Identity Thieves Target USPS Mail Scanning Service
The U.S. Secret Service issued an internal warning stating that multiple field offices reported the new United States Postal Service (USPS) Informed Delivery service is being used to commit credit card fraud and identity theft. Mail customers who sign up for the service may view images of their postal mail and track incoming packages online in the USPS app. Hackers are redirecting scanned mail notifications away from the legitimate owners to themselves in order to intercept new credit card accounts and other banking information, according to a Krebs on Security post.
The new USPS service, known as Informed Delivery, sends residential mail recipients notifications to let them know what snail mail is on the way to their homes. With the service, mail recipients can preview their mail online from anywhere in the world. The service rolled out to a limited area in 2014. It expanded in 2017, making it a more desirable target for hackers.
How do scammers hack the USPS Informed Delivery mail preview service?
Identity thieves sign up random people’s home addresses for Informed Delivery. Names and addresses are available from public records like voting rosters, real estate information, and telephone directories. Yes, those big fat phone books still exist! Just last weekend, we had a phone book dropped off on the front doorstep. After regarding it and laughing at how important those phone book listings once were, we promptly escorted it into the recycling bin without ever taking it out of its wrapper.
Back to the ID theft. When you sign up for Informed Delivery, you can choose to have a postcard mailed to your house with a verification code, or you can verify your identity online. Of course, hackers go with the online verification; otherwise they’d have to be at your house to intercept the mail. I chose to verify my identity online.
I was asked four super simple questions that obviously came from real estate records. Identity thieves are able to pass the security verification questions with information found on social media and from easily accessible records. One of the services used to verify USPS customer identity is sourced from Equifax. You know Equifax, right? The credit bureau was hacked earlier this year. The private information of over 145 million US customers and 700,000 UK customers was stolen. One Equifax manager was already convicted of insider trading. The then-Equifax CEO Richard Smith appeared before Congress. The insider trading case against former Equifax CIO Jun Ying is not yet decided.
Is this ID verification process secure?
No. To help with security and fraud issues, the USPS added more security to their Informed Delivery service. As of February 16, the Postal Service notifies households by snail mail whenever anyone using that address signs up to receive these scanned notifications. Using their wholly owned delivery system makes more sense than asking a few online questions just about anyone can answer with a little Googling. However, even with the snail mail confirmation and online interrogation, there are still security issues. Hackers still have a window of a few days, from signing a victim up for email scanning until the mailed notification is delivered, to scam whatever comes to them via the notification service.
What is the Postal Service’s USPS Informed Delivery program?
The United States Postal Service’s Informed Delivery service allows users to preview their mail and manage packages scheduled for delivery. (Because we all know how useful USPS package tracking is!) Informed Delivery sends users black-and-white images of the exterior, address side of letter-sized mail. The USPS Informed Delivery service currently has 13 million users.
Images are only provided for letter-sized mail that is processed by automated mail handling equipment. With Informed Delivery, residential mail customers can preview incoming mail through their online account, schedule re-delivery, and track packages. This service is not available for businesses. The feature is provided for free and is a great service for those who travel frequently, as long as their identities have not been scammed :(.
According to a Fast Company post, a USPS spokesman sent the following statement:
“Unfortunately, in very few cases, an individual’s identity has already been compromised by a criminal who then has used it to set up an Informed Delivery account.”
Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.