First off, let me just make clear that I sincerely love our United States Postal Service. They are one of the most efficient and best-run bureaucracies in the country and still managing to be self-sufficient without the need for federal subsidies. There may be occasional issues, but as far as cost goes, you really can't beat USPS for shipping within the domestic United States.
Earlier today, however, I noticed a fairly disturbing loophole that could easily be utilized by the unscrupulous and nefarious. It seemed like forever since I had checked my USPS account. I have signed in a few times to take advantages of services like printing postage but until reminded, I had forgotten that "informed delivery" even existed.
<img src="https://media.8ch.net/file_store/851e1dafcb7b53e512ce90895557688378b95ea6a0c88378736946aaddfbeb16.png" style="max-height:640px;max-width:360px;">
If you have a USPS account and are opted in, informed delivery offers a chance to "preview" your mail before it arrives. Greyscale images of the exterior, address side of letter-sized mail pieces, parcels and package tracking information are available.
Here's the thing though, after I reset my password and signed in to check Informed Delivery, I found something seriously disturbing. Evidently, I had signed up for the service years ago while living in Myrtle Beach.
Now bear in mind, I have received mail in three states, five cities and nearly a dozen addresses in the last four years. Despite having gone through the address change service with USPS each time, I was (until this afternoon) still receiving "informed delivery" information for my previous address.
<img src="https://media.8ch.net/file_store/cf3e4b812a3eb4f7614b4bea2de31304fc62fff88134734116ebea33435cca05.png" style="max-height:640px;max-width:360px;">
So, if you sign up for "informed delivery" you get updates on <strong>EVERY PIECE</strong> of mail that address receives. The service is not restricted to "tracked" mail either. Bills, letters, parcels, etc. all appear online before in your mailbox. You even get a warning of what day it will come in. Oh, and you don't even have to live there at the time, apparently.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">USPS ‘Informed Delivery’ Is Stalker’s Dream <a href="https://t.co/xUknQtdWet">https://t.co/xUknQtdWet</a></p>— Intrasecure (@intrasecure) <a href="https://twitter.com/intrasecure/status/928789062558928897?ref_src=twsrc%5Etfw">November 10, 2017</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
I was staying with an ex-girlfriend at the time I signed up initially. Let's just imagine that she was still living there and I am a creepy stalker. With informed delivery, I could potentially intercept important mail, keep up with money being spent and gather other private and personal details remotely using the US Post Office's free service.
Part of the issue is that, like so many online services, opt-out is a headache. Another issue is the "online verification" method. Using online searches like Pipl and Spokeo or paid services like BeenVerified it's easy to deduce past addresses and other public information used to verify that you are who you say you are. Not to mention that the people most likely to try to hack personal accounts are often friends, family, exes who most likely know "your mother's maiden name" and all those other lame-o, easily discovered "security questions."
<img src="https://media.8ch.net/file_store/7003f48df4a304406af486e4f8610065afc22cdb8952240d3ff4bfcd43659537.png" style="max-height:640px;max-width:360px;">
Krebs On Security also <a href="https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/">covered this story just last month</a>. One workaround to the privacy issues leading to a stalker's wet dream may potentially be having snail mail verification sent to any address that signs up for it. Most likely the best way to prevent this being accessed is by signing up for the service and having all other adults sign up for the service. Even so, at this point, with your password (something several couples share), the service can still be remotely accessed online.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">The USPS is featuring Informed Delivery, where recipients will be able to know what's in their mailboxes before they even get home. Find out how to apply this USPS offering to your nonprofit fundraising efforts! <a href="https://t.co/tVccrBaSjo">https://t.co/tVccrBaSjo</a></p>— Production Solutions (@PS_PSDigital) <a href="https://twitter.com/PS_PSDigital/status/928658301054803968?ref_src=twsrc%5Etfw">November 9, 2017</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
<blockquote>The Postal Service said it is not possible for an address occupant to receive emailed, scanned images of incoming mail at more than one email address. In other words, if you wish to prevent others from signing up in your name or in the name of any other adults at the address, the surest way to do that may be to register your own account and then urge all other adult residents at the address to create their own accounts.
A highly positive story about Informed Delivery published by NBC in April 2017 suggests another use of the service: Reducing mail theft. However, without stronger authentication, this service could let local ID thieves determine with pinpoint accuracy exactly when mail worth stealing is set to arrive.</blockquote>
Bob Dixon, manager of the Informed Delivery program, told Krebs on Security that would send a written notification to addresses that had been signed up for the program. Meantime, if you've got a shady ex who has your address and mother's maiden name, now might be a good time to see if you're already signed up without your knowledge.
sounds interesting !!