Could Informed Delivery Be A Way In for Hackers?

During the past year, Printing Impressions has reported on the potential benefits of the free Informed Delivery program from the United States Postal Service, which emails customers images of the letter-sized mail they will be receiving that day. According to a recent blog on Printing Impressions, "the program includes around 13 million subscribers. An impressive 65% of email subscribers check their Informed Delivery emails nearly every day. If you’ve ever run email campaigns, you’re probably aware that achieving a 65% open rate is quite a feat."

The program has been steadily growing in popularity, but Cybersecurity experts warn it might provide an in for identity theft. According to multiple news sources, including NY Daily News, Fox 8 Cleveland, Postal Times and more, cyber criminals are assuming the identity of mail recipients and signing up for informed delivery in their name and without their knowledge. For example, a KrebsOnSecurity post, details how an internal alert was sent by the Secret Service on Nov. 6, warning about a case in which seven people in Michigan were arrested for allegedly stealing credit cards from mailboxes after secretly signing the victims up for Informed Delivery without their knowledge.

KrebsOnSecurity reports:

KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.

However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.

The identity theft is already taking place, as ClickOrlando.com has reported dozens of Florida residents have already had accounts set up by impostors. The Dallas Morning News has also reported similar circumstances for Texas residents.

The problem, KrebsOnSecurity writes, is the authentication process. All that is needed to set up an account is a person's name, address and email address, with some "'knowledge-based authentication' or KBA questions," which can easily be cracked by cyber criminals. In fact, the The Dallas Morning News reporter revealed that he was able to easily set up an account in his mother-in-law's persona by guessing the answers to her KBAs and began to receive her daily mail breakdown, demonstrating the ease at which it could be done.

Although there is a potential threat for criminals to prey on those who haven't yet signed up for an Informed Delivery account, USPS spokesman Albert Ruiz told The Dallas Morning News that "fraud cases are very low," and the USPS is "currently looking at other methods to provide a more secure method, including cell phone authentication." KrebsOnSecurity writes that users could claim their address for every adult present at their address to prevent fraudulent sign ups, but it's also possible to remove an address' eligibility for Informed Delivery.

What do you think? Respond in the comments below.