Last year, the United States Postal Service (USPS) rolled out a service called Informed Delivery.
Here’s how it works: Informed Delivery allows you to preview your mail digitally online through black and white images of your actual letter-sized mail. These images, processed by USPS sorting facilities, will be provided each morning.
To be clear, the images are scans of the exterior, address label side of your mail and not the actual contents. Notifications and the images will then be sent only on the days the mail is being processed and delivered to your home.
But now, even this convenience is being exploited by criminals to steal your hard-earned cash. Read on and learn more about this alarming scheme.
Informed Delivery Scam
Security website KrebsOnSecurity reported that a new internal alert was recently issued by the U.S. Secret Service to its law enforcement partners warning about a new criminal scheme that’s making the rounds.
It turns out crooks are now abusing Informed Delivery to commit identity theft and credit card fraud.
By signing up as their victims on the USPS’s website for Informed Delivery, the crooks can then identify their mail and steal the credit cards from their mailboxes.
Not only that, but the Secret Service memo also stated that criminals are using Informed Delivery to pinpoint potential identity theft victims.
The Michigan Incident
To support the claim that crooks are indeed abusing the USPS’s Informed Delivery feature, the Secret Service memo cited a recent Michigan case where seven people were arrested in September for stealing credit cards from mailboxes after masquerading as their victims on the USPS site.
Using their victims’ credentials, they then signed them up for Informed Delivery “to identify and intercept mail, and to further their identity theft fraud schemes.”
Using this scheme, the accused were able to rack up around $400,000 worth of unauthorized charges on credit cards they applied for under their victims’ names.
They then used the stolen credit cards to buy gift cards and other merchandise from retail stores.
This means that Informed Delivery is just one part of a much larger and more elaborate scheme. The crooks most likely already have all their victims’ sensitive information (name, address, Social Security Number, etc.) on hand, enough to apply for a credit card.
Informed Delivery is just another cog in their credit card fraud machinery – the final step to intercept the physical credit card itself.
What’s being done about it?
Earlier this year, based on reports about the weaknesses of the Informed Delivery feature (which allowed crooks to sign up as someone from any household), the USPS implemented a new security system to alert all households by physical mail when someone in the house signs up for Informed Delivery.
If your address is entered into the system, a note will be sent to inform you that this is the case. If you don’t remember registering, that’s a red flag, and you might want to head to the post office personally to straighten it all out.
Another new security measure involves a change of address. If you file a change, USPS will not automatically transfer the Informed Delivery service to the new address.
Instead, it will send a letter with a special code that is tied to the new address as well as the username for the person who requested the change. To complete the change, the code will need to be entered using that very account.
It’s still not enough
However, despite these new security features, Krebs said that crooks have found a way to hijack their victims’ identities and order new credit cards under their names before the USPS can send their mailed notifications (it’s snail mail, after all).
The crooks most likely figured out the timing perfectly – they waited until the credit cards were on their way before signing up their victims for Informed Delivery.
For example, Krebs cited one woman from Belle Isle, Florida, who claimed that she received a $2,000 bill for an unauthorized credit card before getting the USPS notice saying that someone in her household had signed up for Informed Delivery. The problem? She never signed up for Informed Delivery in the first place.
This means the crooks were already receiving images of her mail while the unauthorized credit card was on its way, making it ripe for the picking.
The problem with Informed Delivery signups
So what’s one big glaring weakness of Informed Delivery? Apparently, the way the USPS validates new accounts. Signing up for the feature only requires your name, address, an email address and four generic security questions.
The problem? As with any “knowledge-based authentication” security questions (like “In what city were you born?”, “What’s your mother’s maiden name?”, “What’s the name of your pet?”, etc.), the answers can be easily phished or obtained via social engineering and social media services.
Another potential security and privacy hole is the fact that the USPS is now allowing advertisers to put interactive content in its Informed Delivery emails. This revenue stream allows marketers to match specific ad campaigns to your scanned mail images.
And you know what that means – aside from being a privacy risk itself, cybercriminals can also exploit these ads to send malicious links to Informed Delivery subscribers.
How to protect yourself
Informed Delivery is convenient since it lets you check your mail before it arrives or while you’re away from home. However, unless the USPS strengthens its validation process, crooks can find ways to exploit it for their misdeeds.
One way to protect yourself is to preempt the crooks by signing up for Informed Delivery yourself to claim your address right away. This means you’ll have to register each adult who resides at your address to claim their identities, too. Hopefully this way, your account will get flagged each time someone signs up for the service on your address’s behalf and you can dispute it right away.
If you have any questions about the Informed Delivery program, you can send an email to firstname.lastname@example.org.