it.
Best Mitigation: Sign up now by omnichad · 2018-11-09 03:02 · Score: 3, Informative

The best way to prevent this is to be the first to sign up. That way you are already associated first. If they let allow multiple accounts for one address....well...at least you'll get advance notice when they deliver the activation code for the new account.
1. Re:Best Mitigation: Sign up now by Typing_Ptarmigan · 2018-11-09 05:55 · Score: 2
  
  Freezing your credit is the better way. Not only does this protect you from folks trying to sign you up for Informed Delivery, it also protects you from people opening credit cards, loans, etc in your name.
  The second article (link in the summary) states that "...numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place..." and this typing ptarmigan was able to sign up for the USPS Informed Delivery service (using KBA: Knowledge-Based Authentication) a little while ago even though I have credit security freezes in place.
Authentication by XXongo · 2018-11-09 03:07 · Score: 3, Informative

What prevents me from entering in any random address?
"knowledge based authentication".
They ask you a question that, supposedly, only the resident of the address can answer. Krebs says that this is pretty weak security.
Article didn't say what kind of question that is, but a hint comes from the fact that if you freeze your Equifax credit rating, they can't ask the question. So it seems to be something that Equifax knows.

Do they send a postcard to the address stating "your mail is being monitored" ??
Didn't you read the article? That was the whole point: no, they don't.
Re:How? by reboot246 · 2018-11-09 04:56 · Score: 2

I'd be happy if the mail carrier would just close the fucking mailbox when it's raining. She somehow manages to close it when it's not raining, so I presume she just does it for spite.

Nothing like soaking wet mail stuffed in a box when you've been out of town for a week. I have complained, but that seems to make it worse. They all look out for each other.