U.S. Secret Service Warns ID Thieves Are Abusing USPS’s Mail Scanning Service

So I began reading and figured, huh, thieves must just stealing be the validation letter USPS would send, and thought, hey, that system which is used in many other places for similar things would be quite vulnerable to that attack, right?<p>But then I got to this bit:<p>&gt; KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.<p>&gt; However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification<p>What the actual hell? You can sign up online to get mail scanned… without <i>any</i> physical verification you&#x27;re at the address, with only a physical <i>notification</i> being sent <i>after-the-fact</i>?<p>What the hell are USPS smoking?<p>It makes me wonder what you need to do to sign up for this. I wonder…<p><i>goes to website</i><p>it seems like the only thing they do is ask for the address, and you check a box to accept the T&amp;Cs. I don&#x27;t know if there&#x27;s actual verification beyond that step, but it doesn&#x27;t sound like there is…

The fact that &quot;identity theft&quot; is still a thing in 2018 is an indictment on the legacy financial industry.<p>If not for the web of opaque &quot;agencies&quot; that collect and sell data about individuals without affirmative action on behalf of the individual (frankly still surprised this is legal) it would be a complete non-issue.<p>It&#x27;s irrelevant to me whether someone else opens an account with my name - just as it&#x27;s irrelevant to me whether someone registers an account elsewhere with the username &#x27;esotericn&#x27;.<p>The banks bring this problem upon themselves.<p>edit: The replies to this post are missing the point entirely. Yes, it&#x27;s a problem because it&#x27;s a problem.<p>It doesn&#x27;t have to be this way.

I&#x27;ve been using mailbox services (UPS Store) for almost 15 years. It costs extra money but pays for itself many times over.<p>I never have packages stolen, never have to wait around to sign for things, my mail is locked up, I don&#x27;t have to put a mail hold or have a friend get my mail when I travel, and never have to deal with changing addresses. It also improves my privacy since fewer people have my street address. I don&#x27;t worry about someone doxing me.<p>It&#x27;s not foolproof. Someone could social engineer access to my box or packages. Doing so requires significantly more effort and risk than grabbing something off a porch so it&#x27;s much less likely. It would have to be highly targeted too.

I use Informed Delivery (pretty handy), so when I started reading the article, I thought -- I should be safe, because I already signed up for the account at my address.<p>Not so! FTA: &quot;Normally in these cases I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.&quot;

I&#x27;m working on a honeypot service that lets people create canary credentials to detect eavesdropping. One of the fringe use cases is to see if someone has intercepted your mail or packages. I&#x27;m not sure if that&#x27;s a use case anyone actually cares about though, but stories like this make me wonder.<p>curious if this is something anyone here would want to try, I&#x27;m happy to give some free invites if anyone wants - my email is in my profile.

Security Concerns aside. The informed delivery service is great. I&#x27;ve been using it for a little over a year now. They began inserting ads into the Informed Delivery Email. Senders must place some sort of barcode that is then read by the USPS scanner. It&#x27;s nice to see our postal service trying to close the gap on their (net) loss.

I signed up the USPS mail scanning because I thought that it would be cool. However, I live in a small apartment building, and apparently USPS doesn&#x27;t recognize it as an apartment building, so I would get everyone&#x27;s mail. There was no verification either. I found it kind of scary the amount of info I was getting. Had to cancel because there was a lot of noise and it ultimately wasn&#x27;t useful for me.

I&#x27;ve noticed after first signing up around April that whatever scanner they&#x27;re using can see through the envelope and you can pretty clearly read at least part of the contents for a standard folded letter, but at some point later in the year the contrast of the images was changed and it wasn&#x27;t as common to see it anymore. Most of my mail is junk, but I can only imagine the kinds of opportunity that capability at scale presents.

I&#x27;m sitting here in Vietnam. For two years now, I get pictures every day of my friends mail emailed to me because I switched my address to her house when I left the US. I was not asked a single question about it, they just started appearing after I filed a change of address notice, which cost me like $1 or something. Something seems so wrong with that.

When my wife signed up for this a few months ago I was astonished to see that the envelope scans are sent in the clear in an email. I didn&#x27;t realize at the time that there is in addition no authentication of the sign up process!

Exploits aside, this service however convenient, just reeks of Big Brother to me. Not that I get that much info via USPS anymore but the idea that __everything__ is being logged (for future reference?) makes me uncomfortable.

I tried to sign up for this service and failed due to some identification challenge issue USPS was unable to explain. The online sign up process went along smoothly, but I was asked to bring a slip printed from the online process plus valid identification to a post office for in-person verification. Brought the documents and still was unable to validate my identity. The robot behind the counter could not explain why the application was rejected.<p>Curious how identity thieves made could complete an application when I, with all proper documentation in person at a post office, could not.

I wonder if more than one party can sign up for the same address? Am I safe because I&#x27;ve already signed up or are they happy to let someone else monitor my mail too?

I didn&#x27;t see it in the article, but these scans also show the first page of the letter on top. I thought I was crazy when I first saw it, but I can actually read account info etc from inside the letter!!!! If someone got my account they&#x27;d actually be able to tell part of what I&#x27;m getting not just from who.

Despite the security issues, this is a pretty cool service - I wonder if the UK Royal Mail is doing it ... oh of course not

Informed Delivery is great!<p>...... at sending me scanned mail from a place I lived at 9 years ago.<p>Tried to remedy it, not available at my ACTUAL address.

when I signed up for this I put in my apartment number for my building, but apparently usps thought I should get all mail for the whole building. I had to cancel it as there was so much noise. But they didn&#x27;t do any verification or anything, which was kind of scary.

The article mentions the ability to “opt out” out but I can’t find it anywhere on the usps website

FWIW, the Informed Delivery isn&#x27;t available everywhere. I tried to sign up and was denied.

I didn&#x27;t even know about informed delivery until now. Cool feature.